The Hardware Integrity Check feature is pivotal in safeguarding endpoint security.
It enforces hardware integrity by monitoring changes in hardware, thereby ensuring comprehensive protection.
This feature is configurable as part of the native policy and is enabled by default in the SEE web console.
To use this functionality, go to your SEE Management Server, and navigate to the following:
Symantec Endpoint Encryption Web Console, then "POLICIES" (then create a policy or view an existing policy), then click on "Drive Encryption" and then "Preboot Configuration".
The following page will appear:
Once enabled in policy and when the SEE Drive Encryption Client 12.0.1 or above is deployed on an endpoint, the "Hardware Integrity Check" option calculates and stores pertinent information based on specific hardware parameters that are applicable only to that endpoint. This ensures that the disk is exclusively associated with its dedicated endpoint.
Hardware Integrity Check Recovery Options
Help Desk Recovery: By default, this option redirects the user to the Help Desk Recovery screen.
Here, the user can contact the help desk administrator to generate a recovery key for the new endpoint.
After entering the recovery key during preboot authentication, the system regenerates hardware integrity information based on the new hardware changes.
Therefore, during subsequent user authentication, the authentication process proceeds smoothly with updated hardware parameters.
Client Administrator: Alternatively, the user can opt for the Client Administrator option, redirecting them to the Client Administrator screen.
Any of the registered SEE client administrators can then authenticate on preboot, ensuring a seamless user experience.
Enhanced Security Measures
If the disk is removed from an endpoint and connected to a new endpoint, the Hardware Integrity Check at the new endpoint detects the discrepancy in parameter values. The user is then presented with the recovery mechanism that was chosen in the native policy.
Therefore, the Hardware Integrity Check fails, and the user is presented with the recovery mechanism that was chosen in the native policy.
Configuration Notes
For users to be able to use the "Help Desk Recovery" option, ensure that the native policy has this option that is configured under the "Recovery Methods" section.
Similarly, for users to be able to use the "Client Administrator" option, at least one administrator must be configured under the "Client Administrators" section in the native policy. Based on these policy configurations, users can choose a recovery option during hardware integrity check.
For further guidance, reach out to Symantec Encryption Support.