How Windows Start Before Logon Works

Background

Windows Start Before Logon (SBL) is a Windows-specific workflow where the device is able to connect to a remote network at the Windows logon prompt, before the user has authenticated themselves on their machine. This is normally achieved using a traditional VPN network connection, usually to access a domain controller for authentication and/or group policy application.

Twingate supports the SBL workflow using the following combination of supported functionality:

Device-only Resource Policies
Twingate Windows Client [v1.0.14 or later]
(Recommended) Trusted Devices

If you are looking to use SBL with your Active Director Domain Controller, we also recommend reviewing our use case on Active Directory with Twingate.

Example Configuration: Domain Controller access via SBL

After completing the following steps, you will have the following configuration:

Users will need to sign in to Twingate at least once every 30 days.
Your domain controllers will be accessible to users that must be on Windows devices that are also marked as trusted in Twingate.
Domain controllers will be accessible at the Windows logon prompt as long as users have signed into Twingate within the last 30 days.

Add your Domain Controller addresses as Resources in Twingate. Follow the instructions available in our Active Directory with Twingate example.
Create a Group and add the Domain Controller Resources to the group. You should also add Users you wish to access these Resources to the Group. An example is shown in the screenshot below.

Create a new Resource Policy called “Windows SBL”. Select “Create Resource Policy” from the “Policies” tab in the Admin console.
Disable user authentication requirements for the Windows SBL Policy, and enable device requirements. In the example below we have restricted access to Windows devices only, and added the additional requirement that the device must be marked as trusted for access to be authorized.

Modify the Resource Policy for the Group you created in step 2. This enables the device-only policy specifically for the Resources and Users that are in this Group.

Verify the Minimum Authentication Requirements session length matches your requirements. Minimum Authentication Requirements are applied when users sign in to the Twingate Client application. Unless the configuration is modified, the session length defaults to 30 days, which means that users must re-authenticate at least once every 30 days for the Client to remain signed in. This session length persists across machine restarts or re-launching the Client application unless the user logs out of the Client. Authentication for Resources then applies as follows:

Device-only Resource Policies, such as the one we have configured here, do not have user authentication requirements, and thus are accessible as long as the Minimum Authentication Requirements session is valid and any device requirements have been met.
Standard Resource Policies, including the Default Policy, include a user authentication requirement, which must always be re-validated between machine restarts or re-launching the Client application.

After following the above steps, the Active Directory resources you have configured will be accessible to users at the Windows logon screen under the following circumstances:

They are using the Windows Twingate Client v1.0.14 or newer.
They have signed in to the Twingate Client application within the last 30 days and have not logged out of the Twingate Client.
They are using a device that has been marked as trusted in Twingate.

Last updated 2 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

How Twingate Works

How DNS Works with Twingate