Endpoint Encryption

  • 1.  SEE autologin/bypass issue, GPO set correctly/machine processes GPO.

    Posted May 31, 2013 04:45 PM

    Every month we set GPOs for Autologin for various maintenance reboots (patching, software upgrades). We typically set the GPOs a few days in advance and have no SEE Bypass issues. Every so often we have the "firecall" for a zero day, and the whole shebang of deployment (from setting SEE bypass/autologin in GPO to scheduled deployment) occurs in a 12-hour window; however, this is well within GPO processing times for the clients.

    What we usually see in those "danger-close" scenarios (setting everything in a tight window) is that a small handful of machines will sit at SEE post reboot instead of properly bypassing and sitting at the Windows login. When checking the Event Log, we see that these machines are properly evaluating the GPO as being changed, and processing the GPO on the system well in advance of the scheduled reboot to Windows.

    I think this issue resides within the SEE client; wondering if anyone else has seen the behavior and can comment.

    Thanks,

    The S.



  • 2.  RE: SEE autologin/bypass issue, GPO set correctly/machine processes GPO.

    Posted Jun 04, 2013 06:44 AM

    According to the below article, this is a known issue without a specific resolution, which prompted the creation of the Autologon Utility instead (essentially an MSI version of the Autologon policy).

    http://www.symantec.com/docs/TECH151916
    http://www.symantec.com/docs/TECH151755

    So for your "danger-close" scenarios, generate a new Autologon Utility MSI (instead of making GPO changes) for your specific event, and run it on the endpoints prior to the reboot.

    Don't forget, there is also the option of using the SEE Reboot Utility too, but this is less secure and not recommended for mass use (as it would require passing out the creds of a registered user or client administrator via a clear-text script):

    http://www.symantec.com/docs/TECH178365



  • 3.  RE: SEE autologin/bypass issue, GPO set correctly/machine processes GPO.

    Posted Jun 11, 2013 10:33 AM

    The problem is ITIL/Change Management: every time we deploy something there has to be an ITIL/Change Management and meeting of the Big Indians...

    We actually created a WISE package that threw a command line at the Reboot Utility to prevent the passing in the clear of the admin accounts, which worked well for software deployments in relation to ITIL/CM.

    IIRC (back from the FDE days) the Autologin MSI needs to be uninstalled post deployment, does it not?

     

    Appreciate the feedback on the articles.

    Easy_Coy

     



  • 4.  RE: SEE autologin/bypass issue, GPO set correctly/machine processes GPO.

    Posted Jun 11, 2013 11:45 AM

    With regard to the requirement to uninstall the Autologon MSI, I cannot find any firm documentation on this, I'm afraid. That said, the user guide for it does provide upgrade instructions, so I can only suggest you test performing an in-place "upgrade" of the same version, to see if this successfully changes the grace login schedule.

    As you say though, if you have to go through Change Control to get the MSI installed/upgraded, then it may not be feasible to use this tool in your "danger-close" scenarios.

    If you're able to securely use the Reboot Utility, then that sounds like the more reliable option.