File Share Encryption

 View Only
  • 1.  How reliable is the Bootguard Bypass?

    Posted May 06, 2011 09:27 AM

    We are utilizing the bypass for various software pushes and are finding that once the bypass is set (and confirmed that there is 1 reboot remaining), the PC still gets hung up at the bootguard screen upon reboot.

    I am wondering if there is a certain event that is removing the bypass, or if there is a time issue.  Some of the PCs are not restarted for a few days after the bypass is set.

    Is anyone experiencing this issue?

    Thanks!



  • 2.  RE: How reliable is the Bootguard Bypass?

    Posted May 06, 2011 05:08 PM

    This forum is devoted to the PGP Command Line product.  For WDE related questions, please post to the PGP WDE for Windows forum.



  • 3.  RE: How reliable is the Bootguard Bypass?

    Posted May 19, 2011 10:05 PM

    I have moved this topic/thread to the appropriate location.

    I have not heard of this type of behvior with other customers. The questions I would ask are:

    • Which windows version(s) are you using?
    • Which version of PGP desktop?
    • What are you using to do the software pushes?
    • What percentage of the time do you see this behavior?
    • Do you see this only on certain types of machines?

    I'm not certain any of those are directly relevant to your situation. They are, however, how I would start trying to identify and replicate the problem.



  • 4.  RE: How reliable is the Bootguard Bypass?

    Posted May 20, 2011 02:22 PM

    Machines are XP SP3. All pc's in question are running PGPDesktop 10.1.1.18. The U.S. is 3.1.0 (Build 860). I did have issues with the bypass in the last version (would not set at all), but that was addressed in 10.1.

    We use Altiris DS and NS6.5 to distribute software.

    I have a test group of 250 computers that have an unreliable bypass experience.  Bypass is set, bypass user is confirmed active, restart and sometimes get bootguard and sometimes bypasses with no problems.

    In some cases, the PC may not be restarted for 12-24 hours after bypass is set but some machines keep it that long and some do not.

    I cannot seem to find a common cause.

    Thanks!



  • 5.  RE: How reliable is the Bootguard Bypass?

    Posted May 21, 2011 08:01 AM

    Are you setting/adding the bypass using the --aa flag (and domain credentials for an account in the WDE-ADMIN group in AD)?

    Do you see the same behavior if you set the bypass count to something higher? (I'm wondering if PGP is erroneously decrementing the count for some reason.)

    Do you see anything relevant in the PGP Desktop log (%appdata%/PGP Corporation/PGP/PGPlog.txt)? I expect you will need to enable debug logging and you may not see anything even then. (Enabling debug logging is covered in TECH149847.) As a side note, the log file has unix style line endings. This makes it painful to look at using notepad. Wordpad and the notepad replacements I have tried work just find though.



  • 6.  RE: How reliable is the Bootguard Bypass?

    Posted Jun 09, 2011 02:30 PM

    Yes, setting bypass successfully with --aa.  Was going to try a higher count but went in a different direction for security reasons.  It appears that the bypass is generally quite sensitive. If you set the bypass and reboot right after, it is fine. Our issue is when you set the bypass and the machine is in use for awhile before restarting, then it does not work so well. 

    I did open a ticket with support yesterday for a closer look into it.

     

    Thanks!



  • 7.  RE: How reliable is the Bootguard Bypass?

    Posted Jun 28, 2011 09:32 AM

    I do PGP administration at our company as well as Altiris to a certain extent.  Anything that needs to be built specifically for PGP I usually handle.  Creating SWD packages, adding tasks to Task Server to help desktop support manage the app and end users.  One of the things that I have added is a bootguard bypass.  If they push a task to a machine and need to reboot it remotely they can without it sitting on bootguard.  Also it can be chained into other jobs as needed.

    We primarily use 9.12 on all laptops and bypass works pretty much flawlessly.  The only downside is you have to pass the command every time.  We upgraded our servers recently to support version 10 of the client and one of the reasons was being able to set multiple bypasses with one command in version 10.  We have NEVER been able to get this to work properly in ANY version of 10.  Despite how high you set the bypass restarts to, you can only bypass once.  Any other number specified other than 1 results in a failure to add the bypass user.  We have had a case open with PGP (along with 4 others for various issues) without resoluition.  This case remains open with very little progress.