How to use the Autologon Utility for Symantec Endpoint Encryption version 11

Article ID: 178697

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption uses a Preboot Authentication (PBA) screen: before a system will even boot, a passphrase must be entered and authenticated successfully. There are scenarios in which the PBA screen should be skipped, for example when a reboot is required while no user is physically present at the machine, or when performing Major Windows Feature Updates through an unattended process. Symantec Endpoint Encryption includes Autologon functionality, which causes the Preboot Authentication screen to be skipped when the system boots. In a scenario such as a Windows Feature Update (which requires three reboots), the preboot screen can be skipped, allowing the system to be upgraded seamlessly.

This article details the usage and implementation of the Symantec Endpoint Encryption Autologon Utility.

For troubleshooting Symantec Endpoint Encryption Autologon after upgrade, see the following article:

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade

Resolution

As mentioned, the Autologon Utility allows a system to restart one or more times without requiring a user to authenticate at the Symantec Endpoint Encryption preboot authentication screen. The utility may also be used to permanently disable the preboot authentication screen for situations that require it.

Note: Since Autologon removes the need to authenticate at the preboot authentication screen, pay extra attention to the physical security of the machine while the Autologon utility is enabled. For example, if you do not know whether a system is physically secure, it may be better not to enable Autologon at all.

In versions 11.3.0 and older, the Autologon utility was deployed to clients as a separate MSI. Once the Autologon utility was installed on a client, its settings could be controlled via policy or, depending on the situation, by using the Drive Encryption Administrator Command Line utility on the client machine. These older versions required two installation packages: one for SEE Drive Encryption and a separate Autologon installer for the Autologon functionality.

Starting with 11.3.1, the Autologon functionality is included in the SEE Client installer, so only one MSI file is needed going forward. The overall functionality is largely the same, but there are some improvements in the newer versions, so Symantec Enterprise Division strongly recommends upgrading to the latest version to take advantage of this functionality.

Tip: See the "Additional Information" section at the end of this article for links to related articles.



Process Overview:

1. With SEE 11.3.1 and above, the Autologon functionality is included when the SEE Client installer is created.

The policy that manages the Autologon client is then part of the single SEE Client installer itself.



Definitions:

Never Autologon: Autologon is *not* built in to the SEE Client package. If this option is chosen, a new SEE Client must be created and re-deployed before Autologon can be used. This option is not recommended except for special cases.

Autologon only when activated by Admin Locally (Autologon Admin Only): This option includes the Autologon functionality, but it is disabled by default. If the SEE Client machine is put into a policy on the SEE Management Server that enables Autologon, Autologon stays enabled until policy states it should be disabled. A local SEE Client Administrator can also enable Autologon on demand.

Always Autologon (Infinite Autologon): This option enables Autologon by default. Autologon is only disabled if the SEE Client machine is put into a policy that disables it.

Autologon takes precedence over client monitor lockout: If a SEE Client is unable to connect back to the SEE Management Server, Autologon remains enabled.

Client Monitor Lockout takes precedence over Autologon: If a SEE Client is unable to connect back to the SEE Management Server, Autologon is disabled.

TPM: Use TPM if Available: If a TPM is enabled on the machine (minimum TPM 1.2 on BIOS systems, or TPM 2.0 on UEFI systems), Autologon is disabled when the value of PCR 0, 2 or 4 changes. Take care with this feature: a PCR change disables Autologon, which could affect systems where it is critical for Autologon to remain enabled.

With SEE 11.3.0 and older, follow these steps:

  1. Install the Autologon server MSI on a machine with the Symantec Endpoint Encryption Management Console.
     Note: With SEE Clients 11.3.1 and above, the Autologon client is included in a single installer, so some of the steps below do not apply; the Autologon settings are instead part of the individual policies on the SEE Management Server. SEE Management Server 11.3.1 and above does not require this server installer file; only 11.3.0 and older clients do.
  2. The MSI files are included with the initial server installers downloaded from Symantec (11.3.0 and older).
  3. The Symantec Endpoint Encryption Management Agent component must be installed first (11.3.0 and older).
  4. Credentials to connect to the database will be needed (11.3.0 and older).
  5. Use the Symantec Endpoint Encryption Management Console to generate the Autologon client MSI files.
  6. If the Autologon Utility snap-in is not available, you may need to use Add/Remove Snap-ins to add it to the Management Console (11.3.0 and older).
  7. Provide the Management password to access the Autologon Utility (11.3.0 and older).
  8. Choose the initial install settings and click Finish. (In 11.3.1 and above this is a policy configuration page, whereas in 11.3.0 and older it was built in to the SEE Autologon client MSI.)
  9. Install the client MSI on target machines. (In 11.3.0 and older this separate installer was needed; in 11.3.1 and above, Autologon is included with the SEE Client installer.)
  10. A reboot is required after installation.
  11. If "Always Autologon" (also known as "Infinite Autologon") was chosen as the initial setting, the machine begins bypassing preboot on this first reboot, and the only time it will disable is if the SEE policy disables it.
      Use the Infinite Autologon policy with care, since it is enabled by default; if policy application fails in some scenarios, Autologon could re-enable.
  12. If "Autologon only when activated by admin locally" was chosen, credentials must be entered on this first reboot to enable Autologon as a one-off.

After the client MSI has been installed, the settings can be managed in one of the following ways:

Active Directory Group Policy

  1. If Directory Synchronization is enabled and the machine is a member of the domain, GPOs can be used to manage settings for the Autologon Utility.
  2. While editing a Group Policy Object from a machine that has the Symantec Endpoint Encryption Management Console installed, you can find the Autologon settings in the following location:
     Computer Configuration > Policies > Software Settings > Symantec Endpoint Encryption > Drive Encryption > Autologon

Inside Group Policy Editor:

Note: For more information on managing Active Directory Group Policy settings for Symantec Endpoint Encryption, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using.


Symantec Endpoint Encryption Native Policy

  1. If Directory Synchronization is not enabled, or the machine is not a member of the configured domain, Native Policies are used to manage settings for the Autologon Utility.
  2. Settings can be updated in the Symantec Endpoint Encryption Management Console from the "Symantec Endpoint Encryption Native Policy Manager" snap-in.

Inside the Symantec Endpoint Encryption Management Console:


Note: For more information on managing Symantec Endpoint Encryption Native Policy settings, please see the Symantec Endpoint Encryption Policy Administrator Guide for the version you are using.



Drive Encryption Administrator Command Line Interface

  1. Symantec Endpoint Encryption Autologon settings may be managed from the client machine itself using the built-in Client Administrator Command Line Interface.
  2. The command line utility can be used to check the current status of Autologon, as well as to enable or disable the utility.
  3. Only Drive Encryption Client Administrators can use the command line utility.

Important Tip: If you would like to enable Autologon via the command line as the SYSTEM account, consider using the Advanced Settings described in the following article:

213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings

 

Sample Commands:
Run these from the C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption directory in a Command Prompt.
In the examples below, replace <Client Admin Username>, <Client Admin Password>, and <Number of bypasses> with the appropriate values.

Check status of Autologon:
eedadmincli --check-autologon --au <Client Admin Username>

The above command prompts for a passphrase, which is not echoed to the screen. To supply the passphrase on the same command line, add the "--ap" option followed by the passphrase; note that it will then be displayed on the screen.

Enable Autologon (the --count option is optional and defaults to 1 if not specified):
eedadmincli --enable-autologon --count <Number of bypasses> --au <Client Admin Username>

Disable Autologon:
eedadmincli --disable-autologon --au <Client Admin Username>

Note: For more information on the Administrator Command Line Interface, please see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide for the version you are using.
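As an added example (not part of the original article and not Symantec's own code), the PowerShell script below wraps the three eedadmincli commands above for an unattended Feature Update: it records the current status, enables Autologon for a set number of bypasses (three, matching the reboots a Feature Update needs), and confirms the change, logging every call. It assumes eedadmincli.exe exits with 0 on success; the text printed by --check-autologon is only logged, not parsed.

```powershell
# Added example, not part of the original article: enable SEE Autologon for a fixed
# number of reboots (e.g. before a Windows Feature Update), logging each eedadmincli call.
# Assumption not stated in the article: eedadmincli.exe exits 0 on success.
param(
    [Parameter(Mandatory)][string]$ClientAdminUser,
    [ValidateRange(1, 100)][int]$Bypasses = 3,      # a Feature Update needs three reboots
    [string]$LogPath = "$env:ProgramData\see-autologon.log"
)

$cliDir = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption'
$cli    = Join-Path $cliDir 'eedadmincli.exe'
if (-not (Test-Path $cli)) { throw "eedadmincli.exe not found at $cli" }

# Collect the passphrase without echoing it. It is still handed over with --ap, so it is
# visible in the process command line while the CLI runs (the trade-off the article
# describes for non-interactive use); it is decoded only for the duration of each call.
$securePass = Read-Host -Prompt "Passphrase for $ClientAdminUser" -AsSecureString

function Invoke-SeeCli {
    param([string[]]$CliArgs)
    $plain  = [System.Net.NetworkCredential]::new('', $securePass).Password
    $output = & $cli @CliArgs --au $ClientAdminUser --ap $plain 2>&1
    $code   = $LASTEXITCODE
    $plain  = $null
    # Log the action, exit code and CLI output, but never the passphrase.
    $stamp = (Get-Date).ToString('s')
    $lines = @("$stamp eedadmincli $($CliArgs -join ' ') exit=$code") +
             @($output | ForEach-Object { "  $_" })
    Add-Content -Path $LogPath -Value $lines
    if ($code -ne 0) { throw "eedadmincli $($CliArgs[0]) failed with exit code $code" }
    return $output
}

Push-Location $cliDir      # the article runs the commands from this directory
try {
    Invoke-SeeCli -CliArgs '--check-autologon'                             # status before
    Invoke-SeeCli -CliArgs '--enable-autologon', '--count', "$Bypasses"    # enable N bypasses
    Invoke-SeeCli -CliArgs '--check-autologon'                             # confirm the change
}
finally {
    Pop-Location
}
```

Run it as a Drive Encryption Client Administrator immediately before starting the unattended update, and review the log afterwards to confirm the bypass count that was applied.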
 

Additional Information

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

213082 - Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above

213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings

227535 - Symantec Endpoint Encryption Autologon Reporting

213079 - Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade