File Share Encryption

  • 1.  Silent PGP desktop installation and automatic encryption for local account

    Posted May 08, 2014 04:58 PM

    Hi all,

    I'm trying to find a way to silently install PGP desktop, and also silently encrypt the drive with the local admin account enrolled.

    I want to be able to install the OS on new laptops, encrypt the drive, and be able to put the laptop in storage until it is ready to assign to a user. When I give the laptop to the user, I want to add the domain user to the encryption key, and then remove the local admin account from the encryption key.

    I can't seem to automate the install to where the disk is encrypted and the local admin account has access to the key, while keeping the install silent.

    Can anyone help me with this?
     



  • 2.  RE: Silent PGP desktop installation and automatic encryption for local account

    Broadcom Employee
    Posted May 11, 2014 08:59 AM
    Hi milbauer,

    The silent install has restricted requirements. (SymWise is currently under maintenance; if needed I can post the article reference later.) The local admin account usually doesn't allow an automated authentication via LDAP synchronization. However, a domain admin account may pass all the requirements.

    HTH,

    dcats


  • 3.  RE: Silent PGP desktop installation and automatic encryption for local account

    Posted May 12, 2014 10:38 AM

    Hi dcats,

    Thanks for your reply. Is there any way to go ahead and encrypt the disk without providing a user account at all? And yes if you could post the link when SymWise is back up that would be great.

    Thanks
     



  • 4.  RE: Silent PGP desktop installation and automatic encryption for local account

    Posted May 13, 2014 07:21 AM

    Hi Milbauer,

    Here is an article for silent enrollment

    http://www.symantec.com/docs/HOWTO77014

    With these settings, make sure to also check the options in the Encryption Server's Consumer Desktop policy for "automatically encrypt boot disk" and "force single sign-on password" so that encryption starts automatically.

    Regards,

    Sarfaraz Rahman



  • 5.  RE: Silent PGP desktop installation and automatic encryption for local account
    Best Answer

    Posted May 13, 2014 06:22 PM

    There is more information that we also need to know to assist you with this:

    Are the clients standalone, or managed by a Symantec Encryption Management Server?  If it is not a managed environment, silent enrollment will not work.  It is based on Active Directory Sync through the encryption management server and your AD structure for authentication.

    Is there a requirement that the laptops be encrypted and protected by preboot authentication during the 'storage' period?  It may be possible to create a passphrase-only user to encrypt the drive to, then create a single-use Bootguard Authenticated Bypass user per the instructions here:

    http://www.symantec.com/docs/TECH149026

    There is no official method for deploying pre-encrypted systems from Symantec, but if you are using a management server, and don't require preboot authentication until a system is delivered to an end user, I would do the following:

    1.  Create two groups using AD Sync, and two policies on the server.  One should force users to use single sign on for authentication, and the other should Allow, but not force it.  The second group should have permissions to encrypt the drive.

    2.  Download a package that is set to auto-detect policy.

    3.  Install following the directions for invisible silent enrollment from http://www.symantec.com/docs/HOWTO77014

    4.  After the initial reboot after installation, log onto the system with a member of the second group (Allow SSO, has encryption permissions).

    5.  Encrypt the drive to a passphrase only user.  This should also add any WDE Administrator user as set in the policy.

    6.  After encryption completes, add a single use bypass per http://www.symantec.com/docs/TECH149026

    7.  Shut down the system, and store it.

    When it is given to an end user, it should start up once without asking for a Bootguard authentication.  When they log into Windows, it should detect that they are in the first group, and force them to be added to the drive as a user for authentication.  They should then be able to use Single Sign On without getting any prompts, etc.

    It definitely is not the most elegant solution, but I think it will accomplish what you are after.  The product was designed to be implemented with the desired end user, not encrypted before distribution.  Since the product is designed to encrypt per user, a user must be created before encryption can begin.



  • 6.  RE: Silent PGP desktop installation and automatic encryption for local account

    Posted May 15, 2014 03:28 PM

    Thanks Mike.

    I'll give this a try and I will post the results. It will probably take me a little while as I am new to the product :).
     



  • 7.  RE: Silent PGP desktop installation and automatic encryption for local account

    Posted May 23, 2014 03:27 PM

    I was able to get it working. I used super silent enrollment using a service account to encrypt the disk. Computers are then placed in storage, then when the PC is needed, the new user is added as a passphrase user, and the service account is removed. We no longer have to wait on encryption to finish when we build new PCs, saving us lots of time.


    Thank you Mike for thinking outside the box and helping with my unorthodox request! Much appreciated.
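The hand-off step that post 5 outlines (steps 5 and 6, encrypting to a passphrase user and adding a single-use bypass) and that post 7 reports working (adding the end user as a passphrase user, then removing the service account) can be scripted around the `pgpwde.exe` command-line tool that ships with PGP Desktop / Symantec Encryption Desktop. The PowerShell script below is an added example written for this page; it is not from the thread, from Symantec, or from the referenced articles. It assumes `pgpwde.exe` is installed under the PGP Desktop folder, that the `--status`, `--list-users`, `--add-user`, `--remove-user` and `--add-bypass` commands and the `--disk`, `--username`, `--passphrase` and `--admin-passphrase` switches behave as in the Encryption Desktop command-line guide, that any enrolled user's passphrase is accepted as `--admin-passphrase`, and that the tool returns exit code 0 on success. The service account name `wde-svc` and the user-name format are placeholders. Verify every switch against the command-line guide for your version before relying on it.

```powershell
<#
  Added example: hand a pre-encrypted laptop to its end user.
  Assumptions (not confirmed by the thread): pgpwde.exe location, the
  pgpwde switches used below, that any enrolled user's passphrase is valid
  as --admin-passphrase, and that --list-users prints each user name on
  its own line. Check your version's command-line guide.
#>
param(
    [Parameter(Mandatory)][string]$NewUser,   # e.g. "CORP\jdoe" (placeholder format)
    [string]$ServiceAccount = "wde-svc",      # hypothetical service account used at build time
    [int]$Disk = 0,                           # boot disk index as reported by "pgpwde --enum"
    [switch]$AddSingleUseBypass               # let the next boot skip Bootguard once (TECH149026)
)
$ErrorActionPreference = 'Stop'

# Assumed install path; fall back to whatever pgpwde.exe is on PATH.
$pgpwde = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop\pgpwde.exe'
if (-not (Test-Path $pgpwde)) { $pgpwde = (Get-Command pgpwde.exe).Source }

function Invoke-Pgpwde([string[]]$Arguments) {
    # Run pgpwde and turn a non-zero exit code into a terminating error.
    $output = & $pgpwde @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "pgpwde $($Arguments[0]) failed (exit $LASTEXITCODE): $output"
    }
    return $output
}

function Test-WdeUser([string]$Name) {
    # True when --list-users for the disk mentions the user (format assumed).
    $users = Invoke-Pgpwde @('--list-users', '--disk', $Disk)
    return [bool](($users | Out-String) -match [regex]::Escape($Name))
}

function ConvertFrom-Secure([securestring]$Secure) {
    # pgpwde only takes plaintext passphrases on its command line, so the
    # values are visible to anyone who can list processes or read a
    # PowerShell transcript. Run this interactively and clear the variables.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { return [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# 1. Confirm the disk is instrumented and the service account is enrolled.
Invoke-Pgpwde @('--status', '--disk', $Disk) | Write-Host
if (-not (Test-WdeUser $ServiceAccount)) {
    throw "Service account '$ServiceAccount' is not enrolled on disk $Disk; nothing to hand off."
}

$svcPass = ConvertFrom-Secure (Read-Host "Passphrase for $ServiceAccount" -AsSecureString)
$newPass = ConvertFrom-Secure (Read-Host "New passphrase for $NewUser" -AsSecureString)

# 2. Add the end user as a passphrase user, authorised by the service account.
Invoke-Pgpwde @('--add-user', '--disk', $Disk,
                '--username', $NewUser, '--passphrase', $newPass,
                '--admin-passphrase', $svcPass) | Out-Null
if (-not (Test-WdeUser $NewUser)) { throw "'$NewUser' did not appear in the user list." }

# 3. Optional single-use bypass so the first start-up after storage needs no preboot login.
if ($AddSingleUseBypass) {
    Invoke-Pgpwde @('--add-bypass', '--disk', $Disk, '--admin-passphrase', $svcPass) | Out-Null
}

# 4. Remove the service account. Authorising this step with the NEW user's
#    passphrase proves that passphrase works before the old one is gone.
Invoke-Pgpwde @('--remove-user', '--disk', $Disk,
                '--username', $ServiceAccount, '--admin-passphrase', $newPass) | Out-Null
if (Test-WdeUser $ServiceAccount) { throw "'$ServiceAccount' is still enrolled; aborting." }

$svcPass = $null; $newPass = $null
Write-Host "Disk $Disk handed off to $NewUser; $ServiceAccount removed."
```

The order matters: the new user is added and verified before the service account is removed, and the removal is authorised with the new user's passphrase, so a mistyped passphrase fails at step 4 while the service account can still open the disk rather than leaving a drive with no usable user. Because pgpwde receives passphrases as plaintext arguments, do not run this under a PowerShell transcript or from a shared console, and consider the bypass user a short-lived convenience to be consumed on the first boot.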