Monday, June 23, 2008

Pointsec for PC: Preboot Customization

One question I get asked from time to time is what you should do if you boot a computer that is encrypted with Pointsec and nothing happens. I've personally seen this happen one time and my first instinct was to freak out. Here is the story of why I almost freaked out and how I was able to resolve the problem.

It all started when I was rolling Pointsec for PC out to our beta test group. I went over to the Office of Such-and-Such and had a conversation with the office director. Here is how the conversation went:
Me: "Hi. We're testing some disk encryption software and since your office deals with sensitive information, I'd like to test this on some of your computers. I'd like to start with a small group of about five machines that are not mission critical for your office."
Director: "What do you consider non-mission-critical?"
Me: "Any machine that you could live without for a day in case I have to do some major fixing on it."
Director: "OK, let me give you a few."
So I installed Pointsec on a few machines and went on with life. But then I got a call a few days later and was told that Mr So-and-So was not able to log into his machine, in fact the machine wouldn't boot at all. I went over and verified it for myself, when I booted the computer (which worked fine a couple days ago) all I got was a black screen. I decided that I was going to have to do some major fixing on this machine. Here is how the conversation went:
Me: "I need to take this back to my office and start doing some fixing to get it back in working order."
Director: "How long is it going to be gone?"
Me: "A day at the most."
Director: "A whole day? Our office can't work without this computer!"
Me: "What do you mean it can't work without this computer? You were supposed to give me machines that aren't mission critical!"
Director: "We don't have any computers that aren't mission critical!"
Me: "Then you shouldn't have let me install this on any of your computers! Crap, I'll get this done as quickly as possible."
So I disconnected everything from the computer (it was a laptop) and brought it up to my office. When I opened the lid I saw the Windows login screen looking at me. So I brought the machine back and plugged it into everything, and when I turned it on I got the black screen again. Through a process of removing devices and booting I was able to narrow down the problem to a USB smart card reader that he had on his desktop. This left me with a couple of options. I could have told Mr. So-and-So that he had to disconnect the smart card reader when he booted his computer and then plug it in after Windows loads, but that isn't the most user-friendly way of doing things. Instead, I used an update profile to turn off USB devices in the Preboot Environment.

However, there was something I could have done that would have made my troubleshooting process much easier: using the Preboot Customization menu. As you may know, even if you're using Windows Integrated Logon, your computer still moves through the Preboot Environment on the way to Windows. You can alter the Preboot Environment by holding down both shift keys at the same time when the words "Pointsec for PC" appear on the screen. Now, instead of the usual login, you'll be brought to a menu where you can disable USB devices or switch into a low graphics mode and see if either of those fixes your problem.

So for future reference, this should probably be the first thing you take a look at when you're having problems booting a computer running Pointsec for PC. If this had been a desktop I probably would have built a recovery CD right there and gone through a very painful decryption process when there was a very simple fix available.


I especially want to point out the option of disabling Windows Integrated Logon from the Preboot Customization menu. This can be a great way to narrow down whether your boot problem is Pointsec related or a problem with Windows itself. Disable WIL and see if you can log in. If that works, then you can boot to a CD and try to fix Windows, or at least recover some files before you reimage the machine. When I point this out, a lot of people ask me whether you can enable WIL from this menu and use that to bypass logging into the Preboot Environment. The answer is yes, you can enable WIL from this menu, but only if it is also enabled in the management console. So if your users are logging into the Preboot Environment and they try turning on WIL from the Preboot Customization menu, they will not be successful in skipping the login. For all practical purposes, the Preboot menu can be used to turn off WIL, and to turn it back on if it was set in the management console, but if WIL is disabled in the management console then you can't use the Preboot menu to turn it on.
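The rule above (the console setting is a ceiling; the local preboot toggle can only restrict, never extend) is easy to get wrong when explaining it to a help desk, so here is a small model of it, written for this post and not taken from Pointsec itself. The class, field and function names are assumptions made for the model; it encodes only what the post states about the two settings and says nothing about how the product stores them.

```python
# Added example, not Pointsec code: a model of how the Preboot Customization
# menu's WIL toggle interacts with the management-console setting, as the post
# describes it. Names (WilPolicy, effective_wil, ...) are assumptions for this model.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class WilPolicy:
    console_enabled: bool   # WIL as set centrally in the management console
    preboot_enabled: bool   # WIL as toggled locally from the Preboot Customization menu


def effective_wil(policy: WilPolicy) -> bool:
    """WIL is in effect only when both the console and the preboot menu enable it.
    The local toggle can therefore switch WIL off, but cannot switch it on
    unless the console already allows it."""
    return policy.console_enabled and policy.preboot_enabled


def preboot_login_required(policy: WilPolicy) -> bool:
    """The user sees the Preboot Environment login whenever WIL is not in effect."""
    return not effective_wil(policy)


def local_change_takes_effect(policy: WilPolicy, requested: bool) -> bool:
    """Would flipping the preboot toggle to `requested` change what the user sees?
    Turning WIL off always does; turning it on only does when the console allows it."""
    before = effective_wil(policy)
    after = effective_wil(WilPolicy(policy.console_enabled, requested))
    return before != after


def policy_matrix():
    """All four combinations, with the resulting effective state and user-visible outcome."""
    rows = []
    for console, preboot in product([True, False], repeat=2):
        p = WilPolicy(console, preboot)
        rows.append((console, preboot, effective_wil(p), preboot_login_required(p)))
    return rows


if __name__ == "__main__":
    print("console  preboot  effective  preboot_login_required")
    for row in policy_matrix():
        print("  ".join(f"{v!s:>7}" for v in row))
```

The case that matters for the question people ask is `WilPolicy(console_enabled=False, preboot_enabled=False)` with a request to turn WIL on: `local_change_takes_effect` returns `False`, so the user still lands at the Preboot Environment login, which is exactly the behaviour described above.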

3 comments:

tombtek said...

Kevin,

Thanks for the excellent guides. Great stuff! But I have a couple of general Pointsec questions.
What is your view in the WIL vs. Pre-boot debate? In light of the cold boot and firewire tools recently posted, do you believe Pre-boot is better? Or will it just encourage users to leave their machines turned on to avoid the inconvenience of the pre-boot login? Should we disable standby as an option and go with pre-boot? What do you recommend to clients and why (you mentioned in the custom preboot entry that WIL was enabled)? Your insight is appreciated.

Black Fist said...

Thanks for commenting. My Pointsec posts seem to be the most popular stuff on this blog. Your comment inspired me to write a whole blog posting about the subject. You can check it out here.
http://blackfistsecurity.blogspot.com/2008/08/pointsec-for-pc-wil-vs-sso-vs-nla.html

I'm sorry it took so long to get back to you. I need to set up blogger to email me when people make comments so I can be more responsive.

Chad said...

The black screen after PointSec login is caused by certain USB devices being attached at login. You can usually resolve this by booting with no USB devices attached or by going to the BIOS and disabling USB Emulation (this is a big problem on laptops with an external USB CD ROM).