Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings
search cancel

Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings

book

Article ID: 213085

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption has the ability to enable//disable the SEE Autologon functionality.  This is useful for Windows upgrades or when you may  need to do an unattended install of an application that requires rebooting.  Enabling the Autologon client can be done via policy, or on-demand.  When enabling/disabling Autologon on demand, it can be executed in several ways.  This article will cover the Advanced Settings to enable this via policy or via the SEE Client Installer.

 

Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above

Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above

Tip: See the "Additional Information" section of the article below for links to some of these articles.

Resolution

When you go through the SEE Client creation wizard, you'll see the Advanced Settings page and looks different depending on the version of SEE Management Server you are running:



SEE 11.3.1 MP1 and above:



Client Admin Privilege (AD User Group)
As you can see in the screenshot above, there are two advanced settings that can be used.  The first setting highlighted above is "Client Admin Privilege (AD User Group)" with the domain\group.  In example above, the domain of "Domain" has been entered, and an AD Security group of "SEE Administrators" has been entered.  You would then add administrators to the "SEE Administrators" group and then when admins run any eedadmincli.exe command, their permissions are automatically elevated and no passphrase is needed at the command prompt.  

If the AD user "Bobby" was added to the SEE Administrators group, then to enable autologon, you'd enter the following command running as "bobby" in the user context:

eedAdminCli --enable-autologon --count 3

As you can see, no authentication is needed here.

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon



Note: Only one AD Group can be configured.  If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).


Allow Autologon Management for SYSTEM user
The next Advanced Setting listed above is "Allow Autologon Management for SYSTEM user".  This setting is either "False" or "True".   Once this is enabled (set to True as the screenshot above shows), then the SYSTEM account is able to enable Autologon.  This is especially useful when doing Windows 10 upgrades.  To enable autologon, running the command as SYSTEM context, the same command is used:

eedAdminCli --enable-autologon --count 3

 

When you are done with the Windows upgrade, you can remove the autologon user:

eedAdminCli --disable-autologon

 

 



SEE 11.3.0:  

As you can see the above names are different, but they are the same in functionality.  In SEE 11.3.1 MP1 the names were improved for clarity.

The "de.clientAdmin.adGroupName" parameter in 11.3.0 and earlier is the same as ""Client Admin Privilege (AD User Group)"in version 11.3.1 MP1.  The name was improved for clarity. The way this works is the same as in SEE 11.3.1 MP1.

Note: Only one AD Group can be configured.  If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).

 

The "de.autoLogon.allowSystemUserManagement" parameter in 11.3.0 is the same as "Allow Autologon Management for SYSTEM user" in 11.3.1 MP1.  The name again was improved for clarity and the functionality is the same.

 

 

In older versions of SEE, the same settings would apply, but with a shorter list of options available.  both "de.clientAdmin.adGroupName" and "de.autoLogon.allowSystemUserManagement" work in the same manner as explained in the 11.3.1 MP1 section above.

 

Additional Information

ISFR-1822
ISFR-2360

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

213082 - Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above

227535 - Symantec Endpoint Encryption Autologon Reporting

213079 - Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade or Autologon will not Enable

 

Attachments