
    Symantec Endpoint Encryption Full Disk

    Windows Client Administrator Guide
    Version 8.2.1


    Copyright 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Authenti-Check is a registered trademark of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

    THE DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 Commercial Computer Software - Restricted Rights and DFARS 227.7202, et seq. Commercial Computer Software and Commercial Computer Software Documentation, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

    Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043, http://www.symantec.com

    Contents

    Chapter 1 Introduction
        Overview .... 1
        Symantec Endpoint Encryption Roles .... 1
            Policy Administrator .... 1
            Client Administrator .... 2
            User .... 2
            Client Administrator/Registered User Comparison .... 3
        Best Practices .... 3
            Partition Changes .... 3
            Boot-Time Defragmenters .... 3
            System Restore Tools .... 4
            Trusted Software .... 4
            Local Administrator Privileges .... 4
            Computer Shutdown .... 4
            Password Security .... 4
            Frequent Information Backup .... 4

    Chapter 2 Registration Prompts
        Overview .... 5
        The Prompts .... 5
            Grace Restarts Available .... 5
            Registration Mandate .... 5
            Multiple Users .... 6

    Chapter 3 Pre-Windows Authentication
        Overview .... 7
        The Startup Screen .... 7
        Keyboard Selection .... 8
        Password Logons .... 9
        Token Logons .... 10
        Computer Lockout .... 11
            About Lockouts .... 11
            Lockout Prevention .... 11
            Lockout Recovery .... 12

    Chapter 4 Administrator Client Console
        Overview .... 15
        Logon .... 16
            Basics .... 16
            Password Logons .... 16
            Token Logons .... 17
        Home .... 18
        Navigation .... 18
            User Interface Elements .... 18
            Mouse Navigation .... 19
            Keyboard Navigation .... 20
        Registered Users .... 20
        Full Disk .... 21
            Encryption .... 21
            Decryption .... 22
            Check-In .... 24
        About .... 25

    Chapter 5 Regaining Access to Unbootable Computers
        Overview .... 27
        Regaining Access to Computers without Opal Boot Drives .... 27
            Basics .... 27
            Recover /A .... 28
            Full Disk Access Utility .... 28
            Hard Disk Consistency Check .... 29
            Recover /D .... 29
            Recover /B .... 30
        Regaining Access to Computers with Opal Boot Drives .... 31
            Basics .... 31
            Recover /O .... 31

    Appendix A Novell Support
        Overview .... 33
        SSO for Novell Not Enabled .... 33
        Turn On Feature Does Not Work .... 34
        SSO Not Enabled .... 34

    Appendix B Visually Impaired User Support
        Overview .... 35
        After Client Administrator Logon .... 35
        Double Registration .... 36
        Multiple Users, Multiple Domains/Computer Names .... 36

    Appendix C Keyboard Layouts
        Overview .... 37
        Toggling Keyboard Layouts .... 37
        Windows Keyboard Definition .... 37
            Windows 7 .... 37
            Windows Vista .... 41
            Windows XP and Windows 2000 .... 45

    Appendix D Token Usage & Error Messages
        Overview .... 49
        Token Usage .... 49
            Insertion .... 49
            Recognition .... 49
        Error Messages .... 50
            Pre-Windows Logon .... 50
            Administrator Client Console Logon .... 52

    Appendix E Decommissioning and Repurposing Opal Drives
        Overview .... 55
        Recover /S .... 55

    Glossary .... 57

    Index .... 59

    Chapter 1 Introduction

    This chapter includes the following topics:

    Overview

    Symantec Endpoint Encryption Roles

    Best Practices

    Overview

    Symantec Endpoint Encryption Full Disk ensures that only authorized users can access data stored on hard disks. This safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public disclosure. As a key component of Symantec Endpoint Encryption, Full Disk offers seamless deployment and operation across increasingly diverse IT infrastructures and environments.

    This Guide is intended for Client Administrators of Windows endpoints. It details how to authenticate to Full Disk; use the Administrator Client Console to support registered users and Client Computers; provide support to registered users who have forgotten their password or PIN; and use the Recover Program to recover a hard disk's data, if necessary.

    This chapter defines the Symantec Endpoint Encryption roles and discusses best practices. The sections are as follows:

    Symantec Endpoint Encryption Roles on page 1

    Best Practices on page 3

    Symantec Endpoint Encryption Roles

    Policy Administrator

    Policy Administrators perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, the Policy Administrator:

    Updates and sets client policies.

    Issues commands to encrypt or decrypt endpoint drives and/or partitions that are not Opal-compliant.

    Runs reports.

    Changes the Management Password.

    Runs the Help Desk Program.

    Creates the computer-specific Recover DAT file necessary for Recover /B, Recover /O, and Recover /S.

    Access to Symantec Endpoint Encryption snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties.


    Client Administrator

    Client Administrators provide local support to Symantec Endpoint Encryption users.

    Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.

    Client Administrator credentials are managed from the Manager Console and cannot be changed at the Client Computer. This single-source credential management allows Client Administrators to remember only one set of credentials as they move among many Client Computers.

    Client Administrators may be configured to authenticate with either a password or a token.

    Each Client Administrator account can be assigned any of the following individual administrative privileges:

    Unregister users: allows Client Administrators to unregister registered users from the Administrator Client Console;

    Decrypt drives: provides Client Administrators with the right to decrypt drives encrypted by Symantec Endpoint Encryption Full Disk from the Administrator Client Console or through the use of Recover /D;

    Extend lockout: permits Client Administrators to extend the Client Computer's next communication date using the Administrator Client Console; and

    Unlock: enables Client Administrators to unlock Client Computers that have been locked for failure to communicate with the Symantec Endpoint Encryption Management Server.

    Client Administrators are always able to authenticate to Client Computers.

    Client Administrators should be trusted in accordance with their assigned level of privilege.

    Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Only Client Administrators that authenticate with a password and have all administrative privileges can perform hard disk recovery. Up to 1024 total Client Administrator accounts can exist on each Client Computer.

    Client Administrator accounts have the following restrictions:

    Client Administrators do not have either of the authentication assistance methods (Authenti-Check and One-Time Password) available.

    Client Administrators cannot use Single Sign-On.

    User

    Full Disk protects the data stored on the Client Computer by requiring valid credentials before allowing the operating system to load. Users set their own Symantec Endpoint Encryption credentials, which allow them to power the machine on from an off state and gain access to the operating system.

    At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention.

    Authentication to Full Disk can be configured to occur in one of three ways:

    Single Sign-On enabled: The user is prompted to authenticate once each time they restart their computer.

    Single Sign-On not enabled: The user must log on twice: once to Full Disk and then separately to Windows.

    Automatic authentication enabled: The user is not prompted to provide credentials to Full Disk; the authentication process is transparent. This option relies on Windows to validate the user's credentials.


    The maximum number of users allowed on a Client Computer (up to 1024) is set during the creation of the installation package and can be changed by policy.

    To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.

    Client Administrator/Registered User Comparison

    Table 1-1 shows a comparison between registered users and Client Administrators on Windows endpoints.

    Table 1-1 Client Account Comparison

    Account Creation
        Registered User: Created when user registers.
        Client Administrator: Created by installation settings, upgrade settings, and/or policy updates.

    Account name / User name
        Registered User: User name must be a valid Windows account, either domain or local.
        Client Administrator: Account name is independent of any Windows user account.

    Account Deletion
        Registered User: Deleted manually by Client Administrator through unregister function, if allowed. Also may be deleted according to policy when account is unused for a specified period.
        Client Administrator: Deleted by upgrade package or policy update.

    Password Changes
        Registered User: Can change their password.
        Client Administrator: Changed by upgrade package or policy update.

    Single Sign-On (SSO)
        Registered User: Enabled by installation setting, upgrade package, or policy update.
        Client Administrator: Not available.

    Logon Assistance
        Registered User: Authenti-Check and One-Time Password (OTP) may be enabled by installation settings, upgrade package, or policy update. Client Administrators can always provide logon assistance.
        Client Administrator: Not available.

    Decryption
        Registered User: Decryption rights assigned by installation settings and policy updates.
        Client Administrator: Decryption rights assigned by installation settings, upgrade package, or policy update.

    Lockout
        Registered User: Can become locked out of Client Computer if computer is required to check in with the Symantec Endpoint Encryption Management Server at a required interval but does not, and lockout is used for enforcement. Some users can unlock their computer with help desk assistance, if allowed by policy.
        Client Administrator: Cannot become locked out. Removes and prevents lockout conditions.

    Best Practices

    Partition Changes

    Once Full Disk has been installed, no changes to the partition table are supported. Changes to the drive letters of encrypted disks and partitions are not supported. Before repartitioning, reformatting, resizing, or renaming any partitions on the Client Computer, you must first uninstall Full Disk.

    Boot-Time Defragmenters

    Full Disk relies on its client database files. Boot-time defragmenters can scramble the client database files. If used, they will cause the Client Computer to fail to boot.


    System Restore Tools

    Full Disk encryption relies on the Client Computer's master boot record (MBR). System restore tools that replace the MBR, such as IBM's Rescue and Recovery, can cause the Client Computer to fail to boot.

    Trusted Software

    Firewalls and anti-virus software should be installed on Client Computers to protect against viruses and secure computers against invasive software that arrives over the network, such as a Trojan horse. File sharing, peer-to-peer networks, and FTP servers are not recommended. Network logon scripts must be approved scripts. If remote access to stored data is allowed, users with remote access must be required to authenticate.

    Local Administrator Privileges

    Users should not be defined as local administrators or given local administrative privileges.

    Computer Shutdown

    It is best not to leave a computer unattended, particularly in an insecure location, such as a cafe. If you must step away, you should at least press the Windows logo key+L to invoke the Windows logon. For Full Disk protection, the computer must be powered down.

    Password Security

    Client Administrators and users that authenticate using a password should not share their passwords with anyone else and should avoid writing them down. They should be aware of others watching over their shoulder as they type their password. If this has happened, the password should be changed.

    Frequent Information Backup

    User data as well as log files should be backed up on a regular basis. This will allow users to recover from theft or hard disk failure. The user data backups should be physically protected or encrypted.

    Chapter 2 Registration Prompts

    This chapter includes the following topics:

    Overview

    The Prompts

    Overview

    One of the first signs that Full Disk has been installed is a prompt for account registration.

    If at least one user has registered, you do not need to register and can dismiss any registration prompts. Your Client Administrator credentials are sufficient to authenticate you to Symantec Endpoint Encryption, to launch the Administrator Client Console, and to allow you to move among Client Computers to support registered users.

    You may want to register as a user to increase the security of the computer if no other user has registered.

    If you register for a registered user account, you will have two valid accounts for accessing Full Disk: your Client Administrator account and your registered user account.

    You can unregister your registered user account later using the Administrator Client Console, if your privilege level permits. Each Client Computer has a maximum number of registered users allowed. By unregistering your account you free up a slot for someone else to register.

    See the User Guide for information on the registration process, on using the User Client Console, and on performing other registered user tasks.

    The Prompts

    Grace Restarts Available

    Grace restarts are the number of times users can reboot without having to register. The message displayed informs you of the number of times you can restart without registering. Choose to register or, to dismiss the message, click Cancel. If you cancel the message, you remain in Windows and can launch the Administrator Client Console, if necessary.

    Registration Mandate

    Once grace restarts expire, or if no grace restarts were provided, you are forced to register if no users have registered yet. When there are no more grace restarts, someone must register as a user. Each time Windows loads, the same registration requirement occurs, preventing you from performing any other Windows action. To begin the registration process, click Register. See the User Guide for registration instructions.


    Multiple Users

    If at least one user has already registered to Symantec Endpoint Encryption, you are prompted to register on an optional basis. Choose whether you want to register, you want to be reminded later, or you do not want to be reminded at all. If you select Don't Ask Me Again, you are not prompted to register again unless you attempt to launch the User Client Console.

    Chapter 3 Pre-Windows Authentication

    This chapter includes the following topics:

    Overview

    The Startup Screen

    Keyboard Selection

    Password Logons

    Token Logons

    Computer Lockout

    Overview

    Pre-Windows authentication prevents unauthorized users from accessing encrypted partitions. This important feature takes full effect after the first user registers with Symantec Endpoint Encryption. The first user is forced to register after any grace restarts expire.

    Once the first user has registered, Full Disk will begin to display the Symantec Startup screen each time the machine is powered on, unless an automatic authentication or Autologon policy is in effect.

    This chapter details the pre-Windows authentication process. If an automatic authentication or Autologon policy is in effect, skip to Computer Lockout on page 11.

    Note: Audio cues in the form of system beeps are available during pre-Windows authentication for visually impaired users. If you are supporting these users, refer to Appendix B Visually Impaired User Support on page 35.

    The Startup Screen

    The Policy Administrator may have configured the Startup screen to contain:

    The default image and text,

    The default image with changed logon instructions,

    The default image with a changed legal notice,

    The default image with both changed instructions and changed legal notice, or

    A custom image.

    Figure 3-1 shows the default Startup screen.


    Figure 3-1 Pre-Windows Startup, Default

    To authenticate at the default startup screen

    1 Do one of the following:

    If you authenticate with a password, press CTRL+ALT+DEL.

    If you authenticate with a token and the token is already inserted, you may not see the Startup screen, or you may see it flash briefly. If you do see the Startup screen, insert your token. For proper insertion of your token and for a description of token behavior when the token is being read, refer to Appendix D Token Usage & Error Messages on page 49.

    2 If you need to change the keyboard with which you enter your credentials, continue to the next section.

    3 Otherwise, if you authenticate with a token, skip to Token Logons on page 10. If you authenticate with a password, skip to Password Logons on page 9.

    Keyboard Selection

    Once the Logon screen appears, Full Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your computer screen. If your system administrator defined multiple keyboards and you need a keyboard layout different than the one identified in the bar, use the key sequences listed in Table 3-1 to toggle to another keyboard layout.

    To toggle the keyboard

    1 Before toggling, be sure to click on the Keyboard Layout bar, to place the focus there (the title bar becomes dark).

    Table 3-1 Pre-Windows Key Sequences for Toggling Among Keyboards

    Key Sequence   Toggle To                          Description
    SHIFT+F6       Default keyboard layout            The default keyboard layout set up in Windows.
    CTRL+F6        US English (101) keyboard layout   The US English keyboard, always available and independent of the Windows layout setup.
    F6             Next layout                        The list of layouts available based on the Windows setup.


    2 Once you have toggled to the desired keyboard, click on the Logon window and proceed to the appropriate section:

    Password Logons on page 9, or

    Token Logons on page 10.

    Password Logons

    Once you have pressed CTRL+ALT+DEL, the pre-Windows password Logon screen appears.

    Figure 3-2 Pre-Windows Logon, Password

    To log on to Full Disk, type your Client Administrator account name into the User name box and type your Symantec Endpoint Encryption password into the Password box. Select client administrator from the Account type drop-down list box. The Domain drop-down list box becomes unavailable. The Safe Mode Reboot check box is displayed. Select the Safe Mode Reboot check box if this is a desktop that you want to start in safe mode.

    If the Novell Client software is installed on this workstation, the Do not login to the Novell Server (Workstation Only) check box will be displayed. Once you select client administrator from the Account type drop-down list box, the Do not login to the Novell Server (Workstation Only) check box will become unavailable.

    Once you have entered your credentials, click OK.

    If your account name and password are correct, one of the following will occur:

    If you did not select the Safe Mode Reboot check box because you don't want to start in safe mode, simply wait for Windows to load.

    If you did not select the Safe Mode Reboot check box because this is a laptop that you want to start in safe mode, start pressing F8 on the internal laptop keyboard repeatedly.

    If you selected the Safe Mode Reboot check box and this is a desktop, a message will be displayed, notifying you that the computer will be restarted to provide you with the safe mode option. Click Restart Computer. The computer will power down and power back on. The behavior then varies per operating system.

    On Windows Vista or later, you will be presented with the safe mode option screen.

    On Windows XP or earlier, you will be presented with an operating system selection screen. Press F8. Then you will be presented with the safe mode option screen.

    If your account does not exist or you mistyped your credentials, the logon fails. Review your user name and correct it if necessary. Type your password again and click OK.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to complete the pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect password attempts are made. This delay helps protect the Client Computer against unwanted password-guessing attacks. If such a setting or policy is in place and you trigger that restriction, a message informs you that the number of allowed logon attempts has been exceeded. A countdown displays the number of minutes until you can try again.

    Figure 3-3 Pre-Windows Logon, Delay for Incorrect Logon

    Logon assistance is not available to Client Administrators. If you click Logon Assistance, you will be informed that logon assistance methods do not exist for this user name.

    After the countdown, you return to the Logon screen (Figure 3-3), where you can enter your credentials again.

    Token Logons

    Make sure your token is recognized before you proceed, and do not remove your token until authentication is complete.

    Once you have inserted your token, the pre-Windows token Logon screen appears.

    Figure 3-4 Pre-Windows Logon, Token

    Type your PIN into the PIN box. Select the Safe Mode Reboot check box if this is a desktop that you want to start in safe mode. Click OK. Do not remove your token until processing completes.

    Note: The first time this Logon screen appears and you enter your PIN and click OK, this message may appear: "Full Disk has detected an unrecognized token. Please wait while it is evaluated." This short delay occurs because the system is recording the token ID and certificate information.

    If your PIN is correct, one of the following will occur:

    If you did not select the Safe Mode Reboot check box because you don't want to start in safe mode, simply wait for Windows to load.

    If you did not select the Safe Mode Reboot check box because this is a laptop that you want to start in safe mode, start pressing F8 on the internal laptop keyboard repeatedly.

    If you selected the Safe Mode Reboot check box and this is a desktop, a message will be displayed, notifying you that the computer will be restarted to provide you with the safe mode option. Click Restart Computer. The computer will power down and power back on. The behavior then varies per operating system.

    On Windows Vista or later, you will be presented with the safe mode option screen.

    On Windows XP or earlier, you will be presented with an operating system selection screen. Press F8. Then you will be presented with the safe mode option screen.

    If your account does not exist or you mistyped your PIN, the logon fails. Type your PIN again and click OK. If it fails again, contact the appropriate administrator.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to complete the pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    You can also reference Appendix D Pre-Windows Logon on page 50.

    Computer Lockout

    About Lockouts

    If lockouts are used to force a Client Computer to check in with the Symantec Endpoint Encryption Management Server on a prescribed schedule, registered users will not be able to boot to Windows when the computer fails to check in.

    Note: If Autologon is activated while a computer is in a lockout state, the Autologon policy preempts the lockout condition for as long as the Autologon policy is in effect.

    Lockout Prevention

    If a Client Computer is about to be locked, a Server Communication Required warning message appears before the Startup screen loads.

    Figure 3-5 Pre-Windows Lockout Warning

    The message identifies the number of days left before the lockout and advises the user to contact a Client Administrator. After the user clicks OK, they can log on to the computer as normal.

    If a user contacts you about this warning, you can prevent the lockout in one or more of the following ways:

    Resolve the problem that is preventing the Client Computer from connecting to the Symantec Endpoint Encryption Management Server.

    Ask the user to launch the User Client Console, go to the Full Disk - Check-In panel, and click the Check In Now button. The Client Computer will try to communicate with the Symantec Endpoint Encryption Management Server. If communication is successful, lockout is prevented and the Next Communication Due By date is extended by the check-in interval.

    Go to the user's computer. Either log on at the pre-Windows logon prompt or, if the user is logged into Windows, launch the Administrator Client Console, go to the Full Disk - Check-In panel, and click the Extend Due Date button. Either action updates the Next Communication Due By date by the check-in interval.

    Lockout Recovery

    Basics

    If the Client Computer is already locked, an Access Denied error message appears immediately upon reboot.

    Figure 3-6 Pre-Windows Lockout Message

    The HelpDesk Assisted Unlock button is for users who have been provisioned with the OTP unlock feature and is not relevant to Client Administrators.

    Click Administrator Login Unlock.

    The Startup screen will be displayed.

    If you log on with a token, insert your token and skip to Token Lockout Recovery Logon on page 14.

    If you log on with a password, press CTRL+ALT+DEL and continue to the next section.

    Password Lockout Recovery Logon

    After pressing CTRL+ALT+DEL from the Startup screen when a lockout condition is in place, the Client Administrator password lockout recovery logon is displayed.

    Figure 3-7 Pre-Windows Client Administrator Lockout Recovery Logon, Password

    Enter your credentials.

    Select the Safe Mode Reboot check box if this is a desktop that you want to start in safe mode.

    Once you have entered your credentials, click OK.

    If your account name and password are correct, the computer will be unlocked and the next communication due date extended.

    If you did not select the Safe Mode Reboot check box because you don't want to start in safe mode, simply wait for Windows to load.

    If you did not select the Safe Mode Reboot check box because this is a laptop that you want to start in safe mode, start pressing F8 repeatedly on the internal laptop keyboard.

    If you selected the Safe Mode Reboot check box and this is a desktop, a message will be displayed, notifying you that the computer will be restarted to provide you with the safe mode option. Click Restart Computer. The computer will power down and power back on. The behavior then varies per operating system.

    On Windows Vista or later, you will be presented with the safe mode option screen.

    On Windows XP or earlier, you will be presented with an operating system selection screen. Press F8. Then you will be presented with the safe mode option screen.

    If your account does not exist or you mistyped your credentials, the logon fails. Review your user name and correct it if necessary. Type your password again and click OK.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to complete the pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect password attempts are made. This delay helps protect the Client Computer against unwanted password-guessing attacks. If such a setting or policy is in place and you trigger that restriction, a message informs you that the number of allowed logon attempts has been exceeded. A countdown displays the number of minutes until you can try again.

    Token Lockout Recovery Logon

    After inserting your token at the Startup screen when a lockout condition is in place, the Client Administrator token lockout recovery logon is displayed.

    Figure 3-8 Pre-Windows Client Administrator Lockout Recovery Logon, Token

    Type your PIN into the PIN box. Select the Safe Mode Reboot check box if this is a desktop that you want to start in safe mode. Click OK. Do not remove your token until processing completes.

    If your PIN is correct, the computer will be unlocked and the next communication due date extended.

    If you did not select the Safe Mode Reboot check box because you don't want to start in safe mode, simply wait for Windows to load.

    If you did not select the Safe Mode Reboot check box because this is a laptop that you want to start in safe mode, start pressing F8 on the internal laptop keyboard repeatedly.

    If you selected the Safe Mode Reboot check box and this is a desktop, a message will be displayed, notifying you that the computer will be restarted to provide you with the safe mode option. Click Restart Computer. The computer will power down and power back on. The behavior then varies per operating system.

    On Windows Vista or later, you will be presented with the safe mode option screen.

    On Windows XP or earlier, you will be presented with an operating system selection screen. Press F8. Then you will be presented with the safe mode option screen.

    If your account does not exist or you mistyped your PIN, the logon fails. Type your PIN again and click OK. If it fails again, contact the appropriate administrator.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to complete the pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    You can also reference Appendix D Pre-Windows Logon on page 50.

    Chapter 4

    Administrator Client Console

    This chapter includes the following topics:

    Overview

    Logon

    Home

    Navigation

    Registered Users

    Full Disk

    About

    Overview

    All Client Administrators can use the Administrator Client Console to:

    View drive encryption status.

    Encrypt one or more non-Opal-compliant drives.

    View and extend the date the computer must next check in with the Symantec Endpoint Encryption Management Server, if check-in is required.

    View the Symantec Endpoint Encryption registered user accounts on the computer.

    Client Administrators with the Decrypt drives privilege can use the console to decrypt drives encrypted by Symantec Endpoint Encryption Full Disk.

    Client Administrators with the Unregister users privilege can use the console to unregister users.

    Client Administrators with the Extend lockout privilege can use the console to extend the Client Computers next communication date.

    To start the Administrator Client Console, on the Start menu, click All Programs, click Symantec Endpoint Encryption Client, and then click SEE Administrator Client.

    If the User Client Console is open, you will be prompted to close it, as both consoles cannot be running simultaneously.

    Note: If you are assisting a visually impaired user, who uses JAWS to navigate Windows, turn off JAWS prior to launching the Administrator Client Console.

    Logon

    Basics

    When the Administrator Client Console launches, it prompts you for your Symantec Endpoint Encryption credentials.

    If you log on with a token, see Token Logons on page 17. If you log on with a password, see the next section.

    Password Logons

    The Logon screen prompts you for your Client Administrator password.

    Figure 4-1 Administrator Client Console Logon, Password

    To log on to the Administrator Client Console with a password, select Password from the Authentication method drop-down menu, if it is not already selected. In the Account name field, type your account name. In the Password field, type your Client Administrator password.

    Click Log On.

    If the account name and/or password do not match any existing account, the logon will fail. Check the account name that you provided and retype your password. You may be forced to wait before you can log on. Logon delays protect against automated password-guessing attacks. The length of the delay and the maximum number of incorrect logon attempts are set in the client installation package or by policy update.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to reboot the computer and complete pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    If your authentication succeeds, you will be given access to the Administrator Client Console. Skip to the section Home on page 18.

    Token Logons

    Token Insertion

    The Logon panel prompts you to insert your token.

    Figure 4-2 Administrator Client Console Logon, Token

    If your token is already inserted, skip to the next section; otherwise, insert your token. For proper insertion of your token and for a description of token behavior when the token is being read, refer to Appendix D Token Usage & Error Messages on page 49. Make sure the token has been read before you proceed with authentication.

    PIN Entry

    To log on to the Administrator Client Console with a token, select Token from the Authentication method drop-down menu, if it is not already selected. In the Account name field, type the account name given to you by your Policy Administrator. In the PIN field, type your PIN.

    Click Log On. Do not remove the token until authentication completes.

    If your authentication succeeds, you are given access to the Administrator Client Console. Skip to the section Home on page 18.

    If your authentication fails or if you encounter token, certificate, or PIN errors during logon, refer to Appendix D Administrator Client Console Logon on page 52 for possible causes and resolution.

    Note: Computers without Opal-compliant drives require a reboot to add the 129th, 257th, 385th, 513th, 641st, 769th, and 897th Client Administrator account. If your credentials fail repeatedly, ask another Client Administrator to reboot the computer and complete pre-boot authentication. Your credentials should begin to work as soon as the computer boots up into Windows. Confirm that your account has been added by logging on to the Administrator Client Console.

    Certificate Selection

    If the Select Certificate dialog appears, continue reading; otherwise, skip to the next section, Home on page 18.

    Figure 4-3 Select Certificate

    Select your Symantec Endpoint Encryption certificate by clicking on the appropriate row, then clicking OK.

    If you don't know which certificate to choose, contact the appropriate administrator.

    If you receive an error message, refer to Appendix D Administrator Client Console Logon on page 52 for possible causes and resolution.

    Home

    The Administrator Client Console opens to the Home panel, which appears with an enabled navigation pane.

    Figure 4-4 Administrator Client Console Home

    Navigation

    User Interface Elements

    The Administrator Client Console is divided into several sections.

    Figure 4-5 Administrator Client Console User Interface Elements

    The sections are as follows:

    The banner displays the product logo and the account name of the Client Administrator logged on to this console.

    The navigation pane contains hyperlinks to all panels. A panel loads into the main pane when its link is clicked. The links include those for Registered Users, the panels under Full Disk, and an About panel.

    The main pane changes in response to your clicking a link in the navigation pane. For example, if you click Registered Users, the main pane displays the Registered Users panel.

    The Quick Help pane provides context-sensitive help based on the location of your mouse. See the next section for how to display Quick Help.

    Standard visual indicators are used to identify the user interface element that has focus. A dotted line outlines the link, button, check box, or icon having focus. Highlighting or a blinking cursor indicates the input field that has focus. In Figure 4-5, Registered Users has focus.

    You may navigate the Administrator Client Console using a mouse or using the keyboard.

    Mouse Navigation

    If you are using a mouse to navigate the Administrator Client Console:

    To load a panel, click the desired hyperlink in the navigation pane; the panel loads into the main pane.

    To display Quick Help, click the help icon. The Quick Help pane appears. To close the Quick Help pane, click the help icon again.

    (Figure 4-5 callouts: Banner, Navigation Pane, Quick Help Pane, Main Pane)

    Keyboard Navigation

    Direct Access

    Use the keys listed in Table 4-1 to directly access Administrator Client Console panels.

    Table 4-1 Access Keys

    To Go To This Panel | Press This Key
    Registered Users | ALT+U
    Full Disk > Encryption | ALT+E
    Full Disk > Decryption | ALT+D
    Full Disk > Check-In | ALT+C
    About | ALT+B

    TAB Key Access

    To navigate the Administrator Client Console:

    Press the TAB key to move among the screen elements. A dotted line surrounds the link, input field, button, or icon, indicating which element has the focus (Figure 4-5). In the example, Registered Users has focus.

    To load a panel, press the TAB key until the focus is on the desired link in the navigation pane, then press ENTER. The panel loads into the main pane and focus moves to the panel.

    To display Quick Help, press the TAB key until the focus is on the help icon, then press ENTER or the SPACEBAR. To close the Quick Help pane, press ENTER or the SPACEBAR again. Note that Quick Help applies at the panel level; context-sensitive Quick Help is available only when using a mouse.

    To select a check box, press the TAB key to place focus on the box, then press the SPACEBAR. To toggle off the selection, press the SPACEBAR again.

    To activate a button, press the TAB key to place focus on the button, then press ENTER or the SPACEBAR.

    The TAB key follows standard user-interface behavior:

    Tabbing order within each panel is top to bottom, left to right.

    To move down, press the TAB key; to move up, press SHIFT+TAB.

    To scroll, use the UP ARROW key and the DOWN ARROW key.

    When you use the TAB key to navigate, you may need to press the key more than once to place the focus on the next desired link, input field, button, or icon, depending on the location of the current focus.

    Registered Users

    Use the Registered Users panel to view Symantec Endpoint Encryption registered user accounts on a Client Computer and, if your privilege level permits, to unregister users.

    To open the Registered Users panel, click Registered Users in the navigation pane. The Registered Users panel appears, populated with the registered user accounts on that computer.

    Figure 4-6 Administrator Client Console Registered Users Panel

    When you unregister a user, the user's Symantec Endpoint Encryption account is deleted and that user can no longer log on in pre-Windows.

    Reasons for unregistering a user include:

    Employee departure;

    Workstation or laptop reallocation;

    Registered user account maximum approaching or reached;

    Logon assistance methods (Authenti-Check and/or OTP) do not succeed or are not available.

    To unregister a registered user, select the check box next to the user account(s) that you want to unregister. The Unregister Selected Users button becomes available. If you do not have the privileges necessary to unregister users, the check boxes are not available and this message appears: "Your Symantec Endpoint Encryption policy administrator has not granted you the right to unregister users." Click Unregister Selected Users. The account is removed and the Number of registered users is decremented.

    If you chose to register, your registered user account could be shown in the list. You can unregister your registered user account without any effect on your Client Administrator account.

    Full Disk

    Encryption

    The full encryption of the Client Computer is usually set up to begin immediately after installation. It is unlikely that you will need to use the Administrator Client Console to start this process manually.

    Use the Encryption panel to view the encryption status of the partitions on the hard disk(s) or to manually begin the encryption of one or more hard disk partitions. To open the Encryption panel, click Encryption. The Encryption panel appears.

    Figure 4-7 Administrator Client Console Encryption Panel

    Should you need to encrypt the disk or partition, you should first connect to an uninterruptible power source, since an interruption of power could cause data corruption. For example, if you are encrypting a laptop, plug the laptop in before you start.

    In the Status column, one of the following will be displayed for each partition: Encryption Pending, Encrypting, Encrypted, Decryption Pending, Decrypting, Decrypted, or Unknown.

    The check boxes beside partitions with statuses of Decryption Pending, Decrypting, and Decrypted will be available for selection. The check boxes beside partitions with statuses of Encryption Pending, Encrypting, and Encrypted will not be available.

    Once you select the check box beside one or more partitions, the Encrypt Selected Partitions button becomes available. Click Encrypt Selected Partitions to begin encrypting the selected partition(s). The partitions will be encrypted one at a time in alphabetical order.

    The partition(s) waiting to be encrypted will have a status of Encryption Pending. While encryption is running, the panel shows the percentage of encryption, such as Encrypting (80 %). When encryption completes, no percentage is shown; a lock icon accompanies the Encrypted status for easy visual confirmation that this disk or partition is fully encrypted.

    Users can continue to work normally while disks or partitions are encrypting.

    The Partitions not managed by SEE area will be displayed if multiple disks exist on the computer and:

    One or more of the additional drives connects through an eSATA port. Full Disk does not manage eSATA drives.

    The primary boot drive is Opal-compliant. Only primary Opal-compliant drives can be managed by Full Disk.

    The Encrypt boot disk only option was selected during the creation of the original installation package. The partitions on the additional disk(s) cannot be encrypted or decrypted.

    Each partition listed in the Partitions not managed by SEE area will have a status of Unknown.

    Decryption

    If you have decryption privileges and no Opal-compliant drives, you can use the Decryption panel to:

    View drive decryption status

    Decrypt drives

    To open the Decryption panel, click Decryption. The Decryption panel appears.

    Figure 4-8 Administrator Client Console Decryption Panel

    Before Full Disk can be uninstalled, all partitions must be decrypted. You must uninstall Full Disk if:

    The operating system is about to be upgraded.

    A major physical change in the core hardware is about to occur. For example, an upgraded processor or motherboard is going to be installed. Changes to the partition table are not possible until Full Disk has been uninstalled.

    Should you need to decrypt the disk, first connect to an uninterruptible power source, since an interruption of power could cause data corruption. For example, if you are decrypting a laptop, plug in the laptop before you start.

    Each partition will be listed with one of the following statuses: Encryption Pending, Encrypting, Encrypted, Decryption Pending, Decrypting, Decrypted, or Unknown.

    If a partition is listed with a status of Encryption Pending, Encrypting, or Encrypted you can select the check box beside it. Upon the selection of a check box, the Decrypt Selected Partitions button becomes available. Click Decrypt Selected Partitions to begin decrypting the selected partition(s). You will be prompted to confirm that you want to decrypt. The partitions will be decrypted one at a time in alphabetical order.

    The partition(s) waiting to be decrypted will have a status of Decryption Pending. While decryption is running, the panel shows the percentage of partition decryption, such as Decrypting (20 %). When decryption completes, no percentage is shown; an unlock icon accompanies the Decrypted status for easy visual confirmation that this partition is fully decrypted.

    If a partition has a status of Decryption Pending, Decrypting, or Decrypted, its check box will not be available.

    Users can continue to work while partitions are decrypting.

    The Partitions not managed by SEE area will be displayed if multiple disks exist on the computer and:

    One or more of the additional drives connects through an eSATA port. Full Disk does not manage eSATA drives.

    The primary boot drive is Opal-compliant. Only primary Opal-compliant drives can be managed by Full Disk.

    The Encrypt boot disk only option was selected during the creation of the original installation package. The partitions on the additional disk(s) cannot be encrypted or decrypted.

    Each partition listed in the Partitions not managed by SEE area will have a status of Unknown.

    Check-In

    Client Computers may be configured to connect with the Symantec Endpoint Encryption Management Server. During these check-ins, the Client Computer sends status information and the following important recovery information:

    Data necessary for the online method of the One-Time Password Program; and

    Information required for Recover /B, Recover /O, and Recover /S.

    The Policy Administrator optionally can add a policy to enforce check-in by locking out users when a computer is required to check in but does not. If lockout occurs, the Client Computer remains in a pre-Windows state after restart so that no registered user can log on and a Client Administrator must log on to allow the user to boot into Windows.

    Use the Check-In panel:

    To find out what check-in policy is in place;

    To obtain the date and time of the last communication;

    To see the next communication date information, if check-in is enforced by lockout;

    To extend the next communication date, if check-in is enforced by lockout and a network problem or a user's or computer's known circumstance is preventing communication.

    To access the panel, from the navigation pane click Check-In. The Check-In panel appears.

    Figure 4-9 Administrator Client Console Check-In Panel, Unenforced Communication

    Figure 4-9 shows an example of a computer that has checked in and is not subject to a lockout enforcement policy.

    The information displayed in the Check-In panel varies as described in the following table.

    The Extend Due Date button is available only under the following circumstances:

    At least one user has registered,

    The Client Computer is configured to communicate with the Symantec Endpoint Encryption Management Server, and

    A lockout enforcement policy is in effect.

    If lockouts are used for enforcement of check-in and the computer fails to check in, then registered users will not be able to boot to Windows. If the Policy Administrator pushes a policy that enables one or more users to have the OTP unlock capability, those users can attempt to unlock their computers with assistance from the help desk.

    If the Check-In panel indicates that a lockout is imminent, click Extend Due Date. The Next communication due by field will be incremented from todays date and time by the required communication interval.

    Separately, you should ensure that the issue preventing the Client Computer from connecting to the Symantec Endpoint Encryption Management Server is resolved. The lockout experience is discussed further in Computer Lockout on page 11.

    Table 4-2 Check-In Panel Information

    Field label: Last communication with the SEE Management Server

    Value: Date and time. Meaning: Communication with the Symantec Endpoint Encryption Management Server occurred on the specified date at the specified time.

    Value: never connected. Meaning: This Client Computer has never connected to the Symantec Endpoint Encryption Management Server. The user will not be able to use the online method of the OTP Program, and the Recover /B, /O, and /S options of the Recover Program will not be available to you.

    Field label: Next communication due by

    Value: Future date and time. Meaning: A lockout enforcement policy is in effect and this Client Computer must make contact with the Symantec Endpoint Encryption Management Server no later than the specified date and time.

    Value: Past date and time, shown in red with a warning icon; the tooltip message "Communication is overdue" appears. Meaning: A lockout enforcement policy is in effect and this Client Computer has failed to connect within the mandatory interval. A lockout is imminent upon the next reboot.

    Value: not applicable until the first user registers. Meaning: The first user has not yet registered.

    Value: not applicable. Meaning: A lockout enforcement policy is not in effect.

    About

    Use the About panel to find out which version of Framework and Full Disk the Client Computer is running. To open the About panel, click About. The About panel appears. The build number is shown as a tooltip when you hover your mouse over the version number; it can be used to see whether patches have been applied.

    Note: From time to time, a service pack number (SPn) is appended to the build string, indicating that this is not a major release but an update that fixes existing problems and in some cases delivers product enhancements.

    Click Show legal notice to see the legal notices associated with a product.

    Chapter 5

    Regaining Access to Unbootable Computers

    This chapter includes the following topics:

    Overview

    Regaining Access to Computers without Opal Boot Drives

    Regaining Access to Computers with Opal Boot Drives

    Overview

    Symantec provides the Full Disk Access Utility and the Recover Program on bootable CDs to assist you in the event that a Client Computer fails to boot. Each allows you to access the data on the hard disk using the Microsoft Windows Preinstallation Environment (Windows PE) operating system. While both can be run by a qualified Client Administrator, we recommend that you contact Symantec technical support for assistance with the process.

    The steps for regaining access differ according to whether the boot drive is Opal-compliant or not.

    To regain access to a computer without an Opal-compliant drive, see Regaining Access to Computers without Opal Boot Drives on page 27.

    To regain access to a computer with an Opal-compliant drive, see Regaining Access to Computers with Opal Boot Drives on page 31.

    Contact Symantec technical support at your earliest convenience when dealing with a technical issue that involves critical data. Document all events that preceded the problem, list any actions taken, and identify any error messages encountered. Depending on your situation, technical support personnel may walk you through one or more of the following steps as you attempt recovery.

    Before you begin, identify the version number of the Client Computer. Ensure that the Recover Program and Full Disk Access Utility have the same version number.

    Regaining Access to Computers without Opal Boot Drives

    Basics

    The following steps should be performed in sequence:

    1 Recover /A

    2 Full Disk Access Utility

    3 Hard Disk Consistency Check

    4 Recover /D


    5 Recover /B

    Recover /A

    If your computer has encountered a serious error and you cannot load Windows, first run the Recover Program with the /A option. The /A option attempts to repair damaged client database files.

    After Recover /A runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the Windows Event Log are lost.

    To run Recover with the /A option, you will need the Recover Program CD.

    To run Recover with the /A option:

    1 Remove all bootable media.

    2 Insert the Recover Program CD into the appropriate drive.

    3 Restart the computer, booting from the Recover Program CD. You may need to modify the BIOS to boot from CD/DVD. A command line window is displayed, and the Recover Program launches automatically.

    Note: To save the output of the Recover Program to removable media, exit the Recover Program after its initial launch by clicking Exit. At the command-line prompt, type SEERecoverWinPE and press Enter to relaunch the Recover Program. At the command-line prompt, type Notepad and press Enter to launch Notepad. When the Recover Program completes, copy the contents of the Recover Program's document window and paste it into the Notepad document, which you can then save to a USB thumb drive or other removable media.

    4 Follow the instruction to make sure the computer is connected to an uninterruptible power supply, then click Next.

    5 The Choose a physical drive to process menu will be populated with a list of all physical drives connected to the Client Computer. Each entry in the menu will show the physical disk number and size in MB, and will be marked Bootable SEE Full Disk, Secondary SEE Full Disk, or Unknown to indicate whether the drive is bootable, secondary, or unmanaged. A client computer with only one managed disk will show a single bootable entry, while a client computer with multiple managed disks will show a bootable entry and one or more secondary entries. If more than one disk is shown, ensure that you select the bootable disk for this initial recover /A procedure. After recover /A completes on the bootable drive, perform recover /A again on each secondary drive.

    From the drop-down menu, select the physical drive to process, then click Next.

    6 A verification screen will scroll pairs of volume files being read as part of an integrity check. When it completes, click Next.

    7 If the integrity check fails, recover /A will be one of the three recover options available. Ensure that the recover /A option button is selected, then click Next.

    If the selected physical drive passes the integrity check, the recover /A option will be unavailable, and the recover /D option will be selected. Skip ahead to Recover /D on page 29.

    8 You will be asked to authenticate with a Client Administrator account name and password, after which you follow the program prompts. If you enter incorrect credentials three times, you will be required to wait one minute before attempting to authenticate again.

    If the /A option succeeds in repairing the client database files and you are able to boot, you once again have access to the computer. If the /A option does not succeed, exit the Recover Program and proceed to the next step: Full Disk Access Utility.

    Full Disk Access Utility

    The Full Disk Access Utility may indicate Windows problems. It allows you to map to a network drive and pull off your critical files to a safe location, before you attempt to work on the Windows operating system.


    Note: The Full Disk Access Utility cannot be run while encryption or decryption is in progress.

    Once you have copied off your data, take a look at your Windows operating system.

    If the Full Disk Access Utility does not succeed, proceed to the next step: Hard Disk Consistency Check.

    Hard Disk Consistency Check

    If running Recover /A fails and if the Full Disk Access Utility is not able to see the hard disk or to authenticate the person running the utility, then the possibility exists that the drive has physically failed.

    If the hardware manufacturer provided a bootable repair CD with a read-only consistency check option, locate and utilize this CD.

    A failed consistency check will allow you to determine that physical problems exist.

    The next step depends on the specifics of your situation. One step may be for you to send the disk to a data recovery house. Or Symantec technical support may try a sector-by-sector image copy to back up your data onto another disk.

    Recover /D

    If your disk passed the consistency check and you have the Decrypt drives privilege, run the Recover Program with the /D option once, to attempt to regain access to the data on your hard disk. The /D option attempts to repair the Full Disk client database files, then tries to decrypt the hard disk. After Recover /D runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the Windows Event Log are lost.

    Note: Never run this option more than once, whether it succeeds or fails. Running Recover /D twice will cause double decryption and permanent loss of data.

    To run Recover /D:

    1 Connect the computer to an uninterruptible power supply.

    2 Remove all bootable media.

    3 Insert the Recover Program CD into the appropriate drive.

    4 Restart the computer, booting from the Recover Program CD. You may need to modify the BIOS to boot from CD/DVD. A command line window is displayed, and the Recover Program launches automatically.

    Note: To save the output of the Recover Program to removable media, exit the Recover Program after its initial launch by clicking Exit. At the command-line prompt, type SEERecoverWinPE and press Enter to relaunch the Recover Program. At the command-line prompt, type Notepad and press Enter to launch Notepad. When the Recover Program completes, copy the contents of the Recover Program's document window and paste it into the Notepad document, which you can then save to a USB thumb drive or other removable media.

    5 Follow the instruction to verify that the computer is connected to an uninterruptible power supply, then click Next. A verification screen will scroll pairs of volume files being read as part of an integrity check. When it completes, click Next.

    6 The three recovery options appear with their descriptions. Select the option button for recover /D.

    You will be asked to authenticate with a Client Administrator account name and password. If the Client Administrator account lacks the required decrypt drives privileges, you will be unable to authenticate. If you enter incorrect credentials three times, you will be required to wait one minute before attempting to authenticate again. Once you have authenticated, follow the program prompts.


    Once the program starts running, do not stop it or shut down the computer. The process must run to completion. A typical problem disk can take hours, days, or weeks to decrypt. If the process runs into a series of bad sectors (perhaps hundreds of thousands of them), it will try multiple times to read them and the process may appear to have stopped. You will see a progress bar showing the percentage of disk decryption displayed on the screen; the progress bar may remain stationary for quite some time. If the process cannot successfully read a sector after multiple attempts, the process moves to the next sector. Readable sectors are read in, decrypted, and then written back to the disk.

    When the program ends, if you see a success message, you will have a fully or partially decrypted disk, depending on the extent of damage.

    Until you see a final message indicating success or failure, let the program run.

    If you see a failure message, exit the Recover Program and proceed to the next step: Recover /B.

    Recover /B

    Recover /B should be performed only with the assistance of Symantec technical support.

    If all previous steps failed, it may mean that a very important cryptographic key cannot be found. The Recover Program using the /B option reads from a computer-specific recover DAT file that contains that key, allowing you to decrypt your data.

    The Policy Administrator creates the DAT file by exporting a Client Computer's data from the database. For this reason, Recover /B is only available for computers that have checked in at least once with the Symantec Endpoint Encryption Management Server.

    When the Policy Administrator creates the DAT file, the administrator defines a Recovery Password to protect the DAT file. When the administrator provides the DAT, they tell you the password. Typically the administrator gives the DAT file an informative name, perhaps containing the name of the computer and the current date and time, such as D9HCPD3_20090525_Recover.dat.

    Note: Make sure that you have the correct DAT file. Since the data in the DAT file is computer-specific, running /B using a recovery data file intended for another computer will corrupt your hard disk files. Also make sure that the computer is connected to an uninterruptible power supply; otherwise, data loss can occur if the process stops.

    You may need to modify the BIOS to boot from CD/DVD. A command line window is displayed, and the Recover Program launches automatically.

    Note: To save the output of the Recover Program to removable media, exit the Recover Program after its initial launch by clicking Exit. At the command-line prompt, type SEERecoverWinPE and press Enter to relaunch the Recover Program. At the command-line prompt, type Notepad and press Enter to launch Notepad. When the Recover Program completes, copy the contents of the Recover Program's document window and paste it into the Notepad document, which you can then save to a USB thumb drive or other removable media.

    Select the option button for recover /B.

    Browse to the DAT file. You will be prompted for the Recovery Password associated with the DAT file. Enter the password. The Recover Program will generate several information and warning messages and/or prompts, depending on what the program encounters. The most severe warning message occurs if something goes wrong when the Recover Program attempts to compare values in the DAT file with the client database files, as described below.

    If the Recover Program detects a mismatch between the DAT file and the client database files, the program stops and issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Click Cancel to cancel the recovery operation.


    If the Recover Program is unable to compare the backup file and the client database files due to file corruption of client database files, the program halts and issues the same warning message as stated in the previous paragraph. Only if you are absolutely certain that the DAT file is the correct file should you continue the process; otherwise, click Cancel to cancel the recovery operation.

    If the Recover Program detects that the DAT file is corrupted, the Recover Program stops. Click Cancel to cancel the recovery operation.
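    The three outcomes just described (a detectable mismatch between the DAT file and the client database, a client database too damaged to compare, and a corrupt DAT file) are the classic shape of a safety gate in front of an irreversible operation, and the same gate applies to the Recover /O mismatch warning later in this chapter. The following is an added example written for this guide, not Symantec's DAT format or Recover Program code: it assumes a hypothetical recovery file that carries the computer identity and the disk key, sealed under the Recovery Password with PBKDF2 and HMAC-SHA256, and a client database that records the same identity. The function names, the sample data and the key-wrapping scheme are this example's own; only the computer name comes from the guide's filename example.

```python
"""Constructed model of the DAT-file safety check that precedes an irreversible recovery.

Added illustration, not Symantec Endpoint Encryption code: the real DAT format
and client database are proprietary and not described in the guide. The model
reproduces the three outcomes the guide lists: match, mismatch, and a client
database too damaged to compare (plus a DAT that cannot be opened).
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # illustrative work factor for the Recovery Password


class RecoveryFileCorrupt(Exception):
    """The recovery file cannot be parsed or its integrity tag does not verify."""


def _derive(recovery_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an authentication key and a 32-byte key-wrapping pad from the Recovery Password."""
    material = hashlib.pbkdf2_hmac("sha256", recovery_password.encode(), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def seal_recovery_file(computer_id: str, disk_key: bytes, recovery_password: str,
                       salt: bytes) -> bytes:
    """Model of the Policy Administrator's export: bind the key to one computer and seal it."""
    if len(disk_key) != 32:
        raise ValueError("disk_key must be 32 bytes")
    auth_key, pad = _derive(recovery_password, salt)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, pad))
    body = {"computer_id": computer_id, "salt": salt.hex(), "wrapped_key": wrapped.hex()}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(auth_key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def open_recovery_file(blob: bytes, recovery_password: str) -> Dict:
    """Parse and authenticate the file; any failure is reported as a corrupt or unusable DAT."""
    try:
        outer = json.loads(blob.decode())
        body = outer["body"]
        tag = str(outer["tag"])
        computer_id = body["computer_id"]
        salt = bytes.fromhex(body["salt"])
        wrapped = bytes.fromhex(body["wrapped_key"])
        if not isinstance(computer_id, str) or len(wrapped) != 32:
            raise ValueError("malformed body")
    except (ValueError, KeyError, TypeError, UnicodeDecodeError) as exc:
        raise RecoveryFileCorrupt(f"unparseable recovery file: {exc}") from exc
    auth_key, pad = _derive(recovery_password, salt)
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(auth_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # A wrong Recovery Password and a damaged file are indistinguishable here; both stop the run.
        raise RecoveryFileCorrupt("integrity tag does not verify")
    return {"computer_id": computer_id, "disk_key": bytes(a ^ b for a, b in zip(wrapped, pad))}


def read_client_db_identity(client_db: bytes) -> Optional[str]:
    """Return the computer identity recorded in the client database, or None if it cannot be read."""
    try:
        computer_id = json.loads(client_db.decode())["computer_id"]
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return None
    return computer_id if isinstance(computer_id, str) else None


def recover_decision(dat_blob: bytes, recovery_password: str, client_db: bytes,
                     operator_certain: bool = False) -> str:
    """Decide whether the irreversible /B-style step may start, following the guide's rules."""
    try:
        dat = open_recovery_file(dat_blob, recovery_password)
    except RecoveryFileCorrupt:
        return "stop: recovery file corrupt"
    local_id = read_client_db_identity(client_db)
    if local_id is None:
        # Comparison impossible: proceed only on the operator's explicit certainty, otherwise cancel.
        return "proceed (operator confirmed)" if operator_certain else "halt: cannot compare, cancel unless certain"
    if not hmac.compare_digest(local_id.encode(), dat["computer_id"].encode()):
        return "stop: recovery file is for another computer"
    return "proceed"


# Constructed sample data; only the computer name is taken from the guide's filename example.
SAMPLE_KEY = bytes(range(32))
SAMPLE_SALT = b"\x01" * 16
SAMPLE_DAT = seal_recovery_file("D9HCPD3", SAMPLE_KEY, "correct horse", SAMPLE_SALT)
OTHER_DAT = seal_recovery_file("OTHERPC", SAMPLE_KEY, "correct horse", SAMPLE_SALT)
GOOD_DB = json.dumps({"computer_id": "D9HCPD3"}).encode()
CORRUPT_DB = b"\xff\x00garbage"
CORRUPT_DAT = SAMPLE_DAT[:-5] + b"xxxxx"

if __name__ == "__main__":
    for dat, db in [(SAMPLE_DAT, GOOD_DB), (OTHER_DAT, GOOD_DB),
                    (SAMPLE_DAT, CORRUPT_DB), (CORRUPT_DAT, GOOD_DB)]:
        print(recover_decision(dat, "correct horse", db))
```

    The design point is the asymmetry: a mismatch the program can prove is always a stop, while an inability to compare is surfaced as a warning and left to a human who can independently confirm the file's origin, which matches the guide's instruction to continue only when you are absolutely certain the DAT file is the correct one.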

    Regaining Access to Computers with Opal Boot Drives

    Basics

    If your computer has encountered a serious error and you cannot load Windows, run the Recover Program with the /O option. The /O option attempts to repair damaged client database files on Opal drives.

    The Policy Administrator creates the DAT file by exporting a Client Computer's data from the database. For this reason, Recover /O is only available for computers that have checked in at least once with the Symantec Endpoint Encryption Management Server.

    When the Policy Administrator creates the DAT file, the administrator defines a Recovery Password to protect the DAT file. When the administrator provides the DAT, they tell you the password. Typically the administrator gives the DAT file an informative name, perhaps containing the name of the computer and the current date and time, such as D9HCPD3_20090525_Recover.dat.

    Recover /O

    To run Recover with the /O option, you will need the Recover Program CD.

    To perform this procedure:

    1 Remove all bootable media.

    2 Make sure the computer is connected to an uninterruptible power supply.

    3 Insert the Recover Program CD into the appropriate drive.

    4 Restart the computer, booting from the Recover Program CD. You may need to modify the BIOS to boot from CD/DVD. A command line window is displayed, and the Recover Program launches automatically.

    Note: To save the output of the Recover Program to removable media, exit the Recover Program after its initial launch by clicking Exit. At the command-line prompt, type SEERecoverWinPE and press Enter to relaunch the Recover Program. At the command-line prompt, type Notepad and press Enter to launch Notepad. When the Recover Program completes, copy the contents of the Recover Program's document window and paste it into the Notepad document, which you can then save to a USB thumb drive or other removable media.

    5 Confirm that the computer is connected to an uninterruptible power supply, then click Next.

    6 The Choose a physical drive to process menu will be populated with a list of all physical drives connected to the Client Computer. Each entry in the menu will show the physical disk number and size in MB, and will be marked Bootable SEE Full Disk or Unknown to indicate whether the drive is bootable or unmanaged. Only a single Opal drive configured as the boot drive is supported. If more than one disk is shown, ensure that you select the bootable disk for the Recover /O procedure.

    From the drop-down menu, select the physical drive to process, then click Next.

    7 If the integrity check discovers problems, the verification screen will scroll pairs of volume files. When it completes, click Next.


    8 If the selected physical drive passes the integrity check, recover /O will be one of the two recover options available. Ensure that the recover /O option button is selected, then click Next.

    If the verification screen indicates integrity check failure, you have exhausted all recovery options. The only operation that you can perform is to securely erase the drive in preparation for repurposing or disposal. If you are certain that you want to securely erase the drive, see Decommissioning and Repurposing Opal Drives on page 55.

    9 Browse to the DAT file. Enter the Recovery Password associated with the DAT file, then click Next.

    Note: Make sure that you have the correct DAT file. Since the data in the DAT file is computer-specific, running /O using a recovery data file intended for another computer will corrupt your hard disk files.

    If the Recover Program detects a mismatch between the DAT file and the client database files, the program stops and issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Click Cancel to cancel the recovery operation. Contact your Policy Administrator for the correct DAT file that matches your computer.

    10 A message will be displayed warning you to make sure the computer is connected to an uninterruptible power supply. Click OK. The Recover Program will generate several information and warning messages and/or prompts, depending on what the program encounters.

    11 When the process has successfully completed, click Finish. At the command-line prompt, type exit and press Enter to restart the computer.

    If the /O option succeeds in repairing the client database files and you are able to boot, you once again have access to the computer.

    Appendix A

    Novell Support

    This chapter includes the following topics:

    Overview

    SSO for Novell Not Enabled

    Turn On Feature Does Not Work

    SSO Not Enabled

    Overview

    If your organization uses Novell to manage your network, Full Disk makes it possible to associate a user's Symantec Endpoint Encryption/Windows account with a Novell account. The user name and password may be the same or they may be different. SSO for Novell enables a user who logs on in pre-Windows to be admitted to Windows and Novell without further authentication.

    Full Disk's Single Sign-On feature will synchronize with Novell if all of the following statements are true.

    A policy exists for this registered user's Symantec Endpoint Encryption account that enables SSO.

    Symantec Endpoint Encryption has captured the user's Novell account information and synchronized it with the user's Symantec Endpoint Encryption/Windows account.

    The Novell GINA is installed in the GINA chain.

    Refer to the User Guide for a discussion of the user's experience with this feature. This appendix discusses error conditions that could occur.

    SSO for Novell Not Enabled

    When the user clicks the Novell SSO link in the navigation pane, the following message may be displayed: Your Symantec Endpoint Encryption account has the Single Sign-On feature, but your computer is not configured for Novell SSO to work with Symantec Endpoint Encryption.

    This message is related to product installation sequence. The correct installation sequence for Novell SSO to work with Symantec Endpoint Encryption is:

    1 Install Novell Client for Windows.

    2 Install Full Disk.

    If Full Disk is already installed at the time of Novell Client for Windows installation, the following message will be displayed:


    Figure A-1 Novell GINA Authenticator

    No was clicked.

    To fix the problem, correct the installation sequence:

    1 Decrypt any and all encrypted hard disk partitions.

    2 Uninstall Full Disk.

    3 Reinstall Full Disk. The Full Disk software will correctly insert its own GINA in the chain, resulting in the correct GINA chain definitions.

    Turn On Feature Does Not Work

    Typically, if a user selects the Turn on Single Sign-On to Novell Netware check box and logs off or reboots, then logs on to Windows and to Novell, the next time they log on or reboot, Single Sign-On works both for Windows and for Novell. When the user returns to the User Client Console and clicks Novell SSO, they see the Reset Single Sign-On to Novell Netware check box available and their recently captured Novell account information displayed.

    However, if a user selects the Turn on Single Sign-On to Novell Netware check box and then logs on to a Novell account that is already tied to another Symantec Endpoint Encryption registered user account, Symantec Endpoint Encryption will not capture and associate that Novell account with this user's account. Single Sign-On will not work for Novell. When the user returns to the User Client Console and clicks Novell SSO, the user will once again see the Turn on Single Sign-On to Novell Netware option, and no Novell account information is displayed.

    Tell the user that they must select the Turn on Single Sign-On to Novell Netware check box again and then associate their Symantec Endpoint Encryption account with a Novell account that is not currently associated with any other Symantec Endpoint Encryption account.

    SSO Not Enabled

    When the user clicks the Novell SSO link in the navigation pane, the following message may be displayed: Your Symantec Endpoint Encryption account does not have the Single Sign-On feature.

    To enable Novell synchronization for this user, the Policy Administrator needs to push out a policy enabling SSO for the user.

    Appendix B

    Visually Impaired User Support

    This chapter includes the following topics:

    Overview

    After Client Administrator Logon

    Double Registration

    Multiple Users, Multiple Domains/Computer Names

    Overview

    Full Disk provides audio cues through a computer's internal speakers to escort visually impaired users through the pre-Windows logon process.

    To understand the user experience with audio cues, refer to the User Guide.

    The feature is designed and documented for use with no prefilled user name and a prefilled domain, as discussed in the Installation Guide.

    This appendix discusses the difficulties that a visually impaired password-based user may experience under the following circumstances:

    The last person to log on to this Client Computer in pre-Windows was a Client Administrator.

    The registered user is the only user on this computer, but has registered for two Symantec Endpoint Encryption accounts: a domain account and a local account.

    Multiple users have registered with a mix of domain and local accounts.

    After Client Administrator Logon

    When a Client Administrator l