Lockdown Bootstrap Admin

Is it possible to lock down the bootstrap admin account so that it can only be accessed via the management kiosk?

We are using Entra ID to control access to our other admin accounts, with various policies configured for MFA etc.  But the bootstrap admin account is a weak link that I'd like to lock down if possible. 

  • You can disable the bootstrap admin account but make sure you have another account with admin permissions required to perform the admin tasks

    In case you are locked out and need to reset the admin account then a service request with Support is required to perform a challenge \ response key exchange to reset it.


  • thanks, that seems to be an acceptable solution.  Once we are comfortable with authentication for our admin accounts, we will review disabling the bootstrap account.  Our plan is to use Safeguard to manage many of our root/admin accounts, so I need to reduce any risks of people gaining access to Safeguard, disabling the bootstrap account should take care of that.

  • Hi Jody

    Please forgive me if stating the obvious but remember that the bootstrap account is a local account.

    Therefore I would recommend making your new admin account a local user as well with a ridiculously difficult password that is perhaps kept in a safe that requires duel authorisation to access. This account only being used in exceptional circumstances.

    While all access to the SPP interface is via network I have seen cases where bootstrap account was deleted and all admin accounts required external authentication. The external authentication failed and as Tawfiq says, you can recover using the kiosk, it is by design to make is secure, a real pain of a process!

    Just my 5p's worth.

    Good luck with your deployment.