Release notes for Symantec Endpoint Encryption Full Disk 7.0.2

Article ID: 177669

Products

Endpoint Encryption

Issue/Introduction

This article documents the changes and fixes for Symantec Endpoint Encryption Full Disk 7.0.2

Resolution


What’s New
Management Support of Non-Domain Endpoints
  • SEE now provides centralized management services for SEE Full Disk—including policy provisioning and client reporting—for Windows endpoints that are not members of an Active Directory domain.
  • A new administrator-defined hierarchy allows grouping of non-domain endpoints for easier reporting and policy management.
  • A new native policy feature enables policy definition and deployment for both non-domain and eDirectory endpoints through a single, centralized management console.

Management Support of Novell eDirectory Endpoints
  • Centralized management services—including policy provisioning and client reporting—are now provided for Windows endpoints that are members of the Novell eDirectory directory service. SEE provides support for endpoints that are members of either Active Directory or eDirectory, or both.
  • A new connector to eDirectory automatically synchronizes the entire organizational unit hierarchy and all associated computer objects with SEE Full Disk. The connector is capable of performing a complete synchronization as well as incremental updates driven automatically by events within eDirectory.
  • Native policies are assigned to eDirectory endpoints at any level within the eDirectory organizational unit hierarchy.

Fast and Easy Lookup of Endpoint Compliance Reports
  • New, high-performance reporting features make it easier than ever to validate the state of endpoint compliance throughout the organization.
  • The new group view feature enables administrators to quickly view the status of all the endpoints within an Active Directory, eDirectory, or administrator-defined non-domain endpoint group.
  • New reports enable administrators to find compliance reports for arbitrary lists of computers, check on the deployment state of both hard disk encryption and removable storage encryption within the enterprise, and find endpoints with data at risk on unencrypted hard drives.

32-Bit Data Recovery Utilities
  • Both the Full Disk Access Utility and Recover Program are now provided in robust 32-bit versions designed to run in the Windows Preinstallation Environment (Windows PE).

One Time Password Support for Client Lockout
  • Registered users can now (through policy) use the help desk-assisted One Time Password feature to recover access to endpoints that are locked out due to missing their required client reporting period.

User-Driven Endpoint Communication to Server
  • SEE Full Disk users now have the option of forcing immediate endpoint communication with the SEE Management Server. This new control is available in the User Client Console.

Increase in Maximum Numbers of Endpoint Users and Administrators
  • SEE Full Disk endpoints can now have up to 250 (two-hundred fifty) registered user and 250 (two-hundred fifty) Client Administrator accounts in the pre-boot environment.

Protection against the Cold Boot Attack
  • SEE Full Disk administrators can optionally deploy SEE Full Disk endpoint clients configured to provide protection against the “cold boot” or “Princeton” class of attacks on the AES key schedule maintained in persistent DRAM.

Support for Microsoft SQL Server
  • SEE now uses the worldfs standard for Windows relational database servers.Microsoft SQL Server.to store and manage endpoint reporting and native policy data. The Express with Advanced Services, Standard, and Enterprise editions are supported in this release.

Web Services-Based Client/Server Communication
  • SEE now uses an industry-standard web services-based communication architecture with Microsoft Windows Server 2003 Internet Information Services (IIS) for all client and server communication, including endpoint status reports and deployment of native policy to non-domain and eDirectory endpoints. (Active Directory endpoints continue to use Active Directory Group Policy Objects.)

Installation Notes
SEE Framework 7.0.2 is only compatible with SEE Full Disk 7.0.2 and SEE Removable Storage 7.0.2. If you are running SEE Removable Storage and plan to upgrade to SEE Full Disk 7.0.2, you must upgrade to SEE Removable Storage 7.0.2 also.

Resolved Issues
Description
Issues preventing the full support of the Acer Aspire 5515 have been remediated.
Issues preventing the full support of the following Dell models have been remediated: Dimension 3000, Latitude E6400, OptiPlex 760, and Precision M6400.
Issues preventing the full support of the Fujitsu LifeBook T5010 have been remediated.
Issues preventing the full support of the following Hewlett Packard (HP) models have been remediated: Compaq dc7900, Compaq nc6320, Compaq 2710p, Compaq 6535b, Compaq 6710b, Compaq 6735s, Compaq 6715b, Compaq 6730b, EliteBook 2530p, EliteBook 6930p, and EliteBook 8730w.
Issues preventing the full support of the following Panasonic Toughbook models have been remediated: CF-W8 and CF-30K.
Issues preventing the full support of the following Toshiba models have been remediated: Portege M400 and Satellite A215-S5837.
Keyboards or mice connected directly to the right-hand USB port of an HP Compaq 6320 can now be used in Pre-Windows.
The removal and reinsertion of an SCM SCR 201 PCMCIA card reader before or at the Startup screen no longer causes the system to hang.
Users will no longer be able to include the following unsupported characters from Spanish keyboards at the Pre-Windows Password Change dialog: º ¡ ¿ ¬ ª ^ € ¨

Known Issues
Third Party Compatibility
| Third Party Tool | Description | Workaround |
| --- | --- | --- |
| BIOS Power Management | Client machines will fail to recover after going into screensaver mode from Pre-Windows. | Perform a hard reboot and disable BIOS power management. Windows power management should be used instead. |
| Roxio 6.2 | The Framework client package will fail to install due to a missing drive letter in the primary partition. | Ensure that the following Registry key has the value PartMgr: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\UpperFilters` |
| Symantec Endpoint Protection 11 | Following the installation of SEE Full Disk on the Client Computer, a Network Threat Protection message may be displayed, alerting the end user to a change in the EAFRCliADSI application. | Open Symantec Endpoint Protection and click Options in the Network Threat Protection area. Select Configure Firewall Rules from the popup menu. Highlight Block IPv6 over IPv4 and click Edit. Select the Allow this traffic option button on the General tab. Open the Ports and Protocols tab. Select All IP Protocols from the Protocol drop-down list box. |
| RSA SecurID® 800 | If a second certificate is added to the token and the first certificate is deleted, the user will be unable to register with the token. | Remove all certificates from the token and add the certificate again. |
| SymplisIT DefragMagic 1.0.0 | If an encrypted hard disk is defragmented, the Full Disk panels of the User and Administrator Client Consoles will no longer be displayed. | Defragment with this tool before encrypting the drive. |

Upgrade/Install/Uninstall/Migration
| Description | Workaround |
| --- | --- |
| If an account that already exists on the database is specified in the Database Configuration page of the SEE Management Server InstallShield wizard, the installation will fail with a SQL script error. | Do not enter the credentials of a pre-existing account. Type the credentials of an account that does not exist. |
| When uninstalling the SEE Full Disk client, the following error may be displayed, “Error 25027. Stop EAFRCliManager service – failed.” | Manually stop the service and try again. |
| If power is lost during an upgrade of the client machine, a blue screen may occur and the machine may loop continuously in an effort to boot into Windows. | Run Recover /d. If Recover /d fails, try Recover /b. If the Recover Program completes successfully, back up important files, then reinstall SEE Full Disk. If this fails, you will need to reinstall Windows or reimage the machine. |
| If password authentication is selected during the installation of SEE Framework Manager console, but token authentication is specified by policy, users will be unable to register. | |

Hibernation
| Description | Workaround |
| --- | --- |
| On certain machines, such as the Compaq nc6320, Optiplex GX280, Lifebook T5010, EliteBook 8730w, and ThinkPad T400, errors ranging from inconvenient to fatal may occur if the machine goes into hibernation following the registration of the first user and before reboot. | Disable hibernation or ensure that the machine reboots following registration of the first user. |

Peripheral Devices
| Description | Workaround |
| --- | --- |
| If the user or Client Administrator removes their card from their PCMCIA reader after entering their PIN and before the validation process has completed, they will receive a fatal error. | Leave the card in for the duration of the authentication operation. |
| SEE Full Disk may not recognize PCMCIA card readers on certain Hewlett Packard machines, such as HP Compaq 6710b and HP Compaq nc6120. | |
| In Pre-Windows, SEE Full Disk will receive double input for each key pressed on external keyboards connected to the left-hand USB slots of HP Compaq nc6120 computers. | Use the right-hand USB slot instead. |

Client Keyboards
| Description | Workaround |
| --- | --- |
| Users may be unable to combine the ^ (Circumflex), ¨ (Diaeresis), ` (Grave) and ´ (Acute) dead keys with l (0131), I (0049), Shift+i (0069) or Shift+I (0130) from the Turkish Q keyboard. | |
| The Turkish Q character İ (0130) may display as I in Pre-Windows. | |
| Users will be unable to enter the following characters from Canadian French keyboards in Pre-Windows: á ç | |
| Users will be unable to enter the following character from German keyboards in Pre-Windows: μ | |
| Users will be unable to toggle keyboards after launching logon assistance. | If users need to toggle keyboards, they should do so before launching logon assistance. |

Manager Console
| Description | Workaround |
| --- | --- |
| Validation is not performed on the client-side SSL certificates selected when creating client installation packages. | Ensure that the certificate file is in the CER format and valid for IIS communications. |
| Highlighted computers and/or groups may incorrectly display, “Currently no policy has been assigned to the group.” | Review policy precedence rules in Policy Administrator Guide to determine the policy in effect. |
| The name of the Last Logon Time column of the Associated Users dialog refers to the last time/date that the user or Client Administrator logged on to the User or Administrator Client Console. | |
| After turning off synchronization services using the Configuration Editor, the SEE Native Policy Manager may show that a policy has been applied to a Novell or Active Directory object that no longer exists. | |
| Deploying an Active Directory policy that contains a change to the Client Administrator settings from a 6.1.0 or later Manager to 6.0.0 or earlier clients will result in a failure of the new Client Administrator policy to be applied, a deletion of all existing Client Administrator policies, and a return to the Client Administrators specified in the original installation settings. | When deploying an Active Directory policy from a 6.0.0 or earlier Manager, add the following WMI filter: `Select * FROM Win32_Product WHERE (name="Symantec Endpoint Encryption Framework Client") AND (version <= "6.0.0")` When deploying an Active Directory policy from a 6.1.0 or later Manager, add the following WMI filter: `Select * FROM Win32_Product WHERE name = "Symantec Endpoint Encryption Framework Client" AND version > "6.1.0"` |
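
A pre-check for the first Manager Console issue above, since the console does not validate the selected certificate file. This PowerShell function is an added example, not Symantec code; the function name and sample path are hypothetical, and it assumes the file is the IIS server's own TLS certificate, so the Server Authentication check is one interpretation of "valid for IIS communications".

```powershell
# Added example, not vendor code. Assumption: the .cer file is the IIS
# server's own TLS certificate (public part only).
function Test-ClientCertFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $problems = New-Object System.Collections.Generic.List[string]
    $cert = $null

    try {
        # A .cer file holds one certificate (DER or Base64), not a PFX or PKCS#7 bundle.
        $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($full)
        if ($type -ne 'Cert') {
            $problems.Add("Content type is '$type', expected a single certificate")
        } else {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
        }
    } catch {
        $problems.Add("File is not a readable X.509 certificate: $($_.Exception.Message)")
    }

    if ($cert) {
        # Reject certificates outside their validity window.
        $now = Get-Date
        if ($now -lt $cert.NotBefore) { $problems.Add("Not valid until $($cert.NotBefore)") }
        if ($now -gt $cert.NotAfter)  { $problems.Add("Expired on $($cert.NotAfter)") }

        # If an Enhanced Key Usage extension exists, it must allow Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
            $problems.Add('EKU does not include Server Authentication (1.3.6.1.5.5.7.3.1)')
        }
    }

    [pscustomobject]@{
        Path       = $full
        Subject    = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Hypothetical path; compare the thumbprint with the certificate bound to the IIS site.
Test-ClientCertFile -Path 'C:\Temp\see-server.cer' | Format-List
```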

Single Sign-On
| Description | Workaround |
| --- | --- |
| Under rare circumstances, the Novell SSO panel may display absent any check boxes. | Close the User Client Console and reopen. |
| If a user presses CTRL+ALT+DEL in Windows Vista, clicks Change Password, provides the incorrect old password causing an error or is prevented from changing their password due to Windows policies, and then cancels out, that user will be unregistered from SEE. | Visit http://support.microsoft.com/kb/936183. Obtain and apply the hotfix. |
| Password synchronization problems in Windows Vista could occur if users specify blank passwords. | Set the Windows policy to prevent users from specifying blank passwords. |

Section 508
| Description | Workaround |
| --- | --- |
| JAWS does not always announce all of the information displayed within the Registration wizard and User Client consoles. | Users should follow these steps: 1. Press INSERT+F9. 2. Select the frame that is of interest from the resultant Frames List dialog. 3. Click OK. 4. Press P. If this doesn’t work, restart JAWS and try the steps again. |




