Monday, April 13, 2009

Pointsec for PC: Can't enable WIL, User Account not working.

The help desk brought me a strange Pointsec problem today. I'm not even sure how to describe it properly. They had a customer computer that had been locked out and was requiring authentication at the Pre-Boot Environment, but the password that I had provided for the help desk to use was not working. I also found that my personal password that I use for Pointsec was not working either. This was very concerning, but luckily I was able to log in with a third user account that I had built into the Installation profile used to install Pointsec on this machine.

I checked the Enable WIL checkbox in the preboot environment and booted into Windows like normal. Then I opened up the Management Console and I was able to log in with the accounts that were being denied in the Pre-Boot Environment. Weird! I also double-checked that Windows Integrated Logon was turned back on and rebooted. I expected the machine would boot directly into Windows, but it stopped at the Pre-Boot Environment and challenged me for credentials again.

You may be aware that there are actually two places where you have to enable Windows Integrated Logon (WIL). If you already know this, skip this paragraph. One place is the Management Console in Windows, which I just looked at. The other is the Pre-Boot Customization menu. If WIL isn't turned on in BOTH places, you have to authenticate in the Pre-Boot Environment. To access the Pre-Boot Customization menu, hold down both Shift keys while the computer is booting and displays "Pointsec for PC" in the upper left of the screen.

But on this machine, when I held down both Shift keys during the boot process, nothing happened. I am not able to access the Pre-Boot Customization Menu! WTF! I feared that I was going to have to call Check Point Support before this poor soul could have his laptop back.

But instead, I decided to create a user account for him in Pointsec and set up single sign-on for him. That way he could work on the time-sensitive stuff he had to do and bring the computer back to us when he could stand to be without it for a while. I created the account, saved the settings, and rebooted. Surprise! Windows Integrated Logon worked this time.

My guess is that by creating another user account, Pointsec updated the authentication database and other settings for the Pre-Boot Environment, which turned Windows Integrated Logon back on. So now he is able to work, but I am still not able to get into the Pre-Boot Customization Menu. I'll have him come back later and we'll probably just reimage this machine. I wanted to share this with all of you just in case you run into this problem, so you'll have a dirty fix if you're in a jam. I looked at the Check Point knowledge base and wasn't able to find anything that looks similar to this.

1 comment:

computer Help Desk said...

Thanks for sharing this info article with us.