Authentication

Policy Setting Explanation
Access
User may only boot from internal hard disk
Note: This setting is only supported by endpoints with an earlier SafeGuard Enterprise version than 6.1 installed. It was used to enable recovery by allowing the user to start the endpoint from external media. As of version 6.1 this setting does not have any effect on endpoints. For the recovery scenario concerned, you can use recovery with Virtual Clients, see Challenge/Response using Virtual Clients.
Determines whether users may start the computer from the hard drive and/or another medium.

YES: Users can only boot from the hard disk. The SafeGuard POA does not offer the option to start the computer with a floppy disk or other external media.

NO: Users may start the computer from hard disk, floppy disk or external medium (USB, CD etc.)

Logon Options
Logon mode
Determines how users need to authenticate themselves at the SafeGuard POA.
  • User ID/Password

    Users have to log on with their user name and password.

  • Token

    The user can only log on to the SafeGuard POA using a token or smartcard. This process offers a higher level of security. The user is requested to insert the token at logon. User identity is verified by token ownership and PIN presentation. After the user has entered the correct PIN, SafeGuard Enterprise automatically reads the data for user logon.

Note: Once this logon process has been selected, users can only log on using a previously issued token.

You can combine the settings User ID/Password and Token. To test whether logon using a token works, first select both settings. Only deselect the User ID/Password logon mode once authentication using the token has succeeded. To switch between logon modes, allow users to log on at least once while the two settings are combined; otherwise they might run into a logon deadlock. You must also combine the two settings if you want to allow Local Self Help for token logon.

  • Fingerprint

    Select this setting to enable logon with Lenovo Fingerprint Reader. Users to whom this policy applies can then log on with a fingerprint or a user name and password. This procedure provides the maximum level of security. When logging on, users swipe their fingers over the fingerprint reader. Upon successful recognition of the fingerprint, the SafeGuard Power-on Authentication process reads the user’s credentials and logs the user on to Power-on Authentication. The system then transfers the credentials to Windows, and the user is logged on to the computer.

    Note: After selecting this logon procedure, the user can only log on with a pre-enrolled fingerprint or a user name and password. Token and fingerprint logon procedures cannot be combined on the same computer.
Display unsuccessful logons for this user
If this is set to Yes: After logon at the SafeGuard POA and Windows, a dialog is shown containing information on the last failed logon (user name/date/time).
Display last user logon
If this is set to Yes: After logon at the SafeGuard POA and Windows, a dialog is shown containing information on the
  • last successful logon (user name/date/time)

  • last user credentials of the logged on user

Disable 'forced logoff' in workstation lock
Note: This setting only takes effect on endpoints with Windows XP. Windows XP is no longer supported as of SafeGuard Enterprise 6.1. This policy setting is still available in the SafeGuard Management Center to support SafeGuard Enterprise 6 clients managed with a 7.0 Management Center.
If users wish to leave the endpoint for a short time only, they can click Block workstation to lock the computer for other users and unlock it with the user password.

No: The user who has locked the computer as well as an administrator can unlock it. If an administrator unlocks the computer, the currently logged on user is logged off automatically.

Yes: Changes this behavior. In this case, only the user can unlock the computer. The administrator cannot unlock it and the user will not be logged off automatically.
Activate user/domain preselection
Yes: The SafeGuard POA saves the user name and domain of the last logged on user. Users therefore do not need to enter their user name every time they log on.

No: The SafeGuard POA does not save the user name and the domain of the last logged on user.

Service Account List
To prevent administrative operations on a SafeGuard Enterprise protected endpoint from activating the Power-on Authentication and adding rollout operators as users to the endpoint, SafeGuard Enterprise allows you to create service account lists for Windows logon at SafeGuard Enterprise endpoints. The users listed are treated as SafeGuard Enterprise guest users.

Before you select a list here you must first create the lists in the Policies navigation area under Service Account Lists.

Pass through to Windows
Note: For the user to be able to grant other users access to their computer, the user has to be permitted to deactivate logon passthrough to Windows.
  • Let user choose freely

    The user can decide by selecting/deselecting this option in the SafeGuard POA logon dialog whether automatic logon at Windows is to be performed.

  • Disable pass-through to Windows

    After the SafeGuard POA logon, the Windows logon dialog will be displayed. The user has to log on to Windows manually.

  • Enforce pass-through to Windows

    The user will always be automatically logged on to Windows.

BitLocker Options

BitLocker Logon Mode for Boot Volumes

The following options are available:
  • TPM: The key for logon is stored on the TPM (Trusted Platform Module) chip.

  • TPM + PIN: The key for logon is stored on the TPM chip and a PIN is also required for logon.

  • Startup Key: The key for logon is stored on a USB memory stick.

  • TPM + Startup Key: The key for logon is stored on the TPM chip and on a USB memory stick. Both are needed for logon.

    Note: To be able to use TPM + PIN, TPM + Startup Key or Startup Key enable the Group Policy Require additional authentication at startup either in Active Directory or on computers locally. In the Local Group Policy Editor (gpedit.msc) the Group Policy can be found here: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

    To use Startup Key you must also activate Allow BitLocker without a compatible TPM in the Group Policy.

    Note: If the logon mode that is currently active on the system is an allowed fallback logon mode, the logon mode set here is not enforced.
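The notes above name two Group Policy prerequisites (Require additional authentication at startup, and Allow BitLocker without a compatible TPM for Startup Key) plus, implicitly, a working TPM for the TPM modes. The following PowerShell function, an added example that is not SafeGuard Enterprise code, checks those prerequisites on an endpoint before the policy is assigned and reports which protectors currently guard the operating system volume. It assumes the Group Policy is delivered through the standard BitLocker GPO, whose values land under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM), and it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets, so it needs the BitLocker module (Windows 8 or later) and an elevated session.

```powershell
# Added example (not SafeGuard Enterprise code): verify the prerequisites for a
# BitLocker boot-volume logon mode before assigning the SafeGuard policy.
# Assumption: the GPO "Require additional authentication at startup" is stored as
# UseAdvancedStartup = 1 and "Allow BitLocker without a compatible TPM" as
# EnableBDEWithNoTPM = 1 under HKLM\SOFTWARE\Policies\Microsoft\FVE.
function Test-BitLockerLogonModePrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TPM', 'TPM + PIN', 'Startup Key', 'TPM + Startup Key')]
        [string]$LogonMode,
        [string]$MountPoint = $env:SystemDrive
    )

    # Group Policy values as written by the BitLocker ADMX template.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $advancedStartup = [bool]($fve -and $fve.UseAdvancedStartup -eq 1)
    $noTpmAllowed    = [bool]($fve -and $fve.EnableBDEWithNoTPM -eq 1)

    # TPM state: the three TPM modes need a present and initialised chip.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

    $problems = @()
    if ($LogonMode -like 'TPM*' -and -not $tpmReady) {
        $problems += "Logon mode '$LogonMode' needs a ready TPM; none found."
    }
    if ($LogonMode -ne 'TPM' -and -not $advancedStartup) {
        $problems += "'Require additional authentication at startup' is not enabled (UseAdvancedStartup)."
    }
    if ($LogonMode -eq 'Startup Key' -and -not $noTpmAllowed) {
        $problems += "'Allow BitLocker without a compatible TPM' is not enabled (EnableBDEWithNoTPM)."
    }

    # What protects the volume right now, for comparison with the policy being assigned.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    $protectors = if ($volume) { @($volume.KeyProtector.KeyProtectorType) } else { @() }

    [pscustomobject]@{
        LogonMode             = $LogonMode
        TpmReady              = $tpmReady
        RequireAdditionalAuth = $advancedStartup
        AllowWithoutTpm       = $noTpmAllowed
        CurrentProtectors     = ($protectors -join ', ')
        ProtectionStatus      = if ($volume) { $volume.ProtectionStatus } else { 'Unknown' }
        Ready                 = ($problems.Count -eq 0)
        Problems              = $problems
    }
}

# Usage: run in an elevated session on the endpoint before assigning the policy.
Test-BitLockerLogonModePrerequisites -LogonMode 'TPM + PIN' | Format-List
```

A result with Ready set to False and a populated Problems list means the logon mode chosen in the policy cannot be applied on that endpoint and the fallback logon mode will decide what happens instead.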
BitLocker Fallback Logon Mode for Boot Volumes
If the setting defined as BitLocker Logon Mode for Boot Volumes cannot be applied, SafeGuard Enterprise offers the following alternatives for logon:
  • Password: The user will be required to enter a password.

  • Startup Key: The key for logon is stored on a USB memory stick.

  • Password or Startup Key: USB memory sticks will be used only if passwords are not supported on the client operating system.

  • Error: An error message will be displayed and the volume will not be encrypted.

    Note: On clients with version 6.1 or earlier, the values Password or Startup Key and Password are mapped to the old settings USB Memory Stick and Error respectively.
    Note: Passwords are only supported on Windows 8 or later.
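The rules in this section (fall back only when the primary mode cannot be applied, use a USB stick only where passwords are unsupported, do not enforce the policy when the active mode is already an allowed fallback, map values for 6.1 clients) interact in ways that are easy to get wrong when planning a rollout. The function below is an added example, not SafeGuard Enterprise code, that models that resolution so the outcome for a given endpoint can be reasoned about in advance. It assumes the primary mode "cannot be applied" when a TPM mode has no ready TPM or when the Group Policy prerequisites named above are missing, and it assumes that Password on a client that does not support passwords ends in Error; neither condition is spelled out on this page, so treat both as assumptions.

```powershell
# Added example, not SafeGuard Enterprise code: models how the boot-volume logon mode and
# its fallback resolve to the protector that will actually be used, following the rules
# in the policy reference. SafeGuard's real evaluation order is not documented here.
function Resolve-BitLockerBootLogonMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TPM', 'TPM + PIN', 'Startup Key', 'TPM + Startup Key')]
        [string]$LogonMode,

        [Parameter(Mandatory)]
        [ValidateSet('Password', 'Startup Key', 'Password or Startup Key', 'Error')]
        [string]$FallbackMode,

        [bool]$TpmReady = $true,                   # assumption: TPM modes need a ready TPM
        [bool]$RequireAdditionalAuth = $true,      # GPO "Require additional authentication at startup"
        [bool]$AllowWithoutTpm = $false,           # GPO "Allow BitLocker without a compatible TPM"
        [bool]$PasswordsSupported = $true,         # false on Windows 7: passwords need Windows 8 or later
        [version]$ClientVersion = [version]'7.0',  # SafeGuard client version
        [string]$ActiveMode = ''                   # protector already in use on the volume, if any
    )

    # Modes the fallback setting allows (Error allows none).
    $allowedFallbacks = switch ($FallbackMode) {
        'Password or Startup Key' { @('Password', 'Startup Key') }
        'Error'                   { @() }
        default                   { @($FallbackMode) }
    }

    # Note from the reference: an active mode that is an allowed fallback is not overridden.
    if ($ActiveMode -and ($allowedFallbacks -contains $ActiveMode)) {
        return [pscustomobject]@{ Mode = $ActiveMode; Source = 'Active'; Encrypt = $true }
    }

    # Can the primary logon mode be applied? (prerequisites as listed above; assumed conditions)
    $primaryOk = $true
    if ($LogonMode -like 'TPM*' -and -not $TpmReady)             { $primaryOk = $false }
    if ($LogonMode -ne 'TPM' -and -not $RequireAdditionalAuth)   { $primaryOk = $false }
    if ($LogonMode -eq 'Startup Key' -and -not $AllowWithoutTpm) { $primaryOk = $false }
    if ($primaryOk) {
        return [pscustomobject]@{ Mode = $LogonMode; Source = 'Policy'; Encrypt = $true }
    }

    # Clients 6.1 or earlier map the password-based values to the old settings.
    $effective = $FallbackMode
    if ($ClientVersion -le [version]'6.1') {
        switch ($FallbackMode) {
            'Password or Startup Key' { $effective = 'Startup Key' }  # old "USB Memory Stick"
            'Password'                { $effective = 'Error' }
        }
    }

    $mode = switch ($effective) {
        'Password'                { if ($PasswordsSupported) { 'Password' } else { 'Error' } }  # assumption
        'Password or Startup Key' { if ($PasswordsSupported) { 'Password' } else { 'Startup Key' } }
        'Startup Key'             { 'Startup Key' }
        'Error'                   { 'Error' }
    }
    [pscustomobject]@{ Mode = $mode; Source = 'Fallback'; Encrypt = ($mode -ne 'Error') }
}

# Constructed scenarios: a current client without a TPM and a Password or Startup Key fallback ...
Resolve-BitLockerBootLogonMode -LogonMode 'TPM + PIN' -FallbackMode 'Password or Startup Key' -TpmReady $false
# ... the same endpoint running Windows 7, where passwords are unsupported, so the USB stick is used ...
Resolve-BitLockerBootLogonMode -LogonMode 'TPM + PIN' -FallbackMode 'Password or Startup Key' -TpmReady $false -PasswordsSupported $false
# ... and a 6.1 client whose fallback is Password, which maps to Error (volume stays unencrypted).
Resolve-BitLockerBootLogonMode -LogonMode 'TPM' -FallbackMode 'Password' -TpmReady $false -ClientVersion '6.1'
```

The third scenario is the one worth watching in a mixed-version estate: a fallback of Password that works on 7.0 clients silently leaves the boot volume unencrypted on older clients, and the Encrypt field makes that visible.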
BitLocker Logon Mode for Non-Boot Volumes
For non-boot volumes (fixed data drives) the following options are available:
  • Auto-Unlock: If the boot volume is encrypted, an external key is created and stored on the boot volume. The non-boot volume(s) will then be encrypted automatically. They will be unlocked automatically using the auto-unlock functionality provided by BitLocker. Note that auto-unlock works only if the boot volume is encrypted. Otherwise the fallback mode will be used.

  • Password: The user will be prompted to enter a password for each non-boot volume.

  • Startup Key: The keys for unlocking the non-boot volumes are stored on a USB stick.

    Note: Clients with version 6.1 or earlier ignore this policy setting and they use the values defined for the logon mode for boot volumes instead. As the TPM cannot be used for non-boot volumes, USB memory stick or an error message will be used in such cases.
    Note: Passwords are only supported on Windows 8 or later.
    Note: If the logon mode that is currently active on the system is an allowed fallback logon mode, the logon mode set here is not enforced.
BitLocker Fallback Logon Mode for Non-Boot Volumes
If the setting defined as BitLocker Logon Mode for Non-Boot Volumes cannot be applied, SafeGuard Enterprise offers the following alternatives:
  • Password: The user will be prompted to enter a password for each non-boot volume.

  • Startup Key: The keys are stored on a USB memory stick.

  • Password or Startup Key: USB memory sticks will be used only if passwords are not supported on the client operating system.

    Note: Clients with version 6.1 or earlier ignore this policy setting. They instead use the values defined for the fallback logon mode for boot volumes. As they cannot handle passwords, USB memory stick or error message will be used instead.
    Note: Passwords are only supported on Windows 8 or later.
Failed Logons
Maximum no. of failed logons
Determines how many times a user can attempt to log on using an invalid user name or password. For instance, after a user name or password has been entered incorrectly three times in a row, a fourth attempt locks the computer.
Display "Logon failed" messages in POA
Defines the level of detail for messages on failed logons:
  • Standard: Shows a short description.

  • Verbose: Displays more detailed information.

Token Options
Action if token logon status is lost
Defines the behavior after the token is removed from the computer.

Possible actions include:

  • Lock Computer

  • Present PIN dialog

  • No Action

Allow unblocking of token
Determines whether the token may be unblocked at logon.
Lock Options
Lock screen after X minutes inactivity
Determines the time after which an unused desktop is automatically locked.

The default value is 0 minutes, and the desktop will not be locked if this value is not changed.

Lock screen at token removal
Determines whether the screen is locked if a token is removed during a session.

Lock screen after resume
Determines whether the screen is locked if the computer is reactivated from standby mode.