Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings
Article ID: 213085

Products: Endpoint Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, Desktop Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption can enable or disable the SEE Autologon functionality. This is useful for Windows upgrades, or when you need to perform an unattended install of an application that requires one or more reboots. Autologon can be enabled via policy or on demand, and on-demand enabling/disabling can be done in several ways. This article covers the Advanced Settings that enable it via policy or via the SEE Client Installer.


Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above

Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above

Tip: See the "Additional Information" section of the article below for links to some of these articles.

Resolution

When you go through the SEE Client creation wizard, you will see the Advanced Settings page. It looks different depending on the version of SEE Management Server you are running:


Symantec Endpoint Encryption Management Server version 12


Starting with SEE version 12, the Policies are configured via the Web portal. For information to upgrade to SEE 12, see the following article:

179347 - HOW TO: Install/Upgrade Symantec Endpoint Encryption Management Server (SEE Management Server)


For information on how to use the new web portal, see the following articles:

206503 - How to find your license number for Symantec Encryption products

240649 - Symantec Endpoint Encryption Web Dashboard and Reports

276507 - How to: Enter your License information for Symantec Endpoint Encryption version 12

276501 - Groups, Policies, and Client Creation with Symantec Endpoint Encryption version 12

The following screenshot shows all the available settings configured as Symantec Encryption recommends, rather than with their default values:

Notice that the "Client Admin Privilege (AD User Group)" option is configured with domain\security-group. Anyone in this group is granted client administrator privileges.
Of course, put only the most trusted SEE Client Admins in this group.

Next, "Allow Autologon Management for SYSTEM User" is enabled. This allows you to enable Autologon via the SYSTEM account.
If you are doing a Windows update, you can issue the enable-autologon command before the update takes place, and disable it again at the end of the update.
This makes it very easy to perform Windows Feature Updates, which usually require three reboots.

Example:

eedAdminCli --enable-autologon --count 3

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon


Next, "Preboot Shutdown Timeout" is set to 5, so the machine is powered off if it sits at the Preboot screen for 5 minutes.

The "Allow SSO Hibernation" option should be used to require only one login after coming out of Hibernation.
Note: Sleep is not hibernation and does not invoke the preboot screen.

TIP: Symantec recommends using the settings described above for the reasons given. You may need to update your policies, as these settings were hidden in previous versions.
SEE 12 now makes it easy to adjust these parameters.

The remaining settings are for specific use cases and should be used only as needed.

The "Allow Client Uninstallation (AD User Group)" setting should be used only if the SEE-RME Only product is installed.
If Drive Encryption is installed, it already prevents uninstalling the product, so this setting is not recommended when Drive Encryption is in use.

The "Allow Client Uninstallation for SYSTEM User Only" setting should be used only if the SEE-RME Only product is installed.
If Drive Encryption is installed, it already prevents uninstalling the product, so this setting is not recommended when Drive Encryption is in use.

The "Alternate File Writing Method for CD/DVD Method" option is a good choice when burning optical media.
It uses twice as much disk space as the optical media, but provides additional error checking to ensure the burn is successful.




SEE 11.3.1 MP1 through SEE 11.4 MP2:




Client Admin Privilege (AD User Group)
As you can see in the screenshot above, there are two advanced settings that can be used. The first setting highlighted above is "Client Admin Privilege (AD User Group)", which takes a domain\group value. In the example above, the domain "Domain" and the AD security group "SEE Administrators" have been entered. You would then add administrators to the "SEE Administrators" group; when those admins run any eedadmincli.exe command, their permissions are automatically elevated and no passphrase is needed at the command prompt.

If the AD user "Bobby" was added to the SEE Administrators group, then to enable autologon you would enter the following command while running as "bobby" in the user context:

eedAdminCli --enable-autologon --count 3

As you can see, no authentication is needed here.

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon



Note: Only one AD Group can be configured.  If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).


Allow Autologon Management for SYSTEM user
The next Advanced Setting listed above is "Allow Autologon Management for SYSTEM user". This setting is either "False" or "True". Once it is enabled (set to True, as the screenshot above shows), the SYSTEM account is able to enable Autologon. This is especially useful when doing Windows 10 upgrades. To enable autologon from the SYSTEM context, the same command is used:

eedAdminCli --enable-autologon --count 3


When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon
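The enable-before / disable-after sequence shown in this section and in the version 12 section above, wrapped in a script. This is an added example, not Symantec's code. It assumes eedAdminCli.exe is at the default Drive Encryption client install path (an assumption; adjust for your environment), that a non-zero exit code from eedAdminCli signals failure (also an assumption), and that the caller is either SYSTEM with "Allow Autologon Management for SYSTEM User" enabled or a member of the configured Client Admin AD group. Because a Feature Update reboots the machine, the script runs in two phases: Pre before the upgrade starts, and Post from a step your deployment tool runs after the final reboot, so the preboot bypass is removed as soon as it is no longer needed.

```powershell
<#
  Added example (not Symantec's code): wraps eedAdminCli around a Windows
  Feature Update so autologon is enabled only for the upgrade window and
  disabled again afterwards.

  Usage from the deployment tool, running as SYSTEM or as a member of the
  Client Admin AD group:
    powershell -ExecutionPolicy Bypass -File .\Set-SeeAutologon.ps1 -Phase Pre -RebootCount 3
    ... run the Feature Update installer, which reboots the machine ...
    powershell -ExecutionPolicy Bypass -File .\Set-SeeAutologon.ps1 -Phase Post
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Pre', 'Post')]
    [string]$Phase,

    # Number of automatic logons to allow; the article uses 3 for a Feature Update.
    [ValidateRange(1, 10)]
    [int]$RebootCount = 3,

    # Assumed default install path; change it if the client is installed elsewhere.
    [string]$EedAdminCli = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\eedAdminCli.exe'
)

function Invoke-EedAdminCli {
    param([string[]]$Arguments)

    if (-not (Test-Path -LiteralPath $EedAdminCli)) {
        throw "eedAdminCli.exe not found at '$EedAdminCli'"
    }
    # Run the CLI and return its exit code. Output stays on the console so the
    # deployment tool's log captures whatever the client reported.
    $proc = Start-Process -FilePath $EedAdminCli -ArgumentList $Arguments `
                          -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

switch ($Phase) {
    'Pre' {
        # Enable autologon for a bounded number of reboots before the upgrade starts.
        $rc = Invoke-EedAdminCli @('--enable-autologon', '--count', "$RebootCount")
        if ($rc -ne 0) {
            # Do not start an unattended upgrade that would stall at the preboot screen.
            throw "enable-autologon failed with exit code $rc; aborting before the upgrade"
        }
        Write-Output "Autologon enabled for $RebootCount reboot(s)"
    }
    'Post' {
        # Remove the autologon user as soon as the upgrade has finished, even if
        # fewer than $RebootCount reboots were consumed.
        $rc = Invoke-EedAdminCli @('--disable-autologon')
        if ($rc -ne 0) {
            throw "disable-autologon failed with exit code $rc; autologon may still be active"
        }
        Write-Output 'Autologon disabled'
    }
}
```

The Post phase is the important half: the --count value caps how many reboots bypass preboot, but disabling explicitly once the upgrade completes means the bypass does not linger if the update needed fewer reboots than planned.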





SEE 11.3.0:


As you can see, the parameter names above differ, but the functionality is the same. In SEE 11.3.1 MP1 the names were improved for clarity.

The "de.clientAdmin.adGroupName" parameter in 11.3.0 and earlier is the same as "Client Admin Privilege (AD User Group)" in version 11.3.1 MP1; only the name was improved for clarity. It works the same way as in SEE 11.3.1 MP1.

Note: Only one AD Group can be configured.  If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).


The "de.autoLogon.allowSystemUserManagement" parameter in 11.3.0 is the same as "Allow Autologon Management for SYSTEM user" in 11.3.1 MP1. Again, only the name was improved for clarity; the functionality is the same.


In older versions of SEE, the same settings apply, but with a shorter list of options available. Both "de.clientAdmin.adGroupName" and "de.autoLogon.allowSystemUserManagement" work in the same manner as explained in the 11.3.1 MP1 section above.


Additional Information