Symantec Endpoint Encryption 11.0.0 MP3 Release Notes

Preface

Documentation version: 11.0.0 MP3, Release Date: March, 2015

Legal Notice

Copyright © 2015 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, the Checkmark Logo, PGP, and Pretty Good Privacy are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s support offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers software upgrades
■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:
www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:
www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
  ■ Error messages and log files
  ■ Troubleshooting that was performed before contacting Symantec
  ■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:
www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and support contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]

Symantec Endpoint Encryption 11.0.0 Maintenance Packs

This document includes the following topics:
■ About Symantec Endpoint Encryption
■ Where to get more information about Symantec Endpoint Encryption version 11.0.0
■ What's changed in Symantec Endpoint Encryption
■ Installing the Symantec Endpoint Encryption Maintenance Pack
■ Documentation errata

About Symantec Endpoint Encryption

Symantec Endpoint Encryption v11.0.0 provides organizations with reliable full disk encryption, removable media protection, and intuitive central management. Powered by PGP technology, the Drive Encryption client renders data at rest inaccessible to unauthorized parties on laptops and desktops. The Removable Media Encryption functionality enables end users to quickly move sensitive data onto USB drives, external hard drives, and memory cards. Management features compliance-based, out-of-the-box, and customizable reporting that enables administrators to quickly prove that systems were protected in the case of loss or theft, and to manage deployments.

Where to get more information about Symantec Endpoint Encryption version 11.0.0

The following Symantec Endpoint Encryption documentation is available from the Symantec Technical Support website:

Table 1-1 Symantec Endpoint Encryption documentation (name of the guide: web address)
Symantec Endpoint Encryption 11.0.0 Drive Encryption Getting Started Guide: http://www.symantec.com/docs/DOC7520
Symantec Endpoint Encryption 11.0.0 Removable Media Encryption Getting Started Guide: http://www.symantec.com/docs/DOC7521
Symantec Endpoint Encryption 11.0.0 Installation Guide: http://www.symantec.com/docs/DOC7523
Symantec Endpoint Encryption 11.0.0 Upgrade Guide: http://www.symantec.com/docs/DOC7715
Symantec Endpoint Encryption 11.0.0 Policy Administrator Guide: http://www.symantec.com/docs/DOC7522
Symantec Endpoint Encryption 11.0.0 Release Notes: http://www.symantec.com/docs/DOC7519
Symantec Endpoint Encryption 11.0.0 Drive Encryption Administrator Command Line Guide: http://www.symantec.com/docs/DOC7716
Integrating Symantec Endpoint Encryption 11.0.0 with Symantec Data Loss Prevention: http://www.symantec.com/docs/DOC7639

What's changed in Symantec Endpoint Encryption

This section describes the new features and other changes made in Symantec Endpoint Encryption.

What's changed in Symantec Endpoint Encryption 11.0.0 MP3

This section describes the new features and other changes included in MP3.

What's new in Symantec Endpoint Encryption 11.0.0 MP3

This section describes the new features included in MP3.

Drive Encryption:
■ Added the ability for administrators to create master system images. See “Using Symantec Endpoint Encryption with system images” on page 23.
■ Added the ability for administrators to specify whether to include or skip the encryption of unused disk space. This install-time policy can speed up the time it takes to encrypt a disk but has certain security implications. See “Including or skipping the encryption of unused disk space” on page 21.
■ Users are now prompted to reconfigure their self-recovery questions if policy has changed and the questions are no longer in conformance. See “Updates to the policy enforcement of Drive Encryption Self-Recovery” on page 23.

Removable Media Encryption:
■ Provided compatibility with the SEE Removable Storage 8.2.1 format. See “Encrypting Removable Media Encryption files with a Removable Storage format” on page 28 and “Encrypting files in the Removable Storage format using the Removable Media Access Utility” on page 31.
■ Added session passwords, so users can create temporary passwords when they want to share a file without having to provide their default passwords to access a file. See “Using Removable Media Encryption with session passwords” on page 25.
■ Added additional reports for session passwords. See “Viewing new or changed report content” on page 32.
Resolved issues in Symantec Endpoint Encryption 11.0.0 MP3

■ Resolved the issue that caused blue screen errors after Symantec Endpoint Encryption Drive Encryption was installed on Microsoft Windows systems using HP custom images. [3717299]
■ Resolved an issue so that Microsoft Windows Explorer does not stop unexpectedly when you access mapped Distributed File System (DFS) shares on client computers with Symantec Endpoint Encryption Removable Media Encryption 11.0.0 MP3 installed. [3683540]

Additional information about Symantec Endpoint Encryption 11.0.0 MP3

■ Decryption of Removable Media Encryption sensitive files with DLP integration: When Removable Media Encryption uses the Automatic Encryption policy option Encrypt file as per Symantec Data Loss Prevention and the Encryption Format policy option SEE RS (which is compatible with Symantec Endpoint Encryption Removable Storage version 8.2.1), sensitive files are decrypted when the auto-decrypt time interval expires. [3670852, 3669212]

What's changed in Symantec Endpoint Encryption 11.0.0 MP2

Maintenance Pack 2 was removed from General Availability and replaced with the Maintenance Pack 3 release.

What's changed in Symantec Endpoint Encryption version 11.0.0 MP1

This section describes the new features and other changes included in Maintenance Pack 1.

What's new in Symantec Endpoint Encryption version 11.0.0 MP1

This section describes the new features included in Maintenance Pack 1.
■ Added the ability to configure policy so that authentication can be bypassed at preboot. See “Autologon management through policy” on page 34.
■ Asterisks are now displayed when users enter their password at preboot authentication. See “Asterisks displayed for passwords during preboot authentication” on page 36.
■ Improved the look of the BIOS preboot authentication screen, so you can now specify a logo, background image, and custom text color. See “BIOS preboot screen enhancements” on page 35.

Resolved issues in Symantec Endpoint Encryption version 11.0.0 MP1

■ Resolved an issue so that the disk encryption status of a Drive Encryption client is updated in the Management Console as soon as disk encryption is initiated. [3567481]
■ Drive Encryption client computers now properly display the Last check-in date and time of the latest communication of a client computer with the Symantec Endpoint Encryption Management Server. [3579004]
■ Drive Encryption client computers that boot in UEFI mode now properly display the pause duration between incorrect password attempts at preboot authentication. [3586535]
■ Resolved an issue so that client computers no longer stop communicating with a Symantec Endpoint Encryption Management Server that is installed on a Microsoft Windows Server 2008 R2 system when administrators use the SEEMS Configuration Manager to change the database credentials. [3611136]

Additional information about Symantec Endpoint Encryption version 11.0.0 MP1

■ Upgrading Symantec Endpoint Encryption Management Server from version 11.0.0: While upgrading Symantec Endpoint Encryption Management Server version 11.0.0 to version 11.0.0 MP1, the user domain is not automatically populated on the Database Access screen of the installer if the database uses Windows Authentication and if you checked Enable TLS/SSL in the Database Config tab of the SEEMS Configuration Manager before running the installer. This issue also occurs if you installed Symantec Endpoint Encryption Management Server using SQL Authentication for database access and then later changed the Authentication Mode to Windows Integrated Authentication. To work around this issue, before you run the installer, edit the GEServerConfig.xml file (located in the Symantec Endpoint Encryption Management Server installation directory), and change the <item name="DBUser">user</item> entry in the DBconnection section of the file to <item name="DBUser">domain\user</item>. [3623882]
■ Saving the Symantec Endpoint Encryption Management Server 11.0.0 logs: When you upgrade Symantec Endpoint Encryption Management Server from version 11.0.0 to 11.0.0 MP1, the existing log data is not saved. To work around this issue, back up the files that are located in the <Installation Directory>\Services\logs directory before running the installer if you want to save the existing log data. [3640137]
■ Dual management console functionality requires Symantec Endpoint Encryption 8.2.1 MP14: If you use Symantec Endpoint Encryption 11.0.0 with dual management consoles, your 8.2.1 environment requires Symantec Endpoint Encryption 8.2.1 MP14 if you want to generate MSIs for SEE Full Disk or SEE Removable Storage clients. [3649650]
■ Single sign-on and smart cards: If it takes too long for the Microsoft Windows boot process to initialize the smart card reader or the smart card, single sign-on may not always work. There is no workaround at this time. [3635438]
■ Legal Notice on splash screen: In the Japanese version of the Endpoint Encryption client, the maximum number of characters displayed on the splash screen is 512, instead of 1024. This is due to the double-byte Japanese characters occupying double the width of Latin characters when displayed. [3650614]
■ Legal Notice on login screen: In the Endpoint Encryption client, the maximum number of characters displayed on the login screen is 80. In the Japanese version, the maximum will be 40 due to the double-byte Japanese characters occupying double the width of Latin characters when displayed. [3650622]
■ Legal Notice on splash screen: In the Endpoint Encryption client, the maximum number of characters displayed on the splash screen is 1024. There is also a limit of 19 lines of text; therefore not all 1024 characters may be displayed, as some longer words can cause lines to wrap early. [3638089]

Installing the Symantec Endpoint Encryption Maintenance Pack

This section includes information about installing the Symantec Endpoint Encryption Maintenance Pack.

Installing the Symantec Endpoint Encryption Maintenance Pack versions 11.0.0 MP1 and 11.0.0 MP3 on the server

The following sections include information about installing the Maintenance Pack release on the Symantec Endpoint Encryption Management Server and the Management Console.

System requirement changes for the server in version 11.0.0 MP3

Added Symantec Endpoint Encryption Management Server compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, November 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, November 2014 Update, 64-bit version

Added Management Console compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, November 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, November 2014 Update, 64-bit version
■ Microsoft Windows 8.1 Enterprise, November 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, November 2014 Update, 32-bit and 64-bit versions

System requirement changes for the server in version 11.0.0 MP1

Added Symantec Endpoint Encryption Management Server compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, April 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, April 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Datacenter, August 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, August 2014 Update, 64-bit version

Added Management Console compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, April 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, April 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Datacenter, August 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, August 2014 Update, 64-bit version
■ Microsoft Windows 8.1 Enterprise, August 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, August 2014 Update, 32-bit and 64-bit versions

Instructions for installing the Symantec Endpoint Encryption Maintenance Pack version 11.0.0 MP1 or 11.0.0 MP3 on the server

Symantec Endpoint Encryption Management Server supports an upgrade from all previous versions.

Note: You are not required to provide the Management Password when you upgrade the Management Console. However, you must still provide the Management Password when you upgrade the Symantec Endpoint Encryption Management Server. You create your Management Password when you complete a new installation of Symantec Endpoint Encryption. For more information about the Management Password, see the topic “About the Management Password” in the Symantec Endpoint Encryption 11.0 Installation Guide.

1 Make sure that your environment meets the minimum system requirements. To review the system requirements, see the article “Symantec Endpoint Encryption Management Server – System Requirements” at: http://www.symantec.com/docs/TECH224478

2 Make sure that you have completed all of the prerequisite steps that are required to install Symantec Endpoint Encryption. These steps include tasks such as setting up accounts and roles, configuring Microsoft SQL Server, installing prerequisite software, setting up .NET, and configuring TLS/SSL communications. To review the prerequisite tasks, see the topic “Symantec Endpoint Encryption prerequisites” in the Symantec Endpoint Encryption 11.0 Installation Guide.

3 Run the Symantec Endpoint Encryption Management Server installation MSI. When you run the MSI, consider the following:

  The MSI file supports the following functionality:
  ■ You can run the installer by double-clicking the MSI file.
  ■ You can run a new installation from the command line by running: msiexec /i <package name>
  ■ You can upgrade from supported versions from the command line by running: msiexec /i <package name>
  ■ You can uninstall the application in the Microsoft Windows Add/Remove Programs list.

  The MSI file does not support the following functionality:
  ■ You cannot use the command line to run a silent installation with the /q command, or other variants.
  ■ You cannot use the command line to run a repair of an installation with the /f command.
  ■ You cannot use the command line to run a minor upgrade with the REINSTALLMODE and REINSTALL commands.
  ■ You cannot use push technologies. The Symantec Endpoint Encryption Management Server and the Management Console do not support deployment through push technologies.

4 Follow the steps in the wizard. For more information, see the following:
  ■ To install the Symantec Endpoint Encryption Management Server for the first time, see the topic "Running the Symantec Endpoint Encryption Management Server Installation Wizard - process overview" in the Symantec Endpoint Encryption 11.0 Installation Guide.
  ■ To upgrade the Symantec Endpoint Encryption Management Server, see the topic "Upgrading the Symantec Endpoint Encryption Management Server" in the Symantec Endpoint Encryption 11.0 Upgrade Guide.

5 Run the Management Console installation MSI. When you run the MSI, consider the following:

  The MSI file supports the following functionality:
  ■ You can run the installer by double-clicking the MSI file.
  ■ You can run a new installation from the command line by running: msiexec /i <package name>
  ■ You can upgrade from supported versions from the command line by running: msiexec /i <package name>
  ■ You can uninstall the application in the Microsoft Windows Add/Remove Programs list.

  The MSI file does not support the following functionality:
  ■ You cannot use the command line to run a silent installation with the /q command, or other variants.
  ■ You cannot use the command line to run a repair of an installation with the /f command.
  ■ You cannot use the command line to run a minor upgrade with the REINSTALLMODE and REINSTALL commands.
  ■ You cannot use push technologies. The Symantec Endpoint Encryption Management Server and the Management Console do not support deployment through push technologies.

6 Follow the steps in the wizard. For more information, see the following:
  ■ If you installed the Management Console for the first time, see the topic "Installing the Management Console - process overview" in the Symantec Endpoint Encryption 11.0 Installation Guide.
  ■ If you upgraded Symantec Endpoint Encryption Management Server, see the topic "Upgrading the Management Console" in the Symantec Endpoint Encryption 11.0 Upgrade Guide.

7 After you complete the wizard, you must complete some post-installation configuration steps. For more information, see the following:
  ■ To install Symantec Endpoint Encryption Management Server for the first time, see the section "Configuring the Symantec Endpoint Encryption Management Server" in the Symantec Endpoint Encryption 11.0 Installation Guide.
  ■ To upgrade Symantec Endpoint Encryption Management Server, see the topic "Configuring the Symantec Endpoint Encryption Management Server - process overview" in the Symantec Endpoint Encryption 11.0 Upgrade Guide.

Installing the Symantec Endpoint Encryption Maintenance Pack versions 11.0.0 MP1 and 11.0.0 MP3 on the clients

This section includes information on the new platforms that are added and instructions for installing the Maintenance Pack versions 11.0.0 MP1 and 11.0.0 MP3 on the clients.
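Before the server installer in the preceding section is run, the two 11.0.0 MP1 workarounds listed under "Additional information about Symantec Endpoint Encryption version 11.0.0 MP1" (backing up the Services\logs directory and domain-qualifying DBUser in GEServerConfig.xml) can be applied with the following script. This is an added example, not Symantec's own tooling; the installation directory, domain, and backup location are parameters, and the only structure it assumes in GEServerConfig.xml is the <item name="DBUser"> element named in the release notes.

```powershell
<#
  Added example (not part of the Symantec release notes): applies the two
  11.0.0 MP1 pre-upgrade workarounds on a Symantec Endpoint Encryption
  Management Server before the Maintenance Pack installer is run:
    [3640137] back up <Installation Directory>\Services\logs
    [3623882] change <item name="DBUser">user</item> in GEServerConfig.xml
              to <item name="DBUser">domain\user</item>
  -InstallDir, -Domain and -BackupRoot are this script's own parameters.
#>
param(
    [Parameter(Mandatory)] [string]$InstallDir,   # Management Server installation directory
    [Parameter(Mandatory)] [string]$Domain,       # Windows domain of the database account
    [string]$BackupRoot = (Join-Path $env:SystemDrive 'SEE-PreUpgrade')  # assumed backup location
)
$ErrorActionPreference = 'Stop'

$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. The upgrade does not preserve existing log data: copy the logs folder aside first.
$logDir = Join-Path $InstallDir 'Services\logs'
if (Test-Path -LiteralPath $logDir) {
    Copy-Item -LiteralPath $logDir -Destination (Join-Path $backup 'logs') -Recurse
    Write-Host "Log data copied to $backup\logs"
} else {
    Write-Warning "No log directory at $logDir; nothing to back up"
}

# 2. With Windows Authentication and TLS/SSL enabled, the installer does not populate
#    the user domain unless DBUser is already domain-qualified in GEServerConfig.xml.
$configPath = (Resolve-Path -LiteralPath (Join-Path $InstallDir 'GEServerConfig.xml')).Path
Copy-Item -LiteralPath $configPath -Destination (Join-Path $backup 'GEServerConfig.xml')

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true          # keep the file's original layout
$xml.Load($configPath)

# The release notes name only the <item name="DBUser"> element in the DBconnection
# section, so the lookup relies on that element name and attribute alone.
$dbUser = $xml.SelectSingleNode("//item[@name='DBUser']")
if ($null -eq $dbUser) { throw "No <item name=""DBUser""> element found in $configPath" }

if ($dbUser.InnerText -match '\\') {
    Write-Host "DBUser is already domain-qualified: $($dbUser.InnerText)"
} else {
    $dbUser.InnerText = "$Domain\$($dbUser.InnerText)"
    $xml.Save($configPath)
    Write-Host "DBUser changed to $($dbUser.InnerText); original saved in $backup"
}
```

The original GEServerConfig.xml and the log data are kept under the timestamped backup folder, so the change can be reverted if the installer behaves differently than expected.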
System requirement changes for the clients in version 11.0.0 MP3

System requirement changes for Drive Encryption

Added Drive Encryption compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows 8.1 Enterprise, November 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, November 2014 Update, 32-bit and 64-bit versions

Added Drive Encryption compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, November 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, November 2014 Update, 64-bit version

System requirement changes for Removable Media Encryption

Added Removable Media Encryption compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows 8.1 Enterprise, November 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, November 2014 Update, 32-bit and 64-bit versions

Added Removable Media Encryption compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, November 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, November 2014 Update, 64-bit version

System requirement changes for the clients in version 11.0.0 MP1

System requirement changes for Drive Encryption

Added Drive Encryption compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows 8.1 Enterprise, August 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, August 2014 Update, 32-bit and 64-bit versions

Added Drive Encryption compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, August 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, August 2014 Update, 64-bit version

System requirement changes for Removable Media Encryption

Added Removable Media Encryption compatibility with the following Microsoft Windows platforms:
■ Microsoft Windows 8.1 Enterprise, August 2014 Update, 32-bit and 64-bit versions
■ Microsoft Windows 8.1 Pro, August 2014 Update, 32-bit and 64-bit versions

Added Removable Media Encryption compatibility with the following Microsoft Windows Server platforms:
■ Microsoft Windows Server 2012 R2 Datacenter, August 2014 Update, 64-bit version
■ Microsoft Windows Server 2012 R2 Standard, August 2014 Update, 64-bit version

Added Removable Media Access Utility compatibility with Mac OS X 10.9.5 and Mac OS X 10.10.

Instructions for installing the Symantec Endpoint Encryption Maintenance Pack version 11.0.0 MP1 or 11.0.0 MP3 on the clients

To upgrade clients from Symantec Endpoint Encryption version 11.0.0 to version 11.0.0 MP1 or 11.0.0 MP3, you upgrade the Symantec Endpoint Encryption Management Agent, Drive Encryption, Removable Media Encryption, and optionally Autologon clients by running the msiexec commands.

About the client installer packages: location and names

■ The version 11.0.0 MP1 and 11.0.0 MP3 packages are installed in the same installation folder where the version 11.0.0 packages were installed.
■ Follow the naming conventions below for the Maintenance Pack that you are installing:
  ■ For 11.0.0 MP1: The version 11.0.0 MP1 Management Agent, Drive Encryption, and Removable Media Encryption package names must match the respective version 11.0.0 package names. The administrator defines these names when the administrator creates the client installers on the Management Console.
  ■ For 11.0.0 MP3: The version 11.0.0 MP3 Management Agent, Drive Encryption, and Removable Media Encryption package names can be different from the respective version 11.0.0 or 11.0.0 MP1 package names.
Prerequisites: Before you upgrade

Before you upgrade the client computer, make sure that the following requirements are met:
■ You have saved all of your work and closed any open files.
■ If Removable Media Encryption is installed, you have:
  ■ Closed any third-party programs that read and write to removable media.
  ■ Dismounted and disconnected any removable media from the client computer.
■ If Drive Encryption is installed, you have:
  ■ Closed any third-party programs that read or write to the disk.
  ■ Ensured that the disk is either completely encrypted or decrypted. If encryption or decryption is in progress, wait until the disk is completely encrypted or decrypted.

Upgrading the clients in sequence

To successfully upgrade the clients, you must upgrade the clients in the following sequence:
1. Management Agent
2. Removable Media Encryption
3. Drive Encryption

If the Removable Media Encryption functionality is not installed on the client computer, then you can first upgrade the Management Agent, followed by Drive Encryption. If the Drive Encryption functionality is not installed on the client computer, then you can first upgrade the Management Agent, followed by Removable Media Encryption.

To install Symantec Endpoint Encryption 11.0.0 MP1 or 11.0.0 MP3 on the client computer

To upgrade the client installer packages, you must:
■ Use the msiexec command; do not double-click the client MSIs.
■ Run the msiexec command with administrative rights.
1 To upgrade the Management Agent, run the following command:

  % msiexec /i <filename>.msi REINSTALLMODE="vemus" REINSTALL="Complete" /qn /norestart /Live "install.log"

  where <filename> is one of the following:
  ■ If the client computer's operating system is 32-bit: SEE Management Agent Client.msi
  ■ If the client computer's operating system is 64-bit: SEE Management Agent Client_x64.msi

2 To upgrade Removable Media Encryption, run the following command:

  % msiexec /i <filename>.msi REINSTALLMODE="vemus" REINSTALL="Complete" /qn /norestart /Live "install.log"

  where <filename> is one of the following:
  ■ If the client computer's operating system is 32-bit: SEE Removable Media Encryption Client.msi
  ■ If the client computer's operating system is 64-bit: SEE Removable Media Encryption Client_x64.msi

  Note: If Removable Media Encryption is the last client .MSI to be upgraded, then do not include the ‘/norestart’ parameter in the command.

3 To upgrade Drive Encryption, run the following command:

  % msiexec /i <filename>.msi REINSTALLMODE="vemus" REINSTALL="Complete" /qn /Live "install.log"

  where <filename> is one of the following:
  ■ If the client computer's operating system is 32-bit: SEE Drive Encryption Client.msi
  ■ If the client computer's operating system is 64-bit: SEE Drive Encryption Client_x64.msi

  Note: To get the updated Drive Encryption preboot settings, restart your client computer again.
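The required upgrade sequence (Management Agent, then Removable Media Encryption, then Drive Encryption) and the optional Autologon step that follows can be run as one script with the msiexec arguments shown in these steps. This is an added example, not Symantec's own tooling: the package folder, log folder, and the switches that say which components are installed on the client are this script's own parameters, and the prerequisites listed earlier (no encryption in progress, removable media disconnected) are not checked by it.

```powershell
<#
  Added example (not part of the Symantec release notes): upgrades the client
  packages to 11.0.0 MP1 or 11.0.0 MP3 in the required sequence (Management Agent,
  Removable Media Encryption, Drive Encryption, then the optional Autologon
  package) with the documented msiexec arguments. Run it from an elevated
  PowerShell session after the prerequisites have been met.
  -PackageDir, -LogDir and the switches are this script's own parameters.
#>
param(
    [Parameter(Mandatory)] [string]$PackageDir,   # folder holding the client MSIs
    [switch]$RemovableMedia,                      # Removable Media Encryption is installed
    [switch]$DriveEncryption,                     # Drive Encryption is installed
    [string]$AutologonMsi,                        # optional: Autologon MSI file name, e.g. 'Autologon NoAutologon.msi'
    [string]$LogDir = (Join-Path $env:ProgramData 'SEE-MP-Upgrade')   # assumed log location
)
$ErrorActionPreference = 'Stop'

# msiexec must run with administrative rights; the release notes also say not to double-click the MSIs.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Package names from the release notes; the _x64 suffix selects the 64-bit MSI.
$suffix   = if ([Environment]::Is64BitOperatingSystem) { '_x64' } else { '' }
$sequence = @("SEE Management Agent Client$suffix.msi")            # always first
if ($RemovableMedia)  { $sequence += "SEE Removable Media Encryption Client$suffix.msi" }
if ($DriveEncryption) { $sequence += "SEE Drive Encryption Client$suffix.msi" }
if ($AutologonMsi)    { $sequence += $AutologonMsi }

# Fail before touching anything if a package is missing.
foreach ($msi in $sequence) {
    if (-not (Test-Path -LiteralPath (Join-Path $PackageDir $msi))) {
        throw "Package not found: $(Join-Path $PackageDir $msi)"
    }
}

$restartRequired = $false
for ($i = 0; $i -lt $sequence.Count; $i++) {
    $msi    = $sequence[$i]
    $isLast = ($i -eq $sequence.Count - 1)
    $log    = Join-Path $LogDir (($msi -replace '\.msi$', '') + '.log')

    # Documented arguments: REINSTALLMODE="vemus" REINSTALL="Complete" /qn /Live <log>.
    # /norestart is omitted for the last package so that package may restart the
    # computer; the file names contain spaces, so they are quoted.
    $argLine = "/i `"$msi`" REINSTALLMODE=`"vemus`" REINSTALL=`"Complete`" /qn"
    if (-not $isLast) { $argLine += ' /norestart' }
    $argLine += " /Live `"$log`""

    Write-Host "Upgrading $msi ..."
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argLine `
                          -WorkingDirectory $PackageDir -Wait -PassThru

    # Windows Installer exit codes: 0 success; 3010 success, restart required;
    # 1641 success, restart already initiated. Anything else stops the sequence.
    switch ($proc.ExitCode) {
        0                     { }
        { $_ -in 3010, 1641 } { $restartRequired = $true }
        default               { throw "msiexec returned $($proc.ExitCode) for $msi; see $log" }
    }
}

if ($restartRequired -or $DriveEncryption) {
    # Drive Encryption needs a restart for the updated preboot settings to take effect.
    Write-Host 'Restart the client computer to complete the upgrade.'
}
```

Each package writes its own verbose log under the log folder, which is where to look first when a step returns a non-zero exit code.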
4 (Optional) To upgrade Autologon, run the following command:

  % msiexec /i <filename>.msi REINSTALLMODE="vemus" REINSTALL="Complete" /qn /Live "install.log"

  where <filename> is one of the following:
  ■ If the client computer's operating system is 32-bit: Autologon NoAutologon.msi or Autologon Infinite <dd mmm yyyy>.msi
  ■ If the client computer's operating system is 64-bit: Autologon NoAutologon_x64.msi or Autologon Infinite <dd mmm yyyy>_x64.msi

Documentation errata

Documentation errata for Symantec Endpoint Encryption 11.0.0 MP3

This section includes information about documentation errata for Symantec Endpoint Encryption 11.0.0 MP3.

Drive Encryption feature enhancements

This section includes information about documentation errata for the Drive Encryption feature in the Symantec Endpoint Encryption 11.0.0 MP3 release.

Including or skipping the encryption of unused disk space

About including or skipping encryption of unused disk space

On the Drive Encryption – Encryption policy, a new advanced option lets you include or skip the encryption of unused disk space on the client computer. If you elect to include unused disk space, Drive Encryption encrypts all sectors, including the unused sectors. The include unused disk space option is selected by default, so Drive Encryption encrypts all sectors. If you elect to skip unused disk space, Drive Encryption skips the encryption of unused sectors.

In Symantec Endpoint Encryption 11.0.0 MP3, the Encryption policy is available only at install time. This advanced option, therefore, is enforced only during the initial auto-encryption process, when the Drive Encryption MSI is installed on the client computer. If you re-encrypt the disk later, this policy is ignored, and all sectors are encrypted.
Note: Client administrators can, however, use the Drive Encryption Administrator Command Line at any time to issue an encrypt command with the option to skip unused disk space.

This policy option applies to the NTFS and FAT32 file systems.

Skipping the unused disk space substantially reduces the time required for initial encryption and therefore improves the end-user experience. Under strict encryption compliance requirements, you can now quickly encrypt the disk on new computers before handing them over to users.

Security considerations when you skip encryption of unused disk space
The skip unused disk space option encrypts only the disk space that Windows currently uses for files and data at the time of initial encryption. Any data that was deleted before initial encryption sits in sectors that Windows marks as unused; those sectors are not encrypted during initial encryption, so their previous contents remain on the disk unencrypted, which is a security risk. Therefore, use the skip unused disk space option only to quickly encrypt new systems before you hand them to users. If you re-use older computers or disks for new users, do a low-level format to remove all traces of existing data before deployment. All new data written to the disk is encrypted, so the unused space that was skipped during initial encryption becomes encrypted only as new data is written to it.

Using a policy to include or skip the encryption of unused disk space
On the Management Console, on the Drive Encryption – Encryption install-time policy, under Advanced Options choose one of the following settings:
■ To include the unused disk space when encrypting the disks and partitions, check Include unused disk space when encrypting disks and partitions. This check box is selected by default.
■ To skip the unused disk space when encrypting the disks and partitions, uncheck Include unused disk space when encrypting disks and partitions. A message box warns you about the potential security risk: if the unused disk space is not encrypted, data that was deleted before initial encryption may still be accessible.

For more information on creating install-time policies or creating the Drive Encryption installation package, refer to the Symantec Endpoint Encryption Policy Administrator Guide.

Using the Administrator Command Line to skip encryption of the unused sectors on the disk
Purpose: The --encrypt command with the --skip-unused-space option skips the encryption of unused disk space and encrypts only the sectors on the disk that contain data. Client administrators can use this command regardless of whether the Include unused disk space when encrypting disks and partitions policy option is selected in the Drive Encryption – Encryption policy installed on the client computer.

Usage format:
    eedAdminCli --encrypt --disk <number> --skip-unused-space --au <AdminUserName> --ap <AdminPassword>

Example:
    eedAdminCli --encrypt --disk 0 --skip-unused-space --au jsmith --ap safepass

Command output:
    Request sent to Start encrypt disk was successful.

This example shows that the administrator with the user name jsmith and password safepass has started encryption of the boot disk (disk 0), skipping the unused sectors.

Note: To find out whether skipping the encryption of unused disk space is enabled on a client computer, client administrators can use the following command:
    eedAdminCli --status --disk <disk number> --verbose

For more information on using the Administrator Command Line interface, see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide.
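The --encrypt and --status commands from this section, wrapped as an added PowerShell example (not code from the Symantec release notes or the product) that makes the skip-unused-space decision explicit, given the security consideration above, and verifies the result. Assumptions not stated on the page: eedAdminCli is on the PATH or is passed as -CliPath, a non-zero exit code indicates that the request was rejected, and the success line quoted above is written to standard output. The function name and the -NewDeviceConfirmed guard are this example's own.

```powershell
# Added example; not from the Symantec release notes or product.
# Wraps "eedAdminCli --encrypt" so that skipping unused disk space requires an
# explicit confirmation, then confirms the request with "eedAdminCli --status".
# Assumptions: eedAdminCli is on PATH (or pass -CliPath); exit code 0 means the
# request was accepted; the success text matches the output shown on the page.
function Start-SeeDriveEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Client administrator account, e.g. (Get-Credential jsmith)
        [Parameter(Mandatory)] [pscredential] $ClientAdmin,
        [int] $Disk = 0,
        # Encrypt only sectors that currently hold data (page: --skip-unused-space).
        [switch] $SkipUnusedSpace,
        # Hypothetical guard: sectors of files deleted before initial encryption
        # stay unencrypted, so only allow skipping on a new or low-level-formatted disk.
        [switch] $NewDeviceConfirmed,
        [string] $CliPath = 'eedAdminCli'
    )

    if ($SkipUnusedSpace -and -not $NewDeviceConfirmed) {
        throw 'Refusing --skip-unused-space: previously deleted data would stay readable. Pass -NewDeviceConfirmed only for a new or low-level-formatted disk.'
    }

    # The password goes on the command line (--ap), where process listings and
    # command-line auditing can see it while eedAdminCli runs. Prompting for a
    # PSCredential at least keeps it out of scripts and shell history.
    $password = $ClientAdmin.GetNetworkCredential().Password
    $cliArgs = @('--encrypt', '--disk', $Disk)
    if ($SkipUnusedSpace) { $cliArgs += '--skip-unused-space' }
    $cliArgs += @('--au', $ClientAdmin.UserName, '--ap', $password)

    $action = if ($SkipUnusedSpace) { 'start encryption, skipping unused space' } else { 'start encryption of all sectors' }
    if (-not $PSCmdlet.ShouldProcess("disk $Disk", $action)) { return }

    $output = (& $CliPath @cliArgs 2>&1 | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or $output -notmatch 'Start encrypt disk was successful') {
        throw "Encrypt request for disk $Disk failed (exit code $LASTEXITCODE): $output"
    }
    Write-Verbose $output

    # Confirm what the client is actually doing; the page documents this command
    # for checking whether skipping unused space is in effect.
    & $CliPath --status --disk $Disk --verbose
}

# Usage (prompts for jsmith's password; add -WhatIf to preview the action):
# Start-SeeDriveEncryption -ClientAdmin (Get-Credential jsmith) -Disk 0 -SkipUnusedSpace -NewDeviceConfirmed -Verbose
```

Because eedAdminCli takes the password as --ap on its command line, it is visible to process enumeration and command-line auditing on the host for as long as the command runs; prompting for a credential removes it from scripts and shell history but cannot remove that exposure, so use a dedicated client administrator account for scripted encryption rather than a shared one.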
Updates to the policy enforcement of Drive Encryption Self-Recovery
The behavior of the Drive Encryption Self-Recovery prompt has changed. The user is now prompted to reconfigure the self-recovery questions and answers if they do not comply with the current policy. The prompt is based on the following conditions:
■ If the user has configured two questions and the policy is changed so that the two questions come from the server, the user is prompted to reconfigure their Drive Encryption Self-Recovery questions.
■ If the user has configured two questions and the policy is changed so that three questions are necessary, the user is prompted to reconfigure their Drive Encryption Self-Recovery questions.
■ If the user has configured three questions and the policy is changed so that only two questions are necessary, the user is not prompted.

Using Symantec Endpoint Encryption with system images
A system image is a template of a system configuration. A system administrator prepackages the image with the operating system and software, and can then deploy the image to endpoint computers so that each computer shares the same setup and configuration. Enterprise environments commonly use system images to configure computers to a pristine, working state. In some cases, Symantec Endpoint Encryption is also included in the image as an installed application so that installation is not necessary later.

You can provision Drive Encryption and Removable Media Encryption on system images and use Symantec Endpoint Encryption Management Server to manage encryption on your imaged computers. However, you must install the software with a specific command line switch to prevent potential problems.
Before you provision Drive Encryption and Removable Media Encryption on a system image, be aware of the following limitations:
■ When you install on a system image, you cannot run the installation file by double-clicking it. You must install from the command line and use a specific switch.
■ You cannot use system images as VDI master images.
■ You cannot create a system image from another system image that already has Symantec Endpoint Encryption products installed.
■ The install time on cloned images is not unique. Each cloned image shares the same install time, so reports in Symantec Endpoint Encryption Management Server display the same install time for each cloned computer. If you need the specific time when a cloned computer first started running Symantec Endpoint Encryption, use the event logs, which include an event called "cloned."
■ Drive Encryption and Removable Media Encryption do not function on the system image itself; they work only after you deploy the image. On each cloned computer, Symantec Endpoint Encryption applies the install-time policies and runs as normal.

Installing Symantec Endpoint Encryption products on a system image
When you install Symantec Endpoint Encryption products on a system image, you must use a specific command line parameter. This parameter instructs the installer to install into a system image environment and to use the settings appropriate for it.
The command line parameter is:
    IMAGE=SYSTEM

For example:
    msiexec /i "SEE Management Agent Client_x64.msi" IMAGE=SYSTEM

To install Symantec Endpoint Encryption products on a system image:
1 On the Symantec Endpoint Encryption Management Server, create the client installer packages (MSIs) by running the Installation Wizards for Management Agent, Drive Encryption, and Removable Media Encryption.
2 On the system image, run the Management Agent MSI from the command line with the IMAGE=SYSTEM parameter.
3 Deploy the system image.
4 When a computer is imaged, the install-time policies are instantiated.
5 Update the clone as you would any client computer, using GPOs and native policies as desired.
6 Over time, the cloned clients check in with the server. Run reports to track the state of your cloned clients.

Removable Media Encryption feature enhancements
This section includes information about documentation errata for the Removable Media Encryption feature in the Symantec Endpoint Encryption 11.0.0 MP3 release.

Using Removable Media Encryption with session passwords

About session passwords
Session passwords let users share encrypted files by means of temporary passwords, without disclosing their default password. A user typically shares a session password with a small number of other users for a specific purpose. After a user provides a session password the first time, the user is no longer prompted for credentials when they open the related encrypted files. Files encrypted with session passwords are also encrypted with the default password, if it is active. Up to two session passwords can be active at one time.

A policy administrator sets a policy option to control session passwords. The administrator may or may not allow session passwords. When session passwords are allowed, the policy option defines their expiration behavior.
End users use the client console interface to define and activate session passwords, and can change their session passwords at any time.

Setting the session password policy option on the server
On the Symantec Endpoint Encryption Management Server, the Removable Media Encryption - Default Passwords panel contains the session password option. This policy is available at installation time, as a GPO, or as a native policy.

Session passwords can remain active indefinitely, or they can expire. One policy setting expires session passwords permanently (deletes them) at the end of each Windows session. Another policy setting expires session passwords temporarily (deactivates them) when a Windows session ends; users must then reactivate the session passwords when they begin a new Windows session.

The policy options are:
■ To allow the use of session passwords, select Allow users to set session passwords. This setting is the default. Then define the expiration behavior by choosing one of the following:
  ■ Delete session passwords at the end of every Windows session
  ■ Deactivate session passwords at the end of every Windows session, but allow them to persist across Windows sessions
  ■ Do not delete or deactivate session passwords. This setting is the default.
■ To not allow the use of session passwords, select Do not allow users to set session passwords.

Defining and activating the session password(s) on the client
On the client computers, end users use the Management Agent console to define and activate session passwords. New fields for session passwords now exist in the Removable Media Password panel. The behavior of the fields depends on policy:
■ If the policy does not allow session passwords, the Session Password 1 and Session Password 2 fields are collapsed and unavailable. The On/Off toggle is set to Off in red font.
■ If the policy allows session passwords, the Session Password 1 and Session Password 2 fields are collapsed but available for user input. The On/Off toggle is set to Off in red font.

To set and activate session passwords on the Removable Media Password panel, a user:
■ Expands Session Password 1.
■ Defines and confirms a password.
■ Optionally adds a hint as a reminder of the password.
■ Clicks Save. The toggle changes to On.
■ To define a second session password, repeats the process for Session Password 2.

The same user aids are available on the Password panel for both the default password and the session passwords. That is, the user can select Show password to display a password as characters rather than as dots, and can click the exclamation mark to see the requirements that you have defined for Symantec Endpoint Encryption passwords.

Notes:
■ If two session passwords are active, a file is encrypted with both session passwords. The file is also encrypted with the default password, if it is active.
■ A user can change a session password at any time.
■ Users who have administrator privileges should check the Symantec Endpoint Encryption policies that are active on their computer. The policy for session passwords defines if and when these passwords expire. If they expire temporarily (are deactivated) at the end of each Windows session, users must manually reactivate them by setting each password's toggle to On. If they expire permanently (are deleted) at the end of each Windows session, users must redefine them.

About activating and deactivating session passwords
Users activate or deactivate Removable Media Encryption session passwords by using the On/Off toggle. When a user enters a password and saves it, the toggle automatically defaults to On.
Deactivating a password makes the password unusable but does not remove it from the computer. The user can reactivate the password by moving the toggle to the On position.

For more information on how to create install-time policies, GPOs, or native policies, refer to the Symantec Endpoint Encryption Policy Administrator Guide, version 11.0.0 MP3. For more information on the Management Agent user interface, click Client online Help in the Management Agent.

Deactivating and reactivating the default password in Removable Media Encryption
In Removable Media Encryption, users can now deactivate the default password that they have set. Deactivating the default password lets users be prompted temporarily for a different password when encrypting particular files, if required. It also lets users encrypt files only to session passwords, if session passwords are allowed by policy and activated. If the user wants to use the default password again, the user can reactivate it without having to redefine it.

Users can continue to set the default password in two ways:
■ Go to the Management Agent console interface and use the Removable Media Encryption Password panel.
■ Enter the password in the Set Default Password dialog box that may appear when they encrypt a file.

Moreover, users can now leave the default password set and later deactivate or reactivate it by toggling Off or On. By default, the toggle is On when the user sets the default password. The user can deactivate the default password by setting the toggle to Off. Deactivating the default password makes it unusable but does not remove it from the computer. The user can always reactivate it by setting the toggle back to On.
Encrypting Removable Media Encryption files with a Removable Storage format

About
Users can now encrypt files on removable media storage devices using Removable Media Encryption so that the files are compatible with Symantec Endpoint Encryption Removable Storage client version 8.2.1.

Setting the Encryption Format policy option on the server
The new Encryption Format policy option is available on the Removable Media Encryption - Access and Encryption policy panel. With the Encryption Format policy option, you can encrypt files so that they can be used on client computers running:
■ Symantec Endpoint Encryption 8.2.1
■ Symantec Endpoint Encryption 11.0.0 or later

You can set the Encryption Format policy option during installation, or when you create or update a native policy or GPO. The Encryption Format options are:
■ SEE RME: Select this option to encrypt files using the Removable Media Encryption format. This format allows users to decrypt and read files on client computers running Symantec Endpoint Encryption 11.0.0 or later.
■ SEE RS: Select this option to encrypt files using the Removable Storage format. This format allows registered users to decrypt and read files on client computers running Symantec Endpoint Encryption 8.2.1.

Regardless of the Encryption Format option that you select, Removable Media Encryption can decrypt files in either format. The Encryption Format policy option also applies to on-demand encryption. On-demand decryption works for files encrypted with the SEE RS format whether the files are decrypted from a removable device inserted into a client running Symantec Endpoint Encryption 11.0.0 MP3 or into one running Symantec Endpoint Encryption 8.2.1.

Using the Encryption Format policy option in a managed environment
You must carefully consider the implications of each encryption format option and take appropriate precautions for each.
The following scenarios describe some of the effects of using a particular encryption format policy option and the actions you can take to make the selection work for your users.

Sharing files often between Removable Storage and Removable Media Encryption
If your users often share files between Removable Storage 8.2.1 and Removable Media Encryption 11.0.0 MP3, Symantec recommends that you select the SEE RS option as the encryption format for your Removable Media Encryption client computers. If you select the SEE RME option and a Removable Storage file is encrypted using Removable Media Encryption, the file becomes inaccessible on Removable Storage client computers.

Preliminary actions you can take:
■ Before selecting an Encryption Format policy option, evaluate the extent to which your users share files between the two removable-storage encryption products. If file sharing is frequent, select the SEE RS option.

Editing a file that is encrypted with the Removable Storage format
If you select SEE RS as the encryption format for a Removable Media Encryption client computer, users can edit files originally encrypted on Removable Storage computers. When a user saves the edits, the encrypted format remains compatible with Removable Storage, and the user can open or decrypt the modified file on their Removable Storage computer.

However, an issue can arise over the credentials with which the edited file is re-encrypted when it is saved: the original credentials with which the Removable Storage file was encrypted may be discarded and replaced with Removable Media Encryption credentials. This condition arises in the following situation. Unless Removable Media Encryption is running with the DLP option selected, Removable Media Encryption automatically encrypts any new file that users create on a removable storage device.
On a Removable Media Encryption client computer, some applications that a user uses to edit a file create a temporary file, which Removable Media Encryption identifies as a new file. Microsoft Office is one of these applications. When the user finishes editing the file, Removable Media Encryption therefore re-encrypts the temporary file based on the Encryption Method policy, which defines how files are encrypted: with a password, a certificate, or both. Because Removable Media Encryption identifies the temporary file as new, it does not use the original Removable Storage credentials but whatever credentials the Encryption Method policy defines.

Thus, when the user attempts to open the file on their Removable Storage computer, decryption of the file may fail. The failure is caused not by a format incompatibility but by a credentials incompatibility. To use this encrypted file on the Removable Storage computer, users must provide the password, the certificate, or both, that were enabled on the Removable Media Encryption client computer when the file was modified.

Preliminary actions you can take:
■ Make your users aware of what can happen when they edit a Removable Storage file using certain applications on a Removable Media Encryption computer (newly saved files can have their encryption credentials changed). Text editors do not have this issue.
■ Confirm that your users know what the Encryption Method policy is for their computer (are they encrypting using a password, a certificate, or both?).
■ Remind your users that even if they are not prompted for credentials when they save a file, Removable Media Encryption can change the encryption credentials without user intervention, by using a default password and/or a default certificate that the user has already defined.
■ If files are re-encrypted on a Removable Media Encryption computer with new credentials, make sure that users know they must provide those new credentials when they return to their Removable Storage computers to decrypt the files.

Editing a Removable Storage file encrypted with multiple certificates
Removable Storage lets users encrypt files using multiple certificates. To open or decrypt a file, a user provides at least one of those certificates as the decryption credential. Removable Media Encryption, however, allows users to encrypt files with only one certificate. Therefore, even if an administrator selects the SEE RS Encryption Format option, which allows users to move files between Removable Media Encryption computers and Removable Storage computers, decryption of such a file on the Removable Storage computer can fail. Again, this is not an encryption format incompatibility but an encryption credentials incompatibility.

On a Removable Storage computer, decryption of a file that was re-encrypted on a Removable Media Encryption computer can fail for two reasons. When the user attempts to open the file, either:
■ The user no longer has the particular certificate, out of the multiple certificates originally used, with which the file was re-encrypted, or
■ The user never had that certificate available.
The new certificate used for encryption is probably the Removable Media Encryption default certificate.

Preliminary action you can take:
■ Inform your users that whatever certificate they use on their Removable Media Encryption computer for file encryption must be available on their Removable Storage computer as well.

Editing a file encrypted with a format other than the format that policy supports
Removable Media Encryption can open (decrypt) files encrypted with either encryption format. However, Symantec recommends that your users do not edit a file encrypted with a format other than the one that the policy option supports. For example, if a file is already encrypted in the Removable Media Encryption format but the policy option enables the SEE RS format, the user should not edit the file. If the encrypted file format does not match the active policy, saving the file can change its format.

Encrypting files in the Removable Storage format using the Removable Media Access Utility

About encrypting files in the Removable Storage format using the Removable Media Access Utility
Users can now use the Removable Media Access Utility for Windows or the Removable Media Access Utility for Mac OS X to encrypt files that are compatible with Symantec Endpoint Encryption Removable Storage version 8.2.1.

Encrypting files on the Removable Media Access Utility to different encryption formats
On the Management Console, the new Encryption Format policy option is available on the Removable Media Encryption - Access and Encryption policy panel. You can select one of the following format settings:
■ SEE RME (format for Symantec Endpoint Encryption 11.0.0 MP3 or later)
■ SEE RS (format for Symantec Endpoint Encryption 8.2.1)

The setting reaches the Removable Media Access Utility in different ways. For Removable Media Access Utility for Windows, the policy setting is embedded in the utility.
For Removable Media Access Utility for Mac OS X, a name change indicates the setting. If you selected the SEE RS encryption format, the executable file name that is written to the removable device is modified to include a capital letter "C" (for compatibility): the file name becomes RemovableMediaAccessUtilityC.dmg. If you selected the SEE RME encryption format, the name is not changed and the Removable Media Encryption format is assumed.

A user can tell which format a file is encrypted with by looking at the Encrypted column in the Removable Media Access Utility user interface: Yes indicates the Removable Media Encryption format; SEERS indicates the Removable Storage format.

Issues that can arise with file sharing and editing related to the encryption format policy options are described in these sections:
■ Editing a file that is encrypted with the Removable Storage format
■ Editing a Removable Storage file encrypted with multiple certificates
■ Editing a file encrypted with a format other than the format that policy supports

Upgrading the Removable Media Access Utility from Removable Storage Access Utility

Notification for Removable Media Access Utility upgraded from Removable Storage Access Utility
If a removable storage device has Removable Storage Access Utility 8.2.1 on it, the older version of the utility is replaced with Removable Media Access Utility 11.0.0 MP3. The first time you insert the device into a client computer that has Removable Media Encryption 11.0.0 MP3 installed and the Access Utility enabled, the 8.2.1 version of the Access Utility is replaced with the latest version. To indicate the Access Utility upgrade, a balloon notification appears on Microsoft Windows 7 operating systems and a toast notification appears on Microsoft Windows 8 operating systems.
Viewing new or changed report content

Viewing the Encryption Format policy setting in reports
In Symantec Endpoint Encryption reports, the RME Encryption Format column indicates the current value of the Encryption Format policy setting in Removable Media Encryption, as configured by the administrator. The RME Encryption Format column is displayed in the Computer Status Report and the Removable Media Encryption Details Report by default. You can customize other reports to display or hide this column as needed. For information about customizing reports to display and hide columns, refer to the Symantec Endpoint Encryption Policy Administrator Guide.

Note: For client computers that use a version of Removable Media Encryption earlier than 11.0.0 MP3, no value is displayed.

Viewing the Session Password policy setting in reports
The RME Session Passwords column indicates the current behavior of session passwords in Removable Media Encryption as defined by the administrator, or indicates that session passwords are disabled. The RME Session Passwords column is not displayed in any report by default. You can customize reports to display or hide the RME Session Passwords column as needed. For information about customizing reports to display and hide columns, refer to the Symantec Endpoint Encryption Policy Administrator Guide.

Change in the Removable Media Encryption password policy information that is displayed in reports
In Symantec Endpoint Encryption reports, the RME Passwords column now indicates all of the active password policies in Removable Media Encryption. As of version 11.0.0 MP3, Removable Media Encryption supports both default passwords and session passwords. When the administrator enables multiple password policies, they appear separated by semicolons (;).
Updates to the toggle button in the Management Agent user interface for the Removable Media Encryption password panel
The Removable Media Encryption password panel includes the following updates:
■ When the user successfully sets or updates a password, the toggle button is automatically set to the On state.
■ When the user attempts to set the toggle button to the On state without first setting a password, an error is displayed. The user must first enter and save a password; the toggle button is then set to On.
This behavior applies to all of the passwords, including the default and the session passwords.

Documentation errata for Symantec Endpoint Encryption 11.0.0 MP1
This section includes information about documentation errata.

Autologon management through policy
The Autologon feature temporarily removes the preboot authentication credential prompt on a client computer for administrative purposes. Until now, client administrators have enabled or disabled Autologon on client computers through the Drive Encryption Administrator Command Line. The new feature lets a server policy administrator define and distribute a remote policy that manages Autologon.

Note: You must install the Autologon utility MSI on a client computer before you can apply the Autologon policy.

The Drive Encryption – Autologon policy options are:
■ To enable Autologon remotely, select Always Autologon. No preboot authentication credentials are required from the user. This setting remains active until you deploy another Autologon policy.
■ To disable Autologon remotely, select Never Autologon. Users are always prompted for their preboot authentication credentials. This setting remains active until you deploy another Autologon policy.
■ To let the Drive Encryption Administrator Command Line enable or disable Autologon locally, select Autologon only when activated by admin locally.
Note: If you change Autologon management from policy-based to command-line based, the default state of Autologon is disabled. The client administrator must issue the appropriate local command through the Administrator Command Line interface to enable Autologon.

Note: If an Always Autologon or Never Autologon policy is active and you attempt to enable or disable Autologon through the command line, you receive an error message that the command line is disabled.

The following sequence shows the order of precedence in which Autologon settings are applied to a managed client computer:
1. Autologon settings from a policy (highest precedence)
2. Autologon settings from the Drive Encryption Administrator Command Line
3. Autologon MSI (lowest precedence)

If you are updating pre-11.0.0 clients (Symantec Endpoint Encryption 8.2 or earlier), the policy options for defining the number of times to boot without authentication, and for single or recurring usage, are displayed but not available for update. The clients keep those settings until you deploy a new Autologon policy through Symantec Endpoint Encryption 11.0.0 MP1.

For more information on creating GPO or native policies, refer to the Symantec Endpoint Encryption Policy Administrator Guide. For more information on using the Drive Encryption Administrator Command Line, refer to the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide.

BIOS preboot screen enhancements
You can define a legal notice and modify the font color on the splash screen, and you can suppress the splash screen. You can also define a background image and change the font color of your instructions on the Drive Encryption preboot login screen.

When you create the Startup install-time policy, you can do the following:
■ To suppress the splash screen at startup, select No splash screen.
■ To use the default Symantec Endpoint Encryption logo (image), select The SEE logo.
■ To use your company's preferred image, select A custom image and upload it.
■ Change the default legal notice and choose black or white for the text color. Black is the default. You cannot change the text color when using the SEE logo.

For the preboot login screen, you can do the following:
■ To use the default Symantec Endpoint Encryption logo (image), select The SEE logo.
■ To use your company's preferred image, select A custom image and upload it.
■ Change the default logon message and choose black or white for the text color. Black is the default.

When you create a policy to update the startup panel, you can do the following:
■ To suppress the screen at startup, select No splash screen.
■ To use the default Symantec Endpoint Encryption logo (image), select The SEE logo.
■ To use the company image that you predefined at installation time, select The custom image, if available.
■ Change the default legal notice.

For the preboot login screen, you can do the following:
■ To use the default Symantec Endpoint Encryption logo (image), select The SEE logo.
■ To use the company image that you predefined at installation time, select The custom image, if available.

Note: If you are updating pre-11.0.0 clients, the previous options for Logon instructions and Enable Safe Mode Boot are displayed but not available.

For more information on creating install-time policies or GPO or native-policy updates, refer to the Symantec Endpoint Encryption Policy Administrator Guide.

Asterisks displayed for passwords during preboot authentication
By default, the preboot authentication screen now displays asterisk characters, instead of random-stepping the cursor through blank spaces, when a user or client administrator enters a password.
Client administrators can use the Symantec Endpoint Encryption Drive Encryption Administrator Command Line to switch this behavior between asterisks and random-stepping of the cursor. To configure the preboot password display format, use the following command:
■ Usage format:
    eedAdminCli --bootprop-set --name "PWDFORMAT" --val <num> --au <AdminUserName> --ap <AdminPassword>
  where <num> is the flag that selects asterisks or random-stepping: 0 sets asterisks and 1 sets random-stepping.
■ Example that configures preboot authentication to use asterisks:
    eedAdminCli --bootprop-set --name "PWDFORMAT" --val 0 --au jsmith --ap safepass
■ Example that configures preboot authentication to use random-stepping of the cursor:
    eedAdminCli --bootprop-set --name "PWDFORMAT" --val 1 --au jsmith --ap safepass

For more information about using the Symantec Endpoint Encryption Drive Encryption Administrator Command Line, see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide.