Symantec Endpoint Encryption

Full Disk

Autologon Utility & Reboot Utility Guide


Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Symantec Corporation.

©2008 Symantec Corporation. All rights reserved.

Encryption Anywhere is a trademark of GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the trademarks of their respective owners.

Printed in the United States of America.

Contents

1. Introduction
  Basics
  About the Autologon Utility
  About the Reboot Utility
2. Autologon Utility
  Installation
    Install Snap-in
    Adding the Autologon Utility Snap-in to the SEE Manager
  Use of the Autologon Utility
  Upgrades
  Client Operation
  Installation Return Codes
  Autologon Order of Precedence
  Uninstalling an Autologon MSI Deployed Using a GPO
  Limiting Access to the Autologon Utility Snap-in
3. Reboot Utility

Figures

Figure 1—Autologon Utility Installer, Welcome
Figure 2—Autologon Utility Installer, Destination Folder
Figure 3—Autologon Utility Installer, Ready to Install
Figure 4—Autologon Utility Installer, Installation Completed
Figure 5—Add Standalone Snap-in
Figure 6—Management Password Page
Figure 7—Management Password Page, ADAM Authentication
Figure 8—Autologon Utility Settings
Figure 9—Save the MSI package

1. Introduction

Basics

The SEE Full Disk Autologon feature provides administrators with the ability to bypass the normal pre-Windows SEE Full Disk client authentication process. The Autologon feature can be controlled either by using a Group Policy Object (GPO) or by using the Autologon Utility described in this document.

Both methods can be used at the same time, with the client behavior defined according to a strict hierarchy of precedence.

About the Autologon Utility

The Autologon Utility is an MMC snap-in intended for use by administrators lacking the necessary rights to create or apply an Autologon GPO.

As with the GPO version of Autologon, the Autologon Utility is used by administrators to set the number of reboots and active period of time during which the normal pre-Windows SEE Full Disk authentication screen is suppressed on the client. After the administrator chooses the settings, the Autologon Utility produces an MSI package that can then be installed on the Client Computers using any standard MSI deployment method.

About the Reboot Utility

A related command-line utility, SEEReboot.exe, is included with the distribution of the Autologon Utility. This utility is used by an administrator to restart a Client Computer remotely.

These versions of the Autologon and Reboot Utilities are compatible with Symantec Endpoint Encryption Full Disk 6.0.0 and 6.1.0.


2. Autologon Utility

Installation

Install Snap-in

To install the Autologon Utility snap-in on a Manager Computer, perform the following steps.

1. Locate and launch the installation file SEE Autologon.msi. The Welcome page of the installer wizard appears.

Figure 1—Autologon Utility Installer, Welcome

2. Click Next. The License Agreement screen appears. Click I accept the terms in the license agreement. Click Next. The Destination Folder page appears.

The SEE Framework must be installed before the Autologon Utility can be installed.


Figure 2—Autologon Utility Installer, Destination Folder

3. Click Change to select an installation location other than the default. Click Next. The Ready to Install the Program page appears.

Figure 3—Autologon Utility Installer, Ready to Install


Figure 4—Autologon Utility Installer, Installation Completed

5. Click Finish.

The Autologon Utility Snap-in is now ready to be added to the SEE Manager or to a custom MMC.

Adding the Autologon Utility Snap-in to the SEE Manager

1. Launch the SEE Manager. From the File menu, click Add/Remove Snap-in.

2. The Add/Remove Snap-in window appears. Click File, then click Add/Remove Snap-in.

3. The Add/Remove Snap-in window opens. Click Add. The Add Standalone Snap-in window opens (Figure 5).

Figure 5—Add Standalone Snap-in

If you are adding the Autologon Utility snap-in to an existing SEE Manager console, the SEE Manager console must have been installed in author mode.


4. Select Autologon Utility.

5. Click Add, then click Close.

6. From the Add/Remove Snap-in window, click OK. SEE Autologon Utility appears in the SEE Manager.

The Autologon Utility is now installed and ready for use.

Use of the Autologon Utility

1. Open the SEE Manager.

2. In the left pane, click on SEE Autologon Utility. The Management Password page appears in the right pane (Figure 6).

Figure 6—Management Password Page

3. Type the Management Password and click Next. If you are not logged on to Windows using an account with ADAM administrator rights, you will be prompted to authenticate to the SEE Server.


Figure 7—Management Password Page, ADAM Authentication

4. Type the credentials of the ADAM administrator and click OK. The Autologon Settings page appears.

Figure 8—Autologon Utility Settings

Because the Autologon Utility authenticates to the SEE Server, you must be connected to your network when using the utility.


5. Type the number of reboots, select the start month/day/year/time, and select the end month/day/year/time. Click Finish. In the dialog box that appears, select a destination location to save the Autologon MSI.

Figure 9—Save the MSI package

6. Click Save.

The Autologon MSI is now ready to be installed on Client Computers using any of the standard MSI deployment methods. Note that Client Computers must have both SEE Framework and SEE Full Disk installed.

Upgrades

You can upgrade from an existing version of the Autologon Utility either by using a software installation GPO or by invoking the Windows Installer.

If the Autologon Utility is upgraded as part of a software installation GPO, the Client Computer will restart one time after the upgrade. This mandatory restart will consume one of the remaining grace restarts on the client.

Consider saving the MSI with a descriptive name, such as [start_date]+[end_date]. However, if you plan to upgrade the Autologon MSI later on, the MSI package you upgrade it with must have the same name as the original Autologon MSI package. This is a characteristic of the MSI format.

MSIEXEC /i "[path]\Encryption Anywhere Autologon.msi" REINSTALL="ALL" REINSTALLMODE="vomus"

Client Operation

Use of the Autologon MSI requires that SEE Full Disk is fully installed on the Client Computer. SEE Full Disk is fully installed only after the Client Computer has restarted following the installation of the SEE Framework and Full Disk Client packages.

The Client Computer must make and maintain contact with the SEE Server in order for the Autologon MSI to remain operational. Use the Client Monitor Watchlist to verify that successful client-server communication is taking place.

The client checks connectivity every 5 minutes. When the Autologon MSI is operational, the Autologon process will be deactivated if the Client Computer loses connectivity with the SEE Server. Once the Client Computer has restarted into Windows and re-establishes contact with the SEE Server, the Autologon process will resume. If the Client Computer remains shut down for more than ten minutes, the Autologon feature terminates.

Installation Return Codes

If MsiExec.exe or InstMsi.exe is used to install the Autologon MSI package, the return codes shown in the following table will be written to the Windows system event log on the client to indicate a successful installation.

Table 1—Installation Error Codes

| Error Code | Value | Description |
|---|---|---|
| ERROR_SUCCESS | 0 | The action completed successfully |
| ERROR_SUCCESS_REBOOT_INITIATED | 1641 | The installer has initiated a restart. This message is indicative of a success. |
| ERROR_SUCCESS_REBOOT_REQUIRED | 3010 | A restart is required to complete the install. This message is indicative of a success. This does not include installs where the ForceReboot action is run. |

Autologon Order of Precedence

Both an Autologon GPO and an Autologon MSI can be active on the Client Computer at the same time.

However, the client will honor each according to the hierarchy shown in Table 2.

Table 2—Autologon Order of Precedence

| Order of Precedence | Pre-Boot Authentication Suppression Feature | Notes |
|---|---|---|
| (1) Highest | Autologon GPO, Indefinite mode | When using an Autologon GPO in Indefinite mode. |
| (2) High | Autologon MSI | End date is in the future (even if the start date has not been reached) and the maximum number of reboots has not been reached. |
| (3) Low | Autologon GPO, normal mode | When not using Indefinite Autologon mode. |
| (4) Lowest | Grace restarts | User has not yet registered. When an MSI or GPO-based Autologon expires or is removed, Grace restarts resume with the remaining value. |
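The return codes listed under Installation Return Codes (0, 1641 and 3010) can be checked directly in a deployment script. The following PowerShell wrapper is an added example, not part of the Symantec distribution; the function name, the /qn silent switch and the assumption that msiexec's exit code carries the same value that is logged are mine. Supplying -OriginalFileName selects the upgrade form of the command and enforces the same-name rule from the Upgrades section.

```powershell
# Added example: hypothetical wrapper, not shipped with the Autologon Utility.
# Return codes the guide lists as indicating a successful installation.
$SuccessCodes = @{
    0    = 'ERROR_SUCCESS'
    1641 = 'ERROR_SUCCESS_REBOOT_INITIATED'
    3010 = 'ERROR_SUCCESS_REBOOT_REQUIRED'
}

function Install-AutologonMsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        # File name of the Autologon MSI originally installed.
        # Supplying it switches to the upgrade (REINSTALL) form.
        [string] $OriginalFileName
    )

    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "MSI not found: $MsiPath"
    }

    $msiArgs = "/i `"$MsiPath`" /qn"
    if ($OriginalFileName) {
        # The guide requires the upgrade package to have the same name as the original.
        $name = Split-Path -Path $MsiPath -Leaf
        if ($name -ne $OriginalFileName) {
            throw "Upgrade MSI is named '$name' but the original was '$OriginalFileName'."
        }
        $msiArgs += ' REINSTALL="ALL" REINSTALLMODE="vomus"'
    }

    # Assumption: the process exit code is the same value written to the event log.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    $code = $proc.ExitCode

    [pscustomobject]@{
        MsiPath      = $MsiPath
        ExitCode     = $code
        Name         = if ($SuccessCodes.ContainsKey($code)) { $SuccessCodes[$code] } else { 'FAILURE' }
        Succeeded    = $SuccessCodes.ContainsKey($code)
        RebootNeeded = ($code -eq 3010)
    }
}

# Constructed usage (the path is a placeholder):
# Install-AutologonMsi -MsiPath 'C:\Deploy\Encryption Anywhere Autologon.msi'
```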


Uninstalling an Autologon MSI Deployed Using a GPO

As is true of any software deployed using a software installation GPO, the Autologon MSI should never be uninstalled manually at the client. Packages deployed using a software installation GPO should only be uninstalled by removing or changing the scope of the software installation GPO. Attempting to remove GPO-deployed client packages by manually uninstalling the packages using the Add or Remove Programs control panel on the client while the software installation GPO is still in effect will result in the packages being reinstalled at the next restart.

Further attempts to uninstall the client packages will result in an error. As a Policy Administrator, you should set the appropriate Windows policies to prevent users from manually removing the client packages.

Limiting Access to the Autologon Utility Snap-in

Access to the Autologon Utility snap-in can be restricted by policy. Doing so requires that the supplied administrative template (ADM) file "Autologon Utility.adm" be loaded using the Group Policy Object Editor (GPOE).


3. Reboot Utility

The Reboot Utility is used by an administrator to restart a Client Computer remotely. This utility should only be used on Client Computers on which the Autologon Utility has already been installed. GEReboot.exe uses the following parameters:

SEEReboot.exe /n <username> /d <domain> /p <password>

or

SEEReboot.exe -n <username> -d <domain> -p <password>

The Reboot Utility accepts the credentials of either an SEE registered user or a Client Administrator. When using the credentials of a Client Administrator, the /d and -d parameters are not applicable and should be omitted.

The Reboot Utility will not accept a password containing special characters unless the password is delimited by quote marks. The list of special characters:

< > ( ) + = ^ ~ and <space>

For example, the user password pass+word should be delimited by quote marks as shown:

SEEReboot.exe -n esmith -d your-org.com -p "pass+word"
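The quoting rule above can be applied programmatically so that the password is never typed into the console or its history. This PowerShell helper is an added example, not part of the Symantec distribution; the function name, the local path to SEEReboot.exe and the rejection of passwords containing a quote mark (the guide does not describe escaping) are assumptions.

```powershell
# Added example: hypothetical helper, not shipped with the Reboot Utility.
function Get-SEERebootArgumentLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Omit for a Client Administrator: the guide says -d is not applicable.
        [string] $Domain,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Recover the plaintext in memory only; it is never echoed.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # Assumption: the guide gives no escape for an embedded quote mark, so refuse it.
    if ($plain.Contains('"')) {
        throw 'Password contains a quote mark; no escaping rule is documented.'
    }

    # Characters the guide lists as requiring quote marks: < > ( ) + = ^ ~ and space.
    if ($plain -match '[<>()+=^~ ]') {
        $plain = '"' + $plain + '"'
    }

    $parts = @('-n', $UserName)
    if ($Domain) { $parts += @('-d', $Domain) }
    $parts += @('-p', $plain)
    $parts -join ' '
}

# Constructed usage: user and domain are the guide's sample values,
# the executable path is a placeholder.
$pw   = Read-Host -Prompt 'SEE password' -AsSecureString
$line = Get-SEERebootArgumentLine -UserName 'esmith' -Domain 'your-org.com' -Password $pw

# The password is still part of the SEEReboot.exe command line, so
# process-creation auditing that captures command lines will record it.
Start-Process -FilePath '.\SEEReboot.exe' -ArgumentList $line -Wait -NoNewWindow
```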
