"you do not have privilege to upload a Whole Disk Recovery Token to the server" error on a NIST-hardened computer
We've been trying to harden our Win7 computers with NIST USGCB guidelines.
One problem we've been running into occurs when you're trying to register a user for WDE on a Win7 computer that has been hardened with the USGCB guidelines. When you get to the single sign-on section of setting the user up, the first error you encounter is that when you give PGP the credentials, it gives you the error:
"Logon failure: The user has not been granted the requested logon type at this computer"
After some research, I discovered that this is due to the setting in User Rights Assignment called "Access this computer from the network", for which the NIST settings revoke all access except for Administrators.
But even after testing this out and adding the user I'm trying to register to the "Access this computer from the network" list, I get a second error after entering the single sign-on credentials:
"you do not have privilege to upload a Whole Disk Recovery Token to the server"
This one I have not been able to figure out yet. If I attempt to register someone who is in the local Administrators group for the PC, registration goes fine, or if I remove the hardening, then registration goes fine for everyone, including non-administrators.
So one of the NIST settings is preventing non-administrators from uploading the WDRT, but I haven't had success yet in discovering which one.
What we're probably going to do when setting up users for WDE is that we will either temporarily make the user an Administrator, or set the user up on WDE *before* hardening the computer with the NIST USGCB guidelines, but I'd still like to know what setting is blocking the registration from working correctly. I searched the forums and Google and haven't found anyone with a similar situation.
Thanks in advance.
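
One way to narrow down which User Rights Assignment entries a baseline changed, as an added example that is not part of the original post: export the local policy with `secedit /export /cfg` before and after hardening and diff the `[Privilege Rights]` sections. The two sample exports and the function names are constructed for illustration, and the script covers user rights only, not registry-based settings.

```python
# Added example: diff the [Privilege Rights] section of two secedit exports.
# Real exports from `secedit /export /cfg <file>` are UTF-16; open them with
# encoding="utf-16". The two samples below are constructed, not from the post.

BEFORE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

AFTER = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
"""

def parse_rights(inf_text):
    """Return {right_name: set_of_principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # Values are comma-separated SIDs or account names; order is irrelevant.
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def diff_rights(before_text, after_text):
    """Return {right: {"removed": [...], "added": [...]}} for rights that changed."""
    before, after = parse_rights(before_text), parse_rights(after_text)
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = {"removed": sorted(old - new), "added": sorted(new - old)}
    return changes

if __name__ == "__main__":
    for right, delta in diff_rights(BEFORE, AFTER).items():
        print(f"{right}: removed={delta['removed']} added={delta['added']}")
```

`SeNetworkLogonRight` is the constant name for "Access this computer from the network"; rights whose membership is merely reordered are not reported.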