File Share Encryption

  • 1.  Bootguard Simple, won't go Detailed on some clients

    Posted Feb 24, 2016 11:27 AM

    Symantec Encryption Server Version 3.3.2 MP11

    Clients are running Symantec Encryption Desktop 10.3.2 MP11. Most of the ones in question here are Dell E7440 and E7450, 64Bit Win7 with 240GB SSD

    The issue we're having is that some of the laptops in our group are putting up the Simple Bootguard screen at startup, even though we have the Symantec Encryption Server set to require the Detailed Bootguard screen. Does not seem to happen on any of the office desktop PCs. The biggest problem this presents is that the Admin Passphrase does not work on the Simple screen. Only users that have logged into Windows while unlocked and registered their domain password can unlock from the Simple screen (inconvenient when doing tech support). The only way around this is to generate a WDRT.

    This was the only similar post I've found so far on the forum. The solution suggested here sounded promising;  http://www.symantec.com/connect/forums/bootguard-loading-default-settings

    But that did not make any difference on my test machine, which I had just imaged and installed SED. Still boots to the Simple screen. Another odd wrinkle is that my own laptop is the same model, running the same everything, yet mine boots to the Detailed screen as desired. We're at a loss to determine why there is a difference and what to do about it. Any ideas would be most appreciated.

    Cheers!



  • 2.  RE: Bootguard Simple, won't go Detailed on some clients

    Broadcom Employee
    Posted Feb 25, 2016 04:06 AM

    From your description I suppose that the machine is obtaining a different consumer policy. How many policies and how many groups do you have configured?

    You can also check who was logging in to this machine (check Windows profiles) and how many users are assigned to the disk (run the command line, go to "C:\Program Files (x86)\PGP Corporation\PGP Desktop" and run the "pgpwde --list-users --disk <disk-number>" command, where <disk-number> would be the number of the encrypted disk. You can check the number from Disk Management in Windows, or by running the "pgpwde --enum" command).



  • 3.  RE: Bootguard Simple, won't go Detailed on some clients

    Posted Feb 25, 2016 03:07 PM

    Hi, and thanks for your reply.

    To answer your question; Policies- Under "Consumer Policy", there are the "Default" and "Excluded" built-in policies. Then we have two which we've named "Front Desk Systems" and "IT Policy". All are set under the heading "Encryption BootGuard Customization" to "Display Detailed Authentication Fields", with Remember Domain checked and Default Domain set.

    Then we have Groups- The standard "Everyone" (128) and "Excluded" (0). Then we have "Domain Users" (114), "IT"(3), "CompanyB Users" (0) and "Front Desk Systems" (0).

    As I mentioned in my original post, it (the Simple BG screen) happens on a handful of machines (all laptops). The test machine I'm working on was freshly imaged, and Windows up to date, prior to installing Symantec Encryption Desktop.

    The only user that had logged into the test machine was myself. After ending up with the simple screen, I had another employee log in and register her password as well. But that did not change anything. Running the command line you suggested confirms this.

    Out of curiosity, I did try changing the OU that the computer name was in. Did gpupdate /force, then updated the SED policy from the tray icon. Rebooted-No change.



  • 4.  RE: Bootguard Simple, won't go Detailed on some clients
    Best Answer

    Posted Feb 25, 2016 06:12 PM

    Open the Symantec Encryption Desktop on an affected system.  Go to PGP Disk>Encrypt Disk or Partition.

    Does the drive show up as Removable Media?  If so, this system cannot boot with detailed auth, as it thinks it is removable.  This should be fixed for the E7440 in 10.3.2 mp12, which is out now.



  • 5.  RE: Bootguard Simple, won't go Detailed on some clients

    Posted Feb 29, 2016 04:24 PM

    Indeed, it does show up as "Removable Media".

    I'll post results after update. Thanks!



  • 6.  RE: Bootguard Simple, won't go Detailed on some clients

    Posted Mar 17, 2016 04:36 PM

    Success!

    After the SysAdmin updated the PGP Server, I rebooted the laptop.

    Symantec then prompted for program update. Accepted. It prompted for reboot again.

    Then right-clicked the tray icon to "Update Policy". Next reboot revealed the desired "Detailed Bootguard Screen".

     

    (I'm assuming I'll need to do this now on all affected clients)

    Thanks for the advice!