Creating an initialization or configuration policy
Creating an initialization or configuration policy
This section details how to create an initialization or configuration policy for the PBA component only. You need to have knowledge about the target computer for deployment. Details such as the number of partitions, drive letters, whether the drive is already encrypted, and so on are necessary for the successful deployment of Matrix42 Full Disk Encryption. Once the policy is created, deploy it, for details see Deploying PBA policies. Follow these steps to create a new policy in PBA Policy Builder:
- Open the Control Center.
- Double-click the Policy Builder icon.
- Select Pre-Boot Authentication.
- The PBA Policy Builder Welcome dialog appears.
- Click Next to continue.
- The Policy selection dialog appears.
- Select the Create a new policy radio button.
- Click Next to continue.
- The Policy type dialog appears.
- Select either Create an initialization policy or Create a configuration policy, and click Next to continue.
- The Initialization dialog appears.
- Check the Switch to expert mode option to display all the initialization/configuration options available for this type of policy
The following steps detail all the available dialogs that you can configure. According to whether you are creating an initialization or configuration policy, some options – and therefore dialogs - will not be available (the screenshot above shows all the available options if you create a configuration policy). If you reach a dialog in the steps below that you do not see on your screen, please move on to the next step.
Option | Details |
---|---|
Switch to expert mode |
Configure every aspect of initialization (activating this option will also display further options – see below). |
Configure Authentication options |
Configure Windows credentials and smart card logon details (not available for an initialization policy). |
Pre-Boot appearance |
Configure a custom PBA background as well as the PBA integrity checking/advanced options. |
Configure the HelpDesk key |
Define a HelpDesk key for the HelpDesk challenge-response scenario in case of emergency. Once the HelpDesk is configured, you can activate Friendly Network. |
User options |
Configure Windows credentials and smart card logon details, as well as error message options. |
Logfile configuration |
Configure the location, name and file size of the PBA and notification DLL log files. |
Configure ERI password restrictions |
Define if the ERI file should have password restrictions. |
Create Emergency Recovery Information |
Define general settings for ERI. |
Enable ACHI boot Options |
This option enables only if the BIOS is set to AHCI-mode: It gives you the possibility to easily test and use an alternative PBA configuration that could improve hardware compatibility (KICKSTART=KEXEC and Kernel parameter: AHCI-to-legacy). There is no guarantee that this option resolves all hardware compatibility issues, or the PBA boots up after that. The mechanism used here is Dmiconfig. With this option it is available to create a dmi.ini for the current hardware platform with the configuration stated above. |
- Once you have made your selection click Next and go to the next step or continue with the below dialog if configuration policy is selected.
Branding file
-
The Branding file dialog appears.
- Browse and select a new branding file. Click Next to continue.
- The Logging dialog appears.
Logging
- Check Configure logging to set a specific location, filename, and maximum size for the log files generated by the PBA component.
- Clear Configure logging to use the default settings.
- The following options are available:
Option | Details |
---|---|
Path |
Enter a full custom path for the PBA and notification DLL log files either directly into the Path field or click “…” to open a file explorer. Remember to enter the log file name and *.log extension. |
Size |
Set the maximum log file size. |
- Once you have made your selection, press Next to continue.
Emergency Recovery Information (1/3)
- The first of three Emergency Recovery Information dialogs appears:
The following options are available:
Option | Details |
---|---|
Configure emergency recovery file settings |
Check this option if you want to either allow the use of unprotected ERI files or set a minimum password length for the ERI file (up to 63 characters). NOTE: Leaving the option unchecked will automatically use the default of an 8-character minimum password and generating a private ERI specifically for this computer. |
Allow using no password for saving emergency recovery information |
Check this option to generate a password-free ERI file (not recommended). |
Minimum required password length |
Enter the minimum length of the password. |
Private emergency recovery information |
Check this option if you want only ERI files generated on this computer to be able to recover this computer (recommended). If you leave this option unchecked, an administrator can access this computer using an ERI file generated on a similar system. |
- Once you have selected, click Next and ,proceed with Administration password setting or continue with the dialog below if configuration policy is selected.
Administration Password Setting
- The Administration password setting dialog appears.
- Select Set the administration password check box to specify the administration password.
- Enter administration password and confirm it in respective text boxes.
- Once you have made a selection click Next to continue.
Emergency Recovery Information (2/3)
- The second Emergency Recovery Information options dialog appears:
The following options are available:
Option | Details |
---|---|
Emergency recovery password |
The password is used to access the ERI file in an emergency. Remember to enter the minimum number of characters as defined in step 10 (if you are using the default then enter a password between 8 to 63 characters). |
Confirm password |
Confirm the password for the ERI file. |
Path for ERI file |
The location to which the ERI file is saved. Either enter the path for the ERI file manually or click ‘…’ to browse for a location. Remember that this location must be accessible from the target computer! For details about ERI copies, see Creating an ERI file. |
- Make your selection and click Next.
If you choose to save the ERI file to the local hard disk, and your hard disk is already encrypted, then a dialog will appear to remind you that saving the ERI file to encrypted location is not a good idea. If you do save the ERI file to the local drive then please transfer it to an unencrypted network, or external drive (USB stick recommended), as soon as possible so that it is accessible in an emergency.
Emergency Recovery Information (3/3)
- The last Emergency Recovery Information options dialog appears:
The following options are available:
Option | Description |
---|---|
Cache Emergency Recovery Information on disk |
Check this to store the ERI on the hard disk. |
Define the user account that will store the Emergency Recovery Information |
Check this option if you want a specific user to be able to store ERI |
Username |
The Windows credentials username. |
Domain |
The Windows credentials domain. |
Account Password |
The Windows credentials password. |
- Make your selection and click Next to continue.
Authentication Options
- The Authentication Options dialog appears:
- Enable the method of authentication you want to implement on the target computer (this will affect which dialogs are displayed hereafter). You can implement both user ID/password (Windows credentials) and smart card authentication. Select Enable ACHI boot options (this option enables only if the BIOS is set to AHCI-mode) and if a dmi.ini file already exists, the user will be asked to overwrite it or not.
- Make your selection and click Next to continue.
Smart card reader/PKCS#11 provider
- The Smart card reader/PKCS#11 provider dialog appears:
Use the following options to determine the smart card reader and provider:
Option | Details |
---|---|
Choose a smart reader
|
Set Configure the smart card reader and provider check box to choose a reader and provider. Select the card reader you want to use for PBA from the drop-down list (choosing a specific card reader vendor will decrease the amount of time it takes the computer to start; choosing Automatically detect card reader will mean that all the smart card-reader vendors will be checked upon startup, therefore increasing the startup time). |
Use PKCS#11 provider
|
Select the PKCS#11 provider mechanism on the smart card by selecting it from the combo box. (Selecting Automatically detect provider will mean that all the providers will be checked upon startup - this setting does not work with several smart cards). |
- Once you have made your selection, click Next to continue.
Certificates
- The Certificates dialog appears:
This dialog enables you to define the criteria for selecting the certificate used for encryption. Certificates can be distinguished by labels or key usage.
Option | Details |
---|---|
Label |
The term ‘Label’ refers to the filename of the certificate file on the smart card, for example User Certificate. Follow these steps to add a certificate based on a Label:
The following warning messages appears if there is no certificate Label defined: |
Key usage |
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing, enable the Digital Signature and/or Non-repudiation extensions. Alternatively, if a key is used only for key management, enable Key Encipherment. Follow these steps to add a certificate based on Key usage:
|
Match policy |
Select one of the following policies:
|
-
Click Next to continue.
Single sign-on
- The Single sign-on dialog appears.
- Use the options in this dialog to determine an SSO method to Windows.
The following options are available:
Option | Details |
---|---|
Default logon method |
Select the default logon method from the combo box. Choose between Windows credentials (user ID/password based) or smart card-based logon. Both logon methods can be available at boot time. |
Default PBA boot mode |
Select the default PBA boot method.
For details, please refer to Boot mechanisms for additional information. |
Enable single sign-on for authentication user credentials |
Check this option if you want PBA to take care of the traditional username/password/domain logon to Windows (you will be required to enter the password only once at startup, make sure that the password is no longer than 32 symbols.). |
Enable single sign-on for authentication via smart card |
Check this option if you already use a smart card (with X.509 certificates) to logon to the Windows domain. |
- Click Next to continue.
Locking
- The Locking dialog appears. This page allows to set the PBA login behavior.
The following options are available:
Option | Details |
---|---|
Configure locking
|
Use this option to enable the authentication locking mechanism where you can define the number of login tries before PBA locking. |
Maximum number of failed logins
|
This option limits the total number of attempts a user needs to successfully login to the Matrix42 Full Disk Encryption Pre-Boot Authentication component. |
Failed logins till login is delayed
|
This option penalizes the user after entering their credentials incorrectly. This value must be lower or equal to the maximum number of failed logins. |
- Select the options and click Next.
Pre-boot options
- The first Pre-boot options dialog appears.
Use this dialog to determine, which pre-boot options will be available to the end user in the PBA component:
- Disable login method change: Check this option to disable switching between authentication methods in the PBA component.
- Disable PBA advanced options: Check this option to disable access to the PBA log options as well as the PBA advanced options.
- Allow only numeric PIN entries: This option allows only numeric smart card PIN entries.
- Disable PIN change (in HelpDesk): Check this option to prevent smart card users from changing their PIN during the PBA HelpDesk procedure.
- Disable PIN reset (in HelpDesk): Check this option to prevent smart card users from resetting their PIN during the PBA-HelpDesk procedure.
- Select screen resolution: change screen resolution if the default one doesn’t fit.
- "Without DRM” mode: select this boot mode option if there are problems with graphic card and PBA loading.
- Disable PBA: temporarily deactivate PBA so that the computer can be rebooted without the need for authentication in the PBA. This can be permanent or configurable for ‘n’ reboots.
- Disable Adaptive Boot mode. Adaptive Boot mode is used to automatically select the PBA boot mode that is needed for correct operating system boot. If the problem phase is identified, a user is informed. By default, Adaptive boot mode is enabled. For details about available boot modes, see boot mechanisms.
- Re-enable PBA after ‘n’ reboots: Use this option to allow the user/admin to reboot the computer a specific number of times before the PBA is automatically re-enabled.
- Power off PBA after ‘n’ seconds: Set whether the PBA should turn the computer off if the PBA is left unattended for a configurable number of seconds.
- For further information, please refer to Installation and Troubleshooting.
- Click Next to continue.
Customize background and keyboard layout
- The second Pre-boot Options dialog appears.
- This dialog allows you to customize the PBA background and keyboard layout.
Select one of the Background image options for the PBA logon dialog:
- Default to use a default PBA image.
- Sync desktop wallpaper to use an individual desktop wallpaper of each computer where PBA is launched.
- Sync lock screen wallpaper to use an individual lock screen wallpaper of each computer where PBA is launched.
- Custom to select an optional background image in the Custom image path field. The image is automatically resized to the correct resolution and color depth for the PBA screen: 800x600 pixels, 24-bit.
Consider that the custom background image path must be accurate and valid. If you intend to use a specific background image to many target computers, then the image must either be located locally on each target computer, or on a network drive that uses local system access.
If you choose to copy the image to each target computer, then copy it per software distribution to the C:\WINDOWS\NAC\ directory. Matrix42 recommends copying the image to each target computer.
Keyboard layout for text-based and graphical Simple PBA (UEFI): only German and English layouts are supported. Directly in the mode, language switch is available only in graphical Simple PBA.
Keyboard layout for text-based Simple PBA (BIOS): only English layout is supported.
Integrity checking is the guarantee that the Linux PBA components are protected against tampering by third parties. The following levels are available:
- High level (highly recommended) will check first and second-level hashes and offers the most security but is slower than the other two. This is the default parameter.
- Middle level will check first-level hashes only and offers a compromise between speed and security.
- Low level (not recommended) - No integrity checking is performed which means the PBA will boot quicker, but there is no security against tampering by third parties.
Press Next to continue.
HelpDesk keys and Friendly Network
- The HelpDesk keys and Friendly Network dialog appears.
- This dialog allows you to configure the HelpDesk keys for use in an emergency. Once the HelpDesk is configured, you can activate Friendly Network.
- For further information, please refer to Installation and Troubleshooting.
- Click Next to continue.
Windows credentials
- The Windows credentials user dialog appears.
- This dialog helps you to define the users to be authenticated to the system via their Windows user account details.
- For further information, please refer to Installation and Troubleshooting.
- Click Next to continue.
Smart Card
- The Smart card user dialog appears.
- This dialog helps you to define the users to be authenticated to the system via their smart card details.
- For further information, please refer to Installation and Troubleshooting.
- Click Next to continue.
Messages
- The Messages options dialog appears.
- The messages below are shown only on computers with Windows versions below Windows 10.
Option | This option determines if... |
---|---|
Show status dialogs |
… status dialogs should be displayed on the target computer during policy deployment. |
Show warning messages
|
… warning messages should be displayed on the target computer during policy deployment. If you do not select this option, warning messages are suppressed. |
Show error messages
|
… error messages should be displayed on the target computer during policy deployment. If you do not select this option, error messages are suppressed. |
Show success messages
|
… success messages should be displayed on the target computer that relate to individual policy tasks during deployment. |
Show other messages
|
… information messages should be displayed on the target computer during and after policy deployment. If you do not select this option, information messages are suppressed. |
- Make option selection and click Next.
Administration password options
- The Administration password options dialog appears.
- Enter and confirm the administration password to be used on the target computer.
- Click Next to continue.
Policy Location
- The Policy location dialog appears:
The following options are available
Option | Details |
---|---|
Policy file Path
|
Enter the path for the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |
Create an unencrypted copy of the policy
|
Check this option to create an unencrypted copy of the policy (recommended for reconfiguration). If you want to reconfigure a computer that has already been configured using a policy, then check this option - the Policy Builder can only open an unencrypted policy to edit the settings. |
Plain copy of policy
|
Enter the path for the plain copy of the policy in this field by clicking ‘…’ and selecting a location and filename for the file in the file browser. |
- If you want to use your configuration policy for remote deployment, then name the encrypted file Autoconf.PBA (the policy will not be recognized by the target computer as a deployment policy if it has any other name).
- Use the plain copies to create new policies for future changes in configuration.
- Enter the path for your policy and click Finish to complete the procedure.
For security reasons, encrypted policies cannot be edited with the FDE Policy Builder.