Symantec Endpoint Encryption Full Disk
- Horatio McKinney
- 10 years ago
Symantec Endpoint Encryption Full Disk
Policy Administrator Guide
Version 8.0.1
Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section Commercial Computer Software - Restricted Rights and DFARS , et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 350 Ellis Street Mountain View, CA
Contents

1. Introduction
Overview; Directory Service Synchronization; Active Directory and Native Policies; Manager Console; Basics; Database Access; Endpoint Containers; Symantec Endpoint Encryption Roles; Policy Administrators; Client Administrators; User

Reporting
Overview; Basics; Client Computers; Data Available from Users and Computers and Basic Reports; Directory Services Synchronization Data; Admin Log Data; Client Events Data; Device Exemptions Report Data; Symantec Endpoint Encryption Users and Computers; Symantec Endpoint Encryption Reports; Basics; Active Directory Forests Synchronization Status; Client Events; Computer Status Report; Computers not Encrypting to Removable Storage; Computers with Decrypted Drives; Computers with Expired Certificates; Computers with Specified Users; Computers without Full Disk Installed; Computers without Removable Storage Installed; Device Exemptions Report; Percentage of Encrypted Endpoints; Full Disk Client Deployment; Framework Deployment; Non-Reporting Computers; Novell eDirectory Synchronization Status; Custom Reports; Resultant Set of Policy (RSoP); Windows System Events

Policy Creation & Editing
Overview; Active Directory Policies; Native Policies; Policy Options; Client Administrators; Registered Users; Password Authentication; Token Authentication; Authentication Message; Communication; Single Sign-On; Authenti-Check; One-Time Password; Startup; Logon History; Autologon; Remote Decryption; Client Monitor; Local Decryption

Policy Deployment
Overview; Active Directory Policies; Basics; Order of Precedence; Forcing a Policy Update; Native Policies; Basics; Symantec Endpoint Encryption Managed Computer Groups; Policy Assignment; Order of Precedence; Forcing a Policy Update

Endpoint Support
The Management Password; Basics; Changing the Management Password; One-Time Password Program; Basics; Launch; Management Password; Method; Error Messages; Whole Disk Recovery Token (WDRT); Basics; Launch; Management Password; User Identity; Token; Hard Disk Recovery for Windows Computers; Basics; Recover DAT File Generation

Appendix A. System Event Logging
Basics; Framework System Events List; Full Disk System Events List

Appendix B. Authentication Method Changes
Overview; User Experience

Appendix C. Policy Settings Honored by Mac Clients

Glossary

Index
Figures

Figure 1.1 Sample Network Configuration
Figure 1.2 SQL Server Logon Prompt
Figure 2.1 Group Policy Results Wizard, User Selection
Figure 2.2 RSoP Report From a Symantec Endpoint Encryption Client
Figure 3.1 Framework Computer Policy, Client Administrators Options
Figure 3.2 Add New Client Administrator Dialog
Figure 3.3 Framework Computer Policy, Registered Users Options
Figure 3.4 Framework Computer Policy, Password Authentication Options
Figure 3.5 Framework Computer/User Policy, Authenti-Check Options
Figure 3.6 Framework Computer/User Policy, One-Time Password Options
Figure 3.7 Full Disk Computer Policy, Startup Options
Figure 3.8 Full Disk Computer Policy, Autologon Options
Figure 3.9 Full Disk Computer Policy, Client Monitor Options
Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group
Figure 4.2 Name New Group Dialog
Figure 4.3 SEE Unassigned, Computer Highlighted
Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog
Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected
Figure 4.6 Policy Selection Dialog
Figure 4.7 Native Policy Assignment Confirmation
Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned
Figure 5.1 Management Password Snap-in
Figure 5.2 Management Password Changed, Confirmation Message
Figure 5.3 One-Time Password, Welcome
Figure 5.4 One-Time Password, Management Password
Figure 5.5 One-Time Password, Method Selection, Online
Figure 5.6 One-Time Password, Online Method, Identifying Information
Figure 5.7 One-Time Password, Online Method, Response Key
Figure 5.8 One-Time Password, Method Selection, Offline
Figure 5.9 One-Time Password, Offline Challenge Key
Figure 5.10 One-Time Password, Offline Response Key
Figure 5.11 One-Time Password, User Record Not Found
Figure 5.12 One-Time Password, Invalid Code Synchronization
Figure 5.13 Whole Disk Recovery Token, Welcome
Figure 5.14 Whole Disk Recovery Token Program, Management Password
Figure 5.15 Whole Disk Recovery Token Program, Identify User
Figure 5.16 Whole Disk Recovery Token Program, Token Characters
Figure 5.17 Manager Console, Computer in Need of Recovery Highlighted
Figure 5.18 Management Password Prompt
Figure 5.19 Recovery Password Prompt
Figure 5.20 Recovery Data Export Dialog
Figure 5.21 Recovery Data Export Success Message
Tables

Table 1.1 Active Directory and Native Policies Compared
Table 2.1 Client Computer Data Available from Main Window of Users and Computers and Basic Reports
Table 2.2 Client Computer Data Available from Computer Info Tab
Table 2.3 Client Computer Data Available from Framework Tab
Table 2.4 Client Computer Data Available from Full Disk Tab
Table 2.5 Client Computer Data Available from Removable Storage Tab
Table 2.6 Client Computer Data Available from Associated Users Tab
Table 2.7 Fixed Drives Data
Table 2.8 Directory Services Synchronization Data
Table 2.9 Admin Log Data
Table 2.10 Client Log Data
Table 2.11 Device Exemptions Report
Table 2.12 Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers
Table A.1 Framework System Events
Table A.2 Full Disk System Events
Table B.1 Effect of a Change in Authentication Method on Existing User Accounts
Table C.1 Policy Settings Honored by Mac Clients
1. Introduction

Overview

Symantec Endpoint Encryption Full Disk protects data on laptops and PCs from the threat of theft or loss with strong, centrally managed encryption, auditing, and policy controls for hard disks and partitions, ensuring that the loss of a machine and its data does not result in disclosure required by corporate policy or government regulation. As part of Symantec Endpoint Encryption, Full Disk leverages existing IT infrastructures for seamless deployment, administration, and operation.

Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies.

The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.

[Figure 1.1 Sample Network Configuration. Diagram labels: Manager Computer, Management Server, Database Server, Domain Controller, eDirectory Server, Client, your-org.com, your_tree; connection labels: SOAP over HTTP, Group Policy, LDAP, TDS, TLS/SSL.]

The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required. Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported.

A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory.

The Manager Console can be installed on multiple Manager Computers. It can also be installed on the Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of Active Directory.
The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional.

Directory Service Synchronization

Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.

When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities. In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints.

The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.

Active Directory and Native Policies

Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.

Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.

The following table itemizes the differences between Active Directory and native policies.

Table 1.1 Active Directory and Native Policies Compared

| Active Directory Policies | Native Policies |
|---|---|
| Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers. |
| Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. |
| Single pane policy creation/deployment. | Each pane must be visited when creating the policy. |
| Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server. |
| An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console. |
| Ignored by Mac clients | Honored by Mac clients |
Manager Console

Basics

The Manager Console contains the following Symantec Endpoint Encryption snap-ins:

- Symantec Endpoint Encryption Management Password allows you to change the Management Password. The Management Password controls administrator access to two Full Disk help desk functions: Recover /B and the Help Desk Program.
- Symantec Endpoint Encryption Software Setup is used to create client installation/migration packages.
- Symantec Endpoint Encryption Native Policy Manager escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.
- Symantec Endpoint Encryption Users and Computers displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups; provides the ability to export computer-specific Recover DAT files necessary for Recover /B.
- Symantec Endpoint Encryption Reports includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to export computer-specific Recover DAT files and create your own custom reports.
- SEE Help Desk Program (optional) enables you to assist Windows or Mac users that forgot their credentials. You can also assist Windows users that have been locked out for a failure to communicate with the Management Server.

It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:

- Active Directory Users and Computers allows you to both view and modify your Active Directory organizational hierarchy.
- Group Policy Management lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory managed computers.

Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account.

Database Access

Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console.

If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials.

[Figure 1.2 SQL Server Logon Prompt]
The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site.

The syntax used in the Server name field is as follows:

computer name,port number\instance name

While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash.

To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate.

If you don't wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.

Endpoint Containers

Basics

The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers: Active Directory Computers, Novell eDirectory Computers, or Symantec Endpoint Encryption Managed Computers.

Active Directory/Novell eDirectory Computers

No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled. If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers.

Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins.

Symantec Endpoint Encryption Managed Computers

Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container. Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container.

Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not.

- If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container.
- If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container.
Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire.

Deleted Computers

The Deleted Computers container stores Symantec Endpoint Encryption managed computers that have been deleted, allowing you to restore the computer and revert its deletion.

Symantec Endpoint Encryption managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint Encryption managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container.

Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete.

Symantec Endpoint Encryption Roles

Policy Administrators

As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks:

- Update and set client policies.
- Run reports.
- Change the Management Password.
- Run the Help Desk Program.
- Create the computer-specific Recover DAT file necessary for Recover /B.

Client Administrators

Basics

Client Administrators provide local support to Symantec Endpoint Encryption users.

Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.

Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers.

Mac Client

Each Mac client must have at least and no more than one Client Administrator account. The Client Administrator account is specified within the client installation package or policy. It will be created on the client at the time that the encryption of the boot disk is manually initiated. The Client Administrator account cannot be deleted by the user, ensuring administrative access to the Client Computer.

The Client Administrator authenticates with a password. Privilege level is ignored by the Mac client. The Client Administrator account cannot be used to initiate encryption.

Windows Client

Client Administrators may be configured to authenticate with either a password or a token.
Each Client Administrator account can be assigned any of the following individual administrative privileges:

- Unregister users allows Client Administrators to unregister registered users from the Administrator Client Console;
- Decrypt drives provides Client Administrators with the right to decrypt encrypted disks and partitions from the Administrator Client Console or through the use of Recover /D;
- Extend lockout permits Client Administrators to extend the Client Computer's next communication date using the Administrator Client Console; and
- Unlock enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server.

Client Administrators are always able to authenticate to Client Computers. Client Administrators should be trusted in accordance with their assigned level of privilege.

Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery.

Up to 1024 total Client Administrator accounts can exist on each Client Computer.

Client Administrator accounts have the following restrictions:

- Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.
- Client Administrators cannot use Single Sign-On.

User

Basics

Full Disk protects the data stored on the Client Computer by encrypting it and requiring valid credentials to be provided before allowing the operating system to load.

Users set their own Symantec Endpoint Encryption credentials, which allow them to power the machine on from an off state and gain access to the operating system. Only the credentials of registered users and Client Administrators will be accepted by Full Disk.

Mac Client

Upon manual initiation of encryption, a user account must be created. Up to 119 users can be added.

Windows Client

At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention.

Authentication to Full Disk can be configured to occur in one of three ways:

- Single Sign-On enabled: The user will be prompted to authenticate once each time they restart their computer.
- Single Sign-On not enabled: The user must log on twice: once to Full Disk and then separately to Windows.
- Automatic authentication enabled: The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.

A maximum of 1024 users can be allowed during the creation of the installation package and can be changed by policy.

To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.
2. Reporting

Overview

Basics

The Manager Console reporting tools allow you to obtain information about:

- Client Computers,
- Policy Administrator activities, and
- Directory service synchronization.

Client Computers

Data Available from Users and Computers and Basic Reports

Basics

At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following snap-in and reports:

- Symantec Endpoint Encryption Users and Computers;
- Computer Status Report;
- Computers not Encrypting to Removable Storage;
- Computers with Decrypted Drives;
- Computers with Expired Certificates;
- Computers with Specified Users;
- Computers without Full Disk Installed;
- Computers without Removable Storage Installed;
- Non-Reporting Computers; and
- Custom Reports.

Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details.

If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s) even if it has never checked in with the Management Server. While only the computer name and directory service location of these machines will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in.
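Added example, not part of the Symantec guide: a triage pass over endpoint records of the kind this section describes, flagging computers that never checked in, have stale check-ins, or report decrypted, decrypting or still-encrypting drives. The column names are those of Table 2.1; the CSV layout, the `;` drive separator, the timestamp format, the 30-day threshold and the LAP-00x computer names are assumptions made for the sample.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. Column names follow Table 2.1 of the guide; the CSV
# layout, the ';' drive separator and the timestamp format are assumptions.
SAMPLE_EXPORT = """\
Computer name,Last Check-In,Decrypted,Decrypting,Encrypted,Encrypting,Version
LAP-001,2011-06-01 09:15,,,C:,,8.0.1
LAP-002,2011-03-02 17:40,,,C:;D:,,8.0.1
LAP-003,2011-06-02 08:05,D:,,C:,,8.0.1
LAP-004,,,,,,
LAP-005,2011-06-02 11:30,,C:,,,8.0.1
LAP-006,2011-06-01 14:00,,,,C:,8.0.1
"""
SAMPLE_NOW = datetime(2011, 6, 3, 12, 0)  # fixed "current time" for the sample
TIME_FORMAT = "%Y-%m-%d %H:%M"            # assumed timestamp layout
DRIVE_COLUMNS = ("Decrypted", "Decrypting", "Encrypted", "Encrypting")


def drives(cell):
    """Split a drive cell such as 'C:;D:' into a list; an empty cell gives []."""
    return [d.strip() for d in (cell or "").split(";") if d.strip()]


def triage_record(row, now, max_age):
    """Return the findings for one record; an empty list means nothing to chase."""
    last_check_in = (row.get("Last Check-In") or "").strip()
    if not last_check_in:
        # Directory-synchronization record only: the name is known, but the
        # client has never reported, so nothing shows the disk is protected.
        return ["never checked in"]
    findings = []
    if now - datetime.strptime(last_check_in, TIME_FORMAT) > max_age:
        # The drive status below is only as fresh as the last check-in.
        findings.append("stale check-in")
    for column in ("Decrypted", "Decrypting", "Encrypting"):
        found = drives(row.get(column))
        if found:
            findings.append(f"{column.lower()}: {','.join(found)}")
    if not any(drives(row.get(c)) for c in DRIVE_COLUMNS):
        findings.append("no drive status reported")
    return findings


def triage(export_text, now, max_age_days=30):
    """Map each computer name in the export to its list of findings."""
    max_age = timedelta(days=max_age_days)
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["Computer name"]: triage_record(row, now, max_age)
            for row in reader}


def clean_share(report):
    """Fraction of endpoints with a recent check-in and only encrypted drives."""
    if not report:
        return 0.0
    return sum(1 for findings in report.values() if not findings) / len(report)


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, SAMPLE_NOW)
    for name, findings in sorted(result.items()):
        print(f"{name}: {'; '.join(findings) or 'ok'}")
    print(f"clean endpoints: {clean_share(result):.0%}")
```

A stale check-in is reported even when the last known state was fully encrypted, because the recorded drive status describes the machine only as of that check-in.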
Main Window

The following table itemizes the data available about Client Computers from the main window. Columns that will be displayed but not populated by Full Disk are identified as not applicable (N/A).

Table 2.1 Client Computer Data Available from Main Window of Users and Computers and Basic Reports

| Column Heading | Data Displayed | Explanation |
|---|---|---|
| Computer name | computer name | Computer name |
| Group name* | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| Last Check-In | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| Decrypted | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any decrypted drives and/or partitions on this computer |
| Decrypting | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any drive and/or partitions on this computer that are in the process of decrypting |
| Encrypted | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any encrypted drive and/or partitions on this computer |
| Encrypting | drive letter(s) or disk ID(s) | The drive letter(s) or disk ID(s) of any drives and/or partitions on this computer that are in the process of encrypting |
| Version | n.n.n | The three digit version number of Full Disk that is currently installed |
| Installation Date | time/date stamp | The time and date on which Full Disk was installed |
| RS Device Access Control* | N/A | N/A |
| RS Encryption Policy | N/A | N/A |
| RS Encryption Method | N/A | N/A |
| RS On-Demand Encryption* | N/A | N/A |
| RS Access Utility* | N/A | N/A |
| RS Self-Extracting Archives* | N/A | N/A |

* This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in.
This column is not shown in the reports.

Computer Info Tab

After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab.
Table 2.2 Client Computer Data Available from Computer Info Tab

| Column Heading | Data Displayed | Explanation |
|---|---|---|
| Group | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| OS | operating system name | The name of the installed operating system |
| OS Type | 32-bit; 64-bit | The number of bits of memory supported by the installed operating system |
| Serial Number | serial number | The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. |
| Asset Tag | asset tag | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. |
| Part Number | time/date stamp | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. |

Framework Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab.

Table 2.3 Client Computer Data Available from Framework Tab

| Column Heading | Data Displayed | Explanation |
|---|---|---|
| FR Version | n.n.n | The three digit version number of Framework that is currently installed |
| FR Installation Date | time/date stamp | The time and date on which Framework was installed |
| Last Check-In Time | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate's expiration |

Full Disk Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab.
Table 2.4 Client Computer Data Available from Full Disk Tab

| Column Heading | Data Displayed | Explanation |
|---|---|---|
| FD Version | n.n.n | The three digit version number of Full Disk that is currently installed |
| FD Installation Version | time/date stamp | The time and date on which Full Disk was installed |
| Last Check-in | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate's expiration |
| Partition | drive letter | The drive letter of the partition that is encrypted, encrypting, decrypted, or decrypting |
| Encryption start time | time/date stamp | The date and time that encryption was initiated |
| Encryption end time | time/date stamp | The date and time that encryption completed |
| Decryption start time | time/date stamp | The date and time that decryption was initiated |
| Decryption end time | time/date stamp | The date and time that decryption completed |
| Decryption initiated by | user name | The user name of the user or Client Administrator that initiated decryption |
Removable Storage Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Removable Storage tab.

Table 2.5 Client Computer Data Available from Removable Storage Tab

Column Heading | Data Displayed | Explanation
RS Device Access Control | N/A | N/A
RS Encryption Policy | N/A | N/A
RS On-Demand Encryption | N/A | N/A
RS Encryption Method | N/A | N/A
RS Exempted File Type | N/A | N/A
RS Recovery Certificate | N/A | N/A
RS Workgroup Key | N/A | N/A
RS Device Exclusions | N/A | N/A
RS Passwords | N/A | N/A
RS Password Aging | N/A | N/A
RS Access Utility | N/A | N/A
RS Self-Extracting Archives | N/A | N/A
RS Version | N/A | N/A
RS Last Upgrade Date | N/A | N/A
RS Installation Version | N/A | N/A

Associated Users Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. If this is a Mac record, no data will be available from the Associated Users tab.

Table 2.6 Client Computer Data Available from Associated Users Tab

Column Heading | Data Displayed | Explanation
User Name | user name | The user name of the registered user or Client Administrator account
User Type | Reg User, Client Admin | If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed.
Authentication Method | Password, Token, Password and Token, Unauthenticated | If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed.
User Domain | name of domain or tree, computer name | If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank.

Table 2.6 Client Computer Data Available from Associated Users Tab (Continued)

Column Heading | Data Displayed | Explanation
Last Logon Time | time/date stamp | If a user, the time and date of the last User Client Console logon. If a Client Administrator, the time and date of the last Administrator Client Console logon.
Registration Time | time/date stamp | The time and date on which this user registered. If this is a Client Administrator account, the time and date on which the account was created either by MSI or policy update.

Fixed Drives Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the Fixed Drives tab will contain one row of data per physical disk drive on the Client Computer.

Table 2.7 Fixed Drives Data

Column Heading | Data Displayed | Explanation
Disk ID | digit | The number of the physical disk, as assigned by the operating system. The operating system will assign a number to each physical disk. The first physical disk will be assigned the number 0 and the rest of the assigned numbers will increment sequentially.
Volume(s) | drive letter | The alphabetical letter assigned by the operating system to the logical drive will be identified in this cell. If the drive has been divided into partitions, the letter of each partition will be displayed, separated by commas.
Serial Number | number | The serial number of the physical disk will be displayed. This information is obtained from the device properties. If this data could not be obtained from the device properties, the value will be blank.

Directory Services Synchronization Data

Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports: Active Directory Forests Synchronization Status on page 15, and Novell eDirectory Synchronization Status on page 16. One row of data per forest or tree will be listed.
The following table identifies the data that will be available from these reports.

Table 2.8 Directory Services Synchronization Data

Column Heading | Data Displayed | Explanation
Forest/Tree Name | forest or tree name | The name of the forest or tree that you are synchronizing with will be identified in this column.
Administrator Name | user name | The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account.
Administrator Domain* | domain | The Active Directory domain of the Active Directory synchronization account for this forest will be identified.
Last Synchronization | time date stamp | The time and date of the last successful synchronization with this forest or tree will be supplied.

Table 2.8 Directory Services Synchronization Data (Continued)

Column Heading | Data Displayed | Explanation
Total Computers | number | The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption protected endpoints.

* This column is not shown in the Novell eDirectory Synchronization Status report.

Admin Log Data

Each time the Policy Administrator makes a change using the Manager Console, the action will be logged. The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report.

Table 2.9 Admin Log Data

Column Heading | Data Displayed | Explanation
Date-Time | time date stamp | The time and date on which the activity occurred
User | user name | The Windows user name of the Policy Administrator that initiated the activity
Computer | computer name | The computer name of the Manager Computer from which the activity was initiated

Table 2.9 Admin Log Data (Continued)

Column Heading | Data Displayed | Explanation
Activity | Description | One of the entries listed below

- Changed Symantec Endpoint Encryption management password
- Created native policy policy name
- Renamed native policy old policy name to new policy name
- Deleted native policy policy name
- Edited native policy policy name
- Created new Symantec Endpoint Encryption Managed computer group group name
- Renamed Symantec Endpoint Encryption Managed computer group old group name to new group name
- Deleted Symantec Endpoint Encryption Managed computer group group name
- Assigned native policy policy name to group group name
- Unassigned native policy policy name from group group name
- Changed assigned native policy for group group name from native policy old policy name to native policy new policy name
- Deleted Symantec Endpoint Encryption Managed Computer computer name
- Moved Symantec Endpoint Encryption Managed Computer computer name from group old group name to new group name
- Restored Symantec Endpoint Encryption Managed Computer computer name
- Exported Recover DAT file for computer computer name
- Initiated One-Time Password online method for user user name on computer computer name Symantec Endpoint Encryption GUID Symantec Endpoint Encryption GUID of computer
- Initiated One-Time Password offline method for user user name
- Created Framework client installation package MSI package name
- Created Full Disk client installation package MSI package name
- Created Removable Storage client installation package MSI package name
- Created Autologon MSI package MSI package name

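One way to review an exported Admin Log for activity that touches recovery material, the management password, or policy removal. This is an added example, not part of the product or the original guide; the CSV column names (taken from the Table 2.9 column headings), the timestamp layout, the exact activity wording in an export, and the burst threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the export

# Activity text prefixes from Table 2.9, grouped by why a reviewer cares.
CATEGORIES = {
    "recovery": ("Exported Recover DAT file",
                 "Initiated One-Time Password"),
    "credential": ("Changed Symantec Endpoint Encryption management password",),
    "policy-removal": ("Deleted native policy", "Unassigned native policy"),
}

# Constructed sample export; users, computers and policies are made up.
SAMPLE_LOG = """\
Date-Time,User,Computer,Activity
2011-06-01 09:00:00,padmin1,MGR-01,Edited native policy Laptops
2011-06-01 09:05:00,padmin2,MGR-02,Exported Recover DAT file for computer LAB-PC-07
2011-06-01 09:20:00,padmin2,MGR-02,Initiated One-Time Password offline method for user jdoe
2011-06-01 09:40:00,padmin2,MGR-02,Exported Recover DAT file for computer LAB-PC-09
2011-06-01 13:00:00,padmin1,MGR-01,Exported Recover DAT file for computer LAB-PC-03
2011-06-01 16:30:00,padmin1,MGR-01,Deleted native policy Kiosks
2011-06-02 08:15:00,padmin1,MGR-01,Changed Symantec Endpoint Encryption management password
"""


def classify(activity):
    """Map an activity description to a review category, or None."""
    text = (activity or "").strip().lower()
    for category, prefixes in CATEGORIES.items():
        if any(text.startswith(prefix.lower()) for prefix in prefixes):
            return category
    return None


def review(csv_text, window=timedelta(hours=1), burst=3):
    """Return (flagged entries, bursts of recovery actions per administrator)."""
    flagged = []
    recovery_times = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = classify(row["Activity"])
        if category is None:
            continue
        when = datetime.strptime(row["Date-Time"].strip(), TS_FORMAT)
        flagged.append((when, row["User"], row["Computer"], category))
        if category == "recovery":
            recovery_times[row["User"]].append(when)

    bursts = []
    for user, times in recovery_times.items():
        recent = deque()
        for when in sorted(times):
            recent.append(when)
            # Drop events that fell out of the sliding window.
            while when - recent[0] > window:
                recent.popleft()
            if len(recent) >= burst:
                bursts.append((user, recent[0], len(recent)))
                recent.clear()  # report each burst once
    return flagged, bursts


if __name__ == "__main__":
    entries, alerts = review(SAMPLE_LOG)
    for when, user, computer, category in entries:
        print(when, user, computer, category)
    for user, start, count in alerts:
        print(f"burst: {user} performed {count} recovery actions from {start}")
```
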
Client Events Data

A subset of the Windows system events from Windows Client Computers will be available from the Client Events report. The following table identifies the data that will be available in the Client Events report for Windows endpoints. No client events data for Mac clients will be available.

Table 2.10 Client Log Data

Column Heading | Data Displayed | Explanation
Date-Time | time date stamp | The time and date on which the activity occurred
User | user name | The Windows user name of the user that initiated the activity
Computer Name | computer name | The computer name of the Windows Client Computer on which the event was logged
Event Description | description text | Framework events 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Full Disk events 1004, 1008, 1012, 1014, 1015, 1019, 1023, 1027, 1028, 1107, 1108, 1109, 1110, 1111, 1114, 1119, 1120, and Refer to Appendix A System Event Logging on page 57 for the text of each event.

Device Exemptions Report Data

The following table details the data available from the Device Exemptions report.

Table 2.11 Device Exemptions Report

Column Heading | Data Displayed | Explanation
Computer Name | N/A | N/A
Last Check-In | N/A | N/A
RS Exempted Product ID | N/A | N/A
RS Exempted Vendor ID | N/A | N/A
RS Device Memo | N/A | N/A

Symantec Endpoint Encryption Users and Computers

The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group. This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis. You might also want to consider your reporting needs when you create your groups (Symantec Endpoint Encryption Managed Computer Groups on page 36).

Symantec Endpoint Encryption Reports

Basics

The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s).
After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console. Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu.

Active Directory Forests Synchronization Status

The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status (Directory Services Synchronization Data on page 11).

Client Events

The Client Events report provides you with a subset of the events logged on the endpoint (Client Events Data on page 14). Client events can be filtered according to inclusive date and time, user name, and computer name.

Computer Status Report

The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. This can be useful for Windows clients under the following circumstances:

- After deploying Windows client installation packages using your third-party deployment tool of choice, run this report to ensure that the deployment was successful and that each client checks in. You should make sure that each Windows client checks in at least once. During the check in process, the Windows Client Computer sends data necessary for the online method of the One-Time Password Program and for the /B method of the Recover Program. Once you have identified Windows Client Computers that have not checked in, you can target them using other tools such as Resultant Set of Policy (RSoP) reports and Windows system event logs to determine if there was a problem during installation.
- Should a Windows Client Computer fail to boot, you may need to export computer-specific recovery data necessary for Recover /B.

Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.

Computers not Encrypting to Removable Storage

The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network:

- Did not have Removable Storage installed as of the time of last check-in.
- Was not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check in.
- Resides on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.

Computers with Decrypted Drives

The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:

- Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have a decrypted or decrypting drive or partition.

Computers with Expired Certificates

The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run.

Computers with Specified Users

The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run. The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.

Computers without Full Disk Installed

The Computers without Full Disk Installed report will retrieve the records of the following computers on your network:

- Did not have Full Disk installed as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Full Disk installed.

Computers without Removable Storage Installed

The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network:

- Did not have Removable Storage installed as of the time of last check-in.
- Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Removable Storage installed.

Device Exemptions Report

The Device Exemptions report allows you to obtain a list of the devices exempted from encryption on a given computer (Device Exemptions Report Data on page 14).

Percentage of Encrypted Endpoints

The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of computers that are encrypted versus the percentage that are not. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.

Full Disk Client Deployment

The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Full Disk versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.

Framework Deployment

The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Framework versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart.

Non-Reporting Computers

The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh. It is also an essential complement to a lockout policy. Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the Symantec Endpoint Encryption Management Server within the specified number of days will be retrieved and listed.

Novell eDirectory Synchronization Status

The Novell eDirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status.

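The reports above can be exported to CSV for further processing. The following added example (not part of the product or the original guide) applies the same checks as the Non-Reporting Computers, Computers with Expired Certificates, and Computers with Decrypted Drives reports to one export in a single pass. The export layout (Table 2.4 column headings plus a "Computer Name" column), the timestamp format, and the rule used to infer a decrypted partition are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed timestamp layout of the export; change it to match your console.
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not real data). Column names follow Table 2.4,
# plus an assumed "Computer Name" column.
SAMPLE_CSV = """\
Computer Name,Last Check-in,SSL Certificate Expiration Date,Partition,Encryption start time,Encryption end time,Decryption start time,Decryption initiated by
LAB-PC-01,2011-05-30 09:12:00,2012-04-01 00:00:00,C,2011-01-10 08:00:00,2011-01-10 14:30:00,,
LAB-PC-02,2011-03-02 17:45:00,2011-06-20 00:00:00,C,2011-01-11 08:00:00,2011-01-11 13:00:00,,
LAB-PC-03,2011-05-29 11:00:00,2012-02-01 00:00:00,C,2011-01-12 08:00:00,2011-01-12 12:00:00,2011-05-28 16:20:00,cadmin1
LAB-PC-04,,,,,,,
LAB-PC-05,30/05/2011,2012-02-01 00:00:00,C,2011-01-12 08:00:00,2011-01-12 12:00:00,,
"""


def parse_ts(cell):
    """Return a datetime, None for a blank cell; raise ValueError if malformed."""
    cell = (cell or "").strip()
    return datetime.strptime(cell, TS_FORMAT) if cell else None


def triage(csv_text, now, stale_days=30, cert_days=90):
    """Return (computer, finding, detail) tuples for rows needing follow-up."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = (row["Computer Name"] or "").strip()
        try:
            last_seen = parse_ts(row["Last Check-in"])
            cert_end = parse_ts(row["SSL Certificate Expiration Date"])
            enc_start = parse_ts(row["Encryption start time"])
            dec_start = parse_ts(row["Decryption start time"])
        except ValueError as exc:
            # Surface bad rows instead of silently dropping them.
            findings.append((host, "unparseable timestamp", str(exc)))
            continue

        if last_seen is None:
            # No check-in recorded: the other columns say nothing about
            # this client, so its encryption state is unknown.
            findings.append((host, "never checked in", "encryption state unknown"))
            continue

        age = now - last_seen
        if age > timedelta(days=stale_days):
            findings.append((host, "non-reporting",
                             f"{age.days} days since check-in"))

        # Includes certificates that have already expired.
        if cert_end is not None and cert_end <= now + timedelta(days=cert_days):
            findings.append((host, "certificate expiring",
                             cert_end.strftime(TS_FORMAT)))

        # Assumption: a decryption that started after the last encryption
        # run means the partition is decrypted or decrypting.
        if dec_start is not None and (enc_start is None or dec_start > enc_start):
            who = (row["Decryption initiated by"] or "").strip() or "unknown"
            findings.append((host, "decrypted or decrypting",
                             f"partition {row['Partition']} by {who}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV, now=datetime(2011, 6, 1)):
        print(*finding, sep=" | ")
```

Data for a client is only as fresh as its last check-in, so a computer flagged as non-reporting should be treated as unverified for the other checks as well.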
Custom Reports

The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the Query Editor. Click Save when you are done and type in a name for the new report.

Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter criteria, see Table 2.1 on page 8.

While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you select the check box, the records of clients will be retrieved as well as the records of GuardianEdge Framework and clients. If you have GuardianEdge clients, consult the following table for the full mapping.

Table 2.12 Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers

Symantec Endpoint Encryption Version Number | Equivalent GuardianEdge Version Number(s)
, , , Patch

Resultant Set of Policy (RSoP)

The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

The initial Symantec Endpoint Encryption installation settings as deployed using the Framework and Full Disk client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report.

To generate an RSoP report, perform the following steps:

1. Open the Symantec Endpoint Encryption Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5. Click Next.

Figure 2.1 Group Policy Results Wizard, User Selection

6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only interested in computer policies, select Do not display user policy settings in the results.
7. Click Next.
8. Click Next at the summary screen, then click Finish.
9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.
10. Click on the Settings tab of the Group Policy Results window in the pane on the right.
11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.
12. Within the section named Computer Configuration, locate the subsection named Administrative Templates. Symantec Endpoint Encryption uses registry-based policies, and any Symantec Endpoint Encryption computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Full Disk. For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect.

Figure 2.2 RSoP Report From a Symantec Endpoint Encryption Client

Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.

Some Symantec Endpoint Encryption Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular Symantec Endpoint Encryption policy and can be ignored.

Windows System Events

All security-related system events are logged on the Symantec Endpoint Encryption Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer.

To view Full Disk specific system events logged on a specific Windows computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.
5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.
6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Symantec and click Apply.
10. This filters the event log for that computer to show Framework and Full Disk events. Drag the Application Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event. The Description field contains information about that particular Full Disk event.

To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.

To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.

Full Disk System events generated in Windows log the user account information associated with that event in the User field of the Event Properties window, while Full Disk events generated in the pre-Windows environment log the user account information in the Description field of the Event Properties window.

For a complete list of all Symantec Endpoint Encryption specific system events, their event code numbers, and descriptions of the events, refer to Appendix A System Event Logging on page 57.

3. Policy Creation & Editing

Overview

Each client will have installation settings in place. Installation settings are created at the time that the client is installed and modified each time an upgrade package is applied. Policy settings will always take precedence over any installation settings on the client.

Symantec Endpoint Encryption provides two different types of policies. While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies. Mac clients will only receive and process native policies.

This chapter discusses the following:

- How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) (Active Directory Policies on page 21);
- How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager (Native Policies on page 22); and
- The individual policy options themselves (Policy Options on page 22).

Active Directory Policies

To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects. To edit an existing GPO, right-click the GPO and select Edit. To create a new GPO, right-click Group Policy Objects and select New. The Group Policy Object Editor (GPOE) will launch.

To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.

To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Full Disk, according to your needs.

Each Active Directory policy panel features three option buttons at the top:

- Do not change these settings: this option is the default option. It specifies that no changes to existing policies or installation settings will be made.
- Change these settings: click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect; they will just display generic defaults.
- Restore the installation settings: click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.

When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to Policy Options on page 22.

Native Policies

To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create New Policy. When naming a policy, observe the following:

- Each name must be unique and cannot have been assigned to any other native policy.
- Names are case-insensitive.
- Leading and trailing spaces will be deleted.

To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you want to edit and highlight it.

For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native Policy Manager, continue to the next section.

Policy Options

Client Administrators

When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer.

Figure 3.1 Framework Computer Policy, Client Administrators Options

At least one default Client Administrator account must be specified. Only the default Client Administrator account will be sent to Mac clients. No more than 1024 Client Administrator accounts can be added.

You can import a list of Client Administrators from a previously created installation settings package. Click Load client administrators from installation settings, select the previously created Framework client installer package, then click Open. The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created.

Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the account.

Figure 3.2 Add New Client Administrator Dialog

Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ. Each Client Administrator account must have credentials and a specified level of privilege.

Leave the Default admin check box selected to designate this Client Administrator as the default Client Administrator account, otherwise deselect the check box. If you deselect the Default admin check box, the Level, Authentication, and Admin Privileges controls become available. The Default admin check box will be deselected and unavailable if you already added a default Client Administrator.

The Admin Privileges section is only available if the Default admin check box is deselected.

- Select the Unregister users check box to allow the Client Administrator to unregister users.
- Select the Decrypt drives check box to allow the Client Administrator to decrypt encrypted disks and partitions, and to use the Recover /D option.
- Select the Extend lockout check box to allow the Client Administrator to extend the Client Computer's next communication date.
- Select the Unlock check box to allow the Client Administrator to unlock Client Computers.
- Deselect all the check boxes to only allow the Client Administrator to authenticate to Client Computers and the Administrator Client Console.

The Level list box is only available if the Default admin check box is deselected. Click Level to set the desired privilege level for the Client Administrator. Note that the privileges you set in the Level list box will be ignored by Client Computers running Symantec Endpoint Encryption The Level settings are provided for compatibility with legacy clients, and are completely independent of the Admin Privileges settings.
Use the Admin Privileges settings if your policy will apply exclusively to Symantec Endpoint Encryption or later clients. Use both the Admin Privileges settings and the Level settings if your policy will apply to multiple versions of the Symantec Endpoint Encryption client.

The Authentication list box is only available if the Default admin check box is deselected. Click Authentication to set the Client Administrator's authentication method. If this is a native policy and you selected None (password authentication only) when installing the Framework Manager, the list box will display Password and be unavailable. If you selected one of the token types when installing the Framework Manager, the list box will have both Password and Token options available.

If you select the Password option, type the desired password for this Client Administrator account in the Password box. The password must be a minimum of two characters and no longer than 32. Type the password a second time in the Confirm password box.

If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file.

Registered Users

Basics
The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered from Symantec Endpoint Encryption. Registered user policy settings will be ignored by Mac clients.

Figure 3.3 Framework Computer Policy, Registered Users Options

Authentication Method
In Authentication Method, select the authentication method you want Symantec Endpoint Encryption to effect.

Clicking on Require registered users to authenticate with ensures that Full Disk authentication takes place before Windows loads.
Select a password to have users authenticate with a password.
Select a token to have users authenticate with a token.
Select password or token to allow users to authenticate using either a password or a token.

Select Do not require registered users to authenticate to SEE to enable automatic authentication. This option is designed for kiosk environments. If it is selected, users will not need to provide valid credentials to Full Disk before Windows loads and your organization will rely on Windows for user authentication. It will reduce the security of the Client Computer but increase the transparency of the user experience. The registration process will be silent and automatic as well unless a registration password is specified. Coupling automatic authentication with a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.

Single Sign-On will be unavailable to users not using the same authentication method for both Windows and Symantec Endpoint Encryption. For Single Sign-On to work, the authentication methods used in both environments must be identical.
Once the policy has been processed and the Client Computer has rebooted, the user's experience will vary. Refer to Appendix B Authentication Method Changes on page 81 for details of the user's experience.

Registration
To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account.

To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for a Symantec Endpoint Encryption account.

Specify the maximum number of Symantec Endpoint Encryption registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached.

Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in.

Specify the number of grace restarts, i.e., the number of times, from 0 to 99, that the computer can restart before the first user who logs on will be forced to register for a Symantec Endpoint Encryption account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.

Unregistration
Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from days.
This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available Symantec Endpoint Encryption accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly.
Password Authentication
Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled. Only the settings in the Password Complexity area will be honored by the Mac client.

Figure 3.4 Framework Computer Policy, Password Authentication Options

Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one-minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one-minute delay behavior is lifted.

Password Complexity
These settings include the minimum number of characters users' Symantec Endpoint Encryption passwords must contain, the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.

Maximum Password Age
Leave this option at the default to not set an expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users' passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords.

Password History
Allow users to use any previously-used Symantec Endpoint Encryption password, or select the other option and type the number of different passwords users must use before reverting to old passwords.

Minimum Password Age
Leave this option at the default to allow users to change their Symantec Endpoint Encryption passwords as frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords.
Note that leaving this option at the default will effectively override the password history feature, since a user could quickly cycle through the required number of new passwords in order to keep an old, favorite password.
Token Authentication
If token authentication is in effect and you want to allow expired certificates, check the Users can authenticate to SEE with expired certificates check box. Token authentication settings will be ignored by Mac clients.

Authentication Message
To change the message shown to users who are having trouble authenticating, edit the text within the Instructions for users who are having trouble with authentication field. For example, the phone number of your help desk may have been provided in the message and you may need to update it. The authentication message will be honored by Mac clients.

Communication
Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact with the Management Server. The communication interval will be honored by Mac clients.

Single Sign-On
Select or deselect the Enable Single Sign-On check box for the desired effect. If Single Sign-On is enabled, password changes must be initiated by the user on the local workstation. Administrators cannot reset users' passwords from the server. Third party password change tools such as SSPRM are not supported. Single Sign-On policy settings will be ignored by Mac clients.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Authenti-Check
Use the Authenti-Check panel to enable or disable Authenti-Check, and/or to change the question-answer pair requirements. Authenti-Check policy settings will be ignored by Mac clients.

Figure 3.5 Framework Computer/User Policy, Authenti-Check Options

Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect.
Type a value in the Minimum answer length box to set the minimum number of characters, from 1 to 99, that users must include when answering Authenti-Check questions.
Type one, two, or three Predefined questions, 0 to 99 characters in length, that a user must correctly answer before the user authenticates. The number displayed in the Number of user-defined questions required drop-down list is dynamically updated based on how many questions you have typed in the Predefined questions boxes. Number of predefined questions shows the number of predefined questions currently specified, while Total shows the combined total of the Number of predefined questions plus the Number of user-defined questions required. Note that at least one question must be defined either by you or by the user.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

One-Time Password
Use the One-Time Password panel to modify the availability of One-Time Password assistance, change the default method, or adjust the availability of the OTP Communication Unlock feature. One-Time Password policy settings will be ignored by Mac clients.

Figure 3.6 Framework Computer/User Policy, One-Time Password Options

Select the Enable One-Time Password check box to make this pre-Windows authentication assistance method available to Full Disk users.

Within the Default method area, select the default method that the Client Computers will begin with when initiating a One-Time Password recovery attempt. Select Online if the clients are configured to connect to the Management Server. Select Offline if the clients are silent.

Select the OTP Communication Unlock check box to allow users who have been locked out of their computers for a failure to communicate to regain access using the One-Time Password Program.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users.
If this is a native policy, it will be applied to all users of the recipient computer(s).
Startup
Use the Startup panel to revert to the default startup image, change the logon instructions, change the legal notice shown on the Startup screen, or allow registered users to start in safe mode.

Policies cannot be used to change a custom image. To change a custom image, create a client installation package with the new image in it. Apply this package to the client as an upgrade.

Only the text in the Logon instructions box and Legal notice box will be honored by Mac clients. Custom images and safe mode boot settings will be ignored by Mac clients.

Figure 3.7 Full Disk Computer Policy, Startup Options

Select The SEE logo to replace a custom image with the default image from Symantec Endpoint Encryption. You can also use the Logon instructions and Legal notice fields to customize the text displayed on the Startup screen.

Select the Enable Safe Mode Boot for registered users check box to allow registered users to start their desktop computers in safe mode.

Logon History
Use the Logon History panel to change whether the Symantec Endpoint Encryption logon is prefilled with the user name and/or domain of the last successfully authenticated user.

Selecting the User name check box allows users to see the name and domain of the last user who logged on at the Symantec Endpoint Encryption pre-Windows logon screen. This will reduce the security of your Client Computers, so Symantec recommends deselecting both the User name and Domain check boxes. Logon history settings will be ignored by Mac clients.

If this policy will be effected on a computer operated by a visually impaired user who will be using audio cues in pre-Windows, ensure that the User name check box is deselected and that the Domain box is selected. This will allow the user to log on using the audio cues.

Autologon

About the Autologon Feature
Autologon settings will be ignored by Mac clients.
With the Symantec Endpoint Encryption Full Disk Autologon feature, administrators configure Windows Client Computers to bypass the pre-Windows user authentication process that Symantec Endpoint Encryption enforces. Administrators specify the time frames when pre-Windows user authentication can be bypassed. They also specify
how many times during a time frame that a Client Computer can bypass pre-Windows user authentication. (Bypassing pre-Windows user authentication is called authentication bypass. Pre-Windows user authentication is also called pre-boot authentication.)

Administrators use the Autologon feature to remotely deploy software to computers protected by Full Disk. Many software installation packages require multiple restarts of the target computer.

Administrators configure the Autologon feature through settings in Autologon MSIs or policies. They use the Autologon Manager Console snap-in to create Autologon MSIs, and they use Full Disk to specify Autologon settings in policies. Policies include Active Directory Group Policy Objects (GPOs) or native policies.

The Autologon feature's behavior for a single Client Computer can be controlled by an Autologon MSI and a policy. The cumulative effect of these methods is defined by a strict order of precedence, which is described later in this document.

In addition to limiting the time frames and incidences for authentication bypass, the Autologon feature also protects Client Computers with these precautions:

Prevents authentication bypass when the Client Computer is disconnected from the Symantec Endpoint Encryption Management Server. This feature applies only for settings that bypass pre-Windows authentication during a non-recurring time frame (called non-recurring authentication bypass).

Permanently disables authentication bypass when the Client Computer is disconnected from the Management Server for too long. This feature applies only to non-recurring authentication bypass.

Disables authentication bypass when the Client Computer is powered down longer than a specific period of time. During software installation, computers are restarted immediately between installations. For computers that remain powered down, installation is most likely finished and authentication bypass is no longer necessary.
This feature applies only to non-recurring authentication bypass.

Checks for time tampering.

Disables Single Sign-On after bypassing pre-Windows authentication. After pre-Windows authentication is bypassed, users must still provide credentials to the Windows Security logon window. That is, the Client Computer does not provide Microsoft Windows with Single Sign-On credentials if it has not verified the user's credentials or if policies prevent it.

Client Computers with an Autologon MSI installed or having a policy with Autologon settings are in a state of heightened vulnerability. To minimize the associated risks, carefully review the number of restarts allowed and the inclusive dates and times that Autologon remains active before deploying an Autologon MSI or policy.

After an Autologon MSI is installed on a Client Computer, the Autologon settings in policies that apply to the computer or user are ignored.
This section explains how to set Autologon features in GPOs and native policies. For information on setting Autologon features in an Autologon MSI, see Symantec Endpoint Encryption Full Disk Autologon Utility.

Figure 3.8 Full Disk Computer Policy, Autologon Options

Administrators specify one of these Autologon settings:
Always Require User Authentication on page 31
Never Require User Authentication on page 31
Bypass Pre-Windows User Authentication During a Single Time Frame on page 31
Bypass Pre-Windows User Authentication During a Recurring Time Frame on page 32

Always Require User Authentication
During the pre-Windows authentication process, the Client Computer always ensures connectivity with the Management Server and authenticates the user. To always require user authentication, select Boot only after user authentication to the SEE.

Never Require User Authentication
This setting entirely bypasses the Client Computer pre-Windows authentication process. It does not verify that the Client Computer can connect with the Management Server, and it does not authenticate the user. As a result, this setting provides little protection to Client Computers. To never require user authentication, select Do not require user authentication to the SEE.

Bypass Pre-Windows User Authentication During a Single Time Frame
This setting bypasses pre-Windows user authentication during a non-recurring time frame. A time frame is a time period on specific days of the week, for example from 8:00AM to 9AM on Monday and Wednesday. This setting limits the time frame to specific dates, for example between 1/1/2010 and 1/5/2010. The Autologon feature verifies
that it can connect with the Symantec Endpoint Encryption Management Server and then determines whether conditions are satisfied for authentication bypass. If it determines that either condition is unsatisfied, it enforces pre-Windows user authentication.

To bypass pre-Windows user authentication during a non-recurring time frame, perform the following steps:

1. Select Boot up to times without user authentication. Specify the number of times the Symantec Endpoint Encryption client can bypass authentication.
2. In the Single Use panel, specify a start time and date and an end time and date. The end date is the last date when authentication bypass is considered.
3. Select Disengage if power lost for minutes to limit exposure should the computer be stolen while authentication bypass is in effect. If the Client Computer remains shut down for more than the specified interval, the next time it powers on, authentication bypass is permanently deactivated and authentication is mandatory.
4. Select Disengage if network connectivity lost for minutes to suspend authentication bypass should the computer lose connectivity. The Client Computer checks connectivity every N minutes, where N is the value in the minutes field. If the Client Computer loses connectivity with the Management Server for longer than the specified number of minutes, authentication bypass is temporarily suspended and authentication becomes mandatory. After the next successful pre-Windows authentication and after the Client Computer re-establishes connectivity with the Management Server, the Client Computer resumes authentication bypass. The resumption requires that the current Autologon MSI or policy allows more authentication bypasses and the specified time period has not elapsed.

Autologon may fail on Windows 7 endpoints after the computer goes into hibernation if Disengage if power lost for minutes is selected.
To make sure that your Autologon settings succeed, ensure that only complete shut downs and restarts are performed for the duration of the authentication bypass time frame used in conjunction with the Disengage if power lost for minutes selection.

To re-enable authentication bypass after it has been disabled due to a failure to communicate with the Management Server, push a new high-priority policy to the Client Computer that specifies Autologon. This workaround ensures that a communication lockout condition does not disrupt an installation process that requires multiple restarts.

Bypass Pre-Windows User Authentication During a Recurring Time Frame
This setting enables authentication bypass during time frames within a start date and end condition. A time frame is a time period on specific days of the week, for example from 8:00AM to 9AM on Monday and Wednesday. The end condition for recurring logon is one of these: (a) no end date, which means that recurring authentication bypass never ends; (b) a specific number of time frames from the start date has elapsed; or (c) an end date has passed.

To bypass pre-Windows user authentication during a recurring time frame, perform the following steps:

1. Select Boot up to times without user authentication. Type the number of times the Client Computer can bypass the normal pre-Windows user authentication process on days when authentication bypass is enabled. The value of the Boot up to field applies to individual days. For example, if this field is 3 and Monday and Tuesday are selected, then authentication bypass is allowed up to 3 times every Monday and up to 3 times every Tuesday.
2. Select Recurring.
3. In the Time window panel, specify start and end times.
4. In the Recurrence pattern panel, select the days of the week when authentication bypass can recur.
5.
In the Range of recurrence panel, select the start date and specify one of these end conditions:
To specify indefinite recurring authentication bypass, select No end date.
To specify that recurring authentication bypass ends after authentication bypass is enabled on a certain number of days, select End after occurrences and type the number of days. The count of the number of days begins on the first day when authentication bypass is enabled after the start date. It is independent of the installation date. For example, consider these settings: The Boot up to field is 3, the start date is January 1, 2010, every day of the week is selected, and the End after field is 8. In this case, the Client Computer can bypass authentication 3 times per day between January 1, 2010 and January 7, 2010 (8 days).
To specify that recurring authentication bypass ends after a particular date, select End by and select the end date.

When the Autologon Settings in a Policy Take Effect
The Autologon settings in a policy take effect approximately five minutes after the Client Computer receives it. In the case of authentication bypass during a single time frame, considerations for connectivity and shutdown durations begin when the policy takes effect.

Resetting the Number of Authentication Bypasses
Administrators can reset the count of authentication bypasses by pushing a new high-priority policy to the Client Computer, where the new policy specifies Autologon settings.

Order of Precedence
When an Autologon MSI and multiple policies that suppress pre-boot authentication are in effect, their precedence on a Client Computer is defined according to the following order, from highest to lowest:

1. Autologon MSI
2. Autologon settings from a policy. These settings are considered only if there is no Autologon MSI installed on the Client Computer.
3. Grace restarts (lowest precedence)

Remote Decryption
Create a remote decryption policy to decrypt all encrypted disks and partitions on one or more computers protected by Full Disk. Client Computers receiving this policy will commence decryption once the policy has been processed.
Processing of the policy takes approximately five minutes. Remote decryption policies will be ignored by Mac clients.

Client Monitor
Use the Client Monitor panel to modify the enforcement of client communication with the Symantec Endpoint Encryption Management Server.

Figure 3.9 Full Disk Computer Policy, Client Monitor Options

Click Do not enforce a minimum contact period with the SEE Management Server if you do not want to enforce regular contact with the Management Server.

Click Lock computer after to force a computer lockout after a specified number of days without network contact. If you select this option, you can specify the number of days a computer may remain without network contact, from 0
to 365. You can also specify how many days in advance, from 0 to 365, that users will be warned to connect to the network and avoid a lockout.

Note that the values you type in these two boxes are validated to ensure that users will always be warned prior to a lockout. For example, you will be prevented from specifying that the computer should be locked after five days without contact, and that the users should be warned 15 days before being locked out. If this case were allowed, the user could run the risk of being locked out 10 days before the warning is displayed.

Client Monitor settings will be ignored by Mac clients.

Local Decryption
Select the Registered users can decrypt disks and partitions check box if you want to permit registered users to use the User Client Console to decrypt encrypted disks and partitions.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Local decryption policy settings will be ignored by Mac clients.
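The following review pass is an added example, not part of the Symantec guide or the product: it checks a planned policy against the settings this chapter itself describes as reducing protection (automatic authentication, password history without a minimum age, expired certificates, logon history, open-ended Autologon, and a warning period longer than the lockout period). The `FullDiskPolicy` record, its field names, the finding codes and the two sample policies are hypothetical and constructed for illustration; the product exposes these settings through the Manager Console dialogs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (short code, reason paraphrased from the guide)


@dataclass
class FullDiskPolicy:
    """Hypothetical record of one policy; each field stands for a console control."""
    require_preboot_auth: bool = True         # "Require registered users to authenticate with"
    registration_password_set: bool = False   # "Users must know this password to register"
    password_history_count: int = 0           # 0 = any previously used password is allowed
    min_password_age_days: int = 0            # 0 = default, change as often as wished
    allow_expired_certificates: bool = False  # Token Authentication check box
    logon_history_user_name: bool = False     # Logon History: User name
    logon_history_domain: bool = False        # Logon History: Domain
    autologon_mode: str = "always"            # always | never | single | recurring
    disengage_if_power_lost: bool = False     # single time frame only
    disengage_if_network_lost: bool = False   # single time frame only
    recurring_no_end_date: bool = False       # Range of recurrence: No end date
    lockout_after_days: Optional[int] = None  # None = no minimum contact period enforced
    lockout_warning_days: int = 0             # days of advance warning before lockout


def review_policy(p: FullDiskPolicy) -> List[Finding]:
    """Return the settings in p that the guide describes as reducing protection."""
    findings: List[Finding] = []

    if not p.require_preboot_auth:
        findings.append(("PREBOOT-AUTH-OFF",
                         "automatic authentication: the organization relies on Windows logon"))
        if not p.registration_password_set:
            findings.append(("SILENT-REGISTRATION",
                             "no registration password: registration is silent and automatic"))

    # A minimum age of 0 lets a user cycle through the history in one sitting.
    if p.password_history_count > 0 and p.min_password_age_days == 0:
        findings.append(("HISTORY-CYCLABLE",
                         "password history is set but minimum password age is at its default"))

    if p.allow_expired_certificates:
        findings.append(("EXPIRED-CERTS", "tokens with expired certificates are accepted"))

    if p.logon_history_user_name:
        findings.append(("LOGON-PREFILL-USER", "pre-Windows logon shows the last user name"))
    if p.logon_history_domain:
        # Expected on machines set up for audio cues; confirm that is the reason.
        findings.append(("LOGON-PREFILL-DOMAIN", "pre-Windows logon shows the last domain"))

    if p.autologon_mode == "never":
        findings.append(("AUTOLOGON-NEVER", "pre-Windows authentication is bypassed entirely"))
    elif p.autologon_mode == "recurring" and p.recurring_no_end_date:
        findings.append(("AUTOLOGON-NO-END", "recurring authentication bypass never ends"))
    elif p.autologon_mode == "single":
        if not p.disengage_if_power_lost:
            findings.append(("AUTOLOGON-NO-POWER-DISENGAGE",
                             "bypass stays armed however long the computer is powered down"))
        if not p.disengage_if_network_lost:
            findings.append(("AUTOLOGON-NO-NETWORK-DISENGAGE",
                             "bypass is not suspended when connectivity is lost"))

    if p.lockout_after_days is not None:
        for label, days in (("lockout", p.lockout_after_days),
                            ("warning", p.lockout_warning_days)):
            if not 0 <= days <= 365:
                findings.append(("MONITOR-RANGE", f"{label} days must be from 0 to 365"))
        # The console rejects this combination; catching it earlier saves a round trip.
        if p.lockout_warning_days > p.lockout_after_days:
            findings.append(("MONITOR-WARNING-ORDER",
                             "warning period is longer than the lockout period"))
    return findings


def finding_codes(p: FullDiskPolicy) -> List[str]:
    return [code for code, _ in review_policy(p)]


# Constructed sample policies (not taken from the guide).
KIOSK = FullDiskPolicy(require_preboot_auth=False, password_history_count=5,
                       logon_history_user_name=True)
DEPLOYMENT_WINDOW = FullDiskPolicy(autologon_mode="single", disengage_if_power_lost=True,
                                   lockout_after_days=5, lockout_warning_days=15)

if __name__ == "__main__":
    for name, policy in (("kiosk", KIOSK), ("deployment window", DEPLOYMENT_WINDOW)):
        for code, reason in review_policy(policy):
            print(f"{name}: {code}: {reason}")
```
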
4. Policy Deployment

Overview
Policy deployment differs according to the type of policy that you are deploying. Deployment of Active Directory policies is discussed in the next section. Deployment of native policies is discussed in Native Policies on page 36.

Active Directory Policies

Basics
Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the Manager Console.

Order of Precedence
When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain. If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence.

Forcing a Policy Update

Basics
Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt: gpupdate /force and press ENTER.
3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.
2. Type the following command at the command prompt: secedit /refreshpolicy machine_policy /enforce and press ENTER.
3. The secedit command will not prompt you to restart.
If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.
Native Policies

Basics
Native policies are applied at the computer level: they cannot be assigned on a per user basis. Each policy will be comprehensive and contain all of the possible configurable settings. Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package.

Native policies are applied at the time that the Client Computer checks in with the Management Server. An immediate check-in can be performed by the user from the User Client Console on the endpoint computer.

If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in.

Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies until they have checked in with the Management Server. The following section discusses the process of creating groups and placing Client Computers inside of them.

Symantec Endpoint Encryption Managed Computer Groups

Basics
Before you can assign policies to your Symantec Endpoint Encryption managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the Symantec Endpoint Encryption database and available to all other Manager Computers.

The Symantec Endpoint Encryption Managed Computers container will only have two groups in it by default: SEE Unassigned and Deleted Computers. Clients located within the SEE Unassigned group do not have any policies assigned to them.

Clients will be placed in the SEE Unassigned group if:
Synchronization with its directory service is not enabled.
The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with.
In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the time of the next synchronization. Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client Computers are enforcing the settings specified within their original installation package.
Group Creation
The first step in organizing your Symantec Endpoint Encryption managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers.

Figure 4.1 Symantec Endpoint Encryption Managed Computers, Add New Group

Select Add New Group.

Figure 4.2 Name New Group Dialog

Enter the name of the new group. This name must be unique within its group. For example, the Finance group can have two subgroups named Laptops and Desktops and the Human Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups just below Symantec Endpoint Encryption Managed Computers named Human Resources. Each name must be at least one character. Leading and trailing spaces will be deleted.

Enter the desired name of the group and click OK. Continue to add groups and subgroups until you have the desired structure.

Move Computers
Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to another Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups.
Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.

Figure 4.3 SEE Unassigned, Computer Highlighted

Click Move.

Figure 4.4 Symantec Endpoint Encryption Managed Computers Groups Dialog

Navigate to the desired destination group of the Client Computer. Highlight it and click OK. Each Client Computer can only reside in one group at a time.

Policy Assignment
Native policies can be assigned to individual computers, subgroups, or groups located within either the Symantec Endpoint Encryption Managed Computers container or the Novell eDirectory Computers container. This section describes how to assign a policy to a group within the Symantec Endpoint Encryption Managed Computers container, but the instructions are fully extensible to your individual circumstance.
Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.

Figure 4.5 Symantec Endpoint Encryption Managed Computers Group Selected

Click Policy.

Figure 4.6 Policy Selection Dialog

Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.

Figure 4.7 Native Policy Assignment Confirmation

A confirmation message will be displayed. Click OK.
Figure 4.8 Symantec Endpoint Encryption Managed Computers Policy Assigned

Following the successful assignment of the policy, the Manager Console will display the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the Management Server, they will download this policy and apply it.

Order of Precedence

Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3) Group. Computer policies have the highest precedence. For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in which it resides, the policy applied to the computer will take precedence over the policy that was applied to the Laptops subgroup.

Forcing a Policy Update

Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now.
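The group naming rules and the order of precedence described in this chapter can be checked against a small model. The following is an added example, not Symantec code: the class names, the policy names, the exact-match name comparison, and the placement of SEE Unassigned as a sibling of the manually created groups are assumptions made for illustration.

```python
class Group:
    """One node below 'Symantec Endpoint Encryption Managed Computers' (hypothetical model)."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = {}   # subgroup name -> Group
        self.policy = None   # native policy assigned directly to this group

    def add_group(self, raw_name):
        name = raw_name.strip()            # leading and trailing spaces are deleted
        if not name:
            raise ValueError("a group name must be at least one character")
        if name in self.children:          # assumption: names are compared exactly
            raise ValueError(f"{name!r} already exists under {self.name!r}")
        child = Group(name, parent=self)
        self.children[name] = child
        return child

    def path(self):
        parts, node = [], self
        while node is not None:
            parts.append(node.name)
            node = node.parent
        return "/".join(reversed(parts))


class Directory:
    """Tracks where each Client Computer resides and which policy applies to it."""

    def __init__(self):
        self.root = Group("Symantec Endpoint Encryption Managed Computers")
        self.unassigned = self.root.add_group("SEE Unassigned")
        self.location = {}          # computer name -> Group (one group at a time)
        self.computer_policy = {}   # computer name -> policy assigned to the computer

    def register(self, computer):
        self.location[computer] = self.unassigned

    def move(self, computer, group):
        # A move replaces the previous membership; a computer is never in two groups.
        self.location[computer] = group

    def effective_policy(self, computer):
        """Return (policy, source) using the order Computer, Subgroup, Group."""
        policy = self.computer_policy.get(computer)
        if policy:
            return policy, f"computer {computer}"
        node = self.location[computer]
        while node is not None:            # nearest subgroup first, then its parents
            if node.policy:
                return node.policy, f"group {node.path()}"
            node = node.parent
        return None, "no policy assigned"


if __name__ == "__main__":
    d = Directory()
    finance = d.root.add_group("Finance")
    laptops = finance.add_group("Laptops")
    finance.policy = "Finance baseline"        # constructed policy names
    laptops.policy = "Laptop policy"
    d.register("D9HCPD3")
    d.move("D9HCPD3", laptops)
    d.computer_policy["D9HCPD3"] = "Exception policy"
    print(d.effective_policy("D9HCPD3"))       # the computer-level policy wins
```

A model like this is useful when auditing a deployment: a computer-level assignment silently overrides the group policy, so exceptions left on individual computers are worth listing and reviewing.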
5. Endpoint Support

The Management Password

Basics

The Management Password controls administrator access to Recover /B and the Help Desk Program. Symantec Endpoint Encryption Policy Administrators or other support personnel who have access to the Management Password snap-in must type the Management Password before they can export computer-specific hard disk recovery files ("Recover DAT File Generation" on page 54), run the One-Time Password Program ("One-Time Password Program" on page 42), or run Whole Disk Recovery Token.

Because of the importance of the Management Password, you should establish a protocol for all Management Password changes. This will avoid the situation of one administrator changing the Management Password and preventing other administrators from performing help desk functions which require the Management Password.

The Management Password should be stored in a safe location, as there is no mechanism available for recovering a lost Management Password.

Changing the Management Password

To change the Management Password, perform the following steps:

1. Open the Symantec Endpoint Encryption Manager.
2. In the navigation pane on the left, click on Symantec Endpoint Encryption Management Password.

   Figure 5.1 Management Password Snap-in

3. In the pane on the right, type the existing Management Password, type a new Management Password of at least two and no more than 32 characters in length. Then type the new Management Password again to confirm.
4. Click OK. A confirmation message will be displayed.

   Figure 5.2 Management Password Changed, Confirmation Message

5. Click OK.

One-Time Password Program

Basics

The One-Time Password (OTP) Program allows Windows users to recover from a forgotten password, PIN, or token with help desk assistance. It also allows users to regain access to their Windows computer after it has been locked for a failure to communicate with the Symantec Endpoint Encryption Management Server.

This assistance provides the user with a one-time password called a response key which allows the user to temporarily authenticate. A password-based user is then prompted to enter a new password.

To run the help desk side of the utility, you must:

- Use a Manager Computer that has the Help Desk Program snap-in installed.
- Log on to that computer using a Windows account that has been provisioned with read access to the Symantec Endpoint Encryption database, or log on to the Manager Console using SQL database credentials that will allow you to read the Symantec Endpoint Encryption database.
- Know the Management Password.

Be certain of a user's identity prior to assisting the user with OTP. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization's phone directory.
Launch

When a user calls for One-Time Password recovery, open the Symantec Endpoint Encryption Manager, expand SEE Help Desk, and click on the SEE OTP Program snap-in.

Figure 5.3 One-Time Password, Welcome

Click Next to begin.
Management Password

If you haven't already provided the Management Password during this Manager Console session, the One-Time Password Program will request the Management Password.

Figure 5.4 One-Time Password, Management Password

Enter the Management Password and click Next.

Method

Basics

Two methods are available for assisting users: online and offline. The online method is easier and more secure, but will not succeed unless the Client Computer has made contact with the Symantec Endpoint Encryption Management Server at least once following the registration of the user requiring assistance.

Ask the user what method is displayed on their screen. If it is online, continue to the next section. If it is offline, skip to "Offline" on page 47.
Online

After entering the Management Password, you will be prompted to select the method.

Figure 5.5 One-Time Password, Method Selection, Online

Select the Online option. Click Next.

Figure 5.6 One-Time Password, Online Method, Identifying Information

Ask the user to tell you their user name, domain, computer name, and the code that appears on their screen. Enter this data in the corresponding fields, then click Next.
The One-Time Password Program will confirm that the information you have entered corresponds to that stored in the Symantec Endpoint Encryption database.

Figure 5.7 One-Time Password, Online Method, Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user's screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user's checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.

Once the user has entered the response key and the checksums agree, ask the user to click Next. Remain in contact with the user. If the user gains access to Windows, click Yes. If the user fails to gain access to Windows, click No. The wizard will initiate the offline method if you have not already tried it. Skip to "Offline" on page 47.

If the user correctly entered the response key, when the user clicks Next, they will gain access to Windows.

If this is a user that forgot their password, remain in contact with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads. If they don't get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don't get prompted and SSO is not enabled, have them open the User Client Console and change their password.
Offline

The offline method can be used if the online method fails or if the Client Computer has never checked in with the Management Server.

Figure 5.8 One-Time Password, Method Selection, Offline

Select the Offline option. Click Next.

Figure 5.9 One-Time Password, Offline Challenge Key
Ask the user to tell you each character of the OTP personal identifier that is displayed on their screen. Type this value in the Personal identifier box. Double-check the value with the user, as an incorrect entry here could cause the OTP process to fail.

Then ask the user to provide you with the challenge key displayed on their screen. Type the digits into the fields on your screen from left to right.

Under each field is a checksum. It is internally generated and uniquely represents in shorter form the digits entered in each field. As you enter the challenge key, checksums appear under their fields. To verify that you have entered the correct challenge key, ask the user to read back to you the checksums. If the checksums agree with your checksums, you have correctly entered the data. If a checksum is not in agreement, ask the user to provide you with the challenge key again and check it against what you have typed.

Under each box is a checksum. Once you have typed in the entire challenge key, ask the user to read back to you the checksums. If the user's checksums agree with your checksums, you have correctly entered the data. If a checksum is not in agreement, you entered one or more challenge key digits incorrectly. Ask the user to read you the challenge key again and determine the incorrect portion. Most likely, the first mismatching checksum will be below the incorrect portion of the challenge key.

Once you have verified and entered the correct challenge key, click Next.

Figure 5.10 One-Time Password, Offline Response Key

Read the response key to the user from left to right and ask the user to type those numbers into the corresponding blank data-entry fields that appear on the user's screen.

Under each box is a checksum. Once the user has typed in the entire response key, ask the user to read back to you the checksums. If the user's checksums agree with your checksums, the user has correctly entered the data. If a checksum is not in agreement, the user entered one or more response key digits incorrectly. Read the response key to the user again and determine the incorrect portion.
Once the user has entered the response key and the checksums agree, ask the user to click Next. If they entered the response key correctly, they will gain access to Windows.

If this is a password user, stay on the phone with the user to make sure they change their password. They should be prompted to do so either before or after Windows loads. If they don't get prompted and SSO is enabled, they are not connecting to the domain and this is a Windows issue. If they don't get prompted and SSO is not enabled, have them open the User Client Console and change their password.

Accept the default option button selection of Yes and click Next. If the user fails to gain access to Windows, select the No option button and click Next.

Error Messages

User Record Not Found

This error is applicable to the online method only. After entering the user's identifying information and clicking Next (Figure 5.6 on page 45), if the computer record is found in the Symantec Endpoint Encryption database, but not the user record, the following message will be displayed.

Figure 5.11 One-Time Password, User Record Not Found

This error indicates that the Client Computer in question has succeeded in making contact with the Management Server at least once, but that the user in question was not registered as of the last point of contact.

You should proceed with caution because although human or computer error could have caused this condition, it is also possible that the person you are speaking to is trying to exploit these possibilities to gain access to a computer that s/he is not authorized to access.

Use the Symantec Endpoint Encryption Reports to help you determine the root cause of the situation. Ask the user if they have registered and when and cross-check their claims with the data stored in the Symantec Endpoint Encryption database. If you are sure that the user is authorized, try the offline method. If not, send a Client Administrator to help the user in person.

Invalid Code Synchronization

This error is applicable to the online method only. If the user record exists, but the code stored in the Symantec Endpoint Encryption database does not agree with the code that the user read to you, an error dialog box appears, similar to the following:

Figure 5.12 One-Time Password, Invalid Code Synchronization
The code on the Client Computer has digits that are incremented each time the One-Time Password Program runs to completion on the Client Computer. When the Client Computer checks in with the Symantec Endpoint Encryption Management Server, these codes are synchronized.

There are two possible causes of this error:

- The user has completed the One-Time Password process multiple times without reconnecting to the Management Server.
- This is an unauthorized party attempting to guess the response key by triggering the One-Time Password Program over and over.

You can proceed with the recovery assistance process, even when codes are out of sync between the Client Computer and the Management Server; but you should consider taking extra precautions to identify the user. If you decide to proceed, from the error message box click OK, and then from the Client Computer information screen, click Next; otherwise, click Cancel.

Whole Disk Recovery Token (WDRT)

Basics

The Whole Disk Recovery Token (WDRT) snap-in allows you to assist Mac users that have forgotten their passwords. This assistance provides the user with a string of characters which will allow the user to authenticate once.

To run the help desk side of the utility, you must:

- Use a Manager Computer that has the Help Desk Program snap-in installed.
- Log on to that computer using a Windows account that has been provisioned with read access to the Symantec Endpoint Encryption database, or log on to the Manager Console using SQL database credentials that will allow you to read the Symantec Endpoint Encryption database.
- Know the Management Password.

Be certain of a user's identity prior to assisting the user with WDRT. If the user requesting help is contacting you from their desk, a simple way to help establish their identity is to call them back at the phone number listed in the organization's phone directory.
Launch

When a user calls for WDRT recovery, open the Symantec Endpoint Encryption Manager, expand SEE Help Desk, and click on the SEE Whole Disk Recovery Token (WDRT) snap-in.

Figure 5.13 Whole Disk Recovery Token, Welcome

Click Next to begin.
Management Password

If you haven't already provided the Management Password during this Manager Console session, the Whole Disk Recovery Token program will request the Management Password.

Figure 5.14 Whole Disk Recovery Token Program, Management Password

Type the Management Password and click Next.

User Identity

You will be requested to provide the user's identifying information.

Figure 5.15 Whole Disk Recovery Token Program, Identify User

Ask the user to read you the digits that appear next to UUID on their screen and type them into the Machine/Disk ID box.
Ask the user their user name and type it into the User Name box. Click Next once you have completed your entries.

Token

If the identifying information is correct, you will be provided with the recovery token.

Figure 5.16 Whole Disk Recovery Token Program, Token Characters

If the data provided by the user and typed into the previous panel is valid, the Manager Console will generate a set of characters. Provide the characters to the user. The user must type these characters into the Token box on their screen.

Stay in contact with the user to verify that they have succeeded in regaining access to their Mac. Then accept the default option button selection of Yes and click Next. If the user fails to gain access to the Mac, select the No option button and click Next.

Hard Disk Recovery for Windows Computers

Basics

The Recover Program tries to regain access to the hard disk of Windows computers. It runs with three options:

- The /A option attempts to repair damaged client database files.
- The /D option attempts to repair damaged client database files and then to decrypt the hard disk.
- The /B option is performed only if all other previous steps have failed and requires the assistance of Symantec technical support. This option reads from a computer-specific recovery file that contains an important cryptographic key. You create this data file for a particular Client Computer, usually when requested to do so by a Client Administrator. This option is not available for silent clients that have never checked in with the Management Server.
Recover DAT File Generation

Should the Recover /A and /D options fail, you may be called upon to locate and export recovery data sent by a specific Client Computer and stored in the Symantec Endpoint Encryption database.

All Client Computer reports offer the option to export recovery data. This option will only be available if Full Disk is installed on the Client Computer. As long as you have all or some of the computer name, you may find the Computer Status Report to be the most convenient.

Immediately after Full Disk is installed on a Client Computer, Client Computers that are not silent try to contact the Management Server to store Client Computer specific files necessary for hard disk recovery. If this contact does not occur, the only recovery options available will be Recover /A and /D. Recover /A and /D do not require computer-specific recovery information stored in the Management Server. For this reason, it is critical to make sure that each Client Computer succeeds in checking in at least once.

1. Open the Manager Console.
2. Expand the Symantec Endpoint Encryption Reports snap-in.
3. Highlight the Computer Status Report.

   Figure 5.17 Manager Console, Computer in Need of Recovery Highlighted

4. Type the name of the computer in need of recovery in the Enter Computer Names field.
5. Click Run.
6. Highlight the computer.
7. Click Recover.
8. You will be prompted to enter the Management Password.

   Figure 5.18 Management Password Prompt

9. Enter the Management Password and click OK.
10. You will be prompted to enter a password to protect the Recover DAT file.

    Figure 5.19 Recovery Password Prompt

11. Enter a Recovery Password of at least 16 characters and no more than 32 characters. The Client Administrator must enter this password before they can run Recover Program /B on that computer. Symantec recommends a high entropy password containing mixed case, numbers, and special characters not found in a dictionary.
12. Enter the same password again in the Confirm password field. Then click OK.
13. You will be presented with a browse dialog.

    Figure 5.20 Recovery Data Export Dialog

14. Navigate to the desired destination of the Recover DAT file. Because the Client Administrator will need this file while running the Recover Program CD/DVD, you should either save the file to a network location that will be accessible from the Client Computer or to removable media other than CD.
15. Assign an informative name to the file. Because the file is computer-specific, you might consider using the name of the computer in need of recovery. Because the recover data will change following a successful recovery, consider using the current date and time.
16. Click OK.
    Figure 5.21 Recovery Data Export Success Message

17. Click OK on the confirmation message.
18. Provide the media containing the file or the network location of the file to the Client Administrator. Also inform the Client Administrator of the Recovery Password. Due to the sensitive nature of the Recovery Password, consider using a secure channel.
Appendix A. System Event Logging

Basics

This appendix itemizes the events logged by Symantec Endpoint Encryption on Windows Client Computers. The events are available from the Windows System Event Viewer.

Framework System Events List

The following table lists the individual Framework generated Windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.1 Framework System Events

Event ID | Severity | Description | Explanation
0 | Error | Internal: Cannot map event ID to string. Framework | The Framework event ID cannot be mapped to the string in the Framework.
1 | Info | Internal: Audit functions started. Framework | The Framework audit functions have started.
2 | Info | Internal: Audit functions ended. Framework | The Framework audit functions have ended.
3 | Info | Program Action: Successful client logon/authentication attempted with password. Framework user name | An attempt to log on at pre-Windows with a password has succeeded.
4 | Warning | Program Action: Unsuccessful client logon/authentication attempted with password. Framework user name | An attempt to log on at pre-Windows with a password has failed.
5 | Info | Program Action: Successful client logon/authentication attempted with token. Framework user name | An attempt to log on at pre-Windows with a token has succeeded.
6 | Warning | Program Action: Unsuccessful client logon/authentication attempted with token. Framework | An attempt to log on at pre-Windows with a token has failed.
7 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has succeeded in authenticating the user.
8 | Warning | Program Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has failed to authenticate the user.
9 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has succeeded in authenticating the user.
10 | Warning | Program Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has failed to authenticate the user.
11 | Warning | Program Action: Number of client logon attempts exceeded the maximum allowed. Framework | The number of pre-Windows logon attempts allowed before a delay has been exceeded.
12 | Info | Program Action: User password changed successfully. Framework user name | The user has successfully changed their Symantec Endpoint Encryption password.
13 | Info | Program Action: User password changed unsuccessfully. Framework | The user attempted to change their Symantec Endpoint Encryption password, but failed. This could be because it did not meet the password requirements.
14 | Warning | Program Action: User program uninstallation attempted. Framework | An attempt to uninstall Framework has been made.
15 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Framework | The user has succeeded in changing their Authenti-Check question(s) and/or answer(s).
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
16 | Info | Program Action: User user name has been unregistered. Framework | The user has successfully been unregistered.
17 | Info | Program Action: User password resynchronized with Windows password. Framework | The user's Symantec Endpoint Encryption password has been resynchronized with their Windows password to enable the Single Sign-On feature.
18 | Warning | Program Action: Computer locked due to failure to communicate with SEE server. Framework | The Client Computer has failed to communicate with the Symantec Endpoint Encryption Management Server within the mandatory interval and, as a result, has been locked.
19 | Warning | Program Action: User password expired. Framework | The user's Symantec Endpoint Encryption password has expired.
20 | Info | Program Action: User registration completed. Framework user name | The user has successfully completed the registration process.
21 | Warning | Program Action: Final grace logon reached. Framework | The number of grace restarts is now zero and the next user to log on to Windows will be forced to register.
22 | Info | Program Action: User logged on after Hibernation or/and Stand by. Framework user name | A hibernation or standby process was initiated and ended when the user logged on to Windows.
23 | Info | Program Action: Client program installation attempted. Framework | An attempt to install Framework was made.
24 | Info | Program Action: Client program upgrade attempted. Framework | An attempt to upgrade Framework was made.
25 | Info | Program Action: Grace logon attempted. Framework | An attempt to exercise a grace restart was made.
26 | Info | Program Action: Authenti-Check questions and answers created. Framework | The user has set their Authenti-Check questions and answers as a part of the registration process.
27 | Info | Program Action: User password created. Framework user name | The user has set their Symantec Endpoint Encryption password as a part of the registration process.
28 | Info | Program Action: Token account created. Framework user name | A token user has created their Symantec Endpoint Encryption account during the registration process.
29 | Info | Initial Setting: One-Time Password online offline method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method has been enabled as an installation setting. The default method will be online offline, as indicated in the audit event.
30 | Error | Initial Setting: One-Time Password online offline method enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied.
31 | Info | Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method is not enabled for this workstation, as per the installation setting.
32 | Error | Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied.
33 | Info | Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method has been enabled as an installation setting.
34 | Error | Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should be enabled, but this setting failed to be applied.
35 | Info | Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting.
Table A.1 Framework System Events (Continued)

Event ID | Severity | Description | Explanation
36 | Error | Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should not be enabled, but this setting failed to be applied.
37 | Info | Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package was set successfully.
38 | Error | Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package failed to be set.
39 | Info | Initial Setting: Client Administrator account name account created with low medium high privileges; policy applied successfully. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description was created successfully.
40 | Error | Initial Setting: Client Administrator account name account created with low medium high privileges; policy failed. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description failed to be created.
41 | Info | Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server communication interval specified in the installation package was set successfully.
42 | Error | Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server communication interval specified in the installation package failed to be set.
43 | Info | Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package was set successfully.
44 | Error | Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package failed to be set.
45 | Info | Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package was set successfully.
46 | Error | Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package failed to be set.
47 | Info | Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package has been set successfully.
48 | Error | Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package failed to be set.
49 | Info | Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, has been set successfully.
50 | Error | Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, failed to be set.
55 | Info | Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user's passwords will expire at the interval designated in the installation package; this was set successfully.
56 | Error | Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication. | The user's passwords will not expire at the interval designated in the installation package; this failed to be set.
System Event Logging
Table A.1 Framework System Events (Continued)

Event ID 57 (Info)
Description: Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The user's passwords will not expire. This was set successfully, as specified in the installation package.

Event ID 58 (Error)
Description: Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication.
Explanation: Although the installation package specified that the user's passwords would not expire, this failed to be set.

Event ID 59 (Info)
Description: Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The user will be able to reuse previous passwords; this installation setting was applied successfully.

Event ID 60 (Error)
Description: Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied.

Event ID 61 (Info)
Description: Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The user will not be able to use previous passwords; the limitations specified in the installation package were applied successfully.

Event ID 62 (Error)
Description: Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication.
Explanation: Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied.

Event ID 63 (Info)
Description: Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that users must set their passwords to be of a minimum length. This was set successfully.

Event ID 64 (Error)
Description: Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that users must set their passwords to be of a minimum length. This setting failed to be applied.

Event ID 65 (Info)
Description: Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that users will be able to use non-alphanumeric characters in their passwords. This was set successfully.

Event ID 66 (Error)
Description: Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied.

Event ID 67 (Info)
Description: Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user's passwords. This was set successfully.

Event ID 68 (Error)
Description: Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user's passwords. This setting failed to be applied.

Event ID 69 (Info)
Description: Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user's passwords. This was set successfully.

Event ID 70 (Error)
Description: Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user's passwords. This setting failed to be applied.
Event ID 71 (Info)
Description: Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user's passwords. This was set successfully.

Event ID 72 (Error)
Description: Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user's passwords. This setting failed to be applied.

Event ID 73 (Info)
Description: Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of digits must be present in the user's passwords. This was set successfully.

Event ID 74 (Error)
Description: Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of digits must be present in the user's passwords. This setting failed to be applied.

Event ID 75 (Info)
Description: Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that the user must provide the registration password to be able to register. This was set successfully.

Event ID 76 (Error)
Description: Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied.

Event ID 77 (Info)
Description: Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that no registration password is required to allow a user to register. This was set successfully.

Event ID 78 (Error)
Description: Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied.

Event ID 79 (Info)
Description: Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

Event ID 80 (Error)
Description: Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

Event ID 81 (Info)
Description: Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using passwords. This was set successfully.

Event ID 82 (Error)
Description: Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using passwords. This setting failed to be applied.

Event ID 83 (Info)
Description: Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using tokens. This was set successfully.

Event ID 84 (Error)
Description: Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using tokens. This setting failed to be applied.

Event ID 85 (Info)
Description: Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate using the method of their choice. This was set successfully.

Event ID 86 (Error)
Description: Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate using the method of their choice. This setting failed to be applied.
Event ID 87 (Info)
Description: Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will see a custom message during registration. This was set successfully.

Event ID 88 (Error)
Description: Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will see a custom message during registration. This setting failed to be applied.

Event ID 89 (Info)
Description: Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully.

Event ID 90 (Error)
Description: Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied.

Event ID 91 (Info)
Description: Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully.

Event ID 92 (Error)
Description: Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.

Event ID 93 (Info)
Description: Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully.

Event ID 94 (Error)
Description: Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.

Event ID 95 (Info)
Description: Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will authenticate using Single Sign-On. This was set successfully.

Event ID 96 (Error)
Description: Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied.

Event ID 97 (Info)
Description: Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will not authenticate using Single Sign-On. This was set successfully.

Event ID 98 (Error)
Description: Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied.

Event ID 99 (Info)
Description: Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption.
Explanation: The installation package specified the encryption strength. This was set successfully.

Event ID 100 (Error)
Description: Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption.
Explanation: The installation package specified the encryption strength. This setting failed to be applied.

Event ID 101 (Info)
Description: Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in the default location. This was set successfully.

Event ID 102 (Error)
Description: Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in the default location. This setting failed to be applied.

Event ID 103 (Info)
Description: Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in a custom location. This was set successfully.
Event ID 104 (Error)
Description: Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied.

Event ID 105 (Info)
Description: Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance.
Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully.

Event ID 106 (Error)
Description: Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance.
Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied.

Event ID 107 (Info)
Description: Settings Change: One-Time Password online offline method enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This was set successfully.

Event ID 108 (Error)
Description: Settings Change: One-Time Password online offline method enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This setting failed to be applied.

Event ID 109 (Info)
Description: Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully.

Event ID 110 (Error)
Description: Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied.

Event ID 111 (Info)
Description: Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully.

Event ID 112 (Error)
Description: Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied.

Event ID 113 (Info)
Description: Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully.

Event ID 114 (Error)
Description: Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied.

Event ID 115 (Info)
Description: Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the Authenti-Check settings were modified. This was set successfully.

Event ID 116 (Error)
Description: Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the Authenti-Check settings were modified. This setting failed to be applied.

Event ID 117 (Info)
Description: Settings Change: Client Administrator account name account modified, privileges changed from low medium high to low medium high; policy applied successfully. Framework Computer Policy - Client Administrators.
Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low medium high to low medium high. This was set successfully.

Event ID 118 (Error)
Description: Settings Change: Client Administrator account name account modified, privileges changed from low medium high to low medium high; policy failed. Framework Computer Policy - Client Administrators.
Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low medium high to low medium high. This setting failed to be applied.

Event ID 119 (Info)
Description: Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This was set successfully.
Event ID 120 (Error)
Description: Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID 121 (Info)
Description: Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

Event ID 122 (Error)
Description: Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID 123 (Info)
Description: Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

Event ID 124 (Error)
Description: Settings Change: a policy modifying the SEE Management Server client account password failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID 125 (Info)
Description: Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID 126 (Error)
Description: Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID 127 (Info)
Description: Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID 128 (Error)
Description: Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID 129 (Info)
Description: Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID 130 (Error)
Description: Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID 135 (Info)
Description: Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that forces the user's passwords to expire at the designated interval. This was set successfully.

Event ID 136 (Error)
Description: Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that forces the user's passwords to expire at the designated interval. This setting failed to be applied.

Event ID 137 (Info)
Description: Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not force the user's passwords to expire. This was set successfully.
Event ID 138 (Error)
Description: Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not force the user's passwords to expire. This setting failed to be applied.

Event ID 139 (Info)
Description: Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user's passwords will expire. This was set successfully.

Event ID 140 (Error)
Description: Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user's passwords will expire. This setting failed to be applied.

Event ID 141 (Info)
Description: Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that allows the user to reuse previous passwords. This was set successfully.

Event ID 142 (Error)
Description: Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied.

Event ID 143 (Info)
Description: Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that prevents the user from using previous passwords. This was set successfully.

Event ID 144 (Error)
Description: Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that prevents the user from using previous passwords. This setting failed to be applied.

Event ID 145 (Info)
Description: Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully.

Event ID 146 (Error)
Description: Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied.

Event ID 147 (Info)
Description: Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the minimum length for user passwords. This was set successfully.

Event ID 148 (Error)
Description: Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied.

Event ID 149 (Info)
Description: Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This was set successfully.

Event ID 150 (Error)
Description: Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This setting failed to be applied.

Event ID 151 (Info)
Description: Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user's passwords. This was set successfully.

Event ID 152 (Error)
Description: Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user's passwords. This setting failed to be applied.
Event ID 153 (Info)
Description: Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of uppercase characters that must be present in the user's passwords. This was set successfully.

Event ID 154 (Error)
Description: Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of uppercase characters that must be present in the user's passwords. This setting failed to be applied.

Event ID 155 (Info)
Description: Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of lowercase characters that must be present in the user's passwords. This was set successfully.

Event ID 156 (Error)
Description: Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of lowercase characters that must be present in the user's passwords. This setting failed to be applied.

Event ID 157 (Info)
Description: Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of digits that must be present in the user's passwords. This was set successfully.

Event ID 158 (Error)
Description: Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of digits that must be present in the user's passwords. This setting failed to be applied.

Event ID 159 (Info)
Description: Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that the user must provide the registration password to be able to register. This was set successfully.

Event ID 160 (Error)
Description: Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied.

Event ID 161 (Info)
Description: Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that no registration password is required to allow a user to register. This was set successfully.

Event ID 162 (Error)
Description: Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied.

Event ID 163 (Info)
Description: Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the registration password users must know to be able to register. This was set successfully.

Event ID 164 (Error)
Description: Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied.

Event ID 165 (Info)
Description: Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

Event ID 166 (Error)
Description: Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

Event ID 167 (Info)
Description: Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that users will authenticate only using passwords. This was set successfully.
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 168 | Error | Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using passwords. This setting failed to be applied. |
| 169 | Info | Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This was set successfully. |
| 170 | Error | Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This setting failed to be applied. |
| 173 | Info | Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This was set successfully. |
| 174 | Error | Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This setting failed to be applied. |
| 175 | Info | Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully. |
| 176 | Error | Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied. |
| 177 | Info | Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully. |
| 178 | Error | Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied. |
| 179 | Info | Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This was set successfully. |
| 180 | Error | Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied. |
| 181 | Info | Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This was set successfully. |
| 182 | Error | Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied. |
| 183 | Info | Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller. | After a user successfully completes the password recovery process in pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity. |
| 184 | Info | Program Action: Client Administrator account name unregistered user user name. Framework | The Client Administrator account name has unregistered the user user name on the Client Computer. |
| 185 | Info | Settings Change: Client Administrator account name created with low medium high privileges; policy applied successfully. Framework Installation Settings - Client Administrators. | A policy was specified that added account name as a Client Administrator having low medium high privileges. This was set successfully. |
| 186 | Info | Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully. |
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 187 | Error | Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied. |
| 188 | Info | Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully. |
| 189 | Error | Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied. |
| 190 | Info | Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully. |
| 191 | Error | Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied. |
| 192 | Info | Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully. |
| 193 | Error | Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied. |
| 194 | Info | Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully. |
| 195 | Error | Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied. |
| 196 | Info | Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully. |
| 197 | Error | Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied. |
| 198 | Info | Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully. |
| 199 | Error | Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied. |
| 200 | Info | Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully. |
| 201 | Error | Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied. |
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 202 | Info | Settings Change: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This was set successfully. |
| 203 | Error | Settings Change: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied. |
| 204 | Info | Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully. |
| 205 | Error | Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied. |
| 206 | Info | Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully. |
| 207 | Error | Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied. |
| 208 | Info | Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully. |
| 209 | Error | Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied. |
| 210 | Info | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This was set successfully. |
| 211 | Error | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied. |
| 212 | Info | Initial Setting: the client will not communicate with the SEE Management Server and is a silent client; installation setting applied successfully. Framework Installation Settings. | The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This was set successfully. |
| 213 | Error | Initial Setting: the installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Settings. | The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This setting failed to be applied. |
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 214 | Info | Settings Change: this client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This was set successfully. |
| 215 | Error | Settings Change: a policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This setting failed to be applied. |
| 216 | Info | Program Action: User user name successfully modified their One-Time Password personal identifier. Framework user name | A user has successfully modified their One-Time Password personal identifier. This was set successfully. |
| 217 | Error | Program Action: User user name failed to modify their One-Time Password personal identifier. Framework user name | A user has successfully modified their One-Time Password personal identifier. This setting failed to be applied. |
| 218 | Info | Settings Change: Client Administrator account name password modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This was set successfully. |
| 219 | Error | Settings Change: Client Administrator account name password modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This setting failed to be applied. |
| 220 | Info | Settings Change: Client Administrator account name certificate modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This was set successfully. |
| 221 | Error | Settings Change: Client Administrator account name certificate modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This setting failed to be applied. |
| 222 | Info | Settings Change: Client Administrator account name has unregistered. Framework Computer Policy. | A policy or installation setting was specified that unregistered the Client Administrator account name on the Client Computer. |
| 223 | Info | Initial Setting: the address of the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The address of the Symantec Endpoint Encryption Management Server was successfully set during installation. |
| 224 | Error | Initial Setting: the address of the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The address of the Symantec Endpoint Encryption Management Server was not set during installation. |
| 225 | Info | Initial Setting: the domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The domain of the Symantec Endpoint Encryption Management Server client account was successfully set during installation. |
| 226 | Error | Initial Setting: the domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The domain of the Symantec Endpoint Encryption Management Server client account was not set during installation. |
| 227 | Info | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was successfully set. |
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 228 | Error | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was not set during installation. |
| 229 | Info | Program Action: User token changed successfully. Framework | A user has successfully changed their token using the User Client Console. |
| 230 | Info | Program Action: User token changed unsuccessfully. Framework | A user was unable to change their token using the User Client Console. |
| 231 | Info | Program Action: User token registered successfully. Framework | A user registered a token using the Registration wizard. |
| 232 | Info | Program Action: User token registered unsuccessfully. Framework | A user was unable to register a token using the Registration wizard. |
| 233 | Info | Program Action: User password registered successfully. Framework | A user registered a password using the Registration wizard. |
| 234 | Info | Program Action: User password registered unsuccessfully. Framework | A user was unable to register a password using the Registration wizard. |
| 235 | Info | Settings Change: Client Administrator account name authentication method modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was applied that resulted in a change to the authentication method used by the specified Client Administrator. |
| 236 | Error | Settings Change: Client Administrator account name authentication method modified; policy failed. Framework Computer Policy - Client Administrators. | A policy that would have resulted in a change to the authentication method used by the specified Client Administrator failed to be applied. |
| 237 | Info | Settings Change: One-Time Password communication unlock enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully. |
| 238 | Error | Settings Change: One-Time Password communication unlock enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied. |
| 239 | Info | Settings Change: One-Time Password communication unlock not enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully. |
| 240 | Error | Settings Change: One-Time Password communication unlock not enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied. |
| 241 | Info | Settings Change: User authentication with password or token setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token has been set successfully. |
| 242 | Error | Settings Change: User authentication with password or token setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token failed to be applied. |
| 243 | Info | Program Action: User account name has been unregistered due to applying new authentication method policy. Framework | Automatic authentication is no longer in place on this computer, as the result of either an upgrade or a policy update. The account that was automatically created for the specified user has been deleted. |
Table A.1 Framework System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 244 | Info | Program Action: User account name has been unregistered due to account expiration. Framework | The account of the specified user has been deleted because the user failed to log on within the number of days specified in the Unregistration area of the Registered Users panel. |
| 245 | Info | Program Action: Successful Client Console logon/authentication attempted with Authenti-Check. Framework account name | The specified user successfully authenticated using Authenti-Check. |
| 246 | Warning | Program Action: Unsuccessful Client Console logon/authentication attempted with Authenti-Check. Framework account name | The specified user failed to successfully authenticate using Authenti-Check. |
| 247 | Info | Initial Setting: One-Time Password communication unlock enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully. |
| 248 | Error | Initial Setting: One-Time Password communication unlock enabled; policy failed. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied. |
| 249 | Info | Initial Setting: One-Time Password communication unlock not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully. |
| 250 | Error | Initial Setting: One-Time Password communication unlock not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied. |
Full Disk System Events List

The following table lists the individual Full Disk generated Windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.2 Full Disk System Events

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 1000 | Error | Internal: Cannot map event ID to string. Full Disk | The Full Disk event ID cannot be mapped to the string in the hard disk. |
|  | Info | Internal: Audit functions started. Full Disk | The Full Disk audit functions have started. |
|  | Info | Internal: Audit functions ended. Full Disk | The Full Disk audit functions have ended. |
|  | Info | Program Action: Successful pre-Windows logon/authentication attempted with password. Full Disk user name | An attempt to log on at pre-Windows with a password has succeeded. |
| 1004 | Warning | Program Action: Unsuccessful pre-Windows logon/authentication attempted with password. Full Disk user name | An attempt to log on at pre-Windows with a password has failed. |
| 1007 | Info | Program Action: Successful pre-Windows logon/authentication attempted with token. Full Disk user name | An attempt to log on at pre-Windows with a token has succeeded. |
| 1008 | Warning | Program Action: Unsuccessful pre-Windows logon/authentication attempted with token. Full Disk user name | An attempt to log on at pre-Windows with a token has failed. |
| 1011 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Full Disk | The One-Time Password process has succeeded in authenticating the user. |
| 1012 | Warning | Program Action: Unsuccessful pre-Windows logon/authentication attempted with One-Time Password. Full Disk | The One-Time Password process has failed to authenticate the user. |
| 1013 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Full Disk | The Authenti-Check process has succeeded in authenticating the user. |
| 1014 | Warning | Program Action: Unsuccessful pre-Windows logon/authentication attempted with Authenti-Check. Full Disk | The Authenti-Check process has failed to authenticate the user at pre-Windows. |
| 1015 | Warning | Program Action: Number of pre-Windows logon attempts exceeded the maximum allowed. Full Disk | The number of pre-Windows logon attempts allowed before a delay has been exceeded. |
| 1017 | Info | Program Action: User password changed successfully. Full Disk | The user has successfully changed their Symantec Endpoint Encryption password. |
| 1018 | Info | Program Action: User password changed unsuccessfully. Full Disk | The user attempted to change their Symantec Endpoint Encryption password, but failed. This could be because the password did not meet the password requirements. |
| 1019 | Warning | Program Action: User program uninstallation attempted. Full Disk | An attempt to uninstall Full Disk has been made. |
| 1020 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Full Disk | The user has succeeded in changing their Authenti-Check question(s) and/or answer(s). |
| 1021 | Info | Program Action: Client Administrator has unregistered user. Full Disk | The Client Administrator has successfully unregistered a user. |
| 1022 | Info | Program Action: User password resynchronized with Windows password. Full Disk | The user's Symantec Endpoint Encryption password has been resynchronized with their Windows password to enable the Single Sign-On feature. |
Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 1023 | Warning | Program Action: Computer locked due to failure to communicate with SEE Management Server. Full Disk | The Client Computer has failed to communicate with the Symantec Endpoint Encryption Management Server within the mandatory interval and, as a result, has been locked. |
| 1024 | Warning | Program Action: User password expired. Full Disk | The user's Symantec Endpoint Encryption password has expired. |
| 1025 | Info | Program Action: User registration completed. Full Disk user name | The user has successfully completed the registration process. |
| 1026 | Warning | Program Action: Final grace logon reached. Full Disk | The number of grace restarts is now zero and the next user to log on to Windows will be forced to register. |
| 1027 | Warning | Program Action: Disk/partition decryption initiated. Full Disk | The user has initiated decryption of one or more partitions on the hard disk. |
| 1028 | Warning | Program Action: Disk/partition decryption completed. Full Disk | Decryption of one or more partitions on the hard disk has been completed. |
| 1029 | Info | Program Action: Disk/partition encryption initiated. Full Disk | The user has initiated encryption of one or more partitions on the hard disk. |
| 1030 | Info | Program Action: Disk/partition encryption completed. Full Disk | Encryption of one or more partitions on the hard disk has been completed. |
| 1032 | Info | Program Action: Client program installation attempted. Full Disk | An attempt to install Full Disk was made. |
|  | Info | Program Action: Client program upgrade attempted. Full Disk | An attempt to upgrade Full Disk was made. |
|  | Info | Program Action: Grace logon attempted. Full Disk | An attempt to exercise a grace restart was made. |
|  | Info | Program Action: Authenti-Check questions and answers created. Full Disk | The user has set their Authenti-Check questions and answers as a part of the registration process. |
| 1036 | Info | Program Action: User password created. Full Disk | The user has set their Symantec Endpoint Encryption password as a part of the registration process. |
| 1037 | Info | Program Action: Token account created. Full Disk | A token user has created their Symantec Endpoint Encryption account during the registration process. |
| 1038 | Info | Initial Setting: a minimum contact period with the SEE Management Server will not be enforced, policy applied successfully. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting not to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has succeeded. |
| 1039 | Error | Initial Setting: an installation setting dictating that a minimum contact period with the SEE Management Server would not be enforced failed to be applied. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting not to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has failed. |
| 1040 | Info | Initial Setting: a minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting enforcing a minimum contact period with the Symantec Endpoint Encryption Management Server has succeeded. |
| 1041 | Error | Initial Setting: an installation setting dictating that a minimum contact period with the SEE Management Server should be enforced failed to be applied. Full Disk Installation Settings - Client Monitor. | An attempt to apply an installation setting enforcing a minimum contact period with the Symantec Endpoint Encryption Management Server has failed. |
| 1042 | Info | Initial Setting: Encrypt all partitions upon installation enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that all partitions be encrypted upon installation has succeeded. |
| 1043 | Error | Initial Setting: Encrypt all partitions upon installation enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that all partitions be encrypted upon installation has failed. |
Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1044 | Info | Initial Setting: Encrypt specified partitions enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that only specified partitions be encrypted upon installation has succeeded. |
| 1045 | Error | Initial Setting: Encrypt specified partitions enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that only specified partitions be encrypted upon installation has failed. |
| 1046 | Info | Initial Setting: Let users choose partitions and start the encryption enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that users be allowed to choose partitions to be encrypted and start the encryption process has succeeded. |
| 1047 | Error | Initial Setting: Let users choose partitions and start the encryption enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that users be allowed to choose partitions to be encrypted and start the encryption process has failed. |
| 1048 | Info | Initial Setting: Custom Encryption Method enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Custom Encryption Method has succeeded. |
| 1049 | Error | Initial Setting: Custom Encryption Method enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Custom Encryption Method has failed. |
| 1050 | Info | Initial Setting: Fastest Encryption Method enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Fastest Encryption Method has succeeded. |
| 1051 | Error | Initial Setting: Fastest Encryption Method enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting enabling a Fastest Encryption Method has failed. |
| 1052 | Info | Initial Setting: Allow data recovery in case of power failure enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting allowing data recovery in case of power failure has succeeded. |
| 1053 | Error | Initial Setting: Allow data recovery in case of power failure enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting allowing data recovery in case of power failure has failed. |
| 1054 | Info | Initial Setting: Allow data recovery in case of power failure not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting disallowing data recovery in case of power failure has succeeded. |
| 1055 | Error | Initial Setting: Allow data recovery in case of power failure not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting disallowing data recovery in case of power failure has failed. |
| 1056 | Info | Initial Setting: Include unused disk space when encrypting enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting including unused disk space when encrypting disks and partitions has succeeded. |
| 1057 | Error | Initial Setting: Include unused disk space when encrypting enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting including unused disk space when encrypting disks and partitions has failed. |
| 1058 | Info | Initial Setting: Include unused disk space when encrypting not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting excluding unused disk space when encrypting disks and partitions has succeeded. |
| 1059 | Error | Initial Setting: Include unused disk space when encrypting not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting excluding unused disk space when encrypting disks and partitions has failed. |
| 1060 | Info | Initial Setting: Protection against cold boot attack enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that enables protection against the Princeton cold boot attack has succeeded. |

Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1061 | Error | Initial Setting: Protection against cold boot attack enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that enables protection against the Princeton cold boot attack has failed. |
| 1062 | Info | Initial Setting: Protection against cold boot attack not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that does not enable protection against the Princeton cold boot attack has succeeded. |
| 1063 | Error | Initial Setting: Protection against cold boot attack not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting that does not enable protection against the Princeton cold boot attack has failed. |
| 1064 | Info | Initial Setting: Registered users can decrypt disk enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting permitting registered users to decrypt the hard disk has succeeded. |
| 1065 | Error | Initial Setting: Registered users can decrypt disk enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting permitting registered users to decrypt the hard disk has failed. |
| 1066 | Info | Initial Setting: Registered users can decrypt disk not enabled; policy applied successfully. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting not permitting registered users to decrypt the hard disk has succeeded. |
| 1067 | Error | Initial Setting: Registered users can decrypt disk not enabled; policy failed. Full Disk Installation Settings - Encryption. | An attempt to apply an installation setting not permitting registered users to decrypt the hard disk has failed. |
| 1068 | Info | Initial Setting: Default client database file location enabled; policy applied successfully. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in the default location has succeeded. |
| 1069 | Error | Initial Setting: Default client database file location enabled; policy failed. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in the default location has failed. |
| 1070 | Info | Initial Setting: Custom client database file location enabled; policy applied successfully. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in a custom location has succeeded. |
| 1071 | Error | Initial Setting: Custom client database file location enabled; policy failed. Full Disk Installation Settings - Installer Customization. | An attempt to apply an installation setting locating the client database files in a custom location has failed. |
| 1072 | Info | Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that prefills the logon form with the most recent user name and domain has succeeded. |
| 1073 | Error | Initial Setting: Prefill the logon form with the most recent user name and domain enabled; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that prefills the logon form with the most recent user name and domain has failed. |
| 1074 | Info | Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that does not prefill the logon form with the most recent user name and domain has succeeded. |
| 1075 | Error | Initial Setting: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting that does not prefill the logon form with the most recent user name and domain has failed. |
| 1076 | Info | Initial Setting: Custom logon image selected; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting to display a custom image when the computer starts up has succeeded. |
| 1077 | Error | Initial Setting: Custom logon image selected; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting to display a custom image when the computer starts up has failed. |

Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1078 | Info | Initial Setting: Custom logon image not selected; policy applied successfully. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting not to display a custom image when the computer starts up has succeeded. |
| 1079 | Error | Initial Setting: Custom logon image not selected; policy failed. Full Disk Installation Settings - Logon. | An attempt to apply an installation setting not to display a custom image when the computer starts up has failed. |
| 1080 | Info | Settings Change: no minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change not to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has succeeded. |
| 1081 | Error | Settings Change: a policy dictating that no minimum contact period with the SEE Management Server would be enforced failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change not to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has failed. |
| 1082 | Info | Settings Change: a minimum contact period with the SEE Management Server will be enforced; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has succeeded. |
| 1083 | Error | Settings Change: a policy dictating that a minimum contact period with the SEE Management Server should be enforced failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change to enforce a minimum contact period with the Symantec Endpoint Encryption Management Server has failed. |
| 1084 | Info | Settings Change: the minimum SEE Management Server contact period and/or the number of days before lockout that a warning will be displayed was modified; policy applied successfully. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change that modifies contact settings with the Symantec Endpoint Encryption Management Server has succeeded. |
| 1085 | Error | Settings Change: a policy changing the minimum SEE Management Server contact period and/or the number of days before lockout that a warning will be displayed failed to be applied. Full Disk Computer Policy - Client Monitor. | An attempt to apply a settings change that modifies contact settings with the Symantec Endpoint Encryption Management Server has failed. |
| 1090 | Info | Settings Change: Registered users can decrypt disk enabled; policy applied successfully. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change enabling registered users to decrypt the hard disk has succeeded. |
| 1091 | Error | Settings Change: Registered users can decrypt disk enabled; policy failed. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change enabling registered users to decrypt the hard disk has failed. |
| 1092 | Info | Settings Change: Registered users can decrypt disk not enabled; policy applied successfully. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change not enabling registered users to decrypt the hard disk has succeeded. |
| 1093 | Error | Settings Change: Registered users can decrypt disk not enabled; policy failed. Full Disk User Policy - Local Decryption. | An attempt to apply a settings change not enabling registered users to decrypt the hard disk has failed. |
| 1094 | Info | Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent user name and domain has succeeded. |
| 1095 | Error | Settings Change: Prefill the logon form with the most recent user name and domain enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent user name and domain has failed. |
| 1096 | Info | Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change not to prefill the logon form with the most recent user name and domain has succeeded. |

Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1097 | Error | Settings Change: Prefill the logon form with the most recent user name and domain not enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change not to prefill the logon form with the most recent user name and domain has failed. |
| 1098 | Info | Special Policy: Autologon (bypass user authentication to SEE) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An Autologon policy is in effect and as a result, pre-boot authentication was successfully bypassed. |
| 1099 | Error | Special Policy: Autologon (bypass user authentication to SEE) enabled; policy failed. Full Disk Computer Policy - Logon. | An Autologon policy is in effect but pre-boot authentication was not successfully bypassed. |
| 1100 | Info | Special Policy: Autologon (boot as specified) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An Autologon policy was successfully applied. |
|  | Error | Special Policy: Autologon (boot as specified) enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply an Autologon policy failed. |
|  | Info | Special Policy: Autologon terminated. | Autologon has terminated. |
|  | Info | Special Policy: Pre-Windows Autologon success. | Pre-Windows Autologon has succeeded. |
|  | Error | Special Policy: Pre-Windows Autologon failure. | Pre-Windows Autologon has failed. |
|  | Info | Special Policy: Remote decryption of all disks and partitions enabled; policy applied successfully. Full Disk Computer Policy - Remote Decryption. | An attempt to apply a special policy enabling remote decryption of all hard disks and partitions has succeeded. |
| 1106 | Error | Special Policy: Remote decryption of all disks and partitions enabled; policy failed. Full Disk Computer Policy - Remote Decryption. | An attempt to apply a special policy enabling remote decryption of all hard disks and partitions has failed. |
|  | Warning | Utility: Access.exe initiated. | The Full Disk Access Utility has been initiated. |
|  | Warning | Utility: Recover /a attempted. | Recover /A has been attempted. |
|  | Warning | Utility: Recover /b attempted. | Recover /B has been attempted. |
|  | Warning | Utility: Windows recovery process attempted. | A Windows recovery process has been attempted. |
|  | Warning | Utility: Recover /d attempted. | Recover /D has been attempted. |
|  | Warning | Utility: Recover /a successfully completed. | Recover /A has been successfully completed. |
| 1113 | Error | Utility: Recover /a failed. | Recover /A has failed. |
|  | Warning | Utility: Recover attempted. | An attempt to use the Recover Program has occurred. |
|  | Info | Program Action: Logon delay of sixty seconds instituted. | A logon delay of sixty seconds has been instituted. |
|  | Info | Program Action: Logon delay of sixty seconds lifted. | A logon delay of sixty seconds has been lifted. |
|  | Info | Program Action: Normal operations resumed: logon delays will be instituted after number attempts, as per policy. | Normal operations have resumed: logon delays will be instituted after number of unsuccessful logon attempts, as set by policy. |
| 1118 | Info | Program Action: Client Administrator successfully extended the check-in due date. | A Client Administrator has successfully extended the check-in due date. |
| 1119 | Warning | Program Action: A Pre-Windows token logon failed because the PIN is blocked. | A pre-Windows token logon attempt has failed because the PIN is blocked. |
| 1120 | Warning | Program Action: Failed token logon - The token has no remaining PIN attempts. | A token logon attempt has failed because the token has no remaining PIN attempts. |
| 1121 | Info | Settings Change: Prefill the logon form with the most recent domain enabled; policy applied successfully. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent domain has succeeded. |
| 1122 | Error | Settings Change: Prefill the logon form with the most recent domain enabled; policy failed. Full Disk Computer Policy - Logon. | An attempt to apply a settings change to prefill the logon form with the most recent domain has failed. |

Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1123 | Error | Settings Change: Unsuccessful unlock on locked computer attempted with One-Time Password. user name. Full Disk | The specified user attempted to unlock a locked computer using the One-Time Password method, but the attempt did not succeed. |
| 1124 | Info | Settings Change: Successful unlock on locked computer attempted with One-Time Password. user name. Full Disk | The specified user succeeded in using the One-Time Password method to unlock a locked computer. |
| 1125 | Info | Settings Change: Client Administrator account name has unregistered. Full Disk Computer Policy. | The specified Client Administrator unregistered a user. |
| 1126 | Info | Special Policy: Autologon (bypass user authentication to SEE Full Disk) disabled; policy applied successfully. Full Disk Computer Policy - Logon. | An Autologon policy was lifted: pre-boot authentication will no longer be bypassed. |
| 1127 | Error | Special Policy: Autologon (bypass user authentication to SEE Full Disk) disabled; policy failed. Full Disk Computer Policy - Logon. | A policy that would have removed Autologon failed to be applied. |
| 1128 | Info | Special Policy: Autologon (disengage if power lost for minutes minutes) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy was applied to deactivate Autologon if the power remains off for more than a specified number of minutes. |
| 1129 | Error | Special Policy: Autologon (disengage if power lost for minutes minutes) enabled; policy failed. Full Disk Computer Policy - Logon. | A policy to deactivate Autologon if the power remains off for more than a specified number of minutes failed to be applied. |
| 1130 | Info | Special Policy: Autologon (disengage if power lost) disabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy was applied to not deactivate Autologon if the power remains off. |
| 1131 | Error | Special Policy: Autologon (disengage if power lost) disabled; policy failed. Full Disk Computer Policy - Logon. | A policy to not deactivate Autologon if the power remains off. |
| 1132 | Info | Settings Change: Encrypt boot disk only enforced by installer. | An installation setting was applied to ensure that only the boot disk of the computer can/will be encrypted. |
| 1133 | Info | Settings Change: Pending changes to user or policy settings were not applied prior to Windows standby or hibernation. | The computer entered standby or hibernation mode before pending user or policy changes could be applied. |
| 1134 | Info | Settings Change: the logon instructions were modified; policy applied successfully. Full Disk Computer Policy - Startup. | A policy with changed logon instructions was successfully applied. |
| 1135 | Error | Settings Change: a policy changing logon instructions failed to be applied. Full Disk Computer Policy - Startup. | A policy with changed logon instructions failed to be applied. |
| 1136 | Info | Settings Change: the legal notice was modified; policy applied successfully. Full Disk Computer Policy - Startup. | A policy with a modified legal notice was applied successfully. |
| 1137 | Error | Settings Change: a policy changing legal notice failed to be applied. Full Disk Computer Policy - Startup. | A policy with a modified legal notice failed to be applied. |
| 1138 | Info | Initial Setting: Registered users can boot in Safe Mode enabled; policy applied successfully. Full Disk Installation Settings - Startup. | A policy that allows registered users to boot in Safe Mode was successfully applied. |
| 1139 | Error | Initial Setting: Registered users can boot in Safe Mode enabled; policy failed. Full Disk Installation Settings - Startup. | A policy that allows registered users to boot in Safe Mode failed to be applied. |
| 1140 | Info | Initial Setting: Registered users can boot in Safe Mode not enabled; policy applied successfully. Full Disk Installation Settings - Startup. | A policy that does not allow registered users to boot in Safe Mode was successfully applied. |

Table A.2 Full Disk System Events (Continued)

| Event ID | Severity | Description | Explanation |
| --- | --- | --- | --- |
| 1141 | Error | Initial Setting: Registered users can boot in Safe Mode not enabled; policy failed. Full Disk Installation Settings - Startup. | A policy that does not allow registered users to boot in Safe Mode failed to be applied. |
| 1142 | Info | Settings Change: Registered users can boot in Safe Mode enabled; policy applied successfully. Full Disk Computer Policy - Startup. | A policy that allows registered users to boot in Safe Mode was successfully applied. |
| 1143 | Error | Settings Change: Registered users can boot in Safe Mode enabled; policy failed. Full Disk Computer Policy - Startup. | A policy that allows registered users to boot in Safe Mode failed to be applied. |
| 1144 | Info | Settings Change: Registered users can boot in Safe Mode not enabled; policy applied successfully. Full Disk Computer Policy - Startup. | A policy that does not allow registered users to boot in Safe Mode was successfully applied. |
| 1145 | Error | Settings Change: Registered users can boot in Safe Mode not enabled; policy failed. Full Disk Computer Policy - Startup. | A policy that does not allow registered users to boot in Safe Mode failed to be applied. |
| 1146 | Info | Special Policy: Autologon (disengage if connectivity lost for minutes minutes) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy was applied to deactivate Autologon if connectivity is lost for more than a specified number of minutes. |
| 1147 | Error | Special Policy: Autologon (disengage if connectivity lost for minutes minutes) enabled; policy failed. Full Disk Computer Policy - Logon. | A policy to deactivate Autologon if connectivity is lost for more than a specified number of minutes failed to be applied. |
| 1148 | Info | Special Policy: Autologon (disengage if connectivity lost) disabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy was applied to not deactivate Autologon if connectivity is lost. |
| 1149 | Error | %1 Special Policy: Autologon (disengage if connectivity lost) disabled; policy failed. Full Disk Computer Policy - Logon. | A policy to not deactivate Autologon if connectivity is lost failed to be applied. |
| 1150 | Info | Special Policy: Autologon (new recurring Autologon policy setting) enabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy with a new recurring Autologon setting has been successfully applied. |
| 1151 | Info | Special Policy: Autologon (new recurring Autologon policy setting) disabled; policy applied successfully. Full Disk Computer Policy - Logon. | A policy that disables a recurring Autologon setting has been successfully applied. |
| 1152 | Error | Special Policy: Autologon (new recurring Autologon policy setting) enabled; policy failed. Full Disk Computer Policy - Logon. | A policy with a new recurring Autologon setting has failed to be applied. |
| 1153 | Error | Special Policy: Autologon (new recurring Autologon policy setting) disabled; policy failed. Full Disk Computer Policy - Logon. | A policy that disables a recurring Autologon setting has failed to be applied. |
| 1154 | Info | Special Policy: Autologon (end of recurrence); policy applied successfully. Full Disk Computer Policy - Logon. | A policy that specifies the end of the Autologon recurrence period has been successfully applied. |
| 1155 | Error | Special Policy: Autologon (end of recurrence); policy failed. Full Disk Computer Policy - Logon. | A policy that specifies the end of the Autologon recurrence period has failed to be applied. |

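
The events in Table A.2 are most useful to a defender when correlated per computer rather than read one at a time. The following is an added example, not part of the Symantec guide: a stateful triage over six event IDs from the table. The record layout `(timestamp, host, event_id)`, the host names, the finding labels and the threshold of three failed One-Time Password unlocks are assumptions made for illustration.

```python
from collections import defaultdict

# Event IDs and meanings as listed in Table A.2.
AUTOLOGON_ON = 1098    # Autologon enabled: pre-boot authentication bypassed
AUTOLOGON_OFF = 1126   # Autologon disabled: pre-boot authentication restored
DECRYPT_START = 1027   # Disk/partition decryption initiated
DECRYPT_DONE = 1028    # Disk/partition decryption completed
OTP_FAIL = 1123        # Unsuccessful One-Time Password unlock
OTP_OK = 1124          # Successful One-Time Password unlock

# Constructed sample records: (timestamp, host, event_id). The layout and the
# host names are assumptions; only the event IDs come from Table A.2.
SAMPLE_EVENTS = [
    ("2011-06-01T09:05:00", "LAPTOP-B", OTP_OK),
    ("2011-06-01T08:00:00", "LAPTOP-A", AUTOLOGON_ON),
    ("2011-06-01T08:30:00", "LAPTOP-A", DECRYPT_START),
    ("2011-06-01T09:00:00", "LAPTOP-B", OTP_FAIL),
    ("2011-06-01T09:01:00", "LAPTOP-B", OTP_FAIL),
    ("2011-06-01T09:02:00", "LAPTOP-B", OTP_FAIL),
    ("2011-06-01T10:00:00", "LAPTOP-C", AUTOLOGON_ON),
    ("2011-06-01T11:00:00", "LAPTOP-C", AUTOLOGON_OFF),
    ("2011-06-01T12:00:00", "LAPTOP-C", DECRYPT_START),
    ("2011-06-01T13:00:00", "LAPTOP-C", DECRYPT_DONE),
]


def triage(events, otp_threshold=3):
    """Return (timestamp, host, finding) tuples.

    Findings raised while replaying the events come first, in time order.
    They are followed, per host, by conditions still open when the window
    ends (Autologon never lifted, decryption never reported complete).
    """
    state = defaultdict(lambda: {"autologon": False, "decrypting": False,
                                 "otp_failures": 0, "last_seen": None})
    findings = []
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, host, event_id in sorted(events):
        s = state[host]
        s["last_seen"] = ts
        if event_id == AUTOLOGON_ON:
            s["autologon"] = True
        elif event_id == AUTOLOGON_OFF:
            s["autologon"] = False
        elif event_id == DECRYPT_START:
            s["decrypting"] = True
            if s["autologon"]:
                # Disk is being decrypted on a machine that boots
                # without pre-boot authentication.
                findings.append((ts, host, "DECRYPT_DURING_AUTOLOGON"))
        elif event_id == DECRYPT_DONE:
            s["decrypting"] = False
            findings.append((ts, host, "DISK_DECRYPTED"))
        elif event_id == OTP_FAIL:
            s["otp_failures"] += 1
        elif event_id == OTP_OK:
            if s["otp_failures"] >= otp_threshold:
                findings.append((ts, host, "OTP_UNLOCK_AFTER_FAILURES"))
            s["otp_failures"] = 0

    for host in sorted(state):
        s = state[host]
        if s["autologon"]:
            findings.append((s["last_seen"], host, "AUTOLOGON_STILL_ACTIVE"))
        if s["decrypting"]:
            findings.append((s["last_seen"], host, "DECRYPTION_IN_PROGRESS"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```
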
Appendix B. Authentication Method Changes

Overview

Each client will effect a single method of authentication for all of its users. This method of authentication is established in three different Manager Console locations:

- The selection made in the Token Authentication page of the Manager Console InstallShield wizard,
- The selection made in the Authentication Method area of the Registered Users panel (Symantec Endpoint Encryption Software Setup, Symantec Endpoint Encryption Native Policy Manager, or Active Directory policy).

Either an upgrade of the client or a policy update can be used to cause a change to the user's method of authentication. Since policy settings will always take precedence, the use of a policy is more certain to achieve your desired ends.

User Experience

The following table details the effects of a change to the user's authentication method mandated using the Authentication Method area of the Registered Users panel.

Table B.1 Effect of a Change in Authentication Method on Existing User Accounts

| Previous Authentication Method | New Authentication Method | Authentication Method(s) User Has Registered | User Must Re-register? | Details |
| --- | --- | --- | --- | --- |
| a password | a token | Password | Yes | |
| a password | password or token | Password | No | The user will have the option to add a token in the User Client Console. |
| a password; a token; password or token | Automatic | Password, Token, Password and Token | No | |
| a token | a password | Token | Yes | |
| a token | password or token | Token | No | The user will have the option to add a password in the User Client Console. |
| Automatic | a password; a token; password or token | Automatic | Yes | |
| password or token | a password | Password and Token | No | The token is deleted. |
| password or token | a password | Token | Yes | |
| password or token | a token | Password and Token | No | The password is deleted. |
| password or token | a token | Password | Yes | |

Appendix C. Policy Settings Honored by Mac Clients

Refer to the following table for the policy settings that are honored by Mac clients.

Table C.1 Policy Settings Honored by Mac Clients

| Policy Panel | Ignored | Honored | Partially Honored | Notes |
| --- | --- | --- | --- | --- |
| Client Administrator | | | | Only the default Client Administrator account. |
| Registered Users | | | | |
| Password Authentication | | | | Only the settings in the Password Complexity area |
| Token Authentication | | | | |
| Authentication Message | | | | |
| Communication | | | | |
| Single Sign-On | | | | |
| Authenti-Check | | | | |
| One-Time Password | | | | |
| Startup | | | | Only the text in the Logon instructions and Legal notice boxes |
| Logon History | | | | |
| Autologon | | | | |
| Remote Decryption | | | | |
| Client Monitor | | | | |
| Local Decryption | | | | |

Glossary

Active Directory Policies
One of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies.

Authentication Method
Specifies how registered users and Client Administrators authenticate to Symantec Endpoint Encryption. Methods include password, token, password and token, or automatic. If Single Sign-On is enabled, the authentication method used for Symantec Endpoint Encryption and Windows must be the same method. If the Policy Administrator changes the authentication method, registered users may be forced to reregister.

Authenti-Check
Allows users on Windows endpoints to recover from forgotten credentials without help desk assistance. The user authenticates with a set of up to three question-answer pairs. Authenti-Check is not available to Client Administrators or Mac users.

Automatic Authentication
If a Client Computer is set for automatic authentication, Full Disk will not require a user to provide Symantec Endpoint Encryption credentials before allowing Windows to load. This option relies on Windows to authenticate users. In addition, users will be registered automatically unless a registration password is required. Requiring a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console. The automatic authentication feature is not available for Mac endpoints.

Client Administrator
Provides local support to Symantec Endpoint Encryption users. The Policy Administrator assigns each Client Administrator account individual administrative privileges: Unregister users allows Client Administrators to unregister registered users; Decrypt drives provides Client Administrators with the right to decrypt encrypted disks and partitions; Extend lockout permits Client Administrators to extend the Client Computer's next communication date; and Unlock enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server. Client Administrators are always able to authenticate to Client Computers. Client Administrators cannot change their own passwords or use any password-recovery methods.

Management Password
The Management Password controls administrator access to two Full Disk help desk functions: Recover /B and the One-Time Password Program.

91 Glossary Management Password Snap-in The Management Password snap-in allows you to change the Management Password. Native Policies One of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. Native policies do not rely on any existing directory service and apply to computers only. One-Time Password (OTP) Program The One-Time Password (OTP) Program allows Full Disk users on Windows endpoints to recover from a forgotten password, PIN, or token with help desk assistance. Users can also use the OTP program to regain access to their Windows computer after it has been locked for a failure to communicate with the Symantec Endpoint Encryption Management Server. To complete the OTP process the user must contact the help desk. OTP Key A critical value used to ensure the identity of Client Computers during communication with the Symantec Endpoint Encryption Management Server and for the One-Time Password password recovery feature. When the Symantec Endpoint Encryption Manager is installed for the first time, it populates the Symantec Endpoint Encryption database with the OTP key. Policy Administrator Performs centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, the Policy Administrator: Updates and sets client policies. Runs reports. Changes the Management Password. Runs the Help Desk Program. Creates the computer-specific Recover DAT file necessary for Recover /B. Domain or higher-level administrators can restrict access to Symantec Endpoint Encryption snap-ins when assigning specific Policy Administrator duties. Recover Program Used when a Windows Client Computer encounters a serious error and cannot load Windows. The program attempts to regain access to hard disk data by repairing the Symantec Endpoint Encryption client database files (Recover /A), performing an emergency decryption of the hard disk (Recover /D), or restoring the encryption keys (Recover /B). 
Re-Registration
Symantec Endpoint Encryption users may be required to re-register if a Policy Administrator issues a computer policy or installs an upgrade package that requires them to change their authentication method.

Silent Client
A silent client is a Client Computer installed from a Framework Client package created from a Symantec Endpoint Encryption Manager Console whose installation mode does not require connection to Symantec Endpoint Encryption Management Server. Silent clients do not communicate with the Symantec Endpoint Encryption Management Server. If the computer has never checked in, the online method of the One-Time Password recovery method and the Recover /B hard disk recovery option, which requires computer-specific data stored in the database during check-in, are not available.

Single Sign-On (SSO)
If SSO is enabled, the user logs on once in pre-Windows and is then authenticated to Windows.

Symantec Endpoint Encryption Framework
Provides Symantec Endpoint Encryption-wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information.

Symantec Endpoint Encryption Software Setup Snap-in
Allows Symantec Endpoint Encryption client software to be customized before deployment.

User
At least one user must register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention. Users authenticate to Full Disk in one of three ways:
- Single Sign-On enabled: The user is prompted to authenticate each time they restart their computer.
- Single Sign-On not enabled: The user must log on twice: once to Full Disk and then separately to Windows.
- Automatic authentication enabled: The user is not prompted for Full Disk credentials; the authentication process is transparent. This option relies on Windows to validate the user's credentials.
On Mac endpoints, the first user account is created at the time that encryption of the disk is manually initiated. Additional user accounts can be added later.
