Hardware Integrity Configuration with Symantec Endpoint Encryption

Article ID: 374620

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Encryption Suite, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The Hardware Integrity Check feature helps safeguard endpoint security by monitoring the endpoint for hardware changes and enforcing that an encrypted disk stays associated with the hardware it was set up on.

This feature is configurable as part of the native policy and is enabled by default in the SEE web console.

Resolution

To use this functionality, go to your SEE Management Server and navigate to the following:

Symantec Endpoint Encryption Web Console, then "POLICIES" (create a policy or view an existing one), then "Drive Encryption", and then "Preboot Configuration".

The Preboot Configuration page, which contains the "Hardware Integrity Check" option, will appear.

Once the option is enabled in policy and the SEE Drive Encryption Client 12.0.1 or above is deployed on an endpoint, the "Hardware Integrity Check" option calculates and stores integrity information derived from hardware parameters that are specific to that endpoint. This ensures that the disk is exclusively associated with its dedicated endpoint.

Hardware Integrity Check Recovery Options

Help Desk Recovery: By default, this option redirects the user to the Help Desk Recovery screen.

Here, the user can contact the help desk administrator to generate a recovery key for the new endpoint.

After entering the recovery key during preboot authentication, the system regenerates hardware integrity information based on the new hardware changes.

Therefore, subsequent user authentications proceed normally against the updated hardware parameters.

Client Administrator: Alternatively, the user can opt for the Client Administrator option, redirecting them to the Client Administrator screen.

Any of the registered SEE client administrators can then authenticate on preboot, ensuring a seamless user experience.


Enhanced Security Measures
If the disk is removed from an endpoint and connected to a new endpoint, the Hardware Integrity Check at the new endpoint detects the discrepancy in the parameter values. The check therefore fails, and the user is presented with the recovery mechanism that was chosen in the native policy.
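The following Python model is added here to illustrate the behaviour described above; it is not code from the Symantec article or the SEE product. It shows a disk storing integrity information derived from its endpoint's hardware parameters, the check failing when the same disk is presented on a different endpoint, and the recovery mechanism chosen in policy (Help Desk Recovery or Client Administrator) re-binding the disk to the new hardware so that later authentications succeed. The parameter names, the SHA-256/HMAC construction, the challenge-response recovery key, and the assumption that a client administrator logon also re-binds the disk are all choices of this model, not SEE's actual implementation.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Set

# Constructed hardware parameters for two endpoints. The names are illustrative:
# the article does not document which parameters SEE actually measures.
ENDPOINT_A = {"baseboard_serial": "BB-0001", "tpm_ek_hash": "ab12cd34", "cpu_id": "CPU-X1"}
ENDPOINT_B = {"baseboard_serial": "BB-0002", "tpm_ek_hash": "ef56ab78", "cpu_id": "CPU-X1"}


def hardware_fingerprint(params: Dict[str, str]) -> bytes:
    """Digest of a canonical encoding of the hardware parameters (model only)."""
    canonical = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).digest()


class HelpDesk:
    """Stand-in for the help desk administrator who generates a recovery key.
    Assumption: the key is a challenge response over a secret the disk shared
    with the help desk at enrollment (not SEE's real recovery protocol)."""

    def __init__(self) -> None:
        self.secrets_by_disk: Dict[str, bytes] = {}

    def register(self, disk_id: str, secret: bytes) -> None:
        self.secrets_by_disk[disk_id] = secret

    def issue_recovery_key(self, disk_id: str, challenge: bytes) -> bytes:
        return hmac.new(self.secrets_by_disk[disk_id], challenge, "sha256").digest()


class EncryptedDisk:
    """Model of a disk whose preboot authentication is bound to one endpoint."""

    def __init__(self, disk_id: str, recovery_option: str, help_desk: HelpDesk,
                 client_admins: Set[str]) -> None:
        self.disk_id = disk_id
        self.recovery_option = recovery_option      # "help_desk" or "client_admin", per policy
        self.client_admins = client_admins          # "Client Administrators" section of policy
        self.binding_key = secrets.token_bytes(32)  # disk-local key protecting the stored tag
        self.recovery_secret = secrets.token_bytes(32)
        help_desk.register(disk_id, self.recovery_secret)
        self.stored_tag: Optional[bytes] = None
        self.pending_challenge: Optional[bytes] = None

    def enroll(self, params: Dict[str, str]) -> None:
        """Calculate and store integrity information for the current endpoint."""
        self.stored_tag = hmac.new(self.binding_key, hardware_fingerprint(params), "sha256").digest()

    def integrity_ok(self, params: Dict[str, str]) -> bool:
        """True only when the endpoint's parameters match the stored information."""
        if self.stored_tag is None:
            return False
        tag = hmac.new(self.binding_key, hardware_fingerprint(params), "sha256").digest()
        return hmac.compare_digest(tag, self.stored_tag)

    def preboot(self, params: Dict[str, str], recovery_key: Optional[bytes] = None,
                client_admin: Optional[str] = None) -> str:
        """Outcome of preboot authentication on the endpoint described by params."""
        if self.integrity_ok(params):
            return "authenticated"
        # Mismatch: the disk is on different hardware, so apply the policy's recovery option.
        if self.recovery_option == "help_desk":
            if self.pending_challenge is None:
                self.pending_challenge = secrets.token_bytes(16)
            if recovery_key is None:
                return "help_desk_recovery_required"
            expected = hmac.new(self.recovery_secret, self.pending_challenge, "sha256").digest()
            if not hmac.compare_digest(recovery_key, expected):
                return "recovery_key_rejected"
        elif client_admin not in self.client_admins:
            return "client_administrator_required"
        # Recovery succeeded: regenerate integrity information for the new hardware so
        # later authentications proceed without recovery. (Re-binding after a client
        # administrator logon is an assumption of this model.)
        self.pending_challenge = None
        self.enroll(params)
        return "recovered_and_rebound"


def walk_through_help_desk() -> list:
    """Disk enrolled on endpoint A, moved to B, recovered through the help desk."""
    desk = HelpDesk()
    disk = EncryptedDisk("disk-01", "help_desk", desk, {"admin1"})
    disk.enroll(ENDPOINT_A)
    results = [disk.preboot(ENDPOINT_A), disk.preboot(ENDPOINT_B)]
    key = desk.issue_recovery_key("disk-01", disk.pending_challenge)
    results.append(disk.preboot(ENDPOINT_B, recovery_key=key))
    results.append(disk.preboot(ENDPOINT_B))   # subsequent authentication on B
    results.append(disk.preboot(ENDPOINT_A))   # the old endpoint no longer matches
    return results


def walk_through_client_admin() -> list:
    """Same move, but the policy selects the Client Administrator option."""
    desk = HelpDesk()
    disk = EncryptedDisk("disk-02", "client_admin", desk, {"admin1"})
    disk.enroll(ENDPOINT_A)
    return [disk.preboot(ENDPOINT_B),
            disk.preboot(ENDPOINT_B, client_admin="nobody"),
            disk.preboot(ENDPOINT_B, client_admin="admin1"),
            disk.preboot(ENDPOINT_B)]


if __name__ == "__main__":
    print(walk_through_help_desk())
    print(walk_through_client_admin())
```

The stored tag is keyed rather than a bare hash so that simply knowing the hardware parameters of another machine is not enough to forge matching integrity information; the same reasoning is why a recovery key in the model is a response to a per-event challenge rather than a static value.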


Configuration Notes
For users to be able to use the "Help Desk Recovery" option, ensure that this option is configured under the "Recovery Methods" section of the native policy.

Similarly, for users to be able to use the "Client Administrator" option, at least one administrator must be configured under the "Client Administrators" section in the native policy. Based on these policy settings, users can choose a recovery option when the hardware integrity check fails.

For further guidance, reach out to Symantec Encryption Support. 
