Endpoint Encryption

  • 1.  SEE

    Posted Jan 10, 2017 01:23 AM

    Hi experts,

    Could anyone help me answer the queries below?

    1. If an end user forgets his/her password, what is the process of retrieval?
    2. If an admin forgets his/her password, what is the process of retrieval?
    3. What is the flow of the OTP when an admin raises a request for retrieving the password? Does the end user's machine require an internet connection to get that OTP, or would the configured internal mail work?

    Thanks in advance.




  • 2.  RE: SEE

    Posted Jan 10, 2017 04:00 AM

    Here are the answers in short, for more information I'd highly recommend referring to the documentation:

    1. Users can either recover their passwords themselves, by answering the Security Questions they are prompted to set up on registration, or they can call a SEE Helpdesk Admin, who can log into the Helpdesk element of the SEE portal and provide the OTP.
    2. It depends which password.  Access to the Manager console is intrinsically linked to Windows accounts, so if they forget their Windows password, you just get another AD admin to change it in AD.  If it's the client administrator account that has been forgotten, then the machine needs to be booted into Windows via some other means (hopefully someone can still get past the Pre-Boot Auth screen), connected to the network, and applied with a new SEE Policy from the Management Server to change the Client Administrator password.  If no one can authenticate past the Pre-Boot Auth screen, then the disk cannot be unlocked.
    3. When a SEE Client machine registers with the SEE Management Server while fully booted up in Windows and connected to the network, it will establish the OTP.  After using the OTP to get into Windows, and connecting to the network to check in with the SEE Management Server, the client will be told what it should be the next time.  While in the Pre-Boot Authentication Environment, the client has no network connectivity.


  • 3.  RE: SEE

    Posted Jan 10, 2017 11:52 AM

    Thanks for the valuable information, SMLatCST.

    Just one more point to check: how does it work for an unmanaged solution?



  • 4.  RE: SEE

    Posted Jan 10, 2017 05:51 PM


    Regarding the previous comment ...

    "If no one can authenticate past the Pre-Boot Auth screen, then the disk cannot be unlocked."

    -- This is not true. There is a helpdesk recovery option. So, if the machine has checked in with the Endpoint Encryption Server, you can select helpdesk recovery... The user will have to read a "question" key, and then the person at the helpdesk inputs that... and reads a "response" key that the user enters. This will unlock the machine.


    Your question (#3) regarding OTP is a bit confusing. Symantec Endpoint Encryption does not have any e-mail functions.

    If you are asking about a key that can be used to unlock the machine, yes... the helpdesk recovery feature has an offline mode. It will work without an internet connection.



  • 5.  RE: SEE

    Posted Jan 11, 2017 12:20 AM

    Phil Support

    Noted with thanks. So I understand the unmanaged endpoint password can be recovered through the self-set password and by calling the helpdesk. Kindly confirm. The reason I am asking this is because there are a high number of people who are not in the Active Directory domain.



  • 6.  RE: SEE

    Posted Jan 11, 2017 04:20 AM

    The OTP is a form of authentication, and was already discussed in the answer to Q1.

    The fact remains that, currently, if you cannot authenticate past PBE you cannot unlock the disk.  This remains the case until Symantec reinstate the ability to export keys from the DB and the ability to perform an offline forced decryption.

    This functionality was dropped in the transition to SEE11 and is not yet back in (http://www.symantec.com/docs/INFO3984)



  • 7.  RE: SEE
    Best Answer

    Posted Jan 11, 2017 04:36 AM

    It's worth clarifying what you're trying to do here.

    If by "unmanaged" you merely mean client machines that are in communication with the SEE Management Server but are not on the Domain, or users with local accounts on machines that *are* in contact with the Management Server, then yes: both Authenti-Check and OTP are available to you.

    #EDIT#  Even for client machines that cannot contact the SEE Management Server, Phil is correct in that both Authenti-Check and OTP options remain available to you.

    If by "unmanaged" you mean the old "Serverless" implementation of SEE, then I believe this is no longer supported.



  • 8.  RE: SEE

    Posted Jan 11, 2017 05:03 AM

    Got it... Thanks a lot, SMLatCST.