If you use role-based administration:
- You must have the Policy
setting - full disk encryption right to edit a full disk
encryption policy.
- You cannot edit a policy if it is
applied outside your active sub-estate.
For more information, see About roles and sub-estates.
By default, computers that use a full disk encryption policy are protected by
Power-on Authentication.
To configure how users log on at the Power-on
Authentication on their computers:
-
Check which full disk encryption policy is used by the group or groups of
computers you want to configure.
-
In the Policies pane, double-click Full disk
encryption. Then double-click the policy you want to
change.
The Full Disk Encryption dialog box is
displayed.
-
Go to Power-on Authentication (POA).
-
Make sure that Enable Power-on Authentication is
selected.
In addition, you can specify Windows accounts that can log on to endpoint
computers for post-installation tasks without activating the Power-on
Authentication:
-
Click the Exceptions button next to the
Enable Power-on Authentication field.
The Exceptions dialog box is
displayed.
-
Click Add, enter the User
name and the Computer or Domain
Name of the relevant Windows account(s) and click
OK.
Note: In the fields User name and
Computer or Domain Name you can use
wildcards as the first or last character. In the User
name field, the ? character is not allowed. In the
Computer or Domain Name field, the
characters / \ [ ] : ; | = , + ? < > " are not allowed.
-
Select Fingerprint, to enable users to log on with
Lenovo Fingerprint Reader.
-
To specify a user who can log on to the endpoint computer for administrative
tasks when the Power-on Authentication is already active, select POA
user and click the Configure
button.
-
In the Configure POA User dialog box, enter a
logon name of your choice for the POA user in the User
name field. You can freely define the logon name, with
the following exceptions:
Note: In the User name field, the characters / \
[ ] : ; | = , + ? < > " * are not allowed.
Note: When setting up and entering logon names for POA users in
Japanese, you have to use Romaji (Roman) characters to successfully
log on at the POA.
-
Click the Set button next to the
Password field.
The POA User Password dialog box is
displayed.
-
Enter and confirm a password for the POA user account and click
OK.
Note: When setting up and entering passwords for POA users in Japanese,
you have to use Romaji (Roman) characters to successfully log on at
the POA.
-
In the Configure POA User dialog box, click
OK.
-
To configure the temporary deactivation of the Power-on Authentication for Wake
on LAN, select Temporary deactivation (for Wake on
LAN).
-
In the Full Disk Encryption dialog box, click
OK.
Note: If you clear Enable Power-on Authentication, you are
prompted to confirm if you want to disable Power-on Authentication or not. For
security reasons, we strongly recommend that you click No to
keep Power-on Authentication enabled. Deactivating Power-on Authentication reduces
system security to Windows logon security and increases the risk of unauthorized
access to encrypted data.