Symantec Encryption Desktop/PGP-How to Bypass PGP BootGuard


Article ID: 155207

Products

Drive Encryption
Encryption Management Server

Issue/Introduction

This article describes how to set up a bypass for PGP Boot Guard, either with a WDE-ADMIN group or by using the WDE Disk Administrator in policy. The bypass feature can assist administrators who need to install software or make other configuration changes on a remote computer.

Resolution

This article is divided into the following sections, each covering a way to add the bypass functionality to Symantec Encryption Desktop:

Section 1 - Add Bypass using the WDE-ADMIN Security Group

Section 2 - Using Deployment tools such as Altiris, and SCCM to add the bypass user using the WDE-ADMIN Security Group

Section 3 - Add Bypass using the Drive Encryption Disk Administrator method

Section 4 - Add more than 51 bypass reboots to Symantec Encryption Desktop

Section 1 - Add Bypass using the WDE-ADMIN Security Group

Note: Any user can be put into this group to set the bypass, as long as the user has administrator rights on the client machine.

On a domain controller, open the Active Directory Users and Computers console. (Start>All Programs>Administrative Tools>Active Directory Users and Computers)

Create a new Global Security Group with the name WDE-ADMIN.

Add the desired domain user account(s) to the WDE-ADMIN group.  Only the most trusted users should ever be added to this group because it allows these users to run administrative WDE commands.

On the client system, login with the user account added to the WDE-ADMIN group.

Click Start>Run, type cmd in the text field and click OK. The Windows command prompt screen appears.

Switch to the following directory: C:\Program Files (x86)\PGP Corporation\PGP Desktop:

1. cd\

2. cd "Program Files (x86)\PGP Corporation\PGP Desktop"

At the command prompt, type pgpwde --add-bypass --admin-authorization --disk 0 and press Enter. This command adds only one bypass to Bootguard.

--admin-authorization (Windows only) specifies that the command is being performed by a member of the WDE-ADMIN Active Directory group.

TIP: --aa is the short form of --admin-authorization.

Example:  pgpwde --remove-bypass --disk 0 --admin-authorization 

A message displays that the bypass has been successfully added. You can also verify the bypass by running the check command at the command prompt:

Check Bypass:

Indicates whether boot bypass is configured for the specified boot disk. If configured, it also displays the original and remaining bypass restart counts.

The usage format is:

pgpwde --check-bypass --disk --admin-authorization

Section 2 - Using Deployment tools such as Altiris (Symantec IT Management Suite), and SCCM to add the bypass user using the WDE-ADMIN Security Group


The attached script can be used to add the bypass user remotely with Altiris, or with other deployment solutions, using the WDE-ADMIN Security Group within Active Directory.

This script has been tested and is known to work within Altiris when used with the WDE-ADMIN security group. The script has also been tested to work with SCCM using a specific set of sequences, as described in the attached document.

Download the "WDE-WDE-ADMIN-add-bypass-script-README-with-Bypass-Script.zip" file for the script as well as the steps for SCCM.

Note: The attached script must be used because it stops all PGP services before enabling the bypass user. Failing to stop all PGP services can intermittently prevent the bypass user from being added.

Section 3 - Add Bypass using the Drive Encryption Disk Administrator method

The Drive Encryption Disk Administrator can be used to set the Bootguard Bypass on a client machine via policy on Symantec Encryption Management Server.

1. Log in to the Symantec Encryption Management Server.

2. Go to Consumers > Consumer Policy and select Default or any custom policy to be modified.

3. Select the "Desktop..." option.

4. Select the Drive Encryption tab, enable the "Encrypt Drive Encryption disks to a Disk Administrator Passphrase" option and click Save.

Note: The disk needs to be encrypted so the WDE Disk Administrator can be put on the access list for the hard drive.

Use the following steps to set the preference for wdeMaximumBypassRestarts:

1. Log in to Symantec Encryption Management Server

2. Open Consumers > Consumer Policy and choose the policy that applies to the user.

3. Under the General option, click Edit, then click Edit Preferences.

4. Choose Client as "Symantec Encryption Desktop Client"

5. Click Set, enter the following information:

Pref name: wdeMaximumBypassRestarts

Type: Integer

Value: 100 (or any number of bypass restarts you want to allow). The maximum value range is 1-1000000 for Bootguard Bypass.

6. Click on Save.

7. Deploy Client Package and install.

Note: If the bypass is added later for existing users, update the local client policy. If the update does not add the new string value for the BootGuard Bypass to Prefs.xml, the client must be re-enrolled to download a new prefs file that contains the correct string value for the Bypass.

8. Open a command prompt window on the client machine and switch to the PGP Desktop directory. On 64-bit Windows this is C:\Program Files (x86)\PGP Corporation\PGP Desktop; switch to it by running the following commands:

cd\

cd "Program Files (x86)\PGP Corporation\PGP Desktop"

At the command prompt, type pgpwde --add-bypass --admin-authorization --disk 0 and press Enter. This command adds only one bypass to Bootguard.

9. Run the command:

       pgpwde --add-bypass --disk [--count ] --admin-passphrase

Example of adding 100 bypass restarts to Disk 0, using the admin passphrase "123!":

pgpwde --add-bypass --disk 0 --count 100 --admin-passphrase "123!"

Remove Bypass:

Example:

pgpwde --remove-bypass --disk 0 --admin-passphrase "123!"

Check Bypass:

Indicates whether boot bypass is configured for the specified boot disk. If configured, it will also display the original and remaining bypass restart counts.

The usage format is:

pgpwde --check-bypass --disk --admin-passphrase

Section 4 - Add more than 51 bypass reboots to Symantec Encryption Desktop

Use the following steps to set the preference for wdeMaximumBypassRestarts:

1. Log in to Symantec Encryption Management Server.

2. Open Consumers > Consumer Policy and choose the policy that applies to the user.

3. Click the General option, click Edit, then click Edit Preferences.

4. Choose Client as "Symantec Encryption Desktop Client"

5. Click Set, enter the following information:

Pref name: wdeMaximumBypassRestarts

Type: Integer

Value: 100 (or any number of bypass restarts you want to allow). The maximum value range is 1-1000000 for Bootguard Bypass.

6. Click on Save.

7. Deploy Client Package and install.

Note: If the bypass is added later for existing users, update the local client policy. If the update does not add the new string value for the BootGuard Bypass to Prefs.xml, the client must be re-enrolled to download a new prefs file that contains the correct string value for the Bypass.

8. Open a command prompt window on the client machine and switch to the PGP Desktop directory.

On 64-bit Windows, switch to C:\Program Files (x86)\PGP Corporation\PGP Desktop using the following commands:

cd\

cd "Program Files (x86)\PGP Corporation\PGP Desktop"

9. Run the command:

pgpwde --add-bypass --disk [--count ] --admin-authorization

Example of adding 100 bypass reboots to Disk 0:

pgpwde --add-bypass --disk 0 --count 100 --admin-authorization

Remove Bypass:

The following error message will appear if a user tries to add a bypass user, but is not allowed:

"Operation add bypass failed: Error code -12198: Not permitted by your Administrator"
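As an added example (not the attached Symantec script and not part of the original article), the following PowerShell wraps the Section 1 and Section 4 commands so a deployment tool can run them unattended: it checks WDE-ADMIN membership first, adds the requested number of bypass restarts with --admin-authorization, treats the -12198 "Not permitted by your Administrator" refusal as a hard failure, verifies with --check-bypass and writes an audit line. Assumptions: the default install path on 64-bit Windows, that pgpwde.exe returns a non-zero exit code on failure, and the audit log path; the service-stop step performed by the attached script is not reproduced because the article does not name the services.

```powershell
# Added example, not Symantec's attached script. Wraps pgpwde to add N Bootguard
# bypass restarts with WDE-ADMIN authorization and then verifies the result.
# Assumptions: default install path, non-zero exit code from pgpwde on failure,
# and the audit log location under %ProgramData%.
param(
    [int]$Disk = 0,
    # Range taken from the article's wdeMaximumBypassRestarts documentation.
    [ValidateRange(1, 1000000)][int]$Count = 1
)

$PgpDir = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop'
$Pgpwde = Join-Path $PgpDir 'pgpwde.exe'
if (-not (Test-Path $Pgpwde)) { throw "pgpwde.exe not found at $Pgpwde" }

# Preflight (Section 1): the running account must be a member of WDE-ADMIN,
# otherwise --admin-authorization will be refused by the client.
$groups = whoami /groups
if (-not ($groups -match '\\WDE-ADMIN\b')) {
    throw 'Current user is not a member of WDE-ADMIN; --admin-authorization will fail.'
}

# Add the bypass (Section 4 form with --count). --aa is the documented short form.
$addOut = & $Pgpwde --add-bypass --disk $Disk --count $Count --admin-authorization 2>&1
if ($LASTEXITCODE -ne 0 -or ($addOut -match '-12198')) {
    # Policy (wdeMaximumBypassRestarts) or permissions refused the request; stop here.
    throw "add-bypass failed for disk ${Disk}: $addOut"
}

# Verify: --check-bypass reports whether bypass is configured and the
# original and remaining restart counts.
$checkOut = & $Pgpwde --check-bypass --disk $Disk --admin-authorization 2>&1
if ($LASTEXITCODE -ne 0) { throw "check-bypass failed for disk ${Disk}: $checkOut" }
Write-Output $checkOut

# Audit trail: who added how many restarts to which disk on which host, and when.
$logLine = '{0} {1} {2} added {3} bypass restart(s) to disk {4}' -f `
    (Get-Date -Format o), $env:COMPUTERNAME, $env:USERNAME, $Count, $Disk
Add-Content -Path (Join-Path $env:ProgramData 'wde-bypass-audit.log') -Value $logLine
```

Run it as the WDE-ADMIN member on the client, for example `.\Add-WdeBypass.ps1 -Disk 0 -Count 100`; the output of --check-bypass is printed so the deployment tool can capture the remaining count.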

Attachments

1618519381414__WDE-ADMIN-add-bypass-script-README-with-Bypass-Script.zip