Symantec Endpoint Encryption uses a Preboot Authentication Screen (PBA) such that before a system will even boot, a passphrase must be entered and authenticated successfully. This is useful when a reboot is required while there is not a user physically present at the machine. There are some scenarios for when the PBA screen should be skipped, such as when performing Major Windows Feature Updates where an unattended process may be used. Symantec Endpoint Encryption includes Autologon functionality, which means the Preboot Authentication screen will be skipped when a system is booted up. In a scenario such as a Windows Feature Update (requires three reboots), the preboot screen can be skipped allowing the system to be upgraded seamlessly.
This article details the usage and implementation of the Symantec Endpoint Encryption Autologon Utility.
For troubleshooting Symantec Endpoint Encryption Autologon after upgrade, see the following article:
174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade
As mentioned, the Autologon Utility allows a system to restart one or more times without requiring a user to authenticate at the Symantec Endpoint Encryption preboot authentication screen. The utility may also be used to permanently disable the preboot authentication screen for situations that require it.
Note: Since it removes the need to authenticate to the preboot authentication screen, pay extra attention to the physical security of the machine while the Autologon utility is enabled. For example, if you do not know if a system if physically secure, it may be better to not enable Autologon at all.
In versions 11.3.0 and older, the Autologon utility was deployed to clients as an MSI. Once the Autologon utility was installed on a client, its settings can be controlled via policy or by using the Drive Encryption Administrator Command Line utility on the client machine depending on the situation. The older versions required two installation packages, one for SEE Drive Encryption and a separate autologon installer for the Autologon functionality.
Starting with 11.3.1 and above, the Autologon functionality is included in the SEE Client installer so only one MSI file is needed going forward. The overall functionality is largely the same, but there are some improvements in the newer verions, so Symantec Enterprise Division strongly recommends upgrading to the latest version to take advantage of this functionality.
Tip: See the "Additional Information" section of the article below for links to some of these articles.
1. With SEE 11.3.1 and above, when creating the SEE Client, the Autologon functionality will be included as part of the creation.
The policy that manages the Autologon client will then be part of the single SEE Client installer itself.
Never Autologon: This does *not* built in to the SEE Client package. If this option is chosen, in order to use Autologon, a new SEE Client must be created and re-deployed.
This option is not recommended except for special cases.
Autologon only when activated by Admin Locally (Autologon Admin Only): This option includes the Autologon functionality, but will be disabled by default.
If the SEE Client machine is put into a policy on SEE Management Server that enables Autologon, this will enable Autologon until policy states it should be disabled.
A local SEE Client Administrator can also enable Autologon on demand.
Always Autologon (Infinite Autologon): This option enables Autologon by default. Autologon will only disable if the SEE Client machine is put into a policy that disables it.
Autologon takes precedence over client monitor lockout: This means that if a SEE Client is unable to connect back to the SEE Management Server, Autologon will remain enabled.
Client Monitor Lockout takes precedence over Autologon: This means that if a SEE Client is unable to connect back to the SEE Management Server, Autolgon will disable.
TPM: Use TPM if Available: This means that if TPM is enabled on a machine (1.2 for BIOS minimum requirement, or 2.0 for UEFI minimum requirement), then if PCR codes 0, 2, or 4 are triggered, Autologon will disable.
Take care using this feature as Autologon can get disabled when triggered and could affect some systems that may be critical for Autologon to remain enabled.
With SEE 11.3.0 and older, follow these steps:
After the client MSI has been installed, the settings can be managed in one of the following ways:
Active Directory Group Policy
Inside Group Policy Editor:
Note: For more information on managing Active Directory Group Policy settings for Symantec Endpoint Endpoint Encryption, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using
Symantec Endpoint Encryption Native Policy
Inside the Symantec Endpoint Encryption Management Console:
Note: For more information on managing Symantec Endpoint Encryption Native Policy settings, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using
Drive Encryption Administrator Command Line Interface
Important Tip: If you would like to enable Autologon via the command line as SYSTEM account, consider using the Advanced Settings described in the following article:
To be run from the
C:\Program File\Symantec\Endpoint Encryption Clients\Drive Encryption directory inside Command Prompt
In the below examples, replace <Client Admin Username>, <Client Admin Password>, and <Number of bypasses> with the appropriate values
Check Status of Autologon:
eedadmincli --check-autologon --au <Client Admin Username> The above command will prompt for a passphrase that will not be visible on the screen. If you wish to enter the passphrase on the same command, add the "--ap" option followed by the passphrase, although this will be displayed on the screen.
Enable Autologon (The count option is optional with a default of 1 if not specified):
eedadmincli --enable-autologon --count <Number of bypasses> --au <Client Admin Username>
eedadmincli --disable-autologon --au <Client Admin Username>
Note: For more information on the Administrator Command Line Interface, please see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide for the version you are using.