HOW TO: Enable Multiple PGP WDE Authenticated Bypass Restarts

Article:TECH171485  |  Created: 2011-10-11  |  Updated: 2013-09-10  |  Article URL http://www.symantec.com/docs/TECH171485
Article Type
Technical Solution


Issue



Once a computer is encrypted using PGP Whole Disk Encryption, the user must normally enter authentication credentials to successfully boot to the operating system. The prompt for the passphrase to authenticate for PGP WDE is called the PGP BootGuard. 

The PGP Whole Disk Encryption authenticated restart bypass feature was designed so that an administrator, after providing authentication credentials to PGP WDE, can boot the machine without entering authentication credentials at the PGP BootGuard prompt. This feature can be useful for system maintenance when one or more reboots are necessary and bypassing the normal PGP BootGuard screen is desired.

By default, the maximum number of bypass reboots is set to one. This article details how to allow the bypass restart to be used multiple times.

Note: Bypassing the BootGuard more than 51 times works only if the WDE-ADMIN user is also enrolled with the Symantec Encryption Management Server. If the user is not enrolled, the limit is 51 bypasses.


Solution



The PGP Whole Disk Encryption authenticated restart bypass feature must be enabled for use on the PGP WDE client, but a PGP Universal Server administrator can set a preference on the server that limits the feature on the client.
 

The server preference is wdeMaximumBypassRestarts.
 

By default, if no wdeMaximumBypassRestarts preference is present on the PGP Universal Server, its value defaults to 1, allowing a single bypass operation to be specified on a PGP WDE-encrypted client. 
Setting wdeMaximumBypassRestarts to a positive integer (1 to 1000000) determines the maximum number of authentication bypasses that can occur.
 

Setting wdeMaximumBypassRestarts to 0 (zero) disables the authentication bypass feature (the creation of a bypass user).

 

Use the following steps to set the preference for wdeMaximumBypassRestarts:

1. Log in to PGP Universal Server.

2. Open Consumers > Consumer Policy and choose the policy that applies to the user.

3. Under the General option, click Edit, then click Edit Preferences.

4. For Client, choose "PGP Desktop Client".

5. Click Set and enter the following information:

  • Pref name: wdeMaximumBypassRestarts
  • Type: Integer
  • Value: 10 (or whatever number of bypass restarts you want to allow)

6. Click on Save.

7. Update the server policy on the client by clicking the PGP Tray icon in the Windows System Tray and then clicking Update Policy.

8. Open a command prompt window and switch to the PGP directory (normally located in C:\Program Files\PGP Corporation\PGP Desktop)

9. Run the command:

       pgpwde --add-bypass --disk <number> [--count <number>] --admin-passphrase <phrase>

Example: pgpwde --add-bypass --disk 0 --count 10 --admin-passphrase "123!"   (the admin passphrase here is 123!)

10. You can check how many bypass restarts are left using this command:

     pgpwde --check-bypass
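The policy rules above (the default of 1 when the preference is absent, 0 disabling the feature, the 1 to 1000000 range, and the cap of 51 for a WDE-ADMIN user who is not enrolled with the server) can be checked before running pgpwde --add-bypass. The following is an added example, not Symantec or PGP code: it models those rules so an administrator can verify that a planned --count value fits the policy. The function names, the use of None for a missing preference, and the assumption that the requested count is compared against the effective limit are all this example's own.

```python
"""Model of the wdeMaximumBypassRestarts rules described in the article.

Added example, not PGP/Symantec code. It reproduces the stated rules so a
planned `pgpwde --add-bypass --count <n>` can be checked against policy.
Assumptions (not in the article): a missing preference is modelled as None,
and the requested count is compared against the effective limit.
"""
from dataclasses import dataclass
from typing import Optional

PREF_DEFAULT = 1          # value used when the preference is absent on the server
PREF_MAX = 1_000_000      # upper bound of the positive range the article gives
UNENROLLED_CAP = 51       # limit when WDE-ADMIN is not enrolled with the server


@dataclass(frozen=True)
class BypassDecision:
    allowed: bool
    effective_limit: int
    reason: str


def effective_bypass_limit(pref_value: Optional[int], enrolled: bool) -> int:
    """Return the number of bypass restarts the policy permits.

    None falls back to the default of 1, 0 disables the feature, values outside
    0..1000000 are rejected, and an unenrolled WDE-ADMIN user is capped at 51.
    """
    if pref_value is None:
        pref_value = PREF_DEFAULT
    if pref_value < 0 or pref_value > PREF_MAX:
        raise ValueError(
            f"wdeMaximumBypassRestarts must be 0..{PREF_MAX}, got {pref_value}"
        )
    if pref_value == 0:
        return 0
    if not enrolled:
        return min(pref_value, UNENROLLED_CAP)
    return pref_value


def validate_bypass_request(
    count: int, pref_value: Optional[int], enrolled: bool
) -> BypassDecision:
    """Decide whether a `--count <count>` request fits the server policy."""
    limit = effective_bypass_limit(pref_value, enrolled)
    if limit == 0:
        return BypassDecision(False, 0, "bypass feature disabled by policy (preference is 0)")
    if count < 1:
        return BypassDecision(False, limit, "count must be at least 1")
    if count > limit:
        capped = (not enrolled) and limit == UNENROLLED_CAP
        why = "unenrolled cap of 51" if capped else "policy maximum"
        return BypassDecision(False, limit, f"requested {count} exceeds {why} ({limit})")
    return BypassDecision(True, limit, "within policy")


if __name__ == "__main__":
    # Constructed scenarios using the article's own values (10 in the example,
    # the default of 1, the unenrolled cap, and the disabling value 0).
    scenarios = [(10, 10, True), (10, None, True), (100, 1000, False), (5, 0, True)]
    for count, pref, enrolled in scenarios:
        d = validate_bypass_request(count, pref, enrolled)
        print(f"count={count:<4} pref={pref!s:<5} enrolled={enrolled!s:<5} "
              f"-> allowed={d.allowed} limit={d.effective_limit} ({d.reason})")
```

Running the script shows that the article's example (--count 10 with the preference set to 10) is accepted, that the same request fails when the preference was never set because the default allows only one bypass, and that a request of 100 from an unenrolled WDE-ADMIN user is capped at 51 even when the server preference is higher.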
