ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Encryption Autologon Reporting


Article ID: 227535


Updated On:


Endpoint Encryption


Symantec Endpoint Encryption uses a Preboot Authentication Screen (PBA) such that before a system will even boot, a passphrase must be entered and authenticated successfully.  There are some scenarios for when the PBA screen should be skipped, such as when performing Major Windows Feature Updates where an unattended process may be used.  Symantec Endpoint Encryption includes Autologon functionality, which means the Preboot Authentication screen will be skipped when a system is booted up.  In a scenario such as a Windows Feature Update (requires three reboots), the preboot screen can be skipped allowing the system to be upgraded seamlessly.

Symantec Endpoint Encryption Management Server includes reporting functionality so that you can see which machines in the environment have Autologon enabled.


Tip: See the "Additional Information" section of the article below for links to some of these articles.


In order to take advantage of this reporting, the SEE Clients must be on version 11.3.1 or above.  If you are using Symantec Endpoint Encryption 11.3.0 or older, the clients did not have the capability to report back to the server any Autologon status.  See the following image for how this report can be viewed:

If you would like to check the status of the autologon client, you can run the following command, which will display the status:

eedadmincli --check-autologon --au <Client Admin Username> 

The above command will prompt you for the passphase.  If you would like to run the command without any interactive prompt, add the --ap option to the command and enter the passphrase right after it.

Additionally, starting with 


Once the command has run, you can then see if Autologon has been enabled or not.  The following is the output of a system where Autologon has been enabled:

Autologon Enabled
TPM Usage: Yes
No. of reboots remaining: 1
Request sent to Check autologon was successful



If Autologon is disabled, the following will be displayed:

"Autologon is Disabled
Request sent to Check autologon was successful"


To take advantage of this new reporting capability, Symantec Enterprise Division recommends upgrading to latest versions of SEE 11.3.1 and above.

For more information on using the Autologon functionality, see the following article:

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11


See the following article for information on scenarios where Autologon may become disabled to avoid running into any of these scenarios:

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade


As you can see, there are several entries where the status shows "Unknown" across the board. This is because the clients in this state are on 11.3.0 or older.  The values that show a status are SEE 11.3.1 clients and have the capability to report back to the server. 

Additional Information

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

213082 - Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above

213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings

213079 - Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above

174999 - Symantec Endpoint Encryption Autologon disables at preboot after upgrade