This article documents the changes and fixes for Symantec Endpoint Encryption Full Disk 7.0.5

What’s New
Data Protection for Multiple Physical Drives

• SEE Full Disk now supports policy for provisioning users with both token and password credentials, as well as token-only or password-only. This is especially useful within environments transitioning from single-factor (password-only) to multi-factor (token-only) authentication.
• Up to 26 (twenty-six) logical Windows drives can be encrypted across any number of physical fixed drives on the endpoint, enabling data protection through strong encryption for a broad range of both laptop and desktop deployments.

Support for Microsoft Windows 7
The SEE Full Disk endpoint client now supports both the 32-bit and 64 bit versions of Windows 7. User authentication for SEE Full Disk on a Windows 7 client is enabled through the Windows authentication process.

The following editions of Windows 7 are supported:

• Professional
• Ultimate
• Enterprise

64-Bit Client and Server Windows Platform Support

• The SEE Full Disk and SEE Removable Storage endpoint clients now support the 64-bit editions of Windows XP Professional, Windows Vista and Windows 7. (See the Installation Guide for specific edition support for Vista and Windows 7.)
• 64-bit support includes the standard SEE Full Disk utilities for administrative access and recovery.
• The server-side components of SEE Full Disk and SEE Removable Storage now support the 64-bit editions of both Windows Server 2008 and Microsoft SQL Server 2008.

Autologon Support for Wake-on-LAN
Autologon has been enhanced with new administrative controls to better support Wake-on-LAN scenarios. Administrators can now set endpoints to boot without requiring user authentication regardless of the length of time an endpoint have been physically turned off or whether an SEE Management Server is available.

Support for Windows Safe Mode
The SEE Full Disk client now supports the display of, and keystroke-based selection from, the Windows Safe Mode or F8 boot-time screen.

Simplified Authentication Enforcement

• Rules for enforcing different user authentication methods on endpoints have been simplified for easier and more secure administration. User authentication methods are now always and immediately enforced on endpoints according to the current policy.
• The administrative limit on the number of times a token user can successfully use Authenti-Check has been removed.

New Options for Endpoint Policy Management
Install-time policy settings on the endpoint clients are now automatically updated whenever the client is upgraded by an installer MSI package. This new feature provides administrators with more options for establishing policy when endpoints are decoupled from a central administrative environment.

Server and Client User Interface Improvements

• Requirements for the minimum length of administrative account passwords have been relaxed to give administrators greater flexibility in provisioning these accounts.
• The SEE Full Disk and SEE Removable Storage client user string identifier for registered user accounts is no longer required.
• The maximum length of the legal notice set by administrators in the SEE Full Disk client splash screen has been increased to 1,024 characters.

Installation Notes
SEE Framework 7.0.5 is only compatible with SEE Full Disk 7.0.5 and SEE Removable Storage 7.0.5. If you are running SEE Removable Storage and plan to upgrade to SEE Full Disk 7.0.5, you must upgrade to SEE Removable Storage 7.0.5 also.

Windows 7 Endpoint Support Notes
This release of SEE Full Disk features limited support for Windows 7 on the Client Computer.

• Automatic authentication will be in place on all Windows 7 endpoints. User registration will occur silently, without user intervention, unless a registration password is required.
• The installation settings cannot be changed using either a policy or an upgrade package.
• Users cannot be automatically unregistered. Client Administrators must visit the workstation and utilize the Administrator Client Console to unregister a user.

Resolved Issues

Description

Issues preventing the full support of the following Dell models have been remediated: Optiplex 320 and Studio 1440.

Issues preventing the full support of the Panasonic T8 model have been remediated.

The administrator is no longer prompted to close SEE Active Directory Sync Service and SEE Novell Sync Service when uninstalling the SEE Management Server from a Windows Server 2008 machine.

Client machines with BIOS power management enabled no longer fail to recover after going into screensaver mode from Pre-Windows.

JAWS users no longer experience an Internet Explorer script error after tabbing onto the QuickHelp icon.

Third Party Compatibility

Third Party Tool	Description	Workaround
SanDisk 4GB Cruzer Micro USB Flash Drive and HP Compaq dc7700.	A SanDisk 4GB Cruzer Micro USB Flash Drive inserted at startup will cause HP Compaq dc7700 computers to hang after Pre-Windows authentication.	Remove SanDisk devices before powering on.
SanDisk Cruzer Micro 512 MB USB 2.0 Flash Drive (SDCZ4-512-A10)	If the SanDisk Cruzer Micro 512 MB USB 2.0 Flash Drive (SDCZ4-512-A10) device is inserted at startup, users may experience slow boot times.	Remove SanDisk devices before powering on.
Roxio 6.2	The Framework client package will fail to install due to a missing drive letter in the primary partition.	Ensure that the following Registry key has the value PartMgr: HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\ Control\Class\{4D36E967-E325-11CEBFC1-08002BE10318}\UpperFilters
Symantec Endpoint Protection 11	Following the installation of SEE Full Disk on the Client Computer, a Network Threat Protection message may be displayed, alerting the end user to a change in the AFRCliADSI application.	Open Symantec Endpoint Protection and click Options in the Network Threat Protection area. Select Configure Firewall Rules from the pop-up menu. Highlight Block IPv6 over IPv4 and click Edit. Select the Allow this traffic option button on the General tab. Open the Ports and Protocols tab. Select All IP Protocols from the Protocol drop-down list box.
RSA SecurID® 800	If a second certificate is added to the token and the first certificate is deleted, the user will be unable to register with the token.	Remove all certificates from the token and add the certificate again.

Upgrade/Install/Uninstall/Migration

Description	Workaround
The 32-bit Manager Console MSI (Symantec Endpoint Encryption Framework.msi) can be installed on a 64-bit operating system.	Uninstall the Manager Console and reinstall using the correct MSI.
If a local instance is selected during the installation of the SEE Management Server, the SEE Management Server uninstallation will fail with the message, “Could not connect to Microsoft SQL Server.”	Locate the GEServerConfig.xml file on the SEE Management Server machine. Find (local). Replace with the computer name of the SEE Management Server machine. Save and close the file. Try the uninstall again.
If power is lost during an upgrade of the client machine, a blue screen may occur and the machine may loop continuously in an effort to boot into Windows.	Run Recover /d. If Recover /d fails, try Recover /b. If the Recover Program completes successfully, back up important files, then reinstall SEE Full Disk. If this fails, you will need to reinstall Windows or re-image the machine.
If password authentication is selected during the installation of SEE Manager console, but token authentication is specified by policy, users will be unable to register.	If password authentication is selected during the installation of SEE Manager console, but token authentication is specified by policy, users will be unable to register.

Token Authentication

Description	Workaround
Tokens cannot be used for Pre-Windows authentication on the Acer Aspire 5515.	None at this time.
Only tokens inserted into a USB card reader can be used for Pre-Windows authentication on the HP Compaq 6535b.	None at this time.
The GemPC Express reader cannot be used for Pre-Windows authentication on an HP Compaq 6535b.	None at this time.

Drive Size/Fragmentation

Description	Workaround
Drives larger than 1 TB may become unavailable after encryption.	Do not attempt to encrypt drives larger than 1 TB.
The following error message is displayed on the first reboot after installation, “EPHD BIOS Translation Driver: heap allocation error.”	One or more drives are severely fragmented. Decrypt all drives. Uninstall SEE Full Disk. Defragment the drive(s). Reinstall SEE Full Disk.

Windows Vista

Description	Workaround
Vista computers will fail to boot if a PCMCIA reader is inserted.	Provision Vista users with USB readers.
Following the installation of SEE Full Disk, machines missing the Sleep power option will go into hibernation on a schedule that does not correspond to the Windows power plan.	Apply all of the latest Vista updates.

Safe Mode

Description	Workaround
The Safe Mode reboot option may fail to allow administrators to access safe mode on certain machines, such as the HP Compaq dc5800 and HP Compaq 67108.	Reboot. Provide Client Administrator credentials and select the Safe Mode Reboot check box. Click OK. Click Restart Computer. Watch screen closely. As soon as “Starting SEE Full Disk…” displays, press F8. Select Safe Mode. Press F8. Select Safe Mode again.

Recover Program

Description	Workaround
Additional hard disks on Windows 7 computers will be listed erroneously within the Partitions Not Managed by SEE Platform area of the User/Administrator Client Console following a successful Recover /D or /B operation.	Reboot.

Manager Console

Description	Workaround
If an XPS print job is cancelled, the following error may be displayed, “The data area passed to a system call is too small.”	None at this time.
After clicking a column heading to sort by the column, the sort arrow will be displayed to the left of the column heading if the operating system is Vista or Server 2008.	None at this time.
Deploying an Active Directory policy that contains a change to the Client Administrator settings from a 6.1.0 or later Manager to 6.0.0 or earlier clients will result in a failure of the new Client Administrator policy to be applied, a deletion of all existing Client Administrator policies, and a return to the Client Administrators specified in the original installation settings.	When deploying an Active Directory policy from a 6.0.0 or earlier Manager, add the following WMI filter: Select * FROM Win32_Product WHERE (name="Symantec Endpoint Encryption Framework Client") AND (version <= "6.0.0") When deploying an Active Directory policy from a 6.1.0 or later Manager, add the following WMI filter: Select * FROM Win32_Product WHERE name = “Symantec Endpoint Encryption Framework Client” ANDversion > "6.1.0"

Client Keyboards

Description	Workaround
Users may be unable to combine the ^ (Circumflex), ¨ (Diaeresis), ` (Grave) and ´ (Acute) dead keys with l (0131), I (0049), Shift+i (0069) or Shift+I (0130) from the Turkish Q keyboard.	None at this time.
The Turkish Q character İ; (0130) may display as I in pre-Windows.	None at this time.
Users will be unable to enter the following characters from Canadian French keyboards in Pre-Windows: á ç	None at this time.
The CAPSLOCK key will behave like the SHIFTLOCK key for nonalphabet characters in Pre-Windows for the Belgian (Period), French, and German keyboards.	None at this time.
The character ł (0142) displays as Ł (0141) in pre-Windows when the Hungarian keyboard is used.	None at this time.
CTRL+ALT combinations do not produce the expected special characters in Pre-Windows	None at this time.

Single Sign-On

Description	Workaround
If a user presses CRTL+ALT+DEL in Windows Vista, clicks Change Password, provides the incorrect old password causing an error or is prevented from changing their password due to Windows policies, and then cancels out, that user will be unregistered from SEE.	Visit http://support.microsoft.com/kb/936183 Obtain and apply the hotfix
Password synchronization problems in Windows Vista could occur if users specify blank passwords.	Set the Windows policy to prevent users from specifying blank passwords.

Pre-Windows Authentication

Description	Workaround
Users will not be able to utilize the Keyboard Layout window if Help is open.	Close the Help window and try again.

Section 508

Description	Workaround
JAWS does not always announce all of the information displayed within the Registration wizard and User Client consoles.	Users should follow these steps: 1. Press INSERT+F9. 2. Select the frame that is of interest from the resultant Frames List dialog. 3. Click OK. 4. Press P. If this doesn’t work, restart JAWS and try the steps again.

Technical Information
SEE-FD 7.0.5 Release Notes.pdf