Symantec Endpoint Encryption Autologon Reporting
search cancel

Symantec Endpoint Encryption Autologon Reporting

book

Article ID: 227535

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption uses a Preboot Authentication Screen (PBA) such that before a system will even boot, a passphrase must be entered and authenticated successfully.  There are some scenarios for when the PBA screen should be skipped, such as when performing Major Windows Feature Updates where an unattended process may be used.  Symantec Endpoint Encryption includes Autologon functionality, which means the Preboot Authentication screen will be skipped when a system is booted up.  In a scenario such as a Windows Feature Update (requires three reboots), the preboot screen can be skipped allowing the system to be upgraded seamlessly.

Symantec Endpoint Encryption Management Server includes reporting functionality so that you can see which machines in the environment have Autologon enabled.

 

Tip: See the "Additional Information" section of the article below for links to some of these articles.

Resolution

In order to take advantage of this reporting, the SEE Clients must be on version 11.3.1 or above.  If you are using Symantec Endpoint Encryption 11.3.0 or older, the clients did not have the capability to report back to the server any Autologon status.  See the following image for how this report can be viewed:

If you would like to check the status of the autologon client, you can run the following command, which will display the status:

eedadmincli --check-autologon --au <Client Admin Username> 

The above command will prompt you for the passphase.  If you would like to run the command without any interactive prompt, add the --ap option to the command and enter the passphrase right after it.

Additionally, starting with 

 

Once the command has run, you can then see if Autologon has been enabled or not.  The following is the output of a system where Autologon has been enabled:

Autologon Enabled
TPM Usage: Yes
No. of reboots remaining: 1
Request sent to Check autologon was successful

 

 

If Autologon is disabled, the following will be displayed:


"Autologon is Disabled
Request sent to Check autologon was successful"

 

To take advantage of this new reporting capability, Symantec Enterprise Division recommends upgrading to latest versions of SEE 11.3.1 and above.

For more information on using the Autologon functionality, see the following article:

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

 

See the following article for information on scenarios where Autologon may become disabled to avoid running into any of these scenarios:

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade

 

As you can see, there are several entries where the status shows "Unknown" across the board. This is because the clients in this state are on 11.3.0 or older.  The values that show a status are SEE 11.3.1 clients and have the capability to report back to the server. 

Additional Information