File Share Encryption

  • 1.  Issues with WDE-ADMIN working since upgrade

    Posted Jan 30, 2014 06:21 PM

    Hello awesome Symantec connect members,

    I'm having an issue that I did not have before upgrading my PGP Universal Server and client to version 110.3.1MP1. When I run a command, for example to bypass the Bootguard screen, I would typically enter pgpwde --add-bypass --disk 0 --count 1 --admin-authorization and it would work successfully. Now I receive an error code -12198: Not permitted by your Administrator. When I run that same command with --admin-passphrase <my password>, it works.

    I still have the same WDE-ADMIN group in AD with the same AD user groups in there. Do I have to move the WDE-ADMIN group to a specific OU for it to work now? I also verified that in my disk's authorized users list, I do have the WDE Administrator type: Symmetric A: M account in there. Like I stated, nothing changed except the version.

    Please help, someone. Thanks



  • 2.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Jan 30, 2014 06:43 PM

    Try this command:

    type pgpwde --add-bypass --admin-authorization --disk 0 and press Enter

    This adds one bypass.

    Thanks

    Anthony



  • 3.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Jan 31, 2014 01:35 PM

    Anthony,

    Thanks for responding. I tried that command as well and it did the same thing. I had my colleague try the command; he is also in the WDE-ADMIN group, and his commands work. Therefore, I narrowed the problem down to my computer only. I noticed that when I even ran a policy update command I received a weird error stating that my computer could not contact the domain or it didn't exist, but it did update the GPO eventually. Weird. I tried this under a different profile and it did the same thing, so I knew it was not my profile being corrupted. The next thing I did was remove my computer from the domain, reboot, and place it back in the domain. To my surprise, the --admin-authorization commands started working and I was able to do a gpupdate /force command with no more funky errors. Not sure when this happened and what caused it, but I'm good now.

    This leads me to another problem related to running the WDE commands. When my colleague ran the command as a test for me, the command completed, but he received 6 Read MBR error messages before the command was successful. Below are the actual command and errors. It seems like he gets these MBR errors on any of the commands, though. Any thoughts on what this might be and how to fix it? Anyone? I'll keep investigating, and I'll post the fix if I find one as well.

    C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --remove-bypass --disk 0 --admin-authorization
    Read MBR error
    Read MBR error
    Read MBR error
    Read MBR error
    Read MBR error
    Read MBR error
    Request sent to Remove bypass was successful



  • 4.  RE: Issues with WDE-ADMIN working since upgrade

    Broadcom Employee
    Posted Jan 31, 2014 03:56 PM

    Hi 3L3M3NT,

    Usually MBR errors are not something good.
    From my perspective the best plan of action is to back up all your data, decrypt the disk, and run a disk integrity check using chkdsk and other tools provided by the disk manufacturer or a third party.

    Rgs,
    dcats



  • 5.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Feb 04, 2014 01:50 PM

    Hello,

    Check the integrity of the hard drive, as Dcats mentioned.

    On your server, did you add the wdeMaximumBypassRestarts to the Xml.prefs, or are you just going to use the default 51 passes that are allowed without the string?



  • 6.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Feb 05, 2014 06:20 AM

    This is more a side comment on the WDE-ADMIN group. The client does not query AD to get the list of group members and check if the running user is actually in that group. The client does, however, check the MemberOf attribute of the user running the command and checks if one of the values in this attribute matches WDE-ADMIN. The location in AD of the group itself (which OU etc.) should not matter.
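
A diagnostic that follows from posts 3 and 6, added here as an example and not part of any poster's reply: it checks the machine's domain secure channel (the trust that post 3 restored by rejoining) and reads the logged-on user's own memberOf attribute for a WDE-ADMIN entry, the attribute post 6 says the client consults. It assumes a domain-joined Windows client with PowerShell and a reachable domain controller; the PGP client itself is not invoked.

```powershell
# Added diagnostic, not from the thread: shows what the WDE client (per post 6) would
# see for the current user: the user's own memberOf attribute, not the group's member list.
# Group name WDE-ADMIN is from the thread; domain reachability is assumed.
$GroupName = 'WDE-ADMIN'

# Post 3 fixed error -12198 by rejoining the domain; confirm the machine trust first.
# (Needs an elevated prompt; returns $false or errors when the secure channel is broken.)
try   { $channelOk = Test-ComputerSecureChannel -ErrorAction Stop }
catch { $channelOk = $false }
"Machine secure channel to domain OK      : $channelOk"

# Read memberOf for the logged-on user straight from AD via ADSI (no RSAT needed).
$filter   = "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$searcher = [adsisearcher]$filter
$searcher.PropertiesToLoad.Add('memberOf') | Out-Null
$user = $searcher.FindOne()
if (-not $user) {
    Write-Warning "AD lookup for $env:USERNAME failed; domain unreachable or not domain-joined."
    return
}
$memberOf = @($user.Properties['memberof'])

# memberOf lists direct group memberships as distinguished names, e.g.
# CN=WDE-ADMIN,OU=Security Groups,DC=example,DC=com. Matching on the CN alone means
# the OU the group lives in is irrelevant, which agrees with post 6.
$direct = $memberOf | Where-Object { $_ -match "^CN=$([regex]::Escape($GroupName))," }
"Direct memberOf entry for $GroupName     : " + $(if ($direct) { $direct } else { 'none' })

# Caveat: memberOf holds only direct memberships; nested membership and the primary
# group are absent. The logon token does expand nesting, so compare the two.
$token = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
         ForEach-Object { try { $_.Translate([Security.Principal.NTAccount]).Value } catch { } }
$inToken = $token | Where-Object { $_ -like "*\$GroupName" }
"Token contains $GroupName (incl. nested) : " + [bool]$inToken
if ($inToken -and -not $direct) {
    Write-Warning "$GroupName is reached only via nesting; it will not appear in memberOf."
}
```

If the secure channel check fails while the memberOf lookup succeeds from another machine, the symptom matches post 3, where rejoining the computer to the domain restored --admin-authorization.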


  • 7.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Feb 10, 2014 03:00 PM

    It turned out to be something with the secondary drive that my colleague had installed on his laptop. What was weird was that when we removed the drive and ran any command like pgpwde --remove-bypass --disk 0 --admin-authorization, we received no Read MBR errors.

    Now, after plugging the secondary drive back in, we could not access the partition anymore. When accessing the drive, Windows thought it was an unformatted partition and wanted to format it. I slaved the drive on another machine and booted into a boot CD that contains the PGPWDE command line support. I was able to authenticate to the drive using the built-in admin account. I also issued a decrypt command and the drive decrypted with no problem. We then put the drive back into my colleague's computer and encrypted it with no problems or MBR errors when running PGPWDE commands.

    I still have no idea what caused this Read MBR error in the first place. Before all this I did run a check disk on the drive and even ran an HDD Regenerator scan; no bad sectors were found on this drive. The drive is healthy. The drive contained no OS, just a backup of various office files. Now, the primary drive is a solid state drive and this one is a normal mechanical drive. Not sure if mixing them would cause glitches? I would think not.

    Hey Anthony_Betow, what exactly is this wdeMaximumBypassRestarts setting in the xml.pref file? I never messed with this and I'm sure the default setting of 51 passes is still set. What exactly do these 51 passes do? Does this 51 represent the max you can set? If so, not sure why that would cause a problem; other machines are not having any issues.



  • 8.  RE: Issues with WDE-ADMIN working since upgrade

    Posted Feb 10, 2014 03:44 PM

    For the Bootguard Bypass, 51 passes is the maximum allowed without this string added on the server.

    If you want to go past this amount, then this string would have to be added to the Server XML file, which is under your policy: General, Edit, Edit preferences.

    You can set up to a million bypasses with this string using the WDE-Admin Group.

    http://www.symantec.com/business/support/index?page=content&id=TECH171761

    If update policy doesn't update the prefs.xml to the correct value, then a re-enroll would have to happen to download the new prefs file from the server to set the bypass higher than 51.

    If you choose to set the bypass higher than 51, then follow the article at the link. This will only work in a managed environment with the PGP server. If you are stand-alone, PGP will not let you go past 51 passes.