Symantec Endpoint Encryption Single-Sign On with Hibernation

Article ID: 214039

Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption includes a Single Sign-On (SSO) feature: once a user is registered with Drive Encryption, the credentials entered at the preboot screen when the machine is powered on are the user's own Windows credentials. Those credentials are passed through to the Windows logon, so the user is signed in to their Windows profile automatically.

When a machine hibernates, the Windows state is written to a file on disk (hiberfil.sys). Because the disk is fully encrypted, that file is encrypted as well, and the preboot screen is invoked when the machine resumes from hibernation.

If you are transporting a machine, hibernating it is more secure than putting it to "sleep": resuming from hibernation requires the user's credentials at the preboot screen, whereas a sleeping machine keeps its state in memory and resumes without passing through the preboot screen.

By default, when resuming from hibernation the user enters their Windows credentials at the preboot screen, the system resumes from hibernation, and Windows then presents the logon screen again. The user has to enter the same credentials a second time to log in.

_______________________________________________________________________________

Hibernate - the saved state is written to an encrypted file:
The following screenshot shows the "Hibernate" option, which invokes the preboot screen on resume (Recommended):

This option is supported by the "Single Sign-On with Hibernation" feature.

If you only "Sleep" a machine, the preboot screen is *not* invoked on resume (less secure), so it is recommended to enable the actual Hibernate option shown above.

_______________________________________________________________________________

Sleep - the saved state is kept in memory while the machine is in a low-power state:
The following screenshot shows the "Sleep" option (Not Recommended).

Resuming from sleep simply brings the machine out of the low-power state; the preboot screen is not invoked, so the machine is not protected by it:

This option is *not* supported by the "Single Sign-On with Hibernation" feature because the preboot screen is never invoked.

_______________________________________________________________________________

Resolution

Symantec Endpoint Encryption 11.3.1 adds a feature so that, when SSO is in use, the user needs to enter their Windows credentials only once, at the preboot screen. The system resumes from hibernation and this time logs in to Windows automatically.

To enable this feature, create the SEE Client package with "Allow SSO with Hibernation" set to "True":

Once this setting is configured, the system prompts for credentials once on resume and then logs in to Windows automatically. The setting can also be configured via policy on the SEE Management Server.

Troubleshooting: 

Disable Fast Startup in Windows and Quick Boot in BIOS:

In Windows, there is a Power Management setting called "Fast Startup" (Control Panel > Power Options > Choose what the power buttons do > "Turn on fast startup"):

Fast Startup is a hybrid shutdown: instead of a full shutdown, the kernel session is saved to the hibernation file and restored at the next boot. This changes how the system boots and can cause unexpected behaviour, such as keyboards not working at the preboot screen, SSO not automatically logging in to Windows, or other problems.
Disable this setting (uncheck "Turn on fast startup") for best results with Symantec Drive Encryption (both SEE and PGP).

Check the BIOS/UEFI setup as well for any Fast Boot / Quick Start / Quick Boot setting. These options skip initialising some peripherals during boot and can prevent external keyboards from working at the preboot screen; they can also cause logon failures, especially when USB 3.0 ports are in use. Fast/Quick Boot does not noticeably shorten the boot process, so disabling it will not cause a performance problem in most cases. It may be necessary to disable both the Windows setting and the BIOS setting before the problem goes away.

Note: BIOS vendors such as Lenovo, Dell and HP name these boot settings differently. On Dell systems, for example, the Fastboot option takes the values Minimal, Thorough and Auto, and "Thorough" is the value that disables fast boot.
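The following PowerShell is added here as a worked example; it is not part of the original article and not a Symantec tool. It performs the Windows side of the troubleshooting steps above and of the earlier Hibernate-versus-Sleep recommendation: it checks and disables Fast Startup, makes sure hibernation is enabled so that resume goes through the preboot screen, verifies the result with powercfg, and shows how to hibernate (rather than sleep) before transporting the machine. It assumes an elevated PowerShell session on a SEE Drive Encryption client. The registry value HiberbootEnabled and the powercfg and shutdown commands are standard Windows; the BIOS/UEFI Fast Boot setting still has to be changed in firmware setup by hand, and the SEE policy setting "Allow SSO with Hibernation" is not touched because this page does not document where the client stores it.

```powershell
# Added example (not from the Symantec KB article or from Symantec tooling).
# Run from an elevated PowerShell session on the SEE client.
# Assumptions: Windows 8 or later, where Fast Startup is controlled by the
# HiberbootEnabled value shown below.

$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

# 1. Fast Startup (hybrid shutdown). 1 = on (not recommended with Drive
#    Encryption), 0 = off. This is the same switch as the
#    "Turn on fast startup" checkbox in Power Options.
$fastStartup = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
    -ErrorAction SilentlyContinue).HiberbootEnabled
Write-Host "Fast Startup (HiberbootEnabled) before: $fastStartup"

if ($fastStartup -ne 0) {
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    Write-Host "Fast Startup disabled (HiberbootEnabled = 0)."
}

# 2. Hibernation must be available, otherwise the only low-power option the
#    user gets is Sleep, which never invokes the preboot screen on resume.
#    'powercfg /hibernate on' creates hiberfil.sys and enables Hibernate.
powercfg /hibernate on

# 3. Verify. 'powercfg /a' lists which sleep states are available on the
#    system: "Hibernate" should be listed as available, and "Fast Startup"
#    should now be reported as not available.
$states = powercfg /a
$states | ForEach-Object { Write-Host $_ }

if ($states -match 'Fast Startup' -and -not ($states -match 'Fast Startup is disabled|Fast Startup' -and $states -match 'not available')) {
    Write-Warning "Fast Startup still appears available; reboot and re-check."
}

# 4. Before transporting the machine, hibernate it instead of sleeping it.
#    The next power-on passes through the SEE preboot screen; with
#    "Allow SSO with Hibernation" enabled the user authenticates once there
#    and is logged in to Windows automatically.
#    Uncomment to hibernate immediately:
# shutdown /h
```

After running the script, confirm the preboot behaviour end to end: hibernate the machine with `shutdown /h`, power it back on, authenticate once at the preboot screen and check that Windows resumes straight into the user's session without a second logon prompt. If an external keyboard still does not respond at preboot, the remaining culprit is usually the firmware Fast Boot setting, which this script cannot change.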

HP BIOS:

Additional Information

153530 - Best Practices: Symantec Endpoint Encryption and Symantec Drive Encryption