Video Screencast Help

Migrating from Checkpoint Pointsec for PC with Symantec's Management Platform 7

Created: 10 Sep 2010 • Updated: 04 Nov 2010 | 3 comments
Language Translations
Mike Ainsworth's picture
0 0 Votes
Login to vote

If your organization is one of the many that have deployed full disk encryption products in their environments to mitigate the risk of data-loss, then you are already aware of the operational challenges associated with full disk encryption.  If deploying and managing a full disk encryption product is challenging, then migrating to a new encryption technology can seem like an impossible task.  Of course, not all full disk encryption products are management nightmares.  Take a look at Symantec's Endpoint Encryption product which includes integration into the Symantec Management Platform and a robust management console.  Many customers would like to migrate from their existing encryption provider to Symantec Endpoint Encryption, but the logistics involved can seem insurmountable.  This article takes a look at this very scenario by removing Pointsec for PC 6.3.1 in the following example. 

Normally this would be a very disruptive process and require allot of time and attention from the IT staff.  With the powerful task execution capabilities of the Symantec Management Platform and some creative scripting, the process can be controlled minimizing the amount of time an endpoint would be unencrypted as well as the burden on your IT staff.

Preparing for Pointsec Removal

Performing a managed removal of Pointsec for PC 6.3.1 requires the following items to be configured:

  • An Uninstall Profile must be created using the Pointsec for PC management console
  • Pre-boot authentication must be disabled if you wish to perform a zero-touch removal of the product
  • Auto-admin logon must be temporarily enabled on the endpoint to complete the Pointsec uninstall. 
    (Note: this step is not required if you intend to re-image the pc)

Creating your Uninstall Profile

From the Pointsec Management Console (typically located on the same machines with the encryption software installed), create a new profile > uninstall and name it whatever you like.

The uninstall profile will be stored in the shared profile storage directory by default.
IMPORTANT: Do NOT right click > publish the uninstall profile to the "update" directory.  If you do, removal of pointsec on all endpoints will be initialized immediately.

Disabling Pre-boot Authentication

From the Pointsec Management Console, create a new profile > update.
 

Configure the profile to enable the "Integrated Windows Logon".  This will disable the pre-boot authentication requirement and will prevent someone from manually logging on to the system in order for you to complete your task.
 

This profile could be published to the "update" share now or as part of our Job.  In this example, we will deploy the update profile to the endpoint with our Job.

Configure Auto-Admin Logon

If you intend to fully uninstall Pointsec from the system and not simply re-image the machine after it has been decrypted, you will need to configure the endpoint to automatically logon one time for the uninstallation to complete.  The simplest way to do this is to configure an "autoadminlogon" value in the HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon registry hive.  There are several inherent security risks in doing this, one of which is that a user account and password need to be passed to the registry and stored in clear text.  To mitigate this risk, consider packaging your AutoAdminLogon command as a .EXE, MSI or Virtual Software Archive using Wise Package Studio.

For more information on Symantec Workspace Virtualization, checkout the Endpoint Virtualization articles on Symantec Connect.  For more information on AutoAdminLogon, see http://support.microsoft.com/kb/324737

Configure your Filter

To configure the Symantec Management Platform to recognize the presence of Pointsec for PC on the endpoints, the Symantec Software Catalog will need to be configured with an entry for Pointsec.  The easiest way to add Pointsec to the catalog is to import the .MSI package into the Software Library.

 

Once imported, we can quickly analyze the environment with a targeted software inventory as well as create the dynamic Filters for management tasks.
To create a new Filter showing the systems with Pointsec installed, right > click the software catalog entry for Pointsec for PC and select "Actions" > "Create Installed Software Filter".

Configure the Tasks and Job

The biggest challenge in managing the removal of Pointsec for PC v6.3.1 is that it was not designed for managed removal.  Centralized visibility of the encryption state and automated removal will require your Job to initiate reboots at the right time so that your user doesn't have to do this manually.  We will configure our job to listen to the "EncryptionState" registry value that Pointsec uses to identify when the endpoint is  Decrypted (EncryptionState=0).
Create a job that includes the following tasks:

  1. Copy the Pointsec Uninstall Profile to the Pointsec Work Directory
    This step initiates the uninstall of Pointsec.  Using the "copy file" task type, copy the uninstall profile to the "C:\Program Files\Pointsec\Pointsec for PC\Work" directory on the endpoint.

     

  2. Wait 15 Seconds
    Using the "run script" task type we will use a simple wscript.sleep command to allow Pointsec sufficient time to absorb its new policy before we send down the next one.

     

  3. Copy the Pointsec Update Profile to the Pointsec Work Directory
    This step disables the pre-boot authentication requirement in Pointsec.  Using the "copy file" task type, copy the update profile to the "C:\Program Files\Pointsec\Pointsec for PC\Work" directory on the endpoint. (tip: clone and modify the task you created in Step 1)

     

  4. Wait 15 Seconds
    (You can re-use the Task you created in Step 2)
     
  5. Power Control - Restart
    To initialize the decryption process the endpoint must be restarted.  Use the default 'Power Control' task type

     

  6. Run EncryptionState monitor vbscript
    Using the default "Run Script" task type create a vbscript that will poll the value of the "EncryptionState" registry key on the endpoint every second.  When the value is 0, the task will complete and the disk is encrypted.
    Note: It is very important that you visit the "advanced > run options" of the script task and disable the default setting to "End Task after 30 minutes" since this must run for several hours

     

  7. Auto-Admin Logon Enabled
    Using a "Quick Delivery Task" associated with my Auto Admin Logon package I will enable this temporarily on the endpoint.

     

  8. Power Control - Restart
    To complete the removal of Pointsec, a reboot is required.  By forcing a reboot from the management platform, no user input is required.
    (You can re-use the Task created in step 5)
    Note: If you intend to re-image the machine after the drive has been decrypted, you may skip the auto-admin logon and begin booting to PXE/Automation here.
     
  9. Run EncryptionInstalled monitor vbscript
    After the system has rebooted and the default user account has been logged in, the uninstallation will continue.  Using the "Run Script" task type, create a vbscript that will run in the background polling the registry for Pointsec every second.  When Pointsec no longer exists, the script will exit and the task will complete. 
    Note: The example depicted here is looking for the MSI product code for this specific version of PointSec (31B33270-24D7-4307-84F2-A3288636B83A).  Verify your product code before implementing.  One easy way to do this is to edit the "detection rule" from the software package properties in the Software Catalog.  This one was too big to capture in a screenshot, so the code is as follows:
     

    Option Explicit
    Dim LoopAgain   
    LoopAgain = False
              Do
               LoopAgain = False
               If RegistryKeyExists("HKLM","Software\Microsoft\Windows\CurrentVersion\Uninstall","{31B33270-24D7-4307-84F2-A3288636B83A}") = True Then
                WScript.Sleep(1000)
               Else
                LoopAgain = True
               End If
              Loop Until LoopAgain = True
    
    Function RegistryKeyExists(LNGHKEY, strKey, strSubkey)
         Const HKLM = &H80000002
         Const HKCU = &H80000001
         Const HKUSERS = &H80000003
         RegistryKeyExists = False
         Dim reg, aSubkeys, s, hkroot
         If LNGHKEY = "HKLM" Then hkRoot = HKLM
         If LNGHKEY = "HKCU" Then hkRoot = HKCU
         If LNGHKEY = "HKCR" Then hkRoot = HKCR
         If LNGHKEY = "HKUSERS" Then hkRoot = HKUSERS
         Set reg = GetObject("WinMgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
         reg.EnumKey hkroot, strKey, aSubkeys
         If Not IsNull(aSubkeys) Then
             For Each s In aSubkeys
                 If lcase(s)=lcase(strSubkey) Then
                     RegistryKeyExists = True
                     Exit Function
                 End If
             Next
         End If
    End Function

Disable the AutoAdminLogon
Using another Quick Delivery Task and the AutoAdminLogon package created previously, we will remove the AutoAdminLogon from the registry

 

 

  • Power Control - Restart
    When the uninstall has completed, Pointsec will prompt for a manual reboot of the system.  By forcing a reboot from the management platform, no user input is required.
    (You can re-use the Task created in step 5)
  • On a typical endpoint, decryption performance is about 10gb/hour so this task will take some time to complete.  After those steps have been completed, the drive has been decrypted and the system is now ready to receive additional instructions. Add additional Jobs and Tasks to this job to customize to your needs.

     

    Comments 3 CommentsJump to latest comment

    Mike Ainsworth's picture

    The vbscript in Step 9 should be:

    Option Explicit
    Dim LoopAgain   
    LoopAgain = False
              Do
               LoopAgain = False
               If RegistryKeyExists("HKLM","Software\Microsoft\Windows\CurrentVersion\Uninstall","{31B33270-24D7-4307-84F2-A3288636B83A}") = True Then
                WScript.Sleep(1000)
               Else
                LoopAgain = True
               End If
              Loop Until LoopAgain = True

    Function RegistryKeyExists(LNGHKEY, strKey, strSubkey)
         Const HKLM = &H80000002
         Const HKCU = &H80000001
         Const HKUSERS = &H80000003
         RegistryKeyExists = False
         Dim reg, aSubkeys, s, hkroot
         If LNGHKEY = "HKLM" Then hkRoot = HKLM
         If LNGHKEY = "HKCU" Then hkRoot = HKCU
         If LNGHKEY = "HKCR" Then hkRoot = HKCR
         If LNGHKEY = "HKUSERS" Then hkRoot = HKUSERS
         Set reg = GetObject("WinMgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
         reg.EnumKey hkroot, strKey, aSubkeys
         If Not IsNull(aSubkeys) Then
             For Each s In aSubkeys
                 If lcase(s)=lcase(strSubkey) Then
                     RegistryKeyExists = True
                     Exit Function
                 End If
             Next
         End If
    End Function

     

    0
    Login to vote
    ohzone - CherylPeterson's picture

    I fixed that portion in Step 9 - hope it looks better now!

    Cheryl

    Endpoint Management,
    Endpoint Virtualization
    Managing Mobility
    Community Manager
    www.twitter.com/EMnV_symc
    Need Altiris help? IRC chat #Altiris

    0
    Login to vote
    Mike Ainsworth's picture

    I realized that the screenshot I included in step 6 wasn't properly sized and the entire script is not visible. The full script is:

     

    'vbscript
    'monitor value of Pointsec Encryption State until decrypted (EncryptedState=0)
    Dim oShell
    Set oShell = CreateObject("WScript.Shell")
    Do
    WScript.Sleep(1000)
    Loop Until oShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Pointsec Mobile Tech\Pointsec for PC\EncryptionState") = 0
    0
    Login to vote