How to use the Autologon Utility for Symantec Endpoint Encryption version 11.x

Article ID: 178697

Products

Endpoint Encryption

Issue/Introduction


Resolution

This article details the usage and implementation of the Symantec Endpoint Encryption Autologon Utility for version 11.x and above. The Autologon Utility allows a system to restart one or more times without requiring a user to authenticate at the Symantec Endpoint Encryption preboot authentication screen. This is useful when a reboot is required while there is not a user physically present at the machine. Software deployment and patch management situations are some examples. The utility may also be used to permanently disable the preboot authentication screen for situations that require it.

Note: Because it removes the need to authenticate at the preboot authentication screen, using the Autologon utility weakens the protection that Drive Encryption provides. Pay extra attention to the physical security of the machine while the Autologon utility is enabled.

The Autologon utility is deployed to clients as an MSI. Once the Autologon utility is installed on a client, its settings can be controlled via policy (GPO or SEE Native Policies) or by using the Drive Encryption Administrator Command Line utility on the client machine.

Process Overview:

  1. Install the Autologon server MSI on a machine with the Symantec Endpoint Encryption Management Console
    1. The MSI files are included with the initial server installers downloaded from Symantec
    2. The Symantec Endpoint Encryption Management Agent component must be installed first
    3. Credentials to connect to the database will be needed
  2. Use the Symantec Endpoint Encryption Management Console to generate the client MSI files.
    1. If the Autologon Utility Snap-in is not available, you may need to use Add/Remove Snap-ins to add it to the Management Console
    2. Provide the Management password to access the Autologon Utility
    3. Choose the initial install settings and click finish
  3. Install the client MSI on target machines
    1. A reboot will be required after installation
    2. If "Always Autologon" was chosen for the initial setting, the machine will begin bypassing preboot on this first reboot
    3. If "Autologon only when activated by admin locally" was chosen, credentials will need to be entered on this first reboot.



After the client MSI has been installed, the settings can be managed in one of the following ways:

Active Directory Group Policy


  1. If Directory Synchronization is enabled, and the machine is a member of the domain, GPOs can be used to manage settings for the Autologon Utility
  2. While editing a Group Policy Object from a machine that has the Symantec Endpoint Encryption Management Console installed, you can find Autologon settings in the following location:
    Computer Configuration > Policies > Software Settings > Symantec Endpoint Encryption > Drive Encryption > Autologon

Inside Group Policy Editor:

Note: For more information on managing Active Directory Group Policy settings for Symantec Endpoint Encryption, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using


Symantec Endpoint Encryption Native Policy

  1. If Directory Synchronization is not enabled, or the machine is not a member of the configured domain, Native Policies will be used to manage settings for the Autologon Utility
  2. Settings can be updated in the Symantec Endpoint Encryption Management Console from the "Symantec Endpoint Encryption Native Policy Manager" snap-in.

Inside the Symantec Endpoint Encryption Management Console:


Note: For more information on managing Symantec Endpoint Encryption Native Policy settings, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using



Drive Encryption Administrator Command Line Interface

  1. Symantec Endpoint Encryption Autologon settings may be managed from the client machine itself using the built-in Client Administrator Command Line Interface.
  2. The command line utility can be used to check the current status of Autologon, as well as enable or disable the utility.
  3. Only Drive Encryption Client Administrators can use the command line utility

Sample Commands:
To be run from the C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption directory inside Command Prompt
In the examples below, replace <Client Admin Username>, <Client Admin Password>, and <Number of bypasses> with the appropriate values

Check Status of Autologon:
eedadmincli --check-autologon --au <Client Admin Username> --ap <Client Admin Password>

Enable Autologon (the --count option is optional and defaults to 1 if not specified):
eedadmincli --enable-autologon --count <Number of bypasses> --au <Client Admin Username> --ap <Client Admin Password>

Disable Autologon:
eedadmincli --disable-autologon --au <Client Admin Username> --ap <Client Admin Password>

Note: For more information on the Administrator Command Line Interface, please see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide for the version you are using.
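The three commands above are normally typed by hand during a maintenance window. The following PowerShell script is an added example, not part of this article or of the Symantec product, that wraps them so the bypass count is bounded, the password is prompted for at run time rather than stored in the script, and the status is re-checked after enabling. It assumes the default install directory shown above, that the utility's file name is eedadmincli.exe, and that it returns exit code 0 on success; the utility's output text is relayed as-is rather than parsed, since its exact format is not documented here.

```powershell
<#
  Added example (not from the Symantec article): bounded, verified enablement
  of Autologon via eedadmincli, using the switches documented in the article.
  Assumptions: default install path; executable named eedadmincli.exe;
  exit code 0 means success. Output text is shown, not parsed.
#>
param(
    [Parameter(Mandatory)] [string] $ClientAdminUser,
    [Parameter(Mandatory)] [int]    $Count,
    [string] $InstallDir = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption',
    [int]    $MaxCount   = 3   # local ceiling chosen for this example, not a utility limit
)

$cli = Join-Path $InstallDir 'eedadmincli.exe'   # assumed file name
if (-not (Test-Path $cli)) { throw "eedadmincli not found at $cli" }
if ($Count -lt 1 -or $Count -gt $MaxCount) {
    throw "Count must be between 1 and $MaxCount; request the fewest reboots the task needs"
}

# Prompt at run time so the password never lands in the script file or a transcript.
$secure = Read-Host -Prompt "Client Administrator password for $ClientAdminUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

function Invoke-Eed {
    param([string[]] $CliArgs)
    # Run the utility with the documented --au/--ap authentication switches and
    # return both the exit code and the combined stdout/stderr text.
    $output = & $cli @CliArgs --au $ClientAdminUser --ap $plain 2>&1
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($output -join "`n") }
}

Write-Host 'Autologon status before:'
(Invoke-Eed -CliArgs @('--check-autologon')).Output

$r = Invoke-Eed -CliArgs @('--enable-autologon', '--count', "$Count")
if ($r.ExitCode -ne 0) {
    Write-Error "enable-autologon failed (exit $($r.ExitCode)):`n$($r.Output)"
    exit $r.ExitCode
}

Write-Host "Autologon enabled for $Count reboot(s). Status after:"
(Invoke-Eed -CliArgs @('--check-autologon')).Output

# Scrub the plaintext copy once the utility has been called.
$plain = $null
```

Run it as a Drive Encryption Client Administrator, for example `.\Enable-SeeAutologon.ps1 -ClientAdminUser admin1 -Count 2`. One caveat the script cannot remove: eedadmincli takes the password as a plain command-line argument (--ap), so it is visible to anyone who can list running processes on the host for as long as each call runs. Prompting only keeps it out of the script, shell history and transcripts. After the maintenance task, confirm the bypass count has been consumed with --check-autologon, or clear it explicitly with --disable-autologon.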