Symantec Endpoint Encryption uses a Preboot Authentication Screen (PBA): before a system will even boot, a passphrase must be entered and authenticated successfully. In some scenarios the PBA screen should be skipped, such as Major Windows Feature Updates, where an unattended process may be used. Symantec Endpoint Encryption includes Autologon functionality, which skips the Preboot Authentication screen when a system is booted. In a scenario such as a Windows Feature Update (which requires three reboots), the preboot screen can be skipped, allowing the system to be upgraded seamlessly.
Symantec Endpoint Encryption Management Server includes reporting functionality so that you can see which machines in the environment have Autologon enabled.
Tip: See the "Additional Information" section of the article below for links to some of these articles.
To take advantage of this reporting, the SEE clients must be on version 11.3.1 or above. Clients on Symantec Endpoint Encryption 11.3.0 or older do not have the capability to report Autologon status back to the server. See the following image for how this report can be viewed:
If you would like to check the Autologon status on a client, you can run the following command, which will display the status:
eedadmincli --check-autologon --au <Client Admin Username>
The above command will prompt you for the passphrase. To run the command without any interactive prompt, add the --ap option to the command and enter the passphrase right after it.
Additionally, starting with
Once the command has run, you can then see if Autologon has been enabled or not. The following is the output of a system where Autologon has been enabled:
TPM Usage: Yes
No. of reboots remaining: 1
Request sent to Check autologon was successful
If Autologon is disabled, the following will be displayed:
"Autologon is Disabled
Request sent to Check autologon was successful"
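Because a machine with Autologon enabled boots without preboot authentication, it is useful to turn the two outputs above into an object that an audit script can filter on. The following PowerShell is an added example, not part of the original article or of Symantec's tooling; the function name ConvertFrom-AutologonStatus and its property names are hypothetical, and it assumes the output lines are exactly those shown in this article.

```powershell
# Added example: parse the text printed by "eedadmincli --check-autologon".
# Only the output lines shown in this article are recognised; anything else
# leaves the status as 'Unknown'. Function and property names are hypothetical.
function ConvertFrom-AutologonStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    begin {
        $result = [ordered]@{
            Autologon        = 'Unknown'   # Enabled / Disabled / Unknown
            TpmUsage         = $null
            RebootsRemaining = $null
            RequestSucceeded = $false
        }
    }
    process {
        foreach ($l in $Line) {
            # The article shows the "disabled" output wrapped in quotes; strip them.
            $text = $l.Trim().Trim('"')
            switch -Regex ($text) {
                '^Autologon is Disabled$'              { $result.Autologon = 'Disabled'; break }
                '^TPM Usage:\s*(\S+)$'                 { $result.TpmUsage = $Matches[1]; break }
                '^No\. of reboots remaining:\s*(\d+)$' { $result.RebootsRemaining = [int]$Matches[1]; break }
                '^Request sent to Check autologon was successful$' { $result.RequestSucceeded = $true; break }
            }
        }
    }
    end {
        # The reboot counter appears only in the "enabled" output shown in the article.
        if ($result.Autologon -eq 'Unknown' -and $null -ne $result.RebootsRemaining) {
            $result.Autologon = 'Enabled'
        }
        [pscustomobject]$result
    }
}

# Constructed sample input, copied from the two outputs shown in this article.
$enabled  = 'TPM Usage: Yes', 'No. of reboots remaining: 1',
            'Request sent to Check autologon was successful'
$disabled = '"Autologon is Disabled', 'Request sent to Check autologon was successful"'

# Report only the samples where preboot authentication is currently bypassed.
$enabled, $disabled |
    ForEach-Object { $_ | ConvertFrom-AutologonStatus } |
    Where-Object Autologon -eq 'Enabled'
```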
To take advantage of this new reporting capability, Symantec Enterprise Division recommends upgrading to the latest versions of SEE, 11.3.1 and above.
For more information on using the Autologon functionality, see the following article:
See the following article for information on scenarios where Autologon may become disabled, so that you can avoid them:
As you can see, there are several entries where the status shows "Unknown" across the board. This is because the clients in this state are on 11.3.0 or older. The entries that show a status are SEE 11.3.1 clients, which have the capability to report back to the server.