HOW TO: Recover a Locked System with PGP Remote Disable and Destroy

Article:HOWTO51881  |  Created: 2011-05-05  |  Updated: 2011-05-05  |  Article URL http://www.symantec.com/docs/HOWTO51881
Article Type
How To



If a computer is locked because the PGP RDD timers expired or because it was marked stolen, you must unlock it by using one of the following procedures. You will need the recovery passphrase or recovery token, as well as the Whole Disk Recovery Token (WDRT).
The computer also locks after multiple failed attempts to enter a passphrase at the PGP BootGuard screen. To unlock the computer in that case, you will need the recovery passphrase, but not the WDRT.
 
NOTE: This lockout is not the same as the WDE lockout function enabled by the "Lock passphrase user accounts after [x] failed login attempts" setting.
 
The recovery passphrase is created when Intel Anti-Theft activates. The passphrase is usually all you need to unlock the computer, but if the passphrase fails, use the recovery token. Because the passphrase recovery process is simpler, it is best to try that procedure first, before moving on to the recovery token.
 
Caution: Before you begin the recovery process, change the laptop status from stolen to activated on the PGP RDD Systems screen. If you do not, it is possible that the laptop will lock and shut off again at the first rendezvous after recovery.
 
To unlock a computer using a Recovery Passphrase and a WDRT:
 
  1. Log in to the PGP Universal Server admin interface.
  2. Click Consumers > Devices and then click the WDE Computers button.
  3. Select the user’s computer and click View WDRT.
  4. Note the WDRT for the user.
  5. Click Services > PGP RDD.
  6. Select Manage PGP RDD with Intel Anti-theft Technology. The PGP Universal RDD Administration screen is displayed.
  7. Click the Stolen button and then select the desired computer to recover.
  8. Change the status of the computer to AT Activate.
  9. Click the icon in the passphrase column for the laptop. The Recovery Passphrase dialog box appears.
  10. Note the Recovery Passphrase.
  11. Contact the user with the locked computer.
  12. When the locked computer starts, a screen appears requesting the user to choose to recover using either a passphrase or a token.
NOTE: The words on the screen will differ depending on the computer manufacturer. For example, the recovery passphrase might be called a User Password, and the recovery token might be called a Server Token Password.
  13. Have the user select the passphrase or password option.
  14. Have the user type the Current Recovery Passphrase into the computer. Use the most current passphrase, and not one marked Pending. Client computers will not recognize pending passphrases. The computer unlocks, and PGP BootGuard appears.
  15. Provide the user with the Whole Disk Recovery Token.
If the recovery passphrase does not unlock the computer, you must use the recovery token instead.
 
To recover a locked computer using a Server Recovery Token and a WDRT:
 
  1. Log in to the PGP Universal Server admin interface.
  2. Click Consumers > Devices and then click the WDE Computers button.
  3. Select the user’s computer and click View WDRT.
  4. Note the WDRT for the user.
  5. Click Services > PGP RDD.
  6. Select Manage PGP RDD with Intel Anti-theft Technology. The PGP Universal RDD Administration screen is displayed.
  7. Click the Stolen button and then select the desired computer to recover.
  8. Change the status of the computer to AT Activate.
  9. Click the icon in the passphrase column for the laptop. The Recovery Passphrase dialog box appears.
  10. Click Generate Server Recovery Token on the Recovery Passphrase dialog box. The Generate Recovery Token dialog box appears.
  11. Have the user restart the computer and choose the recovery token option.
A long series of numbers appears on the user's screen. The numbers might be called the Platform Recovery ID.
 
Best Practice: If the user has access to a camera phone or smartphone, he can take a photograph of the numbers and token screen on the computer and send it by instant message or email to you.
 
  12. On the Generate Recovery Token dialog box, type the number into the System Recovery Pair field, and click Generate Server Recovery Token.
 
Three versions of the recovery token appear. Choose the recovery token appropriate for the manufacturer of the computer. If one version of the token does not work, try another.
 
Hexadecimal - Often works with HP laptops. Be careful to type the token exactly as it appears, including punctuation.
Decimal - The recommended token format, which should work with most computers other than HP and Lenovo.
Base32 - Often works with Lenovo and Panasonic laptops.
 
  13. Inform the user of the token and have the user type the token into the computer. The computer unlocks, and PGP BootGuard appears.
 
NOTE: The recovery process is on a timer and can time out. If you run out of time while entering the token, restart the computer and restart the recovery procedure. The Platform Recovery ID and Recovery Token both change if you restart recovery.
 
  14. Provide the user with the Whole Disk Recovery Token.

 


