Endpoint Encryption

  • 1.  Log-in using roaming profiles with Symantec Endpoint Encryption

    Posted Dec 01, 2014 05:24 PM

    Hello, 

    My firm is in the process of deploying Symantec Endpoint Encryption using the management agent (version 11.0 build 6753). 

    My question is: is there a way to log-in through the bootguard with Windows roaming profiles? Please bear with me, I am a bit of a newbie and we outsource our IT support. I am the "in-house support" and our third-party does all server side maintenance and configurations. They set up the management agent on the server and I am deploying the client and the drive encryption on all PCs. Is there a configuration on the server side to enable users to use their roaming profiles to log-in to any PC on our network? I attempted to log in to someone else's PC through bootguard using my credentials but it did not work. Our roaming profiles worked properly before this. I am wondering if it is even possible to use roaming profiles with Endpoint Encryption. 

    We are running Windows 7 Professional x64 SP1 and I believe we have Windows Server 2008. Please let me know if I can provide additional information that might help.

    Any help is much appreciated! 

    Thanks. 



  • 2.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption
    Best Answer

    Posted Dec 01, 2014 05:29 PM

    It would not be possible to use roaming profiles to access the drive.  The client administrator credentials should be able to get you past pre-boot authentication, and when you log onto the Windows side with your other credentials, you should be added to the access list.

    The access list for each system is static, and until a user registers on that system, they will not be able to authenticate.



  • 3.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption

    Posted Dec 05, 2014 09:29 AM

    That worked. Thank you very much for the quick response. 

    But I have another question. What happens when someone does not reset their password and it expires? Before, users would just get a notification to change when they try to log in through Windows. Now, will it lock them out completely if they use a password that has expired or will it allow them to log in then make them reset it? I advised all users to reset passwords before the expiration but I know some people won't follow directions and I would like to know what would happen. I know I could log in using admin credentials but I would like to avoid that if possible. 

    Thanks! 



  • 4.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption

    Posted Dec 05, 2014 12:28 PM

    The pre-boot authentication will not expire the passphrase, so the user would still log in through pre-boot as normal, then Windows would greet them with the familiar password change.  Note that they must then use Ctrl+Alt+Delete to change the password or it will not immediately sync with pre-boot auth.

    If there is another method for password change in place, they could log off (not reboot or shut down), and the password will sync when they log back in with the new password.  Or, if they do shut down or reboot, they could simply enter their old passphrase once at pre-boot, and it will take them to the Windows login.  Then when they log into Windows, it should sync properly.

    Basically, the method for updating the pre-boot passphrase with the Windows passphrase only kicks off on a successful login, so until they log into Windows, their pre-boot passphrase will be the same, regardless of whether or not it expired in AD.



  • 5.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption

    Posted Dec 05, 2014 01:16 PM

    Great, thanks again for the prompt reply. 

    One more question, I have a computer that started the encryption process but now it has been paused for some reason. It has been paused for about a week and I have "checked-in" with the server and it is connected. Another weird thing that I only saw on this PC was, sometimes it will say "Next Check-In is due by: 1/1/1970" (we do not have this feature enabled to require a check-in). But it does not always say that, most of the time it says Next check in is: Not Applicable; which is correct. Like I said before, I do not handle the server side configurations and setup so is there anything I can pass along to our IT support that they can do to re-initiate the encryption on this PC and ensure this PC is configured correctly? I don't see any options locally to re-initiate the encryption process. 

    Thanks for all the help. 



  • 6.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption
    Best Answer

    Posted Dec 05, 2014 01:32 PM

    It sounds like something may have gone wrong with the installation, and it is not applying the policy correctly.  To be safe, I would decrypt manually using the command line, uninstall and reinstall.  The command line guide is here for reference:
    http://www.symantec.com/docs/DOC7716

    The decryption command should look similar to this:
    eedAdminCli --decrypt --disk <number> --au <AdminUserName> --ap <AdminPassword>



  • 7.  RE: Log-in using roaming profiles with Symantec Endpoint Encryption

    Posted Dec 05, 2014 01:36 PM

    Ok thanks a lot Mike! You've been a huge help.