
SEE Full Disk

Remote Decryption

The remote decryption policy is used by Policy Administrators to decrypt all encrypted disk partitions on computers protected by SEE Full Disk without having to physically send a Client Administrator to the location(s) of the computers.

Client computers receiving this policy will commence decryption once the policy has been processed. Processing of the policy takes approximately five minutes.

Creating a Remote Decryption Policy

To create a remote decryption policy, perform the following steps:

1. Right-click Group Policy Objects on the navigation tree.

2. Click New. The New GPO (Group Policy Object Editor) window displays.

3. Type the name of the Group Policy Object you wish to create.

4. Click OK. The new Group Policy Object you created will be displayed in the navigation tree.

5. Right-click the new Group Policy Object on the navigation tree.

6. Click Edit. The Group Policy Object Editor (GPOE) displays.

7. Click Software Settings, expand Symantec Endpoint Encryption, expand Symantec Endpoint Encryption - Full Disk Edition, then click Remote Decryption.

Figure 5.1—Full Disk Computer Policy—Remote Decryption

8. Choose the Change this Setting radio button.

9. Select the Decrypt all disk partitions check box.

Policy Administrator Guide SEE Full Disk

10. Click Save.

11. Close the GPOE window.

12. Drag and drop to link the policy to the target location containing the computers you wish to decrypt.

13. Monitor decryption progress using the Client Monitor.

Monitoring Encryption Status

After you have deployed a remote decryption policy, you can monitor the decryption progress of the computers in your Watchlist by examining the HD Encryption column of the Watchlist. The hard drive encryption status of a computer may be Decrypted, Mixed, Encrypted, or Encrypting. These states are defined in Table 5.1.

Autologon

Basics

Autologon is used by Policy Administrators for remotely deploying software to computers protected by SEE Full Disk. Many software installation packages require one or more restarts of the target computer, and Autologon will automatically authenticate without user or administrator intervention. The Policy Administrator defines a window of time during which Autologon remains active, along with the total number of restarts that may occur within the defined period.

When either the total number of restarts has been reached, the defined time window has elapsed, or the computer shuts down for more than five minutes, the Autologon feature terminates. Once Autologon initiated by a given Full Disk Computer Policy Autologon GPO has terminated, subsequent invocations of the Autologon feature require that you either update the existing GPO and select new Autologon settings or create a new Full Disk Computer Policy Autologon GPO with the desired settings.

The Autologon policy will take effect approximately five minutes after receipt.

Because this policy temporarily bypasses the normal logon process for SEE Full Disk, computers receiving this policy will be in a state of heightened vulnerability while Autologon remains active. To minimize the associated risks, make certain that you carefully review the number of reboots allowed and the inclusive dates and times that Autologon will remain active before linking a GPO containing this policy.

Table 5.1—Partition Encryption States

| Status | Definition |
|---|---|
| Decrypted | The partitions are in a decrypted state. |
| Mixed | The partitions are in a mixture of states, neither fully encrypted nor fully decrypted. |
| Encrypted | The partitions are in an encrypted state. |
| Encrypting | The partitions are in the process of being encrypted. |
| Decrypting | The partitions are in the process of being decrypted. |


Policy Creation

This section explains the options found on the Full Disk Computer Policy - Autologon panel shown in Figure 5.2.

Figure 5.2—Full Disk Computer Policy—Autologon

When the default option Boot only after user authentication to SEE is selected, the Autologon feature is deactivated, and Client Computers receiving the policy will only boot after user authentication. To activate the Autologon feature, select the Boot up to radio button and type the maximum number of Autologon restarts you wish to occur, from 1–999, in the text box.

Autologon will deactivate itself if either the specified number of restarts has been reached or the specified active period has elapsed. Autologon will also automatically deactivate itself five minutes after the computer has been shut down, thus limiting exposure should the computer be stolen while an Autologon policy is in effect.

When the Autologon feature is activated, use the eight controls provided to define the inclusive starting and ending period during which the Autologon feature will be active. The start and end dates and times must be within a valid range in order for the Autologon feature to function as intended.

Indefinite Autologon

Autologon can also be used to suppress SEE Full Disk authentication indefinitely. To turn on this indefinite Autologon mode, choose an ending year of --- in the drop-down list box. In this mode, it is recommended that you follow good security practices to secure the computer, such as setting a Windows administrator password and requiring token-based Windows authentication. Remove this policy to restore the secure authentication provided by SEE Full Disk. Note that the five-minute self-deactivation behavior is suppressed when indefinite Autologon mode is used.

If a Client Computer has a pending lockout condition due to a failure to communicate within the period of time specified in either the Full Disk Installation Settings Client Monitor or Full Disk Computer Policy Client Monitor panels, an applied Autologon policy will pre-empt the lockout condition for as long as the Autologon policy is in effect. This is to ensure that a communication lockout condition does not disrupt the completion of the Autologon process.
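The Autologon termination rules described above (restart count, active period, more than five minutes powered off, indefinite mode), modelled as an added example for reviewing a proposed policy before linking it. This is not code from the guide or the product: the function name, event format and timeline are constructed, and treating the restart count as unenforced in indefinite mode is an assumption.

```python
from datetime import datetime, timedelta

# Documented rule: Autologon ends once the computer has been off for more than five minutes.
SHUTDOWN_GRACE = timedelta(minutes=5)

def autologon_end(start, end, max_restarts, events):
    """Model (an assumption, not vendor code) of when an Autologon policy stops applying.

    start/end: inclusive active period; end=None stands for the ending year '---'.
    events: constructed (timestamp, kind) tuples, kind in {"restart", "shutdown", "boot"}.
    Returns (timestamp or None, reason).
    """
    if not 1 <= max_restarts <= 999:
        raise ValueError("restart count must be between 1 and 999")
    if end is None:
        # Indefinite mode: no end date and no five-minute rule. Assumption: the
        # restart count is not enforced either, so only removing the policy ends it.
        return None, "indefinite"
    if end <= start:
        raise ValueError("end of the active period must be after its start")
    restarts, off_since = 0, None
    for ts, kind in sorted(events):
        if ts < start:
            continue  # before the active period begins
        if ts > end or (off_since is not None and ts - off_since > SHUTDOWN_GRACE):
            break  # window elapsed, or the machine stayed off too long
        if kind == "shutdown":
            off_since = ts
            continue
        off_since = None  # machine is running again within the grace period
        if kind == "restart":
            restarts += 1
            if restarts >= max_restarts:
                return ts, "restart_limit"
    if off_since is not None and off_since + SHUTDOWN_GRACE < end:
        return off_since + SHUTDOWN_GRACE, "powered_off"
    return end, "window_elapsed"

if __name__ == "__main__":
    # Constructed overnight deployment window with three permitted restarts.
    start, end = datetime(2024, 3, 1, 20, 0), datetime(2024, 3, 2, 6, 0)
    timeline = [(datetime(2024, 3, 1, 20, 30), "restart"),
                (datetime(2024, 3, 1, 22, 0), "shutdown"),
                (datetime(2024, 3, 1, 22, 20), "boot")]
    print(autologon_end(start, end, 3, timeline))
```

A `window_elapsed` or `indefinite` result for a realistic deployment timeline means the computer boots without SEE Full Disk authentication for longer than the deployment needs, which is the exposure the guide asks you to review before linking the GPO.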

Policy Administrator Guide SEE Server
