I apologize if this has been asked elsewhere, but I haven't been able to find anything that addresses this particular issue up to this point. I am using ePO 4.6.8 and DE 7.1. Everything else with DE has been working as intended.
When logging into Drive Encryption during the pre-boot authentication step I cannot seem to figure out how to enforce a lockout policy at this point while having Single Sign On (SSO) enabled. It seems based on the Best Practices document that you cannot force User Based Policies (UBP) at just this stage and if you're using SSO, UBP password parameters should not be used due to the potential for conflicts. I tried using UBP for a particular user anyways to see if it would at least enforce during pre-boot and it didn't seem to make a difference either way. I have checked to make sure that all applicable policies are being enforced to the systems/users that they apply to.
The crux of the issue is that it would allow a potential attacker to attempt the username/password as many times as they would like and if in the off-chance that they were to actually get in, SSO would take them straight to the desktop -- this of course cannot happen. Am I missing something obvious here?
I would certainly appreciate any help/insight.
On the Password tab of the User Based Policy that you are applying to the machine or user (via Policy Assignment Rules), this is the option that controls incorrect password attempts.
There is no option to timeout username attempts. However, there is an option to not display the previous username. This option is in the Product Settings policy on the Log On tab.
Thanks for your reply.
I have set these parameters and then assigned the policy to both a group of machines as well as a specific user. My problem is that it doesn't seem to work during the preboot authentication. I am using SSO so as soon as the correct password is entered in preboot authentication it automatically logs into windows for that account. I'm guessing these parameters would work if I was not using group policy and SSO at the Windows log in for an encryption user, but where I need something to work is during the preboot authentication portion:
Hopefully that makes sense, thanks!