Pre-Login Tunnel Connection for Windows


Pre-Login Tunnel Connection allows users to establish a secure Harmony SASE tunnel before signing in to the Windows operating system. This capability enables access to private organizational resources, such as on-premises Active Directory (AD), even when users are outside the corporate network and have not yet logged in to their device.

When enabled, the Harmony SASE agent authenticates the user and creates a secure tunnel directly from the Windows login screen. This ensures that required Private Resources are available during the Windows sign-in process.

Note: This feature is available in Early Availability (EA). For access, contact Check Point Support.

Use Cases

  • New Device Provisioning for Remote Users: Remote users who receive a new PC might need access to an on-premises Active Directory domain defined as a Private Resource. Since AD access requires an active secure tunnel, Pre-Login Tunnel Connection allows the tunnel to be established before the first Windows sign-in.

  • Remote Troubleshooting and IT Support: If users cannot sign in to Windows or require assistance before sign-in, Pre-Login Tunnel Connection provides secure connectivity to Private Resources from the sign-in screen. This allows IT teams to reach the systems they need and provide troubleshooting support securely.

Prerequisites

  • Harmony SASE agent version 12.5 or higher is installed on the endpoint.

  • The Harmony SASE agent is connected to the organization workspace.

  • Pre-Login Tunnel Connection is enabled at the tenant level.

  • Users have access to a secondary authentication device, such as a mobile phone for multi-factor authentication approval.
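The first prerequisite (agent version 12.5 or higher) is the one most easily verified from the endpoint itself. The following PowerShell script is an added example for this page, not Check Point tooling; it enumerates the Windows Uninstall registry keys, matches the agent by display name, and compares the installed version against the 12.5 minimum. The display-name pattern and the exit codes are assumptions; adjust the pattern to the name the agent registers in Apps & Features on your build.

```powershell
# Added example (not Check Point's own script): verify the "agent version 12.5 or higher"
# prerequisite on a Windows endpoint before expecting Pre-Login Tunnel Connection to work.
# ASSUMPTION: the agent registers an Uninstall entry whose DisplayName matches $NamePattern.
$MinimumVersion = [version]'12.5'
$NamePattern    = '*Harmony SASE*'

# Both 64-bit and 32-bit (WOW6432Node) uninstall hives are checked.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$agents = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion }

if (-not $agents) {
    Write-Warning "No installed package matching '$NamePattern' was found; install the agent first."
    exit 1   # assumed exit code: agent missing
}

$failed = $false
foreach ($agent in $agents) {
    # DisplayVersion strings are not always strict major.minor[.build[.revision]];
    # keep only the leading numeric prefix and drop any trailing dot before casting.
    $numeric = (($agent.DisplayVersion -replace '[^0-9.].*$', '')).TrimEnd('.')
    if ($numeric -notmatch '^\d+\.\d+') {
        Write-Warning ("{0}: version string '{1}' is not parseable" -f $agent.DisplayName, $agent.DisplayVersion)
        $failed = $true
        continue
    }
    $installed = [version]$numeric
    if ($installed -ge $MinimumVersion) {
        Write-Output ("OK: {0} {1} meets the minimum {2}" -f $agent.DisplayName, $installed, $MinimumVersion)
    } else {
        Write-Warning ("{0} {1} is below the required {2}; upgrade before relying on Pre-Login Tunnel Connection" -f
            $agent.DisplayName, $installed, $MinimumVersion)
        $failed = $true
    }
}

if ($failed) { exit 2 }   # assumed exit code: prerequisite not met
```

Run it from an elevated prompt so both registry hives are readable. A non-zero exit code lets the check be used in a provisioning or compliance pipeline; the remaining prerequisites (workspace connection, tenant-level enablement, MFA device) are confirmed in the agent UI and the tenant administration console rather than from the endpoint registry.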

Limitations and Technical Notes

  • Shared Device Protection (Multi-User Environments): If Shared Device Protection is enabled, Pre-Login Tunnel Connection is not supported.

  • Device Posture Check (DPC): Device Posture Check is not performed while the OS user is logged out. DPC runs automatically after the user signs in to Windows.

  • Agent Upgrade Enforcement: Agent upgrades cannot be enforced while the OS user is logged out. Any pending upgrade enforcement occurs immediately after Windows login.

  • Network Selection: Manual network selection is not available in pre-login mode. The agent connects automatically to the last connected network, or to the default network on first connection.

  • Trusted Network Detection: Trusted Network detection is disabled during pre-login mode and resumes after Windows login.

  • Internet Access Only License: Users with an Internet Access only license cannot use the Pre-Login Tunnel Connection feature.

Enabling Pre-Login Tunnel Connection

Pre-Login Tunnel Connection is controlled at the tenant level (see Prerequisites) and applies to all users in the tenant. Once it is enabled for the tenant, users connect from the Windows sign-in screen as follows:

  1. Turn on the Windows device.

  2. On the Windows sign-in screen, click the Network icon.

    The pre-login agent opens and displays a QR code.

  3. Use a secondary device to scan the QR code.

  4. On the secondary device, verify the matching code and complete authentication.

  5. After successful authentication, the Harmony SASE agent establishes a secure tunnel.

    Note: The agent displays a connection status such as “Connected to <Tenant Name>”, where <Tenant Name> is your organization’s configured tenant name.

  6. Sign in to Windows.
    The device can access required Private Resources, such as Active Directory, and the secure session continues uninterrupted.