Symantec Endpoint Encryption (SEE) lets you enable or disable the SEE Autologon functionality. This is useful for Windows upgrades or when you need to do an unattended install of an application that requires rebooting. The Autologon client can be enabled via policy or on demand, and enabling or disabling it on demand can be done in several ways. This article covers the Advanced Settings used to enable this via policy or via the SEE Client Installer.
The Symantec Endpoint Encryption Autologon client is included by default in version 11.3.1 and above.
Tip: See the "Additional Information" section of the article below for links to some of these articles.
When you go through the SEE Client creation wizard, you'll see the Advanced Settings page, which looks different depending on the version of SEE Management Server you are running:
SEE 11.3.1 MP1 and above:
Client Admin Privilege (AD User Group)
As you can see in the screenshot above, there are two advanced settings that can be used. The first setting highlighted above is "Client Admin Privilege (AD User Group)", which takes a value in the form domain\group. In the example above, the domain "Domain" and the AD Security group "SEE Administrators" have been entered. You would then add administrators to the "SEE Administrators" group. When those admins run any eedadmincli.exe command, their permissions are automatically elevated and no passphrase is needed at the command prompt.
If the AD user "Bobby" was added to the SEE Administrators group, then to enable autologon, you'd enter the following command while running as "Bobby" in the user context:
eedAdminCli --enable-autologon --count 3
As you can see, no authentication is needed here.
When you are done with the Windows upgrade, you can remove the autologon user:
eedAdminCli --disable-autologon
Note: Only one AD Group can be configured. If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).
Allow Autologon Management for SYSTEM user
The next Advanced Setting listed above is "Allow Autologon Management for SYSTEM user". This setting is either "False" or "True". Once this is enabled (set to True, as the screenshot above shows), the SYSTEM account is able to enable Autologon. This is especially useful when doing Windows 10 upgrades. To enable autologon from the SYSTEM context, the same command is used:
eedAdminCli --enable-autologon --count 3
When you are done with the Windows upgrade, you can remove the autologon user:
eedAdminCli --disable-autologon
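The enable and disable steps above, as a wrapper a deployment tool could call once before and once after the upgrade. This is an added example, not code from the article or from Symantec. The install path is a placeholder, and the script assumes eedAdminCli returns a non-zero exit code on failure, which the article does not document.

```powershell
# Added example, not Symantec's code. Called once before and once after the upgrade.
# Assumptions: the install path below is a placeholder, and eedAdminCli returns a
# non-zero exit code on failure (the article does not document exit codes).
param(
    [Parameter(Mandatory)]
    [ValidateSet('Enable', 'Disable')]
    [string]$Phase,
    [string]$EedAdminCli = 'C:\PLACEHOLDER\eedAdminCli.exe',  # placeholder path
    [int]$Count = 3                                            # value used in the article
)

$ErrorActionPreference = 'Stop'

function Test-IsSystem {
    # S-1-5-18 is the well-known SID of the LocalSystem account.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    return $sid.Value -eq 'S-1-5-18'
}

function Invoke-EedAdminCli {
    param([string[]]$Arguments)
    & $EedAdminCli @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "eedAdminCli $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

if (-not (Test-IsSystem)) {
    throw 'This script is meant for the SYSTEM context used by the deployment tool.'
}
if (-not (Test-Path -LiteralPath $EedAdminCli -PathType Leaf)) {
    throw "eedAdminCli not found at '$EedAdminCli'."
}

switch ($Phase) {
    'Enable'  { Invoke-EedAdminCli -Arguments @('--enable-autologon', '--count', "$Count") }
    'Disable' { Invoke-EedAdminCli -Arguments @('--disable-autologon') }
}

# One record for the deployment log so each enable can be matched to a later disable.
[pscustomobject]@{
    Time     = (Get-Date).ToString('o')
    Computer = $env:COMPUTERNAME
    Phase    = $Phase
}
```

Run the Disable phase as the first post-upgrade task, and review the deployment log for any machine that has an Enable record without a matching Disable.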
SEE 11.3.0:
As you can see, the names above are different, but the functionality is the same. In SEE 11.3.1 MP1 the names were improved for clarity.
The "de.clientAdmin.adGroupName" parameter in 11.3.0 and earlier is the same as "Client Admin Privilege (AD User Group)" in version 11.3.1 MP1. It works the same way as in SEE 11.3.1 MP1.
Note: Only one AD Group can be configured. If more groups are needed, please contact Symantec Encryption Support for more details on logging a Feature Request (EPG-23217).
The "de.autoLogon.allowSystemUserManagement" parameter in 11.3.0 is the same as "Allow Autologon Management for SYSTEM user" in 11.3.1 MP1. Again, the name was improved for clarity and the functionality is the same.
In older versions of SEE, the same settings apply, but with a shorter list of options available. Both "de.clientAdmin.adGroupName" and "de.autoLogon.allowSystemUserManagement" work in the same manner as explained in the 11.3.1 MP1 section above.