Endpoint Protection


System Lockdown on SEP 12

  • 1.  System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 19, 2013 05:49 AM

    I want to use system lockdown ability of SEP 12 to lockdown unknown machines on the network with a notification to contact a specific team to unlock them. My first testing on this completely locked down the machine and it couldn't even communicate with the SEPM to be unlocked. I had to put the machine into safe mode and uninstall SEP to get it to respond. Is there any documentation as to how to use lockdown while still letting it communicate with the SEPM to get updates/policy to be unlocked remotely?



  • 2.  RE: System Lockdown on SEP 12
    Best Answer

    Posted Jun 19, 2013 06:02 AM

    Here is the document for 12.1

    Configuring system lockdown

     
    You need to allow smc.exe. Can you check if that was blocked as unapproved?


  • 3.  RE: System Lockdown on SEP 12

    Posted Jun 19, 2013 07:11 AM

    Did you run the checksum.exe and import the list into the SEPM?

    The next thing you need to make sure is it is in log mode so you can watch for exceptions and add as you go.

    This feature can be very powerful and takes some work to configure properly.



  • 4.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 19, 2013 11:16 AM

    I've been trying to create a checksum from one of our standard builds but the file always comes back empty.



  • 5.  RE: System Lockdown on SEP 12
    Best Answer

    Posted Jun 19, 2013 11:23 AM

    Did you follow this?

    Creating a file fingerprint list with checksum.exe

    Article:HOWTO81199  |  Created: 2012-10-24  |  Updated: 2013-06-06  |  Article URL http://www.symantec.com/docs/HOWTO81199

     

    Without the hashes, all files will essentially be blocked when you turn it on (unless you're in log mode, which I would recommend to start).



  • 6.  RE: System Lockdown on SEP 12



  • 7.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 19, 2013 12:50 PM

    Hello,

    Check the following Articles:

    How to configure System Lockdown in Symantec Endpoint Protection

    http://www.symantec.com/docs/TECH102526

    Managing file fingerprint lists

    http://www.symantec.com/docs/HOWTO55133

    Configuring system lockdown

    http://www.symantec.com/docs/HOWTO80848

    Importing or merging file fingerprint lists in Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/HOWTO55138

    How to configure System Lockdown to allow Microsoft Security Updates

    http://www.symantec.com/docs/TECH103977

    Enabling system lockdown to run in whitelist mode

    http://www.symantec.com/docs/HOWTO80850

    Also, check this Article:

    https://www-secure.symantec.com/connect/articles/what-system-lockdown-what-stages-do-i-implement-system-lockdown-symantec-endpoint-protectio

    Hope that helps!!



  • 8.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 20, 2013 05:10 AM

    Yes I did follow that document



  • 9.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 20, 2013 05:31 AM

    I also get when lockdown is running when the machine comes up with popups with notifications. But when the machine is rebooted it goes to the Windows screen to start logging in, then after a few minutes it just goes in a continuous loop trying to reboot till it's put into safe mode and SEP uninstalled :(



  • 10.  RE: System Lockdown on SEP 12

    Posted Jun 20, 2013 07:04 AM

    And you have it in log mode instead of full lockdown??



  • 11.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 20, 2013 09:11 AM

    Yeah I have it in log atm



  • 12.  RE: System Lockdown on SEP 12

    Posted Jun 20, 2013 09:16 AM

    What's the exact version of 12.1 that you're running?

    I've used system lockdown on all versions of 12.1 so far and have not experienced this issue, not even when whitelist or blacklist mode is enabled. It would seem to be a bug of some sort.

    Can you run the SymHelp tool on the affected client to see if any errors show up?



  • 13.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 20, 2013 09:48 AM

    Version 12.1.2015.2015. SymHelp has come back fine. Yeah, seems odd.



  • 14.  RE: System Lockdown on SEP 12

    Posted Jun 20, 2013 10:32 AM

    Perhaps try a repair on the client first, then try system lockdown again.

    Otherwise, try upgrading to the latest version, RU3, and see what the result is.



  • 15.  RE: System Lockdown on SEP 12

    Trusted Advisor
    Posted Jun 21, 2013 04:36 AM

    Discovered that for some reason it didn't like the drive prefix at the end as described in the document. Once I ran the checksum.exe on the whole device it ran fine.

    Brian as always thanks again for the quick replies.



  • 16.  RE: System Lockdown on SEP 12

    Posted Jun 21, 2013 11:10 AM

    Ahh makes sense. Good deal. Glad it's working.
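
The two failure modes raised in this thread (an empty fingerprint list, and smc.exe ending up unapproved) can be caught before a list is imported into the SEPM or a group is moved out of log mode. The following is an added example, not code from the thread or from Symantec. It assumes each line of the list is a 32-character hex digest, whitespace, then the full file path; the sample entries are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed line format: "<32 hex chars> <full Windows path>".
LINE_RE = re.compile(r"^([0-9A-Fa-f]{32})\s+(.+)$")

# smc.exe is the client binary that reply 2 says must be allowed.
REQUIRED = ("smc.exe",)


def parse_fingerprints(text):
    """Return ({lowercased path: hash}, [malformed line numbers])."""
    entries, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            malformed.append(lineno)
            continue
        entries[m.group(2).strip().lower()] = m.group(1).lower()
    return entries, malformed


def preflight(text, required=REQUIRED):
    """Return a list of problems; an empty list means none were found."""
    entries, malformed = parse_fingerprints(text)
    problems = []
    if not entries:
        problems.append("list is empty: every file would be unapproved")
    if malformed:
        problems.append(f"malformed lines: {malformed}")
    names = {PureWindowsPath(p).name for p in entries}
    for exe in required:
        if exe.lower() not in names:
            problems.append(f"{exe} has no fingerprint")
    return problems


# Constructed sample data (hashes and paths are made up for illustration).
SAMPLE_GOOD = (
    "0123456789abcdef0123456789abcdef c:\\program files\\sep\\smc.exe\n"
    "fedcba9876543210fedcba9876543210 c:\\windows\\system32\\notepad.exe\n"
)
SAMPLE_EMPTY = ""

if __name__ == "__main__":
    for label, data in (("good", SAMPLE_GOOD), ("empty", SAMPLE_EMPTY)):
        print(label, preflight(data) or "OK")
```

Extend `REQUIRED` with any other binaries the client needs in order to reach the SEPM, and keep the group in log mode until `preflight` returns no problems for the list generated from the reference build.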