ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Encryption Lockout Monitoring feature

book

Article ID: 214020

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption (SEE) uses state-of-the-art drive encryption technology and as part of this includes the ability to lockout machines that have not checked in with the SEE Management Server in a certain amount of days.

 

Resolution

When the SEE Client is created, you can specify the certain amount of days left before the client will be locked out:

In the screenshot above, the defaults are listed.  If the SEE Client does not check in within 15 days, the system will be locked out. Five days before the system reaches the 15-day threshold, the end user will be presented with a message that the client must check in soon or the system will go into a "lockout" mode.

Also, if you go into the SEE Management Agent, you'll see the following when the system is in the warning period:

When this happens, the user will be presented with a message that the system will be locked out and once this happens, even if the user knows the proper passphrase the system will be unable to boot and only a recovery key or SEE Client Administrator will be able to boot the system up.  

This setting can also be configured in the policy if you find that the number of days before lockout may have been too aggressive.  Once the user checks in, the client will download the new value.  SEE Client Administrators can also login to the system locally to extend the lockout period.

Symantec Endpoint Encryption Management Server 11.3.1 includes a report that will allow you to see which machines will enter a lockout period, as well as systems that are locked out.  Check the box "Include computers with 'Locked Out' and 'Extended Contact Period' status" to show all systems that have been locked out or extended lockout period was invoked.  Uncheck the box to see systems that have simply entered the warning period:

 

 

There is another report "Non-Reporting Computers" that can help you determine which machines haven't checked in within X days.  In the screenshot below, all the machines are listed that have not checked in to the SEE Management Server within 100 days:

 

Troubleshooting

 

Important Note: The SEE Client Monitor Lockout feature is related to only the "check in" functionality of the client.  For example, if you open the SEE Management Agent client and click the check in button, then the client will connect to the server.  This will reset the counter for the client monitor lockout feature.  This works the same with both the "SEE Native Policy" as well as "GPO Policy". 

With SEE Native Policy, once it gets policy this would count as a "Check in".

With GPO policy, the policy is delivered via GPO, or whenever a "gpupdate" routine runs.  This will *not* reset the SEE Client Lockout counter. The SEE Client must "check in" to update this counter. 
For more information on the SEE Policy methodologies, see the following article:

237667 - Symantec Endpoint Encryption Policy Configuration Options and Considerations


Scenario 1:
If you have a machine that has been encrypted with Symantec Endpoint Encryption and it has been stored beyond the lockout period, upon booting the system, only an administrator can unlock the system.
Answer: This is by design as the SEE Native encryption will continue the counter, even if the system is powered off.


Scenario 2: SEE Clients are getting locked out even though machines are turned on.
Answer: If your SEE Client is running, it also needs to be able to check in with the SEE Management Server.  If you have a machine that needs to check in, but is not on network, you would want to start the VPN, then check in with the client and then this should reset the counter for lockout.  If you have a system, even if you boot up the machine, if the client never checks in, the system can get locked out.


Scenario 3: Clients are checking in with the server, but the lockout period is not updated, or the Next Check In period may even say "Unable to Fetch".


Answer: This issue is resolved in 11.3.1 MP1HF1 and above.   Once the SEE Management Server is updated to this build, a new client can be created and deployed and will resolve this issue. 

If this issue continues to persist, please submit a ticket to Symantec Support for further troubleshooting.

 

Additional Information

237667 - Symantec Endpoint Encryption Policy Configuration and Considerations

EPG-23360

Attachments