Network pre-boot (UEFI)
The settings on the Network Pre-Boot (UEFI) tab are available for both DriveLock Disk Protection and DriveLock BitLocker Management, depending on the license, as DriveLock pre-boot authentication is used for both modules.
The following settings are possible on the tab:
- Check the Enable network pre-boot authentication option to enable the feature. On its own this does nothing: you must also select at least one of the two logon options below (automatic network logon or AD logon).
- The Allow automatic logon to the network option enables authentication to the client computer without any user interaction, provided that a network connection is available.
Once the policy with this setting is assigned to the DriveLock Agent (client computer), the following happens in the background:
  - a special network user (the 'AutoLogon user') is created in the PBA database, along with an auto-generated password
  - an RSA key pair is exchanged between the DriveLock Agent and the DriveLock Enterprise Service (DES)
Automatic logon to the PBA only occurs if this key exchange is successful.
Note that with automatic logon alone, the client operating system can only be started if there is a network connection between the DriveLock Agent and the DES; keep Allow other logon methods selected (see below) if the computer must also boot offline.
See this use case for more information.
- Allow other logon methods: When you select automatic logon, this option is also selected by default. It guarantees that authentication is still possible even without a network connection.
If you clear this checkbox, local logon and logon via the challenge-response method are no longer possible. Should the network configuration become invalid, the system can no longer be booted at all. All user accounts are automatically deleted from the PBA, and AD synchronization and user import are disabled!
- Number of network logons to be successfully completed before disabling failsafe: The default value is 3.
Context: An additional local AutoLogon user is configured in the network PBA as a failsafe in case the network PBA cannot boot over the network.
Once the specified number of successful network logons has been performed, the local AutoLogon user is deleted; from then on the system can only boot via network autologon.
This option can only be set initially; it has no effect on systems that are already deployed. For security reasons, do not choose too high a number: as long as the local AutoLogon user exists, the computer can be booted without contacting the DES.
- Allow logon via Active Directory (AD): Select this option to let users log on to the PBA with their Active Directory credentials.
- Allow network logon for all AD users: Select this option so that users who are already known in AD but not yet in the PBA database can also log on.
See this use case for more information.
- User logon must only occur via network authentication: The network PBA only permits a logon if the user's credentials can be verified online against AD. A network connection is therefore a prerequisite; without a network, only the challenge-response procedure is available.
- Number of automatic retries until the network connection is established: Specify how many times the system automatically tries to establish a network connection.
- Time between retries: Specify the number of seconds between retries. The default is 5 seconds.
Example: To give a router enough time to bring up the network connection, increase the number of automatic retries and adjust the pause accordingly. The PBA then waits at most roughly retries × pause seconds before it gives up on the network. If the pause is set to 0, the next attempt follows immediately.
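The settings above interact in ways that are easy to get wrong: a client whose failsafe user has already been deleted and whose policy clears Allow other logon methods cannot boot without the DES. The following model is an added example, not DriveLock code; it encodes the rules stated on this page (automatic network logon, the failsafe counter, Allow other logon methods, retries and pause) so that an administrator can check which combinations still boot offline. The class and function names, the `probe` callback that stands in for "DES reachable and key exchange succeeded", the assumed retry default of 3, and the assumption that the PBA pauses after every failed attempt are all mine.

```python
"""Model of the network PBA boot decision described on this page.

Added example, not DriveLock code. It reproduces the documented rules so
the offline-boot consequences of a policy can be checked before rollout.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class NetworkPbaPolicy:
    """Settings from the Network Pre-Boot (UEFI) tab."""
    enable_network_pba: bool = True
    allow_auto_logon: bool = True
    allow_other_logon_methods: bool = True   # selected by default with auto logon
    failsafe_logons_required: int = 3        # page default
    retries: int = 3                         # assumed value; the page gives no default
    pause_seconds: int = 5                   # page default


@dataclass
class ClientState:
    """Per-client state that persists across boots (model, not the PBA database)."""
    successful_network_logons: int = 0
    local_autologon_user_present: bool = True   # the local failsafe AutoLogon user


def worst_case_wait(policy: NetworkPbaPolicy) -> int:
    """Seconds spent retrying before the PBA stops waiting for the network.
    Assumption: a pause follows every failed attempt, including the last."""
    return policy.retries * policy.pause_seconds


def try_connect(policy: NetworkPbaPolicy, probe: Callable[[], bool]) -> Tuple[bool, int]:
    """Retry the network probe up to policy.retries times.
    `probe` returns True when the DES is reachable and the key exchange succeeded."""
    elapsed = 0
    for _ in range(policy.retries):
        if probe():
            return True, elapsed
        elapsed += policy.pause_seconds
    return False, elapsed


def boot_decision(policy: NetworkPbaPolicy, state: ClientState,
                  probe: Callable[[], bool]) -> str:
    """Return the logon path the PBA ends up offering for one boot."""
    if not policy.enable_network_pba:
        return "local or challenge-response"        # no network PBA features at all
    connected, _ = try_connect(policy, probe)
    if connected and policy.allow_auto_logon:
        state.successful_network_logons += 1
        # After the configured number of successful network logons the
        # failsafe user is deleted and only network autologon remains.
        if state.successful_network_logons >= policy.failsafe_logons_required:
            state.local_autologon_user_present = False
        return "network autologon"
    if policy.allow_auto_logon and state.local_autologon_user_present:
        return "local failsafe autologon"           # boots without the DES
    if policy.allow_other_logon_methods:
        return "local or challenge-response"
    return "no boot"                                 # the case to avoid


def simulate(policy: NetworkPbaPolicy, state: ClientState,
             online_per_boot: List[bool]) -> List[str]:
    """Run a sequence of boots; each entry says whether the DES was reachable."""
    return [boot_decision(policy, state, lambda online=online: online)
            for online in online_per_boot]


if __name__ == "__main__":
    strict = NetworkPbaPolicy(allow_other_logon_methods=False)
    client = ClientState()
    # Three online boots consume the failsafe, the fourth boot is offline.
    print(simulate(strict, client, [True, True, True, False]))
```

Running the block shows the three network autologons followed by "no boot": once the failsafe user is gone, a policy without Allow other logon methods leaves no offline path. Keeping the default policy instead yields "local or challenge-response" on the offline boot.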