Symantec Encryption Desktop/PGP-How to Bypass PGP BootGuard


Article ID: 155207


Products

Drive Encryption, Encryption Management Server, Desktop Email Encryption, Endpoint Encryption, Policy Based Encryption

Issue/Introduction

This article describes how to set up a BootGuard bypass for PGP Drive Encryption, either with the WDE-ADMIN Active Directory group or with a Drive Encryption Disk Administrator passphrase configured in policy. A bypass skips the BootGuard preboot authentication screen for a set number of restarts, which lets an administrator install software or make other configuration changes on a remote computer that has to reboot.

Resolution

The article contains multiple sections to cover adding the bypass functionality to Symantec Encryption Desktop:
 

Section 1 - Add Bypass using the WDE-ADMIN Security Group

Section 2 - Using Deployment tools such as Altiris, and SCCM to add the bypass user using the WDE-ADMIN Security Group

Section 3 - Add Bypass using the Drive Encryption Disk Administrator method

Section 4 - Add more than 51 bypass reboots to Symantec Encryption Desktop

 

 

 

Section 1 - Add Bypass using the WDE-ADMIN Security Group

Note: Any domain user can be put into this group. To set the bypass, that user must also have administrator rights on the client machine where the command is run.

On a domain controller, open the Active Directory Users and Computers console. (Start>All Programs>Administrative Tools>Active Directory Users and Computers)

Create a new Global Security Group with the name WDE-ADMIN.

Add the desired domain user account(s) to the WDE-ADMIN group. Only the most trusted users should ever be added to this group, because membership allows them to run administrative WDE commands, including adding a bypass, on any client they can log in to.

On the client system, login with the user account added to the WDE-ADMIN group.

Click Start>Run, type cmd in the text field and click OK. The Windows command prompt screen appears.

Switch to the following directory: C:\Program Files (x86)\PGP Corporation\PGP Desktop:

1. cd\

2. cd "Program Files (x86)\PGP Corporation\PGP Desktop"

At the command prompt, type pgpwde --add-bypass --admin-authorization --disk 0 and press Enter. This command adds a single bypass restart to BootGuard; to add several at once, use the --count option shown in Sections 3 and 4.

--admin-authorization (Windows only) tells pgpwde that the command is being run by a member of the WDE-ADMIN Active Directory group, so no Disk Administrator passphrase has to be supplied.

TIP: --aa is the short form of --admin-authorization.

Example (removing a bypass with the same authorization): pgpwde --remove-bypass --disk 0 --admin-authorization

A message confirms that the bypass was added. You can also verify it from the command prompt with check-bypass:

Check Bypass:

Indicates whether a boot bypass is configured for the specified boot disk. If one is configured, it also displays the original and remaining bypass restart counts.

The usage format is:

pgpwde --check-bypass --disk <disk number> --admin-authorization


 

Section 2 - Using Deployment tools such as Altiris (Symantec IT Management Suite), and SCCM to add the bypass user using the WDE-ADMIN Security Group


The attached script can be used to add the bypass remotely with Altiris or another deployment solution, using the WDE-ADMIN security group in Active Directory.

The script has been tested and is known to work within Altiris when used with the WDE-ADMIN security group. It has also been tested with SCCM using the specific task sequence described in the attached document.

Download the "WDE-WDE-ADMIN-add-bypass-script-README-with-Bypass-Script.zip" file for the script and the SCCM steps.

Note: Use the attached script, because it stops all PGP services before adding the bypass. If the PGP services are left running, adding the bypass can fail intermittently.
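The following PowerShell script is an added example for Sections 1 and 2. It is not the script attached to this article and is not Symantec code; it performs the sequence the attached script is described as performing (stop the PGP services, add the bypass with WDE-ADMIN authorization, verify with check-bypass, restart the services) so it can be pushed by Altiris, SCCM or any tool that runs a script as a WDE-ADMIN member with local administrator rights. Assumptions not stated in the article: pgpwde.exe returns a non-zero exit code when an operation fails, the PGP services can be selected by a display-name pattern (here 'PGP*', which you should adjust to your installation), and the whoami /groups membership check is the script's own sanity check, not something pgpwde requires.

```powershell
# Added example, not the article's attached script and not Symantec code.
# Assumptions (not stated by the article):
#   - pgpwde.exe exits non-zero when an operation fails
#   - the PGP services can be selected by display name pattern ($ServicePattern)
param(
    [int]$Disk = 0,
    [int]$Count = 1,                 # bypass restarts to add (Section 4 covers the policy maximum)
    [string]$ServicePattern = 'PGP*' # adjust to the service display names on your clients
)

$PgpWde = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $PgpWde)) { throw "pgpwde.exe not found at $PgpWde" }

# --admin-authorization is only honoured for members of the WDE-ADMIN domain
# group, so fail early with a clear message instead of a pgpwde error.
$groups = (whoami /groups) -join "`n"
if ($groups -notmatch '\\WDE-ADMIN\b') {
    throw 'Current user is not a member of WDE-ADMIN; --admin-authorization would be refused'
}

function Invoke-PgpWde {
    param([string[]]$Arguments)
    $output = & $PgpWde @Arguments 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

# Section 2: stop the PGP services first; leaving them running can
# intermittently make the add fail.
$services = Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue |
    Where-Object Status -eq 'Running'
$services | Stop-Service -Force

try {
    $add = Invoke-PgpWde @('--add-bypass', '--disk', $Disk, '--count', $Count, '--admin-authorization')
    if ($add.ExitCode -ne 0 -or $add.Output -match 'failed') {
        throw "add-bypass failed (exit $($add.ExitCode)):`n$($add.Output)"
    }

    # Verify: check-bypass reports whether a bypass is configured and the
    # original and remaining restart counts.
    $check = Invoke-PgpWde @('--check-bypass', '--disk', $Disk, '--admin-authorization')
    Write-Output $check.Output
}
finally {
    # Always restore the services, even when the add failed.
    $services | Start-Service
}
```

Run it as the WDE-ADMIN member from an elevated session, for example .\Add-Bypass.ps1 -Disk 0 -Count 3. The try/finally matters in a deployment tool: if the add fails, the services are still brought back up and the non-zero exit is reported to the tool rather than silently leaving the client without PGP services.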

 

 


Section 3 - Add Bypass using the Drive Encryption Disk Administrator method (PGP Disk Administrator added to the policy):

The Drive Encryption Disk Administrator can be used to set the Bootguard Bypass on client machine via policy on Symantec Encryption Management Server.

To use this option, first enable a Drive Encryption Disk Administrator in policy:

1. Log in to the Symantec Encryption Management Server.
2. Go to Consumers > Consumer Policy and select the Default policy or the custom policy to be modified.
3. Select the "Desktop..." option.
4. Select the Drive Encryption tab, enable the "Encrypt Drive Encryption disks to a Disk Administrator Passphrase" option, and click Save.
Note: The Disk Administrator is placed on the disk's access list when the disk is encrypted, so the disk must be encrypted with this policy in effect.

Once the policy change is saved, update policy on the clients so they receive it.

Next, to run the command to enable a bypass, follow the steps below:

1. Deploy the PGP Drive Encryption client to the machine and encrypt the disk.

2. Open a command prompt window and type the following command to take you to the "C:\" prompt:

cd\

 

3. Now run the following command to take you to the proper working directory for "pgpwde.exe":

cd "Program Files (x86)\PGP Corporation\PGP Desktop"

 

4. At the command prompt, type the following command and press enter:

pgpwde --add-bypass --admin-passphrase "admin passphrase here" --disk 0

This command adds only one bypass to Bootguard.

5. To add more than one bypass restart in a single command, use --count:

pgpwde --add-bypass --disk 0 --count 3 --admin-passphrase "admin passphrase here"

This command adds 3 bypass restarts, so the BootGuard preboot screen is skipped for the next 3 restarts.



Check Bypass:

If you would like to check if this was successful, run the following command:

pgpwde --check-bypass --disk 0 --admin-passphrase "admin passphrase here"

 

This should show you if the bypass is enabled, and for how many counts.
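The following PowerShell script is an added example for Section 3 and is not from the article or from Symantec. It runs the same add-and-verify sequence with the Disk Administrator passphrase, prompts for the passphrase instead of hard-coding it in the script, and recognises the "Error code -12198" message documented in Section 4 so the operator gets a pointer to the relevant policy settings instead of a raw failure. Assumptions not in the article: pgpwde.exe exits non-zero on failure, and the error text can be matched as a substring of its output.

```powershell
# Added example, not from the article and not Symantec code.
# Assumptions (not stated by the article):
#   - pgpwde.exe exits non-zero when an operation fails
#   - "Error code -12198" appears verbatim in pgpwde's output when policy
#     does not permit the bypass (the message quoted in Section 4)
param(
    [int]$Disk = 0,
    [int]$Count = 3   # bypass restarts to add
)

$PgpWde = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $PgpWde)) { throw "pgpwde.exe not found at $PgpWde" }

# Prompt for the Disk Administrator passphrase rather than embedding it in the
# script or typing it at a cmd prompt, where it would be kept in command history.
$secure = Read-Host -Prompt 'Disk Administrator passphrase' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $passphrase = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

function Invoke-PgpWde {
    param([string[]]$Arguments)
    $output = & $PgpWde @Arguments 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

try {
    $add = Invoke-PgpWde @('--add-bypass', '--disk', $Disk, '--count', $Count,
                           '--admin-passphrase', $passphrase)
    if ($add.Output -match 'Error code -12198') {
        # The policy refused the bypass: check that the consumer policy encrypts
        # disks to a Disk Administrator passphrase (Section 3) and that $Count does
        # not exceed wdeMaximumBypassRestarts (Section 4).
        throw "Not permitted by your Administrator: review the Disk Administrator and wdeMaximumBypassRestarts policy settings (requested $Count restarts)"
    }
    if ($add.ExitCode -ne 0 -or $add.Output -match 'failed') {
        throw "add-bypass failed (exit $($add.ExitCode)):`n$($add.Output)"
    }

    # Verify with check-bypass, which reports whether a bypass is configured and
    # the original and remaining restart counts.
    $check = Invoke-PgpWde @('--check-bypass', '--disk', $Disk, '--admin-passphrase', $passphrase)
    Write-Output $check.Output
}
finally {
    # Drop the plaintext passphrase from the session once it is no longer needed.
    Remove-Variable passphrase -ErrorAction SilentlyContinue
}
```

One caveat the article does not mention: pgpwde takes the passphrase as a command-line argument, so it is visible to anyone who can list process command lines on the client while pgpwde runs. The prompt above keeps it out of scripts and shell history, but not out of a process listing; run this only from a session you control, on a client where local administrators are trusted.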

 

Section 4 - Add more than 51 bypass reboots to Symantec Encryption Desktop

Use the following steps to set the preference for wdeMaximumBypassRestarts:

1. Log in to Symantec Encryption Management Server.

2. Open Consumers > Consumer Policy and choose the policy that applies to the user.

3. Click the General option, click Edit then click Edit Preferences.

4. Choose Client as "Symantec Encryption Desktop Client"

5. Click Set, enter the following information:

Pref name: wdeMaximumBypassRestarts

Type: Integer

Value: 100 (or the number of bypass restarts you want to allow). The valid range for the BootGuard bypass maximum is 1-1000000.

6. Click on Save.

7. Deploy Client Package and install.

Note: For clients that are already enrolled, update the local client policy after the preference has been added. If the policy update does not add the new wdeMaximumBypassRestarts value to the client's Prefs.xml, re-enroll the client so it downloads a new prefs file containing the value.

8. Open a command prompt window on the client machine and switch to the PGP directory

Switch to C:\Program Files (x86)\PGP Corporation\PGP Desktop for Windows 64 Bit using the following commands:

cd\

cd "Program Files (x86)\PGP Corporation\PGP Desktop"

9. Run the command:

pgpwde --add-bypass --disk <disk number> [--count <restarts>] --admin-authorization

Example of adding 52 bypass reboots to Disk 0:
pgpwde --add-bypass --disk 0 --count 52 --admin-authorization

Error when the bypass is not permitted:

The following error message appears if a user tries to add a bypass but is not permitted to:

"Operation add bypass failed: Error code -12198: Not permitted by your Administrator"

 


 

 

Attachments

WDE-ADMIN-add-bypass-script-README-with-Bypass-ScriptV2.zip