Symantec Endpoint Encryption Removable Storage Policy Administrator Guide Version 8.0.0


Symantec Endpoint Encryption

Removable Storage

Policy Administrator Guide

Version 8.0.0


Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Contents

1. Introduction
    Overview
    Directory Service Synchronization
    Active Directory and Native Policies
    Manager Console
        Basics
        Database Access
        Endpoint Containers
    Symantec Endpoint Encryption Roles
        Policy Administrators
        Client Administrators
        User

2. Reporting
    Overview
        Basics
        Client Computers Data Available from Users and Computers and Basic Reports
        Directory Services Synchronization Data
        Admin Log Data
        Client Events Data
        Device Exemptions Report Data
    Symantec Endpoint Encryption Users and Computers
    Symantec Endpoint Encryption Reports
        Basics
        Active Directory Forests Synchronization Status
        Client Events
        Computer Status Report
        Computers not Encrypting to Removable Storage
        Computers with Decrypted Drives
        Computers with Expired Certificates
        Computers with Specified Users
        Computers without Full Disk Installed
        Computers without Removable Storage Installed
        Device Exemptions Report
        Percentage of Encrypted Endpoints
        Full Disk Client Deployment
        Framework Deployment
        Non-Reporting Computers
        Novell eDirectory Synchronization Status
        Custom Reports
    Resultant Set of Policy (RSoP)
    Windows System Events

3. Policy Creation & Editing
    Overview
    Active Directory Policies
    Native Policies
    Policy Options
        Client Administrators
        Registered Users
        Password Authentication
        Token Authentication
        Authentication Message
        Communication
        Single Sign-On
        Authenti-Check
        One-Time Password
        Access and Encryption
        Device and File Type Exclusions
        Encryption Method
        Recovery Certificate
        Workgroup Key
        Portability
        Default Passwords

4. Policy Deployment
    Overview
    Active Directory Policies
        Basics
        Order of Precedence
        Forcing a Policy Update
    Native Policies
        Basics
        Symantec Endpoint Encryption Managed Computer Groups
        Policy Assignment
        Order of Precedence
        Forcing a Policy Update

Appendix A. System Event Logging
    Basics
    Framework System Events List
    Removable Storage System Events List

Appendix B. CD/DVD Command Line
    Overview
        Basics
        Prerequisites
        Operational Steps
    Temporary Data Directory
    Command Syntax
    CD/DVD Errors

Appendix C. Authentication Method Changes
    Overview
    User Experience

Glossary

Index

Figures

Figure 1.1—Sample Network Configuration
Figure 1.2—SQL Server Logon Prompt
Figure 2.1—Group Policy Results Wizard, User Selection
Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client
Figure 3.1—Framework Computer Policy, Client Administrators Options
Figure 3.2—Add New Client Administrator Dialog
Figure 3.3—Framework Computer Policy, Registered Users Options
Figure 3.4—Framework Computer Policy, Password Authentication Options
Figure 3.5—Framework Computer/User Policy, Authenti-Check Options
Figure 3.6—Removable Storage Computer Policy, Security Level Options
Figure 3.7—Removable Storage Computer Policy, Device and File Type Exclusions
Figure 3.8—Removable Storage Computer Policy, Encryption Method Options
Figure 3.9—Removable Storage Computer Policy, Recovery Certificate
Figure 3.10—Removable Storage Computer Policy, Workgroup Key Options
Figure 3.11—Removable Storage Computer Policy, Portability Options
Figure 3.12—Removable Storage Computer Policy, Default Passwords
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group
Figure 4.2—Name New Group Dialog
Figure 4.3—SEE Unassigned, Computer Highlighted
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected
Figure 4.6—Policy Selection Dialog
Figure 4.7—Native Policy Assignment Confirmation
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned

Tables

Table 1.1—Active Directory and Native Policies Compared
Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports
Table 2.2—Client Computer Data Available from Computer Info Tab
Table 2.3—Client Computer Data Available from Framework Tab
Table 2.4—Client Computer Data Available from Full Disk Tab
Table 2.5—Client Computer Data Available from Removable Storage Tab
Table 2.6—Client Computer Data Available from Associated Users Tab
Table 2.7—Directory Services Synchronization Data
Table 2.8—Admin Log Data
Table 2.9—Client Log Data
Table 2.10—Device Exemptions Report
Table 2.11—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers
Table A.1—Framework System Events
Table A.2—Removable Storage System Events
Table B.1—Temporary Data Folder Paths
Table B.2—CD/DVD Command Line Parameters
Table B.3—CD/DVD Messages and Error Codes
Table C.1—Effect of a Change in Authentication Method on Existing User Accounts


1. Introduction

Overview

Symantec Endpoint Encryption Removable Storage allows organizations to enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion costs associated with data breach incidents. As part of Symantec Endpoint Encryption, Removable Storage leverages existing IT infrastructures for seamless deployment, administration, and operation.

Removable Storage secures data in one of the following ways:

By allowing no access to removable storage devices,

By allowing only read access to removable storage devices,

By automatically encrypting all files written to or accessed on removable storage devices,

By automatically encrypting all files written to removable storage devices,

By automatically encrypting files per Symantec Data Loss Prevention for Endpoint,

By automatically encrypting data written to CD/DVD media, and/or

By encrypting files written to a removable storage device on user demand.

Removable Storage enforces access control and encryption policies on devices that use USB or FireWire ports to attach a file system.

Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential inconsistencies.


The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.

Figure 1.1—Sample Network Configuration

The Active Directory domain controller and Symantec Endpoint Encryption Management Server are required.

Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported.

A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec Endpoint Encryption database, the database server can be located inside or outside of Active Directory.

The Manager Console can be installed on multiple Manager Computers. It can also be installed on the Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of Active Directory.

The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional.

Directory Service Synchronization

Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption database. It also keeps this information up to date. This improves performance during Client Computer communications with the Management Server, as the Management Server will be able to identify the Client Computer without having to query the Active Directory domain controller and/or the Novell eDirectory server.

When you open the Manager Console, you will have your Active Directory and/or Novell endpoints organized just the way that they are in the directory service, easing your deployment activities.

[Figure 1.1 diagram labels: domain your-org.com and tree your_tree; nodes: eDirectory Server, Domain Controller, Management Server, Database Server, Manager Computer, Clients; connections: Group Policy, SOAP over HTTP, LDAP, TLS/SSL, TDS]


In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these computers do not have any Symantec Endpoint Encryption products installed and/or have never checked in with the Management Server. This will allow you to run reports to assess the success of a given deployment and gauge the risk that your organization may face due to unprotected endpoints.

The timing of the synchronization event differs according to the directory service. Whereas Novell informs the Management Server of any changes that may occur, the Management Server needs to contact Active Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.

Active Directory and Native Policies

Active Directory policies are designed for deployment to the users and computers residing within your Active Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active Directory is enabled or not.

Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with Active Directory off.

The following table itemizes the differences between Active Directory and native policies.

Table 1.1—Active Directory and Native Policies Compared

Active Directory Policies | Native Policies
Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers.
Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence.
Single pane policy creation/deployment. | Each pane must be visited when creating the policy.
Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server.
An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console.

Manager Console

Basics

The Manager Console contains the following Symantec Endpoint Encryption snap-ins:

Symantec Endpoint Encryption Management Password—is not relevant to Removable Storage.

Symantec Endpoint Encryption Software Setup—is used to create client installation packages.

Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.

Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups.

Symantec Endpoint Encryption Reports—includes reports to allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you will be able to create your own custom reports.

It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:

Active Directory Users and Computers—allows you to both view and modify your Active Directory organizational hierarchy.

Group Policy Management—lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active Directory–managed computers.

Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if any, will be effected as part of the privileges associated with your Windows account.

Database Access

Your Windows account may have been provisioned with rights to access the Symantec Endpoint Encryption database. If so, ensure that you are logged on to Windows with this account before launching the Manager Console.

If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows credentials.

Figure 1.2—SQL Server Logon Prompt

The Server name and Initial catalog fields will contain the information that was provided when this Manager Console was installed. In general, you should not modify the default contents of these fields. Circumstances that require you to edit these entries would be unusual, such as the loss of your primary Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows:

computer name,port number\instance name

While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be required, the TCP port number will only be necessary if you are using a custom port, and the instance name will only be needed if you are using a named instance. The custom port number would need to be preceded by a comma and the instance name by a backslash.

To use a SQL account, select SQL Authentication and type the SQL user name in the User name field. Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the User name field. Type the account password in the Password field. Click Connect to authenticate.

If you don’t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel. You may receive one or more error messages following cancellation. You will receive additional prompts upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.


Endpoint Containers

Basics

The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following containers:

Active Directory Computers,

Novell eDirectory Computers, or

Symantec Endpoint Encryption Managed Computers.

Active Directory/Novell eDirectory Computers

No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless synchronization with the directory service is enabled.

If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects located within the Active Directory and/or Novell containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins.

Symantec Endpoint Encryption Managed Computers

Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not be shown in the Symantec Endpoint Encryption Managed Computers container.

Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint Encryption Managed Computers container or not following check in will vary depending on whether synchronization is enabled or not.

If synchronization is not enabled, all Client Computers that have checked in will be placed in the Symantec Endpoint Encryption Managed Computers container.

If synchronization is enabled, only Client Computers that have checked in that do not reside within the designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint Encryption Managed Computers container.

Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into the organizational structure that you desire.

Deleted Computers

The Deleted Computers container stores Symantec Endpoint Encryption–managed computers that have been deleted, allowing you to restore the computer and revert its deletion.

Symantec Endpoint Encryption–managed computers will remain in the Manager Console even after the client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint Encryption–managed computer, locate the computer within the Symantec Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers container.

Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container following uninstallation and then reinstall, you will find two computers with the same name in the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date, right-click it, and select Delete.


Symantec Endpoint Encryption Roles

Policy Administrators

As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, you perform one or more of the following tasks:

Update and set client policies.

Run reports.

Change the Management Password.

Client Administrators

Client Administrators provide local support to Symantec Endpoint Encryption users.

Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption, independent of operating system or directory service, allowing Client Administrators to support a wide range of users.

Client Administrator passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source password management allows Client Administrators to remember only one password as they move among many Client Computers.

Client Administrators may be configured to authenticate with either a password or a token.

Each Client Administrator account can be assigned an administrative privilege allowing them to unregister users. Other administrative privileges assigned to the Client Administrator account will be ignored by Removable Storage.

Client Administrators should be trusted in accordance with their assigned level of privilege.

The Client Administrator is also responsible for recovering Removable Storage–encrypted files when the user has forgotten their password and a Recovery Certificate was used. This responsibility is not controlled by privilege.

Each Client Computer must have one default Client Administrator account. The default Client Administrator account has all administrative privileges and authenticates using a password. Up to 1024 total Client Administrator accounts can exist on each Client Computer.

Client Administrators must register as a user to make use of removable storage devices at the Removable Storage–protected workstation.

User

At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention. Users will not be able to access their removable storage devices until they have registered.

A maximum of 1024 users can be allowed during the creation of the installation package and can be changed by policy.

To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or give users local administrative privileges.


2. Reporting

Overview

Basics

The Manager Console reporting tools allow you to obtain information about:

Client Computers,

Policy Administrator activities, and

Directory service synchronization.

Client Computers Data Available from Users and Computers and Basic Reports

Basics

At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption database. This section discusses the data available about Client Computers from the following snap-in and reports:

“Symantec Endpoint Encryption Users and Computers” on page 14;

“Computer Status Report” on page 15;

“Computers not Encrypting to Removable Storage” on page 15;

“Computers with Decrypted Drives” on page 15;

“Computers with Expired Certificates” on page 15;

“Computers with Specified Users” on page 15;

“Computers without Full Disk Installed” on page 15;

“Computers without Removable Storage Installed” on page 16;

“Non-Reporting Computers” on page 16; and

“Custom Reports” on page 16.

Basic data is shown in the main window and you can double-click a record of interest or right-click it and select Show Selection to obtain further details.

If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s)—even if it has never checked in with the Management Server. While only the computer name and directory service location of these machines will be available, the absence of additional data will allow you to identify computers that are unprotected or have not checked in.


Main Window

The following table itemizes the data available from the main window. Columns that will be displayed but not populated by Removable Storage are identified as not applicable (N/A).

Table 2.1—Client Computer Data Available from Main Window of Users and Computers and Basic Reports

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Computer name | computer name | Computer name |
| Group name* | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| Last Check-In | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| Decrypted | N/A | N/A |
| Decrypting | N/A | N/A |
| Encrypted | N/A | N/A |
| Encrypting | N/A | N/A |
| Version | N/A | N/A |
| Installation Date | N/A | N/A |
| RS Device Access Control* | no access\|read\|read/write | The access policy currently being enforced by Removable Storage |
| RS Encryption Policy | All files\|New files\|CD/DVD only\|User choice\|DLP determined\|Write unencrypted | The encryption policy currently being enforced by Removable Storage |
| RS Encryption Method† | password\|certificate\|any | The encryption method(s) currently allowed by Removable Storage |
| RS On-Demand Encryption* | enabled\|encrypt\|decrypt\|encrypt/decrypt\|not enabled | The on demand encryption policy currently being enforced by Removable Storage |
| RS Access Utility* | True\|False | If the Removable Storage Access Utility is being automatically copied to removable storage devices, True will be displayed. If not, False will be displayed. |
| RS Self-Extracting Archives* | True\|False | True will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; False if the user does not |

* This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in.

† This column is not shown in the reports.

Computer Info Tab

After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Computer Info tab.

Table 2.2—Client Computer Data Available from Computer Info Tab

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Group | group name | Location of the computer within Symantec Endpoint Encryption Users and Computers |
| OS | operating system name | The name of the installed operating system |
| OS Type | 32-bit\|64-bit | The number of bits of memory supported by the installed operating system |
| Serial Number | serial number | The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. |


Table 2.2—Client Computer Data Available from Computer Info Tab (Continued)

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Asset Tag | asset tag | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank. |
| Part Number | time/date stamp | The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank. |

Framework Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Framework tab.

Table 2.3—Client Computer Data Available from Framework Tab

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| FR Version | n.n.n | The three digit version number of Framework that is currently installed |
| FR Installation Date | time/date stamp | The time and date on which Framework was installed |
| Last Check-In Time | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate’s expiration |

Full Disk Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Full Disk tab.

Table 2.4—Client Computer Data Available from Full Disk Tab

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| FD Version | n.n.n | The three digit version number of Framework that is currently installed |
| FD Installation Version | time/date stamp | The time and date on which Framework was installed |
| Last Check-in | time/date stamp | The time and date of the last connection that the Client Computer made with the Management Server |
| SSL Certificate Expiration Date | time/date stamp | The time and date of the client-side TLS/SSL certificate’s expiration |
| Partition | drive letter | The drive letter of the partition that is encrypted, encrypting, decrypted, or decrypting |
| Encryption start time | time/date stamp | The date and time that encryption was initiated |
| Encryption end time | time/date stamp | The date and time that encryption completed |
| Decryption start time | time/date stamp | The date and time that decryption was initiated |
| Decryption end time | time/date stamp | The date and time that decryption completed |
| Decryption initiated by | user name | The user name of the user or Client Administrator that initiated decryption |


Removable Storage Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Removable Storage tab.

Table 2.5—Client Computer Data Available from Removable Storage Tab

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| RS Device Access Control | no access\|read\|read/write | The access policy currently being enforced by Removable Storage |
| RS Encryption Policy | encrypt all files\|encrypt new files\|encrypt to CD/DVD only\|Write unencrypted | The encryption policy currently being enforced by Removable Storage |
| RS On-Demand Encryption | enabled\|encrypt\|decrypt\|encrypt/decrypt\|not enabled | The on demand encryption policy currently being enforced by Removable Storage |
| RS Encryption Method | password\|certificate\|any | The encryption method(s) currently allowed by Removable Storage |
| RS Exempted File Type | 1\|2\|3 | If one or more multimedia groups is exempted from mandatory encryption, the values 1, 2, and/or 3 will be displayed. 1 represents the audio group. 2 represents the video group. 3 represents the image group. See the User Guide for an itemization of the file types that belong to each group. |
| RS Recovery Certificate | serial number | If a Recovery Certificate is in effect at the Client Computer, its serial number will be displayed. Otherwise, the field will be blank. |
| RS Workgroup Key | True\|False | If a group key is in use, True will be displayed. If not, False will be displayed. |
| RS Device Exclusions | enabled\|not enabled | If one or more devices are being excluded from encryption, Enabled will be displayed. If not, Disabled will be displayed. |
| RS Passwords | Default\|Session default\|Default, session default | If users are allowed to set a Default Password, Default will be displayed. If users are allowed to set Session Default Passwords, Session default will be displayed. If users are allowed to set both a Default Password and one or more Session Default Passwords, Default, session default will be displayed. |
| RS Password Aging | enabled\|not enabled | If password aging is being applied to Default Passwords, Enabled will be displayed. If not, Disabled will be displayed. |
| RS Access Utility | True\|False | If the Removable Storage Access Utility is being automatically copied to removable storage devices, True will be displayed. If not, False will be displayed. |
| RS Self-Extracting Archives | True\|False | True will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; False if the user does not |
| RS Version | n.n.n | The three digit version number of Removable Storage that is currently installed |
| RS Last Upgrade Date | time/date stamp | The time and date on which Removable Storage was last installed or upgraded |
| RS Installation Version | n.n.n | The three digit version number of Removable Storage that was originally installed |

Associated Users Tab

After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in the following table will be available from the Associated Users tab for Windows endpoints. The Associated Users tab will contain one row of data per registered user or Client Administrator on the Windows Client Computer. If this is a Mac record, no data will be available from the Associated Users tab.

Table 2.6—Client Computer Data Available from Associated Users Tab

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| User Name | user name | The user name of the registered user or Client Administrator account |
| User Type | Reg User\|Client Admin | If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed. |
| Authentication Method | Password\|Token\|Password and Token\|Unauthenticated | If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed. |
| User Domain | name of domain or tree\|computer name | If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank. |
| Last Logon Time | time/date stamp | If a user, the time and date of the last User Client Console logon. If a Client Administrator, the time and date of the last Administrator Client Console logon. |
| Registration Time | time/date stamp | The time and date on which this user registered. If this is a Client Administrator account, the time and date on which the account was created either by MSI or policy update. |

Fixed Drives Tab

The Fixed Drives tab is not applicable to Removable Storage.

Directory Services Synchronization Data

Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and can be retrieved using the following Symantec Endpoint Encryption Reports:

“Active Directory Forests Synchronization Status” on page 15, and

“Novell eDirectory Synchronization Status” on page 16.

One row of data per forest or tree will be listed. The following table identifies the data that will be available from these reports.

Table 2.7—Directory Services Synchronization Data

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Forest/Tree Name | forest or tree name | The name of the forest or tree that you are synchronizing with will be identified in this column. |
| Administrator Name | user name | The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account. |
| Administrator Domain* | domain | The Active Directory domain of the Active Directory synchronization account for this forest will be identified. |
| Last Synchronization | time date stamp | The time and date of the last successful synchronization with this forest or tree will be supplied. |


Table 2.7—Directory Services Synchronization Data (Continued)

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Total Computers | number | The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption–protected endpoints. |

* This column is not shown in the Novell eDirectory Synchronization Status report.

Admin Log Data

Each time the Policy Administrator makes a change using the Manager Console, the action will be logged.

The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to inclusive date and time, user name, and computer name. The following table identifies the data that will be available in the Admin Log report.

Table 2.8—Admin Log Data

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Date-Time | time date stamp | The time and date on which the activity occurred |
| User | user name | The Windows user name of the Policy Administrator that initiated the activity |
| Computer | computer name | The computer name of the Manager Computer from which the activity was initiated |
| Activity Description | Changed Symantec Endpoint Encryption management password | — |
| | Created native policy policy name | — |
| | Renamed native policy ‘old policy name’ to ‘new policy name’ | — |
| | Deleted native policy ‘policy name’ | — |
| | Edited native policy ‘policy name’ | — |
| | Created new Symantec Endpoint Encryption Managed computer group ‘group name’ | |
| | Renamed Symantec Endpoint Encryption Managed computer group ‘old group name’ to ‘new group name’ | |
| | Deleted Symantec Endpoint Encryption Managed computer group ‘group name’ | |
| | Assigned native policy ‘policy name’ to group ‘group name’ | — |
| | Unassigned native policy ‘policy name’ from group ‘group name’ | — |
| | Changed assigned native policy for group ‘group name’ from native policy ‘old policy name’ to native policy ‘new policy name’ | |
| | Deleted Symantec Endpoint Encryption Managed Computer ‘computer name’ | |
| | Moved Symantec Endpoint Encryption Managed Computer ‘computer name’ from group ‘old group name’ to ‘new group name’ | |
| | Restored Symantec Endpoint Encryption Managed Computer ‘computer name’ | |
| | Exported Recover DAT file for computer ‘computer name’ | — |
| | Initiated One-Time Password online method for user ‘user name’ on computer ‘computer name’ Symantec Endpoint Encryption GUID ‘Symantec Endpoint Encryption GUID of computer’ | |
| | Initiated One-Time Password offline method for user ‘user name’ | — |
| | Created Framework client installation package ‘MSI package name’ | — |
| | Created Full Disk client installation package ‘MSI package name’ | — |
| | Created Removable Storage client installation package ‘MSI package name’ | |
| | Created Autologon MSI package ‘MSI package name’ | — |
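One way to audit an exported Admin Log using the activity descriptions of Table 2.8: replay the policy assignment entries to find groups left without a native policy, and list the recovery actions (Recover DAT exports and One-Time Password initiations). This is an added example, not part of the guide or the product; the CSV layout, the timestamp format, the handling of straight and curly quotes, and every sample row are assumptions or constructed.

```python
import csv
import io
import re
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumption: the guide gives no format
Q = r"[‘'](.+?)[’']"              # a quoted name, curly or straight quotes

# Patterns built from the activity descriptions listed in Table 2.8.
ASSIGNED = re.compile(rf"^Assigned native policy {Q} to group {Q}")
UNASSIGNED = re.compile(rf"^Unassigned native policy {Q} from group {Q}")
CHANGED = re.compile(
    rf"^Changed assigned native policy for group {Q} "
    rf"from native policy {Q} to native policy {Q}")
RECOVERY = re.compile(
    r"^(Exported Recover DAT file for computer|"
    rf"Initiated One-Time Password (?:online|offline) method for user) {Q}")

# Constructed sample export; headings follow Table 2.8.
SAMPLE_LOG = """Date-Time,User,Computer,Activity Description
2010-06-01 09:00:00,padmin1,MGR-01,Assigned native policy 'RS-Encrypt-All' to group 'Finance'
2010-06-01 09:05:00,padmin1,MGR-01,Assigned native policy 'RS-Encrypt-All' to group 'Sales'
2010-06-02 14:30:00,padmin2,MGR-02,Changed assigned native policy for group 'Sales' from native policy 'RS-Encrypt-All' to native policy 'RS-Write-Unencrypted'
2010-06-03 18:45:00,padmin2,MGR-02,Unassigned native policy ‘RS-Encrypt-All’ from group ‘Finance’
2010-06-03 18:50:00,padmin2,MGR-02,Exported Recover DAT file for computer 'WS-002'
2010-06-04 08:10:00,padmin1,MGR-01,Initiated One-Time Password offline method for user 'jdoe'
2010-06-05 10:00:00,padmin1,MGR-01,Edited native policy 'RS-Encrypt-All'
"""


def review(log_text, start=None, end=None, user=None, computer=None):
    """Replay Admin Log rows in time order.

    Returns (group_policy, recovery): the policy each group ends up with
    (None when unassigned) and the recovery actions seen.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["Date-Time"].strip(), TS_FORMAT)
        # Same filters the report offers: inclusive date/time, user, computer.
        if start is not None and when < start:
            continue
        if end is not None and when > end:
            continue
        if user is not None and row["User"].strip() != user:
            continue
        if computer is not None and row["Computer"].strip() != computer:
            continue
        rows.append((when, row["User"].strip(),
                     row["Activity Description"].strip()))
    rows.sort(key=lambda r: r[0])

    group_policy, recovery = {}, []
    for when, who, activity in rows:
        m = ASSIGNED.match(activity)
        if m:
            group_policy[m.group(2)] = m.group(1)
            continue
        m = UNASSIGNED.match(activity)
        if m:
            group_policy[m.group(2)] = None
            continue
        m = CHANGED.match(activity)
        if m:
            group_policy[m.group(1)] = m.group(3)
            continue
        m = RECOVERY.match(activity)
        if m:
            recovery.append((when, who, m.group(1), m.group(2)))
    return group_policy, recovery


def groups_without_policy(group_policy):
    """Groups whose most recent logged state is 'no native policy'."""
    return sorted(g for g, p in group_policy.items() if p is None)


if __name__ == "__main__":
    policies, actions = review(SAMPLE_LOG)
    print("Groups without a policy:", groups_without_policy(policies))
    for when, who, action, target in actions:
        print(when, who, action, target)
```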


Client Events Data

A subset of the Windows system events from Windows Client Computers will be available from the Client Events report. The following table identifies the data that will be available in the Client Events report for Windows endpoints. No client events data for Mac clients will be available.

Table 2.9—Client Log Data

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Date-Time | time date stamp | The time and date on which the activity occurred |
| User | user name | The Windows user name of the user that initiated the activity |
| Computer Name | computer name | The computer name of the Windows Client Computer on which the event was logged |
| Event Description | description text | Framework events 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Removable Storage event 2096. Refer to Appendix A “System Event Logging” on page 42 for the text of each event. |

Device Exemptions Report Data

The following table details the data available from the Device Exemptions report.

Table 2.10—Device Exemptions Report

| Column Heading | Data Displayed | Explanation |
| --- | --- | --- |
| Computer Name | computer name | The name of the computer on which devices have been exempted |
| Last Check-In | time/date stamp | The time and date of the last connection that the Client Computer made with the Symantec Endpoint Encryption Management Server |
| RS Exempted Product ID | product ID | The product ID (PID) of the exempted device |
| RS Exempted Vendor ID | vendor ID | The vendor ID (VID) of the exempted device |
| RS Device Memo | text | If a memo was added when the device was exempted, it will be available. |

Symantec Endpoint Encryption Users and Computers

The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group.

This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports on a per-group basis.

You might also want to consider your reporting needs when you create your groups (“Symantec Endpoint Encryption Managed Computer Groups” on page 37).

Symantec Endpoint Encryption Reports

Basics

The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing your endpoints and your synchronization(s).

After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool of your choice. Alternatively, you can print the report directly from the Manager Console.

Should you choose to print the report, you can choose which columns to include by right-clicking the report in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed from the Action menu.


Active Directory Forests Synchronization Status

The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory synchronization parameters and status (“Directory Services Synchronization Data” on page 11).

Client Events

The Client Events report provides you with a subset of the events logged on the endpoint (“Client Events Data” on page 14). Client events can be filtered according to inclusive date and time, user name, and computer name.

Computer Status Report

The Computer Status Report is used to retrieve the records of specific computers when you know their computer name. Following deployment of client installation packages, you can use this report to ensure that each client checks in. Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The % character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.

Computers not Encrypting to Removable Storage

The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on your network:

Did not have Removable Storage installed as of the time of last check-in.

Was not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check in.

Resides on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.

Computers with Decrypted Drives

The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:

Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.

Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have a decrypted or decrypting drive or partition.

Computers with Expired Certificates

The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL certificates due to expire within the specified number of days from the current day. Enter the number of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click Run.
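The selection rules of the Computers not Encrypting to Removable Storage and Computers with Expired Certificates reports can be re-applied to a CSV export for offline triage. This is an added example, not Symantec's code; it assumes an export whose columns use the headings of Tables 2.1 and 2.3, a `YYYY-MM-DD HH:MM:SS` timestamp format, and blank RS columns for clients without Removable Storage, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: timestamp format of the export (the guide does not specify it).
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Policies the guide counts as encrypting to removable storage
# (Encrypt all, Encrypt new, Encrypt to CD/DVD), normalised to lower case.
ENCRYPTING = {"all files", "new files", "cd/dvd only"}

# Constructed sample rows; column headings follow Tables 2.1 and 2.3.
SAMPLE_CSV = """Computer name,Group name,Last Check-In,RS Encryption Policy,SSL Certificate Expiration Date
WS-001,Finance,2010-06-01 09:15:00,All files,2011-05-01 00:00:00
WS-002,Finance,2010-06-02 11:00:00,Write unencrypted,2010-07-15 00:00:00
WS-003,Sales,,,
WS-004,Sales,2010-03-01 08:00:00,New files,2010-12-31 00:00:00
WS-005,Lab,2010-06-03 10:00:00,,2010-06-20 00:00:00
WS-006,Lab,2010-06-03 10:05:00,User choice,2010-06-05 00:00:00
"""


def parse_ts(value):
    """Return a datetime, or None when the cell is blank."""
    value = (value or "").strip()
    return datetime.strptime(value, TS_FORMAT) if value else None


def normalise_policy(value):
    """Map 'Encrypt all files' and 'All files' to the same key."""
    text = (value or "").strip().lower()
    for prefix in ("encrypt to ", "encrypt "):
        if text.startswith(prefix):
            return text[len(prefix):]
    return text


def audit(csv_text, today, cert_days=90):
    """Return {computer name: [finding, ...]} for rows that need attention."""
    findings = {}
    cutoff = today + timedelta(days=cert_days)
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if parse_ts(row.get("Last Check-In")) is None:
            # Synchronized from the directory but never checked in: only the
            # name is known, so its protection state cannot be confirmed.
            issues.append("never checked in")
        else:
            policy = normalise_policy(row.get("RS Encryption Policy"))
            if not policy:
                issues.append("no Removable Storage data")
            elif policy not in ENCRYPTING:
                issues.append("not encrypting: " + policy)
            expiry = parse_ts(row.get("SSL Certificate Expiration Date"))
            if expiry is not None and expiry < today:
                issues.append("certificate expired")
            elif expiry is not None and expiry <= cutoff:
                issues.append(
                    "certificate expires in %d days" % (expiry - today).days)
        if issues:
            findings[row["Computer name"].strip()] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_CSV, datetime(2010, 6, 10)).items():
        print(name, "->", "; ".join(issues))
```

The `today` argument is passed in rather than read from the clock so that the same export always yields the same findings.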

Computers with Specified Users

The Computers with Specified Users report allows you to find out all of the computers that one or more users have registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters have been entered, click Run.

The records of the computers on which one or more of the specified users has registered will be retrieved and listed in the report results.

Computers without Full Disk Installed

The Computers without Full Disk Installed report will retrieve the records of the following computers on your network:

Did not have Full Disk installed as of the time of last check-in.

Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Full Disk installed.

Computers without Removable Storage Installed

The Computers without Removable Storage Installed report will retrieve the records of the following computers on your network:

Did not have Removable Storage installed as of the time of last check-in.

Resides on a forest or tree that is synchronized with the Management Server and has not checked in. These clients may or may not have Removable Storage installed.

Device Exemptions Report

The Device Exemptions report allows you to obtain a list of the devices exempted from encryption on a given computer (“Device Exemptions Report Data” on page 14).

Percentage of Encrypted Endpoints

The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of computers that are encrypted versus the percentage that are not. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.

Full Disk Client Deployment

The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of computers installed with Full Disk versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this report.

Framework Deployment

The Framework Deployment report provides you with a pie chart comparison of the percentage of computers installed with Framework versus the percentage that are not. You can filter the results based on date. The numerical breakdown is provided beneath the chart.

Non-Reporting Computers

The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh.

Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the computers on your network that have not checked in with the Symantec Endpoint Encryption Management Server within the specified number of days will be retrieved and listed.

Novell eDirectory Synchronization Status

The Novell eDirectory Synchronization Status report provides the latest details of your Novell synchronization parameters and status.

Custom Reports

The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the Query Editor. Click Save when you are done and type in a name for the new report.

Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter criteria, see Table 2.1 on page 8.

While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you select the 7.0.3 check box, the records of 7.0.3 clients will be retrieved—as well as the records of GuardianEdge Framework 9.3.0 and 9.3.1 clients. If you have GuardianEdge clients, consult the following table for the full mapping.

Table 2.11—Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers

| Symantec Endpoint Encryption Version Number | Equivalent GuardianEdge Version Number(s) |
|---|---|
| 7.0.0 | 9.2.0 |
| 7.0.1 | 9.2.1 |
| 7.0.2 | 9.2.2 |
| 7.0.3 | 9.3.0, 9.3.1 |
| 7.0.4 | 9.4.0, 9.4.1 |
| 7.0.5 | 9.5.0 |
| 7.0.6 | 9.5.1, 9.5.1 Patch 1 |
| 7.0.7 | — |
| 7.0.8 | 9.5.3 |

Resultant Set of Policy (RSoP)

The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active Directory policies you assigned to Client Computers or users were actually processed as intended. This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

To generate an RSoP report, perform the following steps:

1. Open the Symantec Endpoint Encryption Manager, and in the left pane, expand Group Policy Management, then expand Group Policy Results.

2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.

3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.

4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.

5. Click Next.

The initial Symantec Endpoint Encryption installation settings as deployed using the Framework and Removable Storage client MSI packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP report.

Figure 2.1—Group Policy Results Wizard, User Selection

6. To view both user and computer policies, select the user whose user policies you want to see. If you are only interested in computer policies, select Do not display user policy settings in the results.

7. Click Next.

8. Click Next at the summary screen, then click Finish.

9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report, and displays the information in several tabs of the content pane on the right.

10. Click on the Settings tab of the Group Policy Results window in the pane on the right.

11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The view is divided into two sections: one section named Computer Configuration, and another section beneath it named User Configuration.

12. Within the section named Computer Configuration, locate the subsection named Administrative Templates.

Symantec Endpoint Encryption uses registry-based policies, and any Symantec Endpoint Encryption computer policies you create and apply will show up within the subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/Removable Storage.

For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.

13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies currently in effect.

Figure 2.2—RSoP Report From a Symantec Endpoint Encryption Client

Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates using a password and has a high level of privilege.

Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example, Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to save the HTML report.

Some Symantec Endpoint Encryption Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the particular Symantec Endpoint Encryption policy and can be ignored.
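A scripted equivalent of the computer-policy part of this procedure, added here as an example and not taken from the guide: it uses the Windows gpresult.exe tool to save the RSoP for one client and lists the settings filed under the Symantec Endpoint Encryption categories. The computer name and output folder are constructed placeholders, and the Policy, Category, Name and State element names are assumptions about the layout of the XML report.

```powershell
$Computer = 'CLIENT01'                       # constructed placeholder name
$OutDir   = Join-Path $env:TEMP 'see-rsop'   # assumed output folder
$Prefix   = 'Symantec Endpoint Encryption'   # category prefix shown in the Settings tab

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$xmlPath  = Join-Path $OutDir "$Computer-rsop.xml"
$htmlPath = Join-Path $OutDir "$Computer-rsop.html"

# /SCOPE COMPUTER corresponds to selecting "Do not display user policy
# settings in the results" in step 6. /X writes XML, /H writes HTML, and
# /F overwrites an existing file. Only one output format is allowed per call.
& gpresult.exe /S $Computer /SCOPE COMPUTER /X $xmlPath /F
if ($LASTEXITCODE -ne 0) { throw "gpresult failed for $Computer (exit code $LASTEXITCODE)" }
& gpresult.exe /S $Computer /SCOPE COMPUTER /H $htmlPath /F
if ($LASTEXITCODE -ne 0) { throw "gpresult failed for $Computer (exit code $LASTEXITCODE)" }

# Load through XmlDocument so the encoding declared in the file is honoured.
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($xmlPath)

function Get-ChildText {
    param([System.Xml.XmlNode] $Node, [string] $Name)
    # local-name() sidesteps the namespace prefixes used in the report.
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { $child.InnerText } else { '' }
}

# Assumption: administrative-template settings appear as Policy elements
# with Category, Name and State children under ComputerResults.
$xpath = "//*[local-name()='ComputerResults']//*[local-name()='Policy']"
$seePolicies = @(
    $rsop.SelectNodes($xpath) | ForEach-Object {
        [pscustomobject]@{
            Category = Get-ChildText -Node $_ -Name 'Category'
            Name     = Get-ChildText -Node $_ -Name 'Name'
            State    = Get-ChildText -Node $_ -Name 'State'
        }
    } | Where-Object { $_.Category -like "$Prefix*" }
)

if ($seePolicies.Count -eq 0) {
    # Installation settings never appear in RSoP, so an empty list means no
    # Active Directory policy update for the product has been processed.
    Write-Warning "No $Prefix policies found in the RSoP for $Computer."
}
else {
    $seePolicies | Sort-Object Category, Name | Format-Table -AutoSize
}
Write-Output "Full report saved to $htmlPath"
```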

Windows System Events

All security-related system events are logged on the Symantec Endpoint Encryption Client Computer where they may be viewed remotely by an administrator using the Windows System Event viewer. To view Removable Storage–specific system events logged on a specific Windows computer, perform the following steps:

1. Open a Run dialog from the Windows Start menu.

2. Type eventvwr.msc and click OK.

3. An Event Viewer console window opens showing the events on your local computer.

4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose Connect to another computer.

5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.

6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.

7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another computer.

8. Choose View and click Filter to open the Application Properties window.

9. From the Event Source drop-down list box, choose Removable Storage Service and click Apply.

10. This filters the event log for that computer to show Removable Storage events. Drag the Application Properties window away from the Event Viewer window, but leave it open.

11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties window for that event.

The Description field contains information about that particular Removable Storage event. To inspect other events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.

To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter out all event IDs other than the one you specified.

For a complete list of all Symantec Endpoint Encryption–specific system events, their event code numbers, and descriptions of the events, refer to Appendix A “System Event Logging” on page 42.
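The same review can be scripted across several clients with Get-WinEvent. The following is an added example, not part of the guide: the computer names and the seven-day window are constructed, and it assumes the Event Source shown in step 9 is also the provider name registered on the client. It separates clients that logged nothing from clients that could not be queried, since the second case is a gap in visibility rather than a clean result.

```powershell
$Computers = @('CLIENT01', 'CLIENT02')    # constructed placeholder names
$Source    = 'Removable Storage Service'  # Event Source chosen in step 9
$EventId   = $null                        # optional: a single event ID from Appendix A
$Since     = (Get-Date).AddDays(-7)       # assumed review window

# Server-side filter: Application log, one source, optional event ID.
$filter = @{ LogName = 'Application'; ProviderName = $Source; StartTime = $Since }
if ($null -ne $EventId) { $filter.Id = $EventId }

$events = @()
$status = foreach ($computer in $Computers) {
    $result = [pscustomobject]@{
        Computer = $computer
        State    = 'OK'
        Events   = 0
        Detail   = ''
    }
    try {
        # Remote queries need the same access that "Connect to another
        # computer" needs in Event Viewer.
        $found = @(Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop)
        $result.Events = $found.Count
        $events += $found | Select-Object @{ n = 'Computer'; e = { $computer } },
                                          TimeCreated, Id, LevelDisplayName, Message
    }
    catch {
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            # The client answered, but logged nothing from this source.
            $result.State = 'NoEvents'
        }
        else {
            # Unreachable host, access denied, or source not registered.
            $result.State  = 'QueryFailed'
            $result.Detail = $_.Exception.Message
        }
    }
    $result
}

# Per-client outcome of the query.
$status | Format-Table -AutoSize

# Event volume per client and event ID, then the newest entries in full.
$events | Group-Object Computer, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$events | Sort-Object TimeCreated -Descending | Select-Object -First 20 | Format-List
```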

3. Policy Creation & Editing

Overview

Each client will have installation settings in place. Installation settings are created at the time that the client is installed and modified each time an upgrade package is applied. Policy settings will always take precedence over any installation settings on the client.

Symantec Endpoint Encryption provides two different types of policies. While each contains identical options, Active Directory policies are created and edited in quite a different manner from native policies.

This chapter discusses the following:

How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in extensions in the Group Policy Object Editor (GPOE) (“Active Directory Policies” on page 21);

How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager (“Native Policies” on page 22); and

The individual policy options themselves (“Policy Options” on page 22).

Active Directory Policies

To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest, expand Domains, expand the domain, and expand Group Policy Objects.

To edit an existing GPO, right-click the GPO and select Edit.

To create a new GPO, right-click Group Policy Objects and select New.

The Group Policy Object Editor (GPOE) will launch.

To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage, according to your needs.

To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage, according to your needs.

Each Active Directory policy panel features three option buttons at the top:

Do not change these settings—this option is the default option. It specifies that no changes to existing policies or installation settings will be made.

Change these settings—click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect; they will just display generic defaults.

Restore the installation settings—click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.

When the Change these settings option is selected, your entries are validated when you click away from the panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary corrections before closing the GPOE window.

For a detailed discussion of the options that will become available when the Change these settings option is selected, refer to “Policy Options” on page 22.

Native Policies

To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create New Policy. When naming a policy, observe the following:

Each name must be unique and cannot have been assigned to any other native policy.

Names are case-insensitive.

Leading and trailing spaces will be deleted.

To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you want to edit and highlight it.

For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native Policy Manager, continue to the next section.

Policy Options

Client Administrators

A Client Administrator policy must contain all Client Administrator accounts that are authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to the Client Computer.

Figure 3.1—Framework Computer Policy, Client Administrators Options

At least one default Client Administrator account must be specified. No more than 1024 Client Administrator accounts can be added.

You can import a list of Client Administrators from a previously created installation settings package. Click Load from installation settings, select the previously created Framework client installer package, then click Open. The GPO panel will populate with the Client Administrator account information specified when the installation settings package was created.

Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the account.

Figure 3.2—Add New Client Administrator Dialog

Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ.

Each Client Administrator account must have credentials and a specified level of privilege.

Leave the Default admin check box selected to designate this Client Administrator as the default Client Administrator account, otherwise deselect the check box. If you deselect the Default admin check box, the Level, Authentication, and Admin Privileges controls become available.

The Default admin check box will be deselected and unavailable if you already added a default Client Administrator.

The Admin Privileges section is only available if the Default admin check box is deselected. Select the Unregister users check box to allow the Client Administrator to unregister users. All other check boxes are not relevant to Removable Storage. Deselect all the check boxes to only allow the Client Administrator to authenticate to the Administrator Client Console.

The Level list box is only available if the Default admin check box is deselected. Click Level to set the desired privilege level for the Client Administrator. Note that the privileges you set in the Level list box will be ignored by Client Computers running Symantec Endpoint Encryption 8.0.0.

The Authentication list box is only available if the Default admin check box is deselected. Click Authentication to set the Client Administrator’s authentication method. If this is a native policy and you selected None (password authentication only) when installing the Framework Manager, the list box will display Password and be unavailable. If you selected one of the token types when installing the Framework Manager, the list box will have both Password and Token options available.

If you select the Password option, type the desired password for this Client Administrator account in the Password box. The password must be a minimum of two characters and no longer than 32. Type the password a second time in the Confirm password box.

If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired certificate from the list of valid certificates found in the P7B file.

The Level settings are provided for compatibility with legacy clients, and are completely independent of the Admin Privileges settings. Use the Admin Privileges settings if your policy will apply exclusively to Symantec Endpoint Encryption 8.0.0 clients. Use both the Admin Privileges settings and the Level settings if your policy will apply to multiple versions of the Symantec Endpoint Encryption client.

Registered Users

Basics

The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered from Symantec Endpoint Encryption.

Figure 3.3—Framework Computer Policy, Registered Users Options

Authentication Method

In Authentication Method, select the authentication method you want Symantec Endpoint Encryption to effect.

Clicking on Require registered users to authenticate with ensures that users type their credentials before gaining access to the User Client Console. Select a password to have users authenticate with a password. Select a token to have users authenticate with a token. Select password or token to allow users to authenticate using either a password or a token.

Clicking on Do not require registered users to authenticate to SEE selects automatic authentication and allows all registered users to access the User Client Console without providing any credentials. The registration process itself will also be automatic and occur without user intervention—unless a registration password is specified. Coupling automatic authentication with a registration password could serve to limit the number of users able to use removable storage devices from the workstation, as only registered users can use removable storage devices.

Single Sign-On will be unavailable to users not using the same authentication method for both Windows and Symantec Endpoint Encryption. For Single Sign-On to work, the authentication methods used in both environments must be identical.

Once the policy has been processed and the Client Computer has rebooted, the user’s experience will vary. Refer to Appendix C “Authentication Method Changes” on page 78 for details of the user’s experience.

Registration

To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE account. To allow only those users who know a special registration password to be able to register, click Users must know this password to register, and type the password in the adjacent field and again to confirm. Each user will be required to know the administrator-defined registration password before they can register for a Symantec Endpoint Encryption account.

Specify the maximum number of Symantec Endpoint Encryption registered user accounts which can be created on each computer. New users will not be permitted to register after the maximum number of accounts has been reached.

Specify a custom message users will see when they are forced to register after grace restarts expire. The custom message can be from 0–900 characters in length, or you can use the default message. Note that the custom registration message field ignores any carriage returns you type or paste in.

Specify the number of grace restarts, i.e., the number of times, from 0–99, that the computer can restart before the first user who logs on will be forced to register for a Symantec Endpoint Encryption account and see the custom registration message. This setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to zero.

Unregistration

Unregistration selects whether to allow users to only be unregistered manually by Client Administrators, or whether to also automatically unregister users who do not log on after a specified period, from 1–365 days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum number of available Symantec Endpoint Encryption accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted unexpectedly.

Password Authentication

Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords must meet, if Single Sign-On is not enabled.

Figure 3.4—Framework Computer Policy, Password Authentication Options

Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a one minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the last incorrect attempt occurred, after which the one minute delay behavior is lifted.

Note that the Password Attempts settings are enforced for the Symantec Endpoint Encryption password, passwords used to decrypt self-extracting executables, passwords used to decrypt files, and passwords used to decrypt files using the Removable Storage Access Utility.

Password Complexity—These include the minimum number of characters users’ Symantec Endpoint Encryption passwords must contain, the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.

Note that the Password Complexity settings are enforced for the Symantec Endpoint Encryption password, the Removable Storage Default Password, passwords used to encrypt self-extracting executables, passwords used to encrypt files from Removable Storage–protected computers, and passwords used to encrypt files using the Removable Storage Access Utility.

Maximum Password Age—Leave this option at the default to not set an expiration date on user passwords. If you select the option to set an expiration date on user passwords, type the number of days after which users’ passwords will expire, and type the number of days in advance users will be prompted to change their expiring passwords.

Password History—Allow users to use any previously used Symantec Endpoint Encryption password, or select the other option and type the number of different passwords users must use before reverting to old passwords.

Minimum Password Age—Leave this option at the default to allow users to change their Symantec Endpoint Encryption passwords as frequently as they wish, or select the other option and type the minimum number of days that must pass before users can change their passwords. Note that leaving this option at the default will effectively override the password history feature, since a user could quickly cycle through the required number of new passwords in order to keep an old, favorite password.

Note that the Maximum Password Age, Password History, and Minimum Password Age settings can optionally be used by Removable Storage to enforce password aging restrictions on the Removable Storage Default Password chosen by users. See “Encryption Method” on page 31.

Token Authentication

If token authentication is in effect and you want to allow expired certificates, check the Users can authenticate to SEE with expired certificates check box.

Authentication Message

To change the message shown to users who are having trouble authenticating, edit the text within the Instructions for users who are having trouble with authentication field. For example, the phone number of your help desk may have been provided in the message and you may need to update it.

Communication

Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact with the Management Server.

Single Sign-On

Select or deselect the Enable Single Sign-On check box for the desired effect.

Authenti-Check

Authenti-Check allows users who have forgotten their password or do not have their token to gain access to the User Client Console. The user can then change their Symantec Endpoint Encryption password, if Single Sign-On is not enabled. If the user has been issued a new token, the user can use the User Client Console to change their token.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Use the Authenti-Check panel to enable or disable Authenti-Check, and/or to change the question-answer pair requirements.

Figure 3.5—Framework Computer/User Policy, Authenti-Check Options

Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect.

Type a value in the Minimum answer length box to set the minimum number of characters, from 1–99, that users must include when answering Authenti-Check questions.

Type one, two, or three Predefined questions, 0–99 characters in length, that a user must correctly answer before the user authenticates.

The number displayed in the Number of user-defined questions required drop-down list is dynamically updated based on how many questions you have typed in the Predefined questions boxes. Number of predefined questions shows the number of predefined questions currently specified, while Total shows the combined total of the Number of predefined questions plus the Number of user-defined questions required.

Note that at least one question must be defined either by you or by the user.

One-Time Password

One-Time Password is a help-desk-assisted means for Full Disk users to regain access to Windows. It is not relevant to Removable Storage.

Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient computer(s).

Access and Encryption

Use the Access and Encryption panel to modify the access and/or encryption policies currently being enforced by Removable Storage.

Figure 3.6—Removable Storage Computer Policy, Security Level Options

Access

Choose Do not allow access to files on removable media to deny read and write access to files and folders stored on removable storage devices, even if the user is registered to Symantec Endpoint Encryption.

Allow read-only access to files on removable media allows registered Symantec Endpoint Encryption users to read files stored on removable storage devices. If the files are encrypted, the user must provide the credentials used to encrypt the file to read its contents. Users cannot write files to removable media, even if registered.

Allow read and write access to files on removable media allows registered Symantec Endpoint Encryption users to read files on removable media and write files to removable media. If the files are encrypted, the user must provide the credentials used to encrypt the file to read its contents. Selecting this option causes the Automatic Encryption options and On Demand Encryption options to become available.

Automatic Encryption

Select the Do not encrypt option to not encrypt files on removable media.

Select the Encrypt files written to CD/DVD option to only encrypt new files written to CD/DVD media using the Symantec Endpoint Encryption CD/DVD Burner application.

Select the Encrypt files as per Symantec DLP for Endpoint option to rely on Symantec Data Loss Prevention for Endpoint 11 to dictate the encryption of files. If this option is selected, Removable Storage will encrypt files only if directed by Symantec DLP for Endpoint 11. Files written to CD/DVD using the Symantec Endpoint Encryption CD/DVD Burner application will be encrypted automatically under this option, regardless of Symantec DLP for Endpoint 11. Refer to the Administration Guide for Symantec DLP for Endpoint 11 for more information on how to configure Symantec DLP for Endpoint 11 with this option. This option requires not only Symantec DLP for Endpoint 11, but also the Symantec Endpoint Encryption FlexResponse plug-in, available separately. Contact your sales representative for more information.

Select the Encrypt new files option to automatically encrypt all files newly added to removable media.

Select the Encrypt all files option to automatically encrypt both new and pre-existing files on removable media. Upon inserting a device, users will be warned about this policy and they will have an opportunity to remove the device should there be unencrypted files that they do not want encrypted.

Select Allow users to choose to let the user modify the automatic encryption policy. If this option is selected, the following options become available, allowing you to choose the default automatic encryption policy. Select Default to encrypt new files to set the default behavior to encrypt new files written to removable media. Select Default to do not encrypt to set the default behavior to not encrypt.

On Demand Encryption

The On-Demand Encryption options allow users to manually initiate the encryption and decryption of files using right-click menu options.

Select the Users may right-click to encrypt existing files on removable media—except CD/DVD option to provide end users with the ability to encrypt files on removable media using a right-click menu. The right-click menu option will not be available for files residing on CDs or DVDs.

Select the Users may right-click to decrypt existing files on removable media—except CD/DVD option to provide end users with the ability to decrypt files on removable media using a right-click menu. The right-click menu option will not be available for files residing on CDs or DVDs.

If multimedia files are exempted from encryption, the user can use the right-click option to override the exclusion. However, the right-click option cannot be used to override a removable storage device exclusion.

Device and File Type Exclusions

Use the Device and File Type Exclusions panel to specify removable storage devices and/or multimedia file types that should be excluded from automatic encryption on computers receiving this policy.

Figure 3.7—Removable Storage Computer Policy, Device and File Type Exclusions

If you selected the Encrypt files as per Symantec DLP for Endpoint option, Symantec recommends deselecting both Users may right-click to encrypt existing files on removable media—except CD/DVD and Users may right-click to decrypt existing files on removable media—except CD/DVD.

Exemption for Multimedia Files

When you set an Encrypt all or Encrypt new policy, you can exempt certain types of multimedia files from being encrypted. Select the Exclude multimedia files from automatic encryption check box, then leave selected one or more of the following check boxes according to the type of multimedia file formats you want to exclude from encryption:

Select Audio to exclude audio files.

Select Video to exclude video files.

Select Image to exclude image files.

The full list of file extensions that corresponds to each check box is itemized in the User Guide.

The Exclude multimedia files from automatic encryption check box must be selected to effect any of the exemptions you have specified using the Audio, Video, or Image check boxes.

Device Exclusions

To exempt specific devices from all types of automatic and on-demand encryption, select the Exclude these removable storage devices from encryption check box, then enter the Vendor ID, Product ID, and an optional description into the fields provided. You can exclude up to 20 individual models of storage devices.

A number of free tools can be used to obtain the Vendor ID and Product ID of your chosen device(s), such as the Symantec Endpoint Encryption Device Control Auditor.

The Exclude these removable storage devices from encryption check box must be selected to effect any of the exemptions you have specified.

Encryption Method

Use the Encryption Method panel to modify the encryption methods currently allowed by Removable Storage. These methods will be available to users encrypting files and creating self-extracting executables from a Removable Storage–protected computer, as well as users encrypting files with the Removable Storage Access Utility from computers not protected by Removable Storage.

Figure 3.8—Removable Storage Computer Policy, Encryption Method Options

Select the appropriate option to restrict the encryption method to a password, restrict the encryption method to one or more certificates that the user chooses, or let each user choose the encryption method.

The user will be unable to circumvent the policy by manually changing the file extension.

Most tools are incapable of obtaining the Vendor ID and Product ID of flash memory cards that can be inserted into card readers. Exempt the card reader and the flash memory cards will also be exempted, as long as they are inserted into the exempted card reader.

Recovery Certificate

Use the Recovery Certificate panel to set, remove, or modify the Recovery Certificate used by Removable Storage. Note that this feature only applies to computers on which write access and encryption are enabled for removable storage devices.

Figure 3.9—Removable Storage Computer Policy, Recovery Certificate

Select the Do not encrypt files with a recovery certificate option if you do not want to use a Recovery Certificate.

Select the Encrypt files with a recovery certificate option if you want to use a Recovery Certificate. You will be prompted for the location of the PKCS#7 format certificate file (.p7b).

Once you have chosen a certificate file, the Select Certificate dialog will show information about the certificate you have chosen.

Workgroup Key

Use the Workgroup Key panel to set, remove, or modify a workgroup key. The workgroup key is used by Removable Storage and the Removable Storage Access Utility to encrypt files, in addition to the user-provided passwords and/or certificate(s). The workgroup key facilitates the sharing of encrypted files among users within a group: if the group key on the Removable Storage–protected computer matches the group key that a file was encrypted under, the user will not be prompted to provide a password or certificate to decrypt the file.

Figure 3.10—Removable Storage Computer Policy, Workgroup Key Options

Click Do not encrypt or decrypt files with a workgroup key if you do not want the computers receiving this policy to use a workgroup key.

Click Encrypt and decrypt files with this workgroup key to deploy a single workgroup key to all the computers receiving this policy. The workgroup key will be shared among all users of the target computers. It should be a 64-digit random hexadecimal value.

Clicking Generate new key will fill the key box with a randomly generated number.

If you type or paste the key in, ensure that this value is random, 64 digits, hexadecimal format, and that alphanumeric characters are lowercase.

Descriptive optional text you type in the Memo box will be displayed in RSoP reports.
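
A pre-deployment check for a typed or pasted workgroup key, added here as an example (it is not Symantec code). It enforces the 64-digit lowercase hexadecimal format required above and flags values that are obviously not random; the function names and heuristic thresholds are assumptions of this example.

```python
import re
import secrets
from collections import Counter

KEY_DIGITS = 64  # 64 hexadecimal digits = 256 bits


def generate_workgroup_key() -> str:
    """Return 64 lowercase hex digits from the operating system's CSPRNG."""
    return secrets.token_hex(KEY_DIGITS // 2)


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    previous = None
    for char in text:
        run = run + 1 if char == previous else 1
        best = max(best, run)
        previous = char
    return best


def check_workgroup_key(key: str) -> list:
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    if key != key.strip():
        problems.append("leading or trailing whitespace (common when pasting)")
        key = key.strip()
    if len(key) != KEY_DIGITS:
        problems.append(f"length is {len(key)}, expected {KEY_DIGITS} digits")
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        problems.append("contains characters that are not hexadecimal digits")
    elif key != key.lower():
        problems.append("contains uppercase letters; the guide requires lowercase")
    if problems:
        return problems  # randomness heuristics only apply to a well-formed key

    # Heuristics with assumed thresholds. They catch obviously non-random
    # values only; passing them does not prove the key is random.
    if len(Counter(key)) < 8:
        problems.append("fewer than 8 distinct digits")
    if longest_run(key) >= 8:
        problems.append("a single digit repeats 8 or more times in a row")
    for period in (1, 2, 4, 8, 16, 32):
        if key == key[:period] * (KEY_DIGITS // period):
            problems.append(f"key is a repeated {period}-digit pattern")
            break
    return problems
```

A key that passes these checks is only well-formed; whether it is random depends on how it was produced, which is why a generated key is preferable to a typed one.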

Ensure that the Recovery Certificate does not contain the private key and possesses the mandatory key usage detailed in the Installation Guide.

Portability

Use the Portability panel to specify that the Removable Storage Access Utility should be automatically copied to all removable storage devices, or to change the self-extracting file policy on the recipient computer.

Figure 3.11—Removable Storage Computer Policy, Portability Options

Access Utility

Select the Copy the Removable Storage Access Utility to all removable storage devices check box to ensure that the Removable Storage Access Utility is placed on all removable devices automatically.

If the Encrypt files written to CD/DVD option is selected, the name of this check box will change to Copy the Removable Storage Access Utility to all CDs/DVDs. Select the Copy the Removable Storage Access Utility to all CDs/DVDs check box to ensure that the Removable Storage Access Utility is written automatically to all CD/DVDs burned by the Symantec Endpoint Encryption CD/DVD Burner application.

The Removable Storage Access Utility can only be run on computers where the Removable Storage client has not been installed.

Self-Extracting Executables

To permit users to create self-extracting archives, select the Allow users to save files as password and/or certificate encrypted self-extracting executables check box.

Considered munitions by many countries, encryption software is often subject to regulations. The United States, for example, prohibits the export of strong encryption products to the following countries:

Cuba,

Iran,

Libya,

North Korea,

Sudan, and

Syria.

Legal repercussions could ensue should someone in your organization fail to comply with national and/or international statutes. Visit http://www.bis.doc.gov for more information.

Default Passwords

Use the Default Passwords panel to specify whether users can set a Default Password and/or up to two Session Default Passwords.

Figure 3.12—Removable Storage Computer Policy, Default Passwords

Default Password

Select the Allow users to set a default password option to allow the user to specify a Default Password. The Apply password aging to Removable Storage default passwords check box becomes available.

Select the Apply password aging to Removable Storage default passwords check box to ensure that the Default Password set by the user will conform to the restrictions set in the Maximum Password Age, Password History and Minimum Password Age sections of the Framework Password Authentication panel. See “Password Authentication” on page 26. This setting can be used to ensure that users change their Default Password at a designated interval. Such a policy should be accompanied by clear instructions to the user to prevent file availability issues. Specifying a Recovery Certificate is also recommended. Leaving the Apply password aging to Removable Storage default passwords check box deselected will allow any previous Removable Storage Default Password to be reused.

Select the Do not allow users to set a default password option to prevent users from setting a Default Password.

Session Default Passwords

Select Allow users to set session default passwords to allow the user to specify up to two Session Default Passwords.

Select the Delete session default passwords at the end of every Windows session option to delete any Session Default Passwords at the end of each Windows session. The user will need to set his or her Session Default Password(s) anew at the beginning of each Windows session.

Select the Deactivate session default passwords at the end of every Windows session, but allow them to persist across every Windows session option to leave the Session Default Passwords intact, but force the user to activate them at the beginning of each Windows session.

Select the Apply password aging to session default passwords option to ensure that the Default Password set by the user will conform to the restrictions set in the Maximum Password Age, Password History and Minimum Password Age sections of the Framework Password Authentication panel.

Select the Do not delete, deactivate, or apply password aging to session default passwords option to allow the Session Default Passwords to persist across sessions, and to remain active until the user changes them.

Select Do not allow users to set session default passwords to prevent users from setting any Session Default Passwords.

4. Policy Deployment

Overview

Policy deployment differs according to the type of policy that you are deploying.

Deployment of Active Directory policies is discussed in the next section.

Deployment of native policies is discussed in “Native Policies” on page 37.

Active Directory Policies

Basics

Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the Manager Console.

Order of Precedence

When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain.

If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence.

Forcing a Policy Update

Basics

Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt and press ENTER:

gpupdate /force

3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.

Windows 2000 Clients

1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER. A command prompt will open.

2. Type the following command at the command prompt and press ENTER:

secedit /refreshpolicy machine_policy /enforce

3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.

Native Policies

Basics

Native policies are applied at the computer level: they cannot be assigned on a per-user basis.

Each policy will be comprehensive and contain all of the possible configurable settings.

Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package.

Native policies are applied at the time that the Client Computer checks in with the Management Server. An immediate check-in can be performed by the user from the User Client Console on the endpoint computer.

If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in.

Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies until they have checked in with the Management Server.

The following section discusses the process of creating groups and placing Client Computers inside of them.

Symantec Endpoint Encryption Managed Computer Groups

Basics

Before you can assign policies to your Symantec Endpoint Encryption–managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the Symantec Endpoint Encryption database and available to all other Manager Computers.

By default, the Symantec Endpoint Encryption Managed Computers container contains only two groups: SEE Unassigned and Deleted Computers.

Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be placed in the SEE Unassigned group if:

Synchronization with its directory service is not enabled.

The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with.

In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the time of the next synchronization.

Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client Computers are enforcing the settings specified within their original installation package.

Group Creation

The first step in organizing your Symantec Endpoint Encryption–managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers.

Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group

Select Add New Group.

Figure 4.2—Name New Group Dialog

Enter the name of the new group. This name must be unique within its group. For example, the Finance group can have two subgroups named Laptops and Desktops and the Human Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups just below Symantec Endpoint Encryption Managed Computers named Human Resources.

Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired name of the group and click OK.

Continue to add groups and subgroups until you have the desired structure.

Move Computers

Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to another Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups.

Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.

Figure 4.3—SEE Unassigned, Computer Highlighted

Click Move.

Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog

Navigate to the desired destination group of the Client Computer. Highlight it and click OK.

Each Client Computer can only reside in one group at a time.

Policy Assignment

Native policies can be assigned to individual computers, subgroups, or groups located within either the Symantec Endpoint Encryption Managed Computers container or the Novell eDirectory Computers container.

This section describes how to assign a policy to a group within the Symantec Endpoint Encryption Managed Computers container, but the instructions are fully extensible to your individual circumstance.

Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.

Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected

Click Policy.

Figure 4.6—Policy Selection Dialog

Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.

Figure 4.7—Native Policy Assignment Confirmation

A confirmation message will be displayed. Click OK.

Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned

Following the successful assignment of the policy, the Manager Console will display the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the Management Server, they will download this policy and apply it.

Order of Precedence

Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3) Group. Computer policies have the highest precedence.

For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in which it resides, the policy applied to the computer will take precedence over the policy that was applied to the Laptops subgroup.
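
The native-policy rules from this chapter, modelled as an added example (it is not part of the Manager Console or any Symantec API): group names are trimmed and must be unique within their parent, a computer sits in one group at a time, and the effective policy is resolved Computer, then Subgroup, then Group, falling back to the installation package settings. The class, method and policy names are assumptions, as is the reading that a computer inherits the policy of the nearest enclosing group that has one.

```python
ROOT = ()  # the Symantec Endpoint Encryption Managed Computers container
INSTALL_DEFAULTS = "settings from the original installation package"


class ManagedComputers:
    """Toy model of native-policy groups; a group path is a tuple of names."""

    def __init__(self):
        self.groups = {ROOT}
        self.group_policy = {}     # group path -> policy name
        self.computer_group = {}   # computer -> group path (one group at a time)
        self.computer_policy = {}  # computer -> policy name
        self.unassigned = self.add_group("SEE Unassigned")

    def add_group(self, name, parent=ROOT):
        name = name.strip()  # leading and trailing spaces are deleted
        if not name:
            raise ValueError("a group name must be at least one character")
        if parent not in self.groups:
            raise KeyError(f"unknown parent group: {parent!r}")
        path = parent + (name,)
        if path in self.groups:
            raise ValueError(f"{name!r} already exists at this level")
        self.groups.add(path)
        return path

    def move_computer(self, computer, group):
        if group not in self.groups or group == ROOT:
            raise KeyError(f"unknown destination group: {group!r}")
        self.computer_group[computer] = group  # replaces any previous group

    def assign_policy(self, policy, *, computer=None, group=None):
        if (computer is None) == (group is None):
            raise ValueError("name exactly one recipient: computer or group")
        if computer is not None:
            self.computer_policy[computer] = policy
        elif group in self.groups and group != ROOT:
            self.group_policy[group] = policy
        else:
            raise KeyError(f"unknown recipient group: {group!r}")

    def effective_policy(self, computer):
        """Return (policy, source) using Computer > Subgroup > Group."""
        if computer in self.computer_policy:
            return self.computer_policy[computer], "computer"
        path = self.computer_group.get(computer, self.unassigned)
        while path != ROOT:  # walk from the innermost subgroup outwards
            if path in self.group_policy:
                return self.group_policy[path], "/".join(path)
            path = path[:-1]
        return INSTALL_DEFAULTS, "no policy assigned"
```

Resolving the effective policy this way before changing an assignment shows which computers still enforce only their installation package settings, for example those left in SEE Unassigned.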

Forcing a Policy Update

Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now.

Appendix A. System Event Logging

Basics

This appendix itemizes the events logged by Symantec Endpoint Encryption on Windows Client Computers. The events are available from the Windows System Event Viewer.
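
One way to triage these events once they have been collected, added here as an example (it is not Symantec tooling): it flags bursts of failed authentication, recovery-method successes that follow recent failures, and the events that merit review on their own. The event IDs are those listed in Table A.1 below; the record layout (timestamp, computer, event ID), the threshold and the time window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs taken from Table A.1 (Framework System Events).
FAILED_AUTH = {4: "password", 6: "token", 8: "One-Time Password", 10: "Authenti-Check"}
NORMAL_SUCCESS = {3, 5}  # password or token logon succeeded
RECOVERY_SUCCESS = {7: "One-Time Password", 9: "Authenti-Check"}
ALWAYS_REVIEW = {
    11: "logon attempts exceeded the maximum allowed",
    14: "uninstallation of Framework attempted",
    18: "computer locked after failing to reach the SEE server",
}

# Constructed sample records: (ISO timestamp, computer name, event ID).
SAMPLE_EVENTS = [
    ("2010-06-01T08:30:00", "WS-02", 3),
    ("2010-06-01T09:00:00", "WS-01", 4),
    ("2010-06-01T09:00:40", "WS-01", 4),
    ("2010-06-01T09:01:10", "WS-01", 4),
    ("2010-06-01T09:01:30", "WS-01", 11),
    ("2010-06-01T09:05:00", "WS-01", 9),
    ("2010-06-01T12:00:00", "WS-02", 4),
    ("2010-06-01T12:01:00", "WS-02", 3),
    ("2010-06-01T14:00:00", "WS-03", 14),
]


def triage(events, window=timedelta(minutes=10), threshold=3):
    """Return findings as (computer, timestamp, kind, detail) tuples."""
    per_computer = defaultdict(list)
    for stamp, computer, event_id in sorted(events):
        per_computer[computer].append((datetime.fromisoformat(stamp), event_id))

    findings = []
    for computer, rows in per_computer.items():
        failures = []  # times of failed authentications still inside the window
        for when, event_id in rows:
            failures = [t for t in failures if when - t <= window]
            if event_id in FAILED_AUTH:
                failures.append(when)
                if len(failures) == threshold:  # report once per burst
                    findings.append((computer, when.isoformat(), "failure-burst",
                                     f"{threshold} failed authentications within {window}"))
            elif event_id in RECOVERY_SUCCESS:
                # A recovery method succeeding right after failures may be a
                # forgotten password, or someone answering on the user's behalf.
                if failures:
                    findings.append((computer, when.isoformat(), "recovery-after-failures",
                                     f"{RECOVERY_SUCCESS[event_id]} succeeded after "
                                     f"{len(failures)} recent failures"))
                failures = []
            elif event_id in NORMAL_SUCCESS:
                failures = []  # an ordinary successful logon ends the streak
            elif event_id in ALWAYS_REVIEW:
                findings.append((computer, when.isoformat(), f"event-{event_id}",
                                 ALWAYS_REVIEW[event_id]))
    return findings
```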

Framework System Events List

The following table lists the individual Framework–generated Windows system events logged on the Client Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a description of the event indicating the type, source, or policy that generated the event (Internal, Program Action, Initial Setting, Settings Change, or Utility).

Table A.1—Framework System Events

Event ID

Severity Description Explanation

0 Error Internal: Cannot map event ID to string. FrameworkThe Framework event ID cannot be mapped to the string in the Framework.

1 Info Internal: Audit functions started. Framework The Framework audit functions have started.

2 Info Internal: Audit functions ended. Framework The Framework audit functions have ended.

3 InfoProgram Action: Successful client logon/authentication attempted with password. Framework user name

An attempt to log on at pre-Windows with a password has succeeded.

4 WarningProgram Action: Unsuccessful client logon/authentication attempted with password. Framework user name

An attempt to log on at pre-Windows with a password has failed.

5 InfoProgram Action: Successful client logon/authentication attempted with token. Framework user name

An attempt to log on at pre-Windows with a token has succeeded.

6 WarningProgram Action: Unsuccessful client logon/authentication attempted with token. Framework

An attempt to log on at pre-Windows with a token has failed.

7 InfoProgram Action: Successful logon/authentication attempted with One-Time Password. Framework

The One-Time Password process has succeeded in authenticating the user.

8 WarningProgram Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework

The One-Time Password process has failed to authenticate the user.

9 InfoProgram Action: Successful logon/authentication attempted with Authenti-Check. Framework

The Authenti-Check process has succeeded in authenticating the user.

10 WarningProgram Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework

The Authenti-Check process has failed to authenticate the user.

11 WarningProgram Action: Number of client logon attempts exceeded the maximum allowed. Framework

The number of pre-Windows logon attempts allowed before a delay has been exceeded.

12 InfoProgram Action: User password changed successfully. Framework user name

The user has successfully changed their Symantec Endpoint Encryption password.

13 InfoProgram Action: User password changed unsuccessfully. Framework

The user attempted to change their Symantec Endpoint Encryption password, but failed. This could be because it did not meet the password requirements.

14 WarningProgram Action: User program uninstallation attempted. Framework

An attempt to uninstall Framework has been made.

15 InfoProgram Action: User changed Authenti-Check questions and answers successfully. Framework

The user has succeeded in changing their Authenti-Check question(s) and/or answer(s).

Symantec Endpoint Encryption Removable Storage 42

Page 49: Symantec Endpoint Encryption Removable Storageorigin-symwisedownload.symantec.com/resources/sites... · Symantec Endpoint Encryption ... Removable Storage enforces access control

Policy Administrator Guide System Event Logging

16 InfoProgram Action: User user name has been unregistered. Framework

The user has successfully been unregistered.

17 InfoProgram Action: User password resynchronized with Windows password. Framework

The user’s Symantec Endpoint Encryption password has been resynchronized with their Windows password to enable the Single Sign-On feature.

18 WarningProgram Action: Computer locked due to failure to communicate with SEE server. Framework

The Client Computer has failed to communicate with the Symantec Endpoint Encryption Management Server within the mandatory interval and, as a result, has been locked.

19 Warning Program Action: User password expired. FrameworkThe user’s Symantec Endpoint Encryption password has expired.

20 InfoProgram Action: User registration completed. Framework user name

The user has successfully completed the registration process.

21 Warning Program Action: Final grace logon reached. FrameworkThe number of grace restarts is now zero and the next user to log on to Windows will be forced to register.

22 InfoProgram Action: User logged on after Hibernation or/and Stand by. Framework user name

A hibernation or standby process was initiated and ended when the user logged on to Windows.

23 InfoProgram Action: Client program installation attempted. Framework

An attempt to install Framework was made.

24 InfoProgram Action: Client program upgrade attempted. Framework

An attempt to upgrade Framework was made.

25 Info Program Action: Grace logon attempted. Framework An attempt to exercise a grace restart was made.

26 InfoProgram Action: Authenti-Check questions and answers created. Framework

The user has set their Authenti-Check questions and answers as a part of the registration process.

27 InfoProgram Action: User password created. Framework user name

The user has set their Symantec Endpoint Encryption password as a part of the registration process.

28 InfoProgram Action: Token account created. Framework user name

A token user has created their Symantec Endpoint Encryption account during the registration process.

29 InfoInitial Setting: One-Time Password online|offline method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.

The One-Time Password recovery method has been enabled as an installation setting. The default method will be online|offline, as indicated in the audit event.

30 ErrorInitial Setting: One-Time Password online|offline method enabled; policy failed. Framework Installation Settings - Authentication Assistance.

The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied.

31 InfoInitial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.

The One-Time Password recovery method is not enabled for this workstation, as per the installation setting.

32 ErrorInitial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance.

The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied.

33 InfoInitial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.

The Authenti-Check recovery method has been enabled as an installation setting.

34 ErrorInitial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance.

The installation package specified that the Authenti-Check recovery method should be enabled, but this setting failed to be applied.

35 InfoInitial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.

The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting.

Table A.1—Framework System Events (Continued)

Event ID

Severity Description Explanation


36 Error Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance.

The installation package specified that the Authenti-Check recovery method should not be enabled, but this setting failed to be applied.

37 Info Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance.

The authentication assistance message specified in the installation package was set successfully.

38 Error Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance.

The authentication assistance message specified in the installation package failed to be set.

39 Info Initial Setting: Client Administrator account name account created with low|medium|high privileges; policy applied successfully. Framework Installation Settings - Client Administrators.

The Client Administrator account specified in the installation package and described in the audit log description was created successfully.

40 Error Initial Setting: Client Administrator account name account created with low|medium|high privileges; policy failed. Framework Installation Settings - Client Administrators.

The Client Administrator account specified in the installation package and described in the audit log description failed to be created.

41 Info Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication.

The Symantec Endpoint Encryption Management Server communication interval specified in the installation package was set successfully.

42 Error Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication.

The Symantec Endpoint Encryption Management Server communication interval specified in the installation package failed to be set.

43 Info Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication.

The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package was set successfully.

44 Error Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication.

The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package failed to be set.

45 Info Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication.

The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package was set successfully.

46 Error Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication.

The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package failed to be set.

47 Info Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

The limitation on the number of password authentication attempts specified in the installation package has been set successfully.

48 Error Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication.

The limitation on the number of password authentication attempts specified in the installation package failed to be set.

49 Info Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

No limitation to the number of password authentication attempts, as specified in the installation package, has been set successfully.

50 Error Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication.

No limitation to the number of password authentication attempts, as specified in the installation package, failed to be set.

55 Info Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

The user’s passwords will expire at the interval designated in the installation package; this was set successfully.

56 Error Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication.

The user’s passwords will not expire at the interval designated in the installation package; this failed to be set.


57 Info Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

The user’s passwords will not expire. This was set successfully, as specified in the installation package.

58 Error Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication.

Although the installation package specified that the user’s passwords would not expire, this failed to be set.

59 Info Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

The user will be able to reuse previous passwords; this installation setting was applied successfully.

60 Error Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied.

61 Info Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.

The user will not be able to use previous passwords; the limitations specified in the installation package were applied successfully.

62 Error Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication.

Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied.

63 Info Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that users must set their passwords to be of a minimum length. This was set successfully.

64 Error Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that users must set their passwords to be of a minimum length. This setting failed to be applied.

65 Info Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that users will be able to use non-alphanumeric characters in their passwords. This was set successfully.

66 Error Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied.

67 Info Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This was set successfully.

68 Error Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This setting failed to be applied.

69 Info Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This was set successfully.

70 Error Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This setting failed to be applied.


71 Info Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This was set successfully.

72 Error Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This setting failed to be applied.

73 Info Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of digits must be present in the user’s passwords. This was set successfully.

74 Error Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication.

The installation package specified that a minimum number of digits must be present in the user’s passwords. This setting failed to be applied.

75 Info Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that the user must provide the registration password to be able to register. This was set successfully.

76 Error Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied.

77 Info Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that no registration password is required to allow a user to register. This was set successfully.

78 Error Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied.

79 Info Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

80 Error Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users.

The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

81 Info Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate only using passwords. This was set successfully.

82 Error Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate only using passwords. This setting failed to be applied.

83 Info Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate only using tokens. This was set successfully.

84 Error Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate only using tokens. This setting failed to be applied.

85 Info Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate using the method of their choice. This was set successfully.

86 Error Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that users will authenticate using the method of their choice. This setting failed to be applied.


87 Info Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified that users will see a custom message during registration. This was set successfully.

88 Error Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users.

The installation package specified that users will see a custom message during registration. This setting failed to be applied.

89 Info Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users.

The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully.

90 Error Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users.

The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied.

91 Info Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication.

The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully.

92 Error Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication.

The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.

93 Info Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication.

The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully.

94 Error Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication.

The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.

95 Info Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.

The installation package specified that users will authenticate using Single Sign-On. This was set successfully.

96 Error Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On.

The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied.

97 Info Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.

The installation package specified that users will not authenticate using Single Sign-On. This was set successfully.

98 Error Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On.

The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied.

99 Info Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption.

The installation package specified the encryption strength. This was set successfully.

100 Error Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption.

The installation package specified the encryption strength. This setting failed to be applied.

101 Info Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.

The installation package specified that the client database files will be stored in the default location. This was set successfully.

102 Error Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization.

The installation package specified that the client database files will be stored in the default location. This setting failed to be applied.

103 Info Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.

The installation package specified that the client database files will be stored in a custom location. This was set successfully.


104 Error Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization.

The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied.

105 Info Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance.

A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully.

106 Error Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance.

A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied.

107 Info Settings Change: One-Time Password online|offline method enabled; policy applied successfully. Framework User Policy - Authentication Assistance.

A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This was set successfully.

108 Error Settings Change: One-Time Password online|offline method enabled; policy failed. Framework User Policy - Authentication Assistance.

A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This setting failed to be applied.

109 Info Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.

A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully.

110 Error Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance.

A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied.

111 Info Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance.

A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully.

112 Error Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance.

A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied.

113 Info Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.

A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully.

114 Error Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance.

A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied.

115 Info Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance.

A policy specified that the Authenti-Check settings were modified. This was set successfully.

116 Error Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance.

A policy specified that the Authenti-Check settings were modified. This setting failed to be applied.

117 Info Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy applied successfully. Framework Computer Policy - Client Administrators.

A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This was set successfully.

118 Error Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy failed. Framework Computer Policy - Client Administrators.

A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This setting failed to be applied.

119 Info Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication.

A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This was set successfully.


120 Error Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication.

A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

121 Info Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication.

A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

122 Error Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication.

A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

123 Info Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication.

A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

124 Error Settings Change: a policy modifying the SEE Management Server client account password failed to be applied. Framework Computer Policy - Communication.

A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

125 Info Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

126 Error Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

127 Info Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

128 Error Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

129 Info Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully.

130 Error Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

135 Info Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that forces the user’s passwords to expire at the designated interval. This was set successfully.

136 Error Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that forces the user’s passwords to expire at the designated interval. This setting failed to be applied.

137 Info Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that does not force the user’s passwords to expire. This was set successfully.


138 Error Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that does not force the user’s passwords to expire. This setting failed to be applied.

139 Info Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often a user’s passwords will expire. This was set successfully.

140 Error Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often a user’s passwords will expire. This setting failed to be applied.

141 Info Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that allows the user to reuse previous passwords. This was set successfully.

142 Error Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied.

143 Info Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that prevents the user from using previous passwords. This was set successfully.

144 Error Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that prevents the user from using previous passwords. This setting failed to be applied.

145 Info Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully.

146 Error Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied.

147 Info Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified the minimum length for user passwords. This was set successfully.

148 Error Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied.

149 Info Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This was set successfully.

150 Error Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This setting failed to be applied.

151 Info Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This was set successfully.

152 Error Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This setting failed to be applied.

Table A.1—Framework System Events (Continued)

Event ID | Severity | Description | Explanation


153 Info Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This was set successfully.

154 Error Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This setting failed to be applied.

155 Info Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This was set successfully.

156 Error Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This setting failed to be applied.

157 Info Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This was set successfully.

158 Error Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This setting failed to be applied.

159 Info Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that the user must provide the registration password to be able to register. This was set successfully.

160 Error Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied.

161 Info Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that no registration password is required to allow a user to register. This was set successfully.

162 Error Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied.

163 Info Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that modified the registration password users must know to be able to register. This was set successfully.

164 Error Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied.

165 Info Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

166 Error Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

167 Info Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that users will authenticate only using passwords. This was set successfully.


168 Error Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that users will authenticate only using passwords. This setting failed to be applied.

169 Info Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that users will authenticate only using tokens. This was set successfully.

170 Error Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that users will authenticate only using tokens. This setting failed to be applied.

173 Info Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that modified the custom message users will see during registration. This was set successfully.

174 Error Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that modified the custom message users will see during registration. This setting failed to be applied.

175 Info Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication.

A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully.

176 Error Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication.

A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.

177 Info Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication.

A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully.

178 Error Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication.

A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.

179 Info Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On.

A policy was specified that users will authenticate using Single Sign-On. This was set successfully.

180 Error Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On.

A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied.

181 Info Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On.

A policy was specified that users will not authenticate using Single Sign-On. This was set successfully.

182 Error Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On.

A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied.

183 Info Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller.

After a user successfully completes the password recovery process in pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity.

184 Info Program Action: Client Administrator account name unregistered user user name. Framework

The Client Administrator account name has unregistered the user user name on the Client Computer.

185 Info Settings Change: Client Administrator account name created with low|medium|high privileges; policy applied successfully. Framework Installation Settings - Client Administrators.

A policy was specified that added account name as a Client Administrator having low|medium|high privileges. This was set successfully.

186 Info Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully.


187 Error Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication.

The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied.

188 Info Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully.

189 Error Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.

The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.

190 Info Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully.

191 Error Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied.

192 Info Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully.

193 Error Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.

194 Info Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.

A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully.

195 Error Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.

A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied.

196 Info Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.

197 Error Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.

198 Info Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.

199 Error Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.

200 Info Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.

201 Error Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.


202 Info Settings Change: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users.

A policy was specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.

203 Error Settings Change: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users.

A policy was specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.

204 Info Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users.

The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.

205 Error Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users.

The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.

206 Info Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users.

The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.

207 Error Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users.

The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.

208 Info Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users.

The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.

209 Error Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users.

The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.

210 Info Initial Setting: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users.

The installation package specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.

211 Error Initial Setting: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users.

The installation package specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.

212 Info Initial Setting: the client will not communicate with the SEE Management Server and is a silent client; installation setting applied successfully. Framework Installation Settings - Communication.

The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This was set successfully.

213 Error Initial Setting: the installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Settings - Communication.

The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This setting failed to be applied.


214 Info Settings Change: this client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Policy - Communication.

A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This was set successfully.

215 Error Settings Change: a policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Policy - Communication.

A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This setting failed to be applied.

216 Info Program Action: User user name successfully modified their One-Time Password personal identifier. Framework user name

A user has successfully modified their One-Time Password personal identifier. This was set successfully.

217 Error Program Action: User user name failed to modify their One-Time Password personal identifier. Framework user name

A user has successfully modified their One-Time Password personal identifier. This setting failed to be applied.

218 Info Settings Change: Client Administrator account name password modified; policy applied successfully. Framework Computer Policy - Client Administrators.

A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This was set successfully.

219 Error Settings Change: Client Administrator account name password modified; policy failed. Framework Computer Policy - Client Administrators.

A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This setting failed to be applied.

220 Info Settings Change: Client Administrator account name certificate modified; policy applied successfully. Framework Computer Policy - Client Administrators.

A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This was set successfully.

221 Error Settings Change: Client Administrator account name certificate modified; policy failed. Framework Computer Policy - Client Administrators.

A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This setting failed to be applied.

222 Info Settings Change: Client Administrator account name has unregistered. Framework Computer Policy - Client Administrators.

A policy or installation setting was specified that unregistered the Client Administrator account name on the Client Computer.

223 Info Initial Setting: the address of the SEE Management Server was set successfully. Framework Installation Settings - Communication.

The address of the Symantec Endpoint Encryption Management Server was successfully set during installation.

224 Error Initial Setting: the address of the SEE Management Server failed to be set. Framework Installation Settings - Communication.

The address of the Symantec Endpoint Encryption Management Server was not set during installation.

225 Info Initial Setting: the domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication.

The domain of the Symantec Endpoint Encryption Management Server client account was successfully set during installation.

226 Error Initial Setting: the domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication.

The domain of the Symantec Endpoint Encryption Management Server client account was not set during installation.

227 Info Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication.

The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was successfully set.


228 Error Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication.

The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was not set during installation.

229 Info Program Action: User token changed successfully.

A user has successfully changed their token using the User Client Console.

230 Info Program Action: User token changed unsuccessfully.

A user was unable to change their token using the User Client Console.

231 Info Program Action: User token registered successfully.

A user registered a token using the Registration wizard.

232 Info Program Action: User token registered unsuccessfully.

A user was unable to register a token using the Registration wizard.

233 Info Program Action: User password registered successfully.

A user registered a password using the Registration wizard.

234 Info Program Action: User password registered unsuccessfully.

A user was unable to register a password using the Registration wizard.

235 Info Settings Change: Client Administrator account name authentication method modified; policy applied successfully. Framework Computer Policy - Client Administrators.

A policy was applied that resulted in a change to the authentication method used by the specified Client Administrator.

236 Error Settings Change: Client Administrator account name authentication method modified; policy failed. Framework Computer Policy - Client Administrators.

A policy that would have resulted in a change to the authentication method used by the specified Client Administrator failed to be applied.

237 Info Settings Change: One-Time Password communication unlock enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance.

A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

238 Error Settings Change: One-Time Password communication unlock enabled; policy failed. Framework Computer Policy - Authentication Assistance.

A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

239 Info Settings Change: One-Time Password communication unlock not enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance.

A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

240 Error Settings Change: One-Time Password communication unlock not enabled; policy failed. Framework Computer Policy - Authentication Assistance.

A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

241 Info Settings Change: User authentication with password or token setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.

A policy specifying that users on this computer should be able to authenticate with either a password or a token has been set successfully.

242 Error Settings Change: User authentication with password or token setting enabled; policy failed. Framework Computer Policy - Registered Users.

A policy specifying that users on this computer should be able to authenticate with either a password or a token failed to be applied.

243 Info Program Action: User account name has been unregistered due to applying new authentication method policy. Framework

Automatic authentication is no longer in place on this computer, as the result of either an upgrade or a policy update. The account that was automatically created for the specified user has been deleted.


244 Info Program Action: User account name has been unregistered due to account expiration. Framework

The account of the specified user has been deleted because the user failed to log on within the number of days specified in the Unregistration area of the Registered Users panel.

245 Info Program Action: Successful Client Console logon/authentication attempted with Authenti-Check. Framework account name

The specified user successfully authenticated using Authenti-Check.

246 Warning Program Action: Unsuccessful Client Console logon/authentication attempted with Authenti-Check. Framework account name

The specified user failed to successfully authenticate using Authenti-Check.

247 Info Initial Setting: One-Time Password communication unlock enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance

A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

248 Error Initial Setting: One-Time Password communication unlock enabled; policy failed. Framework Installation Settings - Authentication Assistance.

A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

249 Info Initial Setting: One-Time Password communication unlock not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.

A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

250 Error Initial Setting: One-Time Password communication unlock not enabled; policy failed. Framework Installation Settings - Authentication Assistance.

A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

Removable Storage System Events List

The following table lists the individual Removable Storage–generated Windows system events logged on the client. These events are logged in the Application section of the Windows Event Log.
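Added example (not part of the Symantec guide): a Python sketch that reviews records for the Removable Storage events in Table A.2 below. It flags rows that are logged at Info severity although their Explanation describes a failure, and logons (109) or logoffs (110) that are never followed by event 114 or 116 for the same user. The record layout (`seq`, `event_id`, `user`), the sample records, and the choice to treat a missing follow-up as worth review are assumptions; no Windows Event Log API is used.

```python
from collections import namedtuple

# One exported record (constructed layout, not a Symantec or Windows format):
# seq is the record's position in the log, event_id is the ID from Table A.2,
# user is the account named in the message, or None when the message names none.
Event = namedtuple("Event", "seq event_id user")

# Table A.2 rows logged at Info severity whose Explanation describes a failure.
# A filter on Warning/Error severity alone would never surface these.
INFO_BUT_ACTIONABLE = {
    111: "could not impersonate user; the guide calls this a serious problem",
    115: "service could not connect to the RS GUI process",
    117: "user policy settings could not be read from the Registry",
    118: "machine policy settings or workgroup key could not be read",
    122: "XML header for an encrypted file could not be created",
    566: "file encryption did not complete",
    568: "file decryption did not complete",
    569: "threshold reached for failed authentication attempts",
    571: "delay after failed authentication attempts could not be instituted",
    573: "delay after failed authentication attempts could not be expired",
}

# Ordering stated in the table: 114 follows 109 (logon), 116 follows 110 (logoff).
EXPECTED_FOLLOWUP = {109: 114, 110: 116}


def _unmatched(trigger):
    """Build the finding for a logon/logoff whose follow-up event never arrived."""
    expected = EXPECTED_FOLLOWUP[trigger.event_id]
    return (trigger.seq, trigger.event_id,
            f"no event {expected} followed for {trigger.user}")


def review(events):
    """Return sorted (seq, event_id, reason) findings for a list of Event records."""
    findings = []
    pending = {}  # (user, expected follow-up ID) -> trigger Event still waiting
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.event_id in INFO_BUT_ACTIONABLE:
            findings.append((ev.seq, ev.event_id, INFO_BUT_ACTIONABLE[ev.event_id]))
        if ev.event_id in EXPECTED_FOLLOWUP:
            key = (ev.user, EXPECTED_FOLLOWUP[ev.event_id])
            stale = pending.get(key)
            if stale is not None:
                # A second logon/logoff arrived before the first was matched.
                findings.append(_unmatched(stale))
            pending[key] = ev
        else:
            # Any event clears a trigger that was waiting for exactly this ID.
            pending.pop((ev.user, ev.event_id), None)
    findings.extend(_unmatched(ev) for ev in pending.values())
    return sorted(findings)


# Constructed sample records: alice has a normal session with a failed decryption
# and a failed throttle; bob logs on but the RS GUI process never starts.
SAMPLE = [
    Event(1, 105, None),
    Event(2, 109, "EXAMPLE\\alice"),
    Event(3, 114, "EXAMPLE\\alice"),
    Event(4, 119, "EXAMPLE\\alice"),
    Event(5, 568, None),
    Event(6, 569, None),
    Event(7, 571, None),
    Event(8, 110, "EXAMPLE\\alice"),
    Event(9, 116, "EXAMPLE\\alice"),
    Event(10, 109, "EXAMPLE\\bob"),
    Event(11, 113, "EXAMPLE\\bob"),  # Error severity, so a severity filter catches it
    Event(12, 117, "EXAMPLE\\bob"),
]

if __name__ == "__main__":
    for seq, event_id, reason in review(SAMPLE):
        print(f"record {seq}: event {event_id}: {reason}")
```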

Table A.2—Removable Storage System Events

Event ID Severity Description Explanation

100 Info The Removable Storage service was installed.

Removable Storage was installed.

101 Info The Removable Storage service was removed.

Removable Storage was uninstalled.

102 Error The Removable Storage service could not be removed.

An uninstallation of Removable Storage was attempted, but due to some problem with the MSI, the Removable Storage Service was not removed during the uninstallation.

103 Error The control handler could not be installed.

The Removable Storage Service could not be started.

104 Error The initialization process failed.

Removable Storage experienced problems with an important component of its operations, such as the Registry, device detection, named pipes, or the filter driver. This could be remedied by unplugging all devices and rebooting.

105 Info The service was started.

This routine event should be logged each time the computer boots up.

106 Error The service received an unsupported request.

A request was made to the Removable Storage service that is not supported.

108 Info The service was stopped.

This routine event should be logged each time the computer is shut down.

109 Info Detected logon by user domain name or local machine name/user name.

This routine event should be recorded each time a user logs on to Windows.

110 Info Detected logoff by user domain name or local machine name/user name.

This routine event should be recorded each time a user logs off of Windows.

111 Info Could not impersonate user domain name or local machine name/user name.

This event indicates a serious problem and should not occur.

112 Error Notification Package could not connect to service to load or unload user domain name or local machine name/user name.

This event indicates an issue with the Removable Storage Service. It should follow either Removable Storage event 109 or 110. If this message occurs, the machine should be rebooted.

113 Error Could not start the RS GUI process for user domain name or local machine name/user name.

This event indicates a serious problem with the GUI or named pipes communications.

114 Info Successfully started the RS GUI process for user domain name or local machine name/user name.

This routine event should always follow Removable Storage event 109.

115 Info Could not connect to the RS GUI process for user domain name or local machine name/user name.

The Removable Storage Service attempted to display a GUI element to the user, but failed.

116 Info The RS GUI process for user domain name or local machine name/user name has shut down.

This routine event should always follow Removable Storage event 110.

117 Info The service was unable to retrieve settings for user domain name or local machine name/user name.

Removable Storage was unable to read the Registry and cannot determine user policy settings for the specified user. This could cause unexpected behavior.

118 Info The service was unable to retrieve settings for the local machine.

Removable Storage was unable to read the Registry and cannot determine policy settings and/or the workgroup key. This could cause unexpected behavior.

119 Info A removable device type was detected under user domain name or local machine name/user name and successfully activated.

This routine event should be logged each time a user inserts a device of interest.

120 Info A removable device type was detected under user domain name or local machine name/user name and failed to activate. It is the correct behavior for media readers without inserted media (such as a floppy drive with no floppy inserted) to not activate.

This event indicates a user inserted a device of interest, but it failed to be activated by Removable Storage. The Removable Storage Service could not establish communication with the device. The user may have pulled the device out. If not, there may be a more serious problem.

121 Info User domain name or local machine name/user name successfully created an XML header for file name.

This routine event should be logged each time an encrypted file is placed on a device of interest.

122 Info User domain name or local machine name/user name failed to create an XML header for file name.

This event indicates a failed attempt to create a header for an encrypted file. This could occur for a variety of reasons, such as the failure of a cryptographic library or the XML library to initialize, or if the Recovery Certificate could not be found.

123 Warning The service was started manually. A user is already logged in.

This event indicates a user manually started the Removable Storage Service and it will not function properly. A reboot of the machine should solve this problem.

124 Warning User domain name or local machine name/user name is not registered with the Framework and is being denied access to a removable volume.

A user is attempting to access a removable storage device, but has not registered with the Framework.

125 Error User domain name or local machine name/user name failed to parse the XML header for file name.

This event indicates a failed attempt to parse the header for an encrypted file.

126 Warning A failure occurred generating the password node of the XML header.

This event indicates a failed attempt to create the password node of a header for an encrypted file.

127 Warning A failure occurred generating the group key node of the XML header.

This event indicates a failed attempt to create the group key node of a header for an encrypted file.

128 Warning A failure occurred generating the certificate node of the XML header for Serial Number serial number.

This event indicates a specific failure while creating the certificate key node of a header for an encrypted file.

129 Warning A failure occurred generating the certificate node of the XML header.

This event indicates a general failure while creating the certificate key node of a header for an encrypted file.

130 Info The SEE-RS Access Utility has been copied to drive letter

This event indicates that the Removable Storage Access Utility has been copied to the specified device.

135 Info The self-extracting file file name was successfully created.

The specified self-extracting file was created.

136 Error The file file name could not be decrypted because the current user's logon information was not received.

The Removable Storage service did not receive login information about the user and cannot proceed.

139 Error The SEE-RS Access Utility could not be copied to drive letter. error

This event indicates a failed attempt to distribute the Removable Storage Access Utility to a device.

144 Info The newly created file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name.

A new file of the name indicated was added to a removable storage device by the specified user. The file would normally have been encrypted because an encrypt all or an encrypt new policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files.

145 Info The existing file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name.

A file of the name indicated existed on a removable storage device that was inserted into the Removable Storage–protected workstation by the specified user. The file would normally have been encrypted because an encrypt all policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files.

534 Info GPO and SEE Framework policy synchronization completed.

Policy synchronization has been completed.

535 Error A failure occurred during the device mount process for device drive letter. Applying a No Access policy to the device. Please disconnect and reconnect device to remount the device properly.

This event indicates a failed attempt to mount a removable storage device. The user will not be able to access the device.

565 Info Encryption of a file file name completed successfully.

The user attempted to encrypt a file and the operation completed successfully.

566 Info Encryption of a file file name did not complete successfully.

The user attempted to encrypt a file and the operation failed.

567 Info Decryption of a file file name completed successfully.

The user attempted to decrypt a file and the operation completed successfully.

568 Info Decryption of a file file name did not complete successfully.

The user attempted to decrypt a file and the operation failed.

569 Info Threshold reached for failed authentication attempts to encrypt or decrypt a file.

The user reached the maximum number of incorrect passwords allowed while attempting to encrypt or decrypt a file.

570 Info Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. success.

The user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file and must wait for one minute before further attempts.

571 Info Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. failure.

The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be instituted.

572 Info Expiration of the delay instituted because of failed authentication attempts. success.

The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file has expired.

573 Info Expiration of the delay instituted because of failed authentication attempts. failure.

The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be expired.

579 Info The Default Password for user user name has reached maximum age.

Password aging is enabled. The user must use the User Client Console to change their Default Password. The expired Default Password can still be used for decryption.

585 Info The user user name has enabled automatic encryption through client console.

The user has changed the automatic encryption setting through the User Choice panel of the Client Console to specify Encrypt new files written to removable media as the default.

586 Info The user user name has disabled automatic encryption through client console.

The user has changed the automatic encryption setting through the User Choice panel of the Client Console to specify Do not encrypt new files written to removable media as the default.

587 Info The inserted device is exempted from encryption and the files written to the device will not be encrypted.

A removable storage device that matches an exempted device type has been inserted. Therefore, files written to the device will not be encrypted.

2000 Info Initial Setting: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An access policy of Do not allow access to files on removable media has been applied successfully as an installation setting.

2001 Error Initial Setting: Do not allow access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An access policy of Do not allow access to files on removable media has failed to be applied as an installation setting.

2002 Info Initial Setting: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An access policy of Allow read-only access to files on removable media has been applied successfully as an installation setting.

2003 Error Initial Setting: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An access policy of Allow read-only access to files on removable media has failed to be applied as an installation setting.

2004 Info Initial Setting: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An access policy of Allow read and write access to files on removable media has been applied successfully as an installation setting.

2005 Error Initial Setting: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An access policy of Allow read and write access to files on removable media has failed to be applied as an installation setting.

2006 Info Initial Setting: Encrypt all files read from or written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Encrypt all files has been applied successfully as an installation setting.

2007 Error Initial Setting: Encrypt all files read from or written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Encrypt all files has failed to be applied as an installation setting.

2008 Info Initial Setting: Encrypt all files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Encrypt new files has been applied successfully as an installation setting.

2009 Error Initial Setting: Encrypt all files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Encrypt new files has failed to be applied as an installation setting.

2010 Info Initial Setting: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Do not encrypt has been applied successfully as an installation setting.

2011 Error Initial Setting: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.

An automatic encryption policy of Do not encrypt has failed to be applied as an installation setting.

2012 Info Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.

A portability policy of Copy the Removable Storage Access Utility to all removable storage devices has been applied successfully as an installation setting.

2013 Error Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy failed. Removable Storage Installation Settings - Security Level.

A portability policy of Copy the Removable Storage Access Utility to all removable storage devices has failed to be applied as an installation setting.

2014 Info Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.

The portability policy of not copying the Removable Storage Access Utility to all removable storage devices has been applied successfully as an installation setting.

2015 Error Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy failed. Removable Storage Installation Settings - Security Level.

The portability policy of not copying the Removable Storage Access Utility to all removable storage devices has failed to be applied as an installation setting.

2016 Info Initial Setting: Encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Installation Settings - Encryption Method.

Users will only be able to use a password to encrypt files written to removable storage devices; this installation setting was applied successfully.

2017 Error Initial Setting: Encrypt files on removable storage devices with password; policy failed. Removable Storage Installation Settings - Encryption Method.

An installation setting of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied.

2018 Info Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method.

Users will only be able to use from one to ten certificates to encrypt files written to removable storage devices; this installation setting was applied successfully.

2019 Error Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method.

An installation setting of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied.

2020 Info Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method.

Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this installation setting was applied successfully.

2021 Error Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method.

An installation setting of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied.

2022 Info Initial Setting: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has been applied successfully as an installation setting.

2023 Error Initial Setting: Do not encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has failed to be applied as an installation setting.

2024 Info Initial Setting: Encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate.

A policy of Encrypt files with a recovery certificate has been applied successfully as an installation setting.

2025 Error Initial Setting: Encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate.

A policy of Encrypt files with a recovery certificate has failed to be applied as an installation setting.

2026 Info Initial Setting: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Installation Settings - Group Key.

A policy of Do not encrypt or decrypt files with a workgroup key has been applied successfully as an installation setting.

2027 Error Initial Setting: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Installation Settings - Group Key.

A policy of Do not encrypt or decrypt files with a workgroup key has failed to be applied as an installation setting.

2028 Info Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy applied successfully. Removable Storage Installation Settings - Group Key.

A policy of Encrypt and decrypt files with a workgroup key unique to each workstation has been applied successfully as an installation setting.

2029 Error Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy failed. Removable Storage Installation Settings - Group Key.

A policy of Encrypt and decrypt files with a workgroup key unique to each workstation has failed to be applied as an installation setting.

2030 Info Initial Setting: Encrypt or decrypt files with specified group key; policy applied successfully. Removable Storage Installation Settings - Group Key.

A policy of Encrypt and decrypt files with this workgroup key has been applied successfully as an installation setting.

2031 Error Initial Setting: Encrypt or decrypt files with specified group key; policy failed. Removable Storage Installation Settings - Group Key.

A policy of Encrypt and decrypt files with this workgroup key has failed to be applied as an installation setting.

2032 Info Initial Setting: Set group key memo; policy applied successfully. Removable Storage Installation Settings - Group Key.

An optional memo was added to identify the workgroup key used to encrypt and decrypt files; this installation setting was applied successfully.

2033 Error Initial Setting: Set group key memo; policy failed. Removable Storage Installation Settings - Group Key.

The optional memo that was specified to identify the workgroup key used to encrypt and decrypt files did not get added; this installation setting failed to be applied.

2034 Info Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy applied successfully. Removable Storage Installation Settings - Executables.

A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting.

2035 Error Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy failed. Removable Storage Installation Settings - Executables.

A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting.

2036 Info Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy applied successfully. Removable Storage Installation Settings - Executables.

A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting.

2037 Error Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy failed. Removable Storage Installation Settings - Executables.

A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting.

2038 Info Initial Setting: 128-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption.

An AES encryption strength of 128-bit has been applied successfully as an installation setting.

2039 Error Initial Setting: 128-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption.

An AES encryption strength of 128-bit failed to be applied as an installation setting.

2040 Info Initial Setting: 256-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption.

An AES encryption strength of 256-bit has been applied successfully as an installation setting.

2041 Error Initial Setting: 256-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption.

An AES encryption strength of 256-bit failed to be applied as an installation setting.

2042 Info Settings Changed: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An access policy of Do not allow access to files on removable media has been applied successfully as a policy update.

2043 Error Settings Changed: Do not allow access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An access policy of Do not allow access to files on removable media has failed to be applied as a policy update.

2044 Info Settings Change: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An access policy of Allow read-only access to files on removable media has been applied successfully as a policy update.

2045 Error Settings Change: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An access policy of Allow read-only access to files on removable media has failed to be applied as a policy update.

2046 Info Settings Change: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An access policy of Allow read and write access to files on removable media has been applied successfully as a policy update.

2047 Error Settings Change: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An access policy of Allow read and write access to files on removable media has failed to be applied as a policy update.

2048 Info Settings Change: Encrypt all files accessed on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Encrypt all files has been applied successfully as a policy update.

2049 Error Settings Change: Encrypt all files accessed to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Encrypt all files has failed to be applied as a policy update.

2050 Info Settings Change: Encrypt new files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Encrypt new files has been applied successfully as a policy update.

2051 Error Settings Change: Encrypt new files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Encrypt new files has failed to be applied as a policy update.

2052 Info Settings Change: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Do not encrypt files has been applied successfully as a policy update.

2053 Error Settings Change: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An automatic encryption policy of Do not encrypt files has failed to be applied as a policy update.

2054 Info Settings Change: Copy the Removable Storage Access utility to all removable storage devices enable. Removable Storage Computer Policy - Security Level.

A portability policy of Copy the Removable Storage Access Utility to all removable storage devices has been applied successfully as a policy update.

2055 Error Settings Change: Copy the Removable Storage Access utility to all removable storage devices enable; policy failed. Removable Storage Computer Policy - Security Level.

A portability policy of Copy the Removable Storage Access Utility to all removable storage devices has failed to be applied as a policy update.

2056 Info Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices. Removable Storage Computer Policy - Security Level.

The portability policy of not copying the Removable Storage Access Utility to all removable storage devices has been applied successfully as a policy update.

2057 Error Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

The portability policy of not copying the Removable Storage Access Utility to all removable storage devices has failed to be applied as a policy update.

2058 Info Settings Change: Users encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Computer Policy - Encryption Method.

Users will only be able to use a password to encrypt files written to removable storage devices; this policy update was applied successfully.

2059 Error Settings Change: Users encrypt files on removable storage devices with password; policy failed. Removable Storage Computer Policy - Encryption Method.

A policy update of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied.

2060 Info Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method.

Users will only be able to use one or more certificates to encrypt files written to removable storage devices; this policy update was applied successfully.

2061 Error Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method.

A policy update of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied.

2062 Info Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method.

Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this policy update was applied successfully.

2063 Error Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method

A policy update of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied.

2064 Info Settings Change: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has been applied successfully as a policy update.


2065 Error Settings Change: Do not encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has failed to be applied as a policy update.

2066 Info Settings Change: Encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

A policy of Encrypt files with a recovery certificate has been applied successfully as a policy update.

2067 Error Settings Change: Encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate.

A policy of Encrypt files with a recovery certificate has failed to be applied as a policy update.

2068 Info Settings Change: Encrypt files with a master certificate issuer changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

The recovery certificate has been changed successfully by policy update. The name of the issuer of the new recovery certificate is provided.

2069 Error Settings Change: Encrypt files with a master certificate issuer changed; policy failed. Removable Storage Computer Policy - Master Certificate.

An attempt to apply a policy update and change the recovery certificate failed. The name of the issuer of the new recovery certificate is provided.

2070 Info Settings Change: Encrypt files with a master certificate serial number changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

The recovery certificate has been changed successfully by policy update. The serial number of the new recovery certificate is provided in the log.

2071 Error Settings Change: Encrypt files with a master certificate serial number changed; policy failed. Removable Storage Computer Policy - Master Certificate.

An attempt to apply a policy update and change the recovery certificate failed.

2072 Info Settings Change: Encrypt files with a master certificate enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

A policy of Encrypt files with a recovery certificate has been applied successfully as a policy update.

2073 Error Settings Change: Encrypt files with a master certificate enable; policy failed. Removable Storage Computer Policy - Master Certificate.

A policy of Encrypt files with a recovery certificate has failed to be applied as a policy update.

2074 Info Settings Change: Encrypt files with a master certificate not enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has been applied successfully as a policy update.

2075 Error Settings Change: Encrypt files with a master certificate not enable; policy failed. Removable Storage Computer Policy - Master Certificate.

A policy of Do not encrypt files with a recovery certificate has failed to be applied as a policy update.

2076 Info Settings Change: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key.

A policy of Do not encrypt or decrypt files with a workgroup key has been applied successfully as a policy update.

2077 Error Settings Change: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key.

A policy of Do not encrypt or decrypt files with a workgroup key has failed to be applied as a policy update.

2078 Info Settings Change: Encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key.

A policy of Encrypt and decrypt files with this workgroup key has been applied successfully as a policy update.

2079 Error Settings Change: Encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key.

A policy of Encrypt and decrypt files with this workgroup key has failed to be applied as a policy update.

2080 Info Settings Change: Encrypt or decrypt files with group key and Memo; policy applied successfully. Removable Storage Computer Policy - Group Key.

A policy of Encrypt and decrypt files with this workgroup key identified by a certain memo has been applied successfully as a policy update.

2081 Error Settings Change: Encrypt or decrypt files with group key and Memo; policy failed. Removable Storage Computer Policy - Group Key.

A policy of Encrypt and decrypt files with this workgroup key identified by a certain memo has failed to be applied as a policy update.


2082 Info Settings Change: Memo for Group Key changed; policy applied successfully. Removable Storage Computer Policy - Group Key.

An existing memo was changed; this installation setting was applied successfully.

2083 Error Settings Change: Memo for Group Key changed. Removable Storage Computer Policy - Group Key.

An existing memo was changed; this installation setting was applied successfully.

2084 Info Settings Change: Memo for Group Key not changed; policy applied successfully. Removable Storage Computer Policy - Group Key.

A policy update to change an existing memo failed to be applied; the memo was not changed.

2085 Error Settings Change: Memo for Group Key not changed. Removable Storage Computer Policy - Group Key.

A policy update to change an existing memo failed to be applied; the memo was not changed.

2086 Info Settings Change: Allow users to save files as password-encrypted self-extracting executables enable. Removable Storage Computer Policy - Executables.

A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.

2087 Error Settings Change: Allow users to save files as password-encrypted self-extracting executables enable; policy failed. Removable Storage Computer Policy - Executables.

A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.

2088 Info Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable. Removable Storage Computer Policy - Executables.

A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.

2089 Error Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable; policy failed. Removable Storage Computer Policy - Executables.

A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.

2090 Info Program Action: Client program installation attempted. Removable Storage

An attempt was made to execute a Removable Storage client MSI package.

2091 Info Program Action: Client program installation success. Removable Storage

The Removable Storage client software was successfully installed.

2092 Error Program Action: Client program installation failed. Removable Storage

The Removable Storage client software failed to be installed.

2093 Info Program Action: Client program upgrade attempted. Removable Storage

An attempt was made to upgrade an existing installation of the Removable Storage client software.

2094 Info Program Action: Client program upgrade success. Removable Storage

The Removable Storage client software was successfully upgraded.

2095 Error Program Action: Client program upgrade failed. Removable Storage

The Removable Storage client software failed to be upgraded.

2096 Warning Program Action: User program uninstallation attempted. Removable Storage

An attempt was made to uninstall a Removable Storage client installation.

2097 Warning Program Action: User program uninstallation success. Removable Storage

The Removable Storage client software was successfully uninstalled.

2098 Warning Program Action: User program uninstallation failed. Removable Storage

The Removable Storage client software failed to be uninstalled.

2099 Info Settings Change: Allow Encryption exemption for group(s) of file for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption:group name(s)

A policy of excluding the identified multimedia file groups from encryption has been applied successfully as a policy update.

2100 Info Settings Change: Turn off Encryption exemption for group(s) of file for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level.

A policy of excluding multimedia file groups from encryption has been lifted successfully: multimedia files will no longer be excluded from mandatory encryption.


2101 Error Settings Change: Allow Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s)

A policy of excluding the identified multimedia file groups from encryption was sent, but failed to be applied.

2102 Error Settings Change: Turn off Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

A policy lifting the exclusion of multimedia file groups from encryption failed to be applied; multimedia files will continue to be excluded.

2103 Info Initial Setting: Allow Encryption exemption for group(s) of file for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption: group name(s)

Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting was applied successfully.

2104 Info Initial Setting: Turn off Encryption exemption for group(s) of file(s) for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level. group name(s)

Multimedia files belonging to the groups specified will not be excluded from mandatory encryption; this installation setting was applied successfully.

2105 Error Initial Setting: Allow Encryption exemption for group(s) of file(s) for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s)]

Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting failed to be applied.

2106 Error Initial Setting: Turn off Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.

An installation setting specifying that multimedia file groups should not be excluded from encryption failed to be applied.

2107 Info Initial Setting: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Installation Setting

An encryption policy of Encrypt files written to CD/DVD has been applied successfully as an installation setting.

2108 Error Initial Setting: Encrypt to CDs/DVDs only; policy failed. Removable Storage Installation Setting

An encryption policy of Encrypt files written to CD/DVD failed to be applied as an installation setting.

2109 Info Settings Change: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Computer Policy - Security Level.

An encryption policy of Encrypt files written to CD/DVD has been applied successfully as a policy update or as part of an upgrade package.

2110 Error Settings Change: Encrypt to CDs/DVDs only; policy failed. Removable Storage Computer Policy - Security Level.

An encryption policy of Encrypt files written to CD/DVD was specified as a policy update or as part of an upgrade package but failed to be applied.

2111 Error Settings Change: Encrypt to CDs/DVDs only; policy failed. Removable Storage Computer Policy- Security Level

An encryption policy of Encrypt files written to CD/DVD was specified as a policy update or as part of an upgrade package but failed to be applied.

2112 Info Settings Change: Default Password not allowed; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy that does not allow users to set a Default Password has been successfully applied as a policy update.

2113 Info Settings Change: Default Password allowed; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy that allows users to set a Default Password has been successfully applied as a policy update.

2114 Error Settings Change: Default Password allowed; policy failed. Removable Storage Computer Policy- Security Level

A policy that allows users to set a Default Password has failed to be applied as a policy update.

2115 Info Settings Change: Temporary Passwords not allowed; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy that does not allow users to set Session Default Passwords has been successfully applied as a policy update.


2116 Error Settings Change: Temporary Passwords not allowed; policy failed. Removable Storage Computer Policy- Security Level

A policy that does not allow users to set Session Default Passwords has failed to be applied as a policy update.

2117 Error Settings Change: Temporary Passwords allowed; policy failed. Removable Storage Computer Policy- Security Level

A policy that allows users to set Session Default Passwords has failed to be applied as a policy update.

2118 Info Settings Change: Temporary Passwords allowed; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy that allows users to set Session Default Passwords has been successfully applied as a policy update.

2119 Info Settings Change: Delete Temporary Passwords at Windows session; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy that specifies that Session Default Passwords be deleted at the end of the user’s Windows session has been successfully applied as a policy update.

2120 Error Settings Change: Delete Temporary Passwords at Windows session; policy failed. Removable Storage Computer Policy- Security Level

A policy that specifies that Session Default Passwords be deleted at the end of the user’s Windows session has failed to be applied as a policy update.

2121 Error Settings Change: Inactivate Temporary Passwords at Windows session; policy failed. Removable Storage Computer Policy- Security Level

A policy that specifies that Session Default Passwords be inactivated at the end of a Windows session has failed to be applied as a policy update.

2122 Info Settings Change: Inactivate Temporary Passwords at Windows session; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy that specifies that Session Default Passwords be inactivated at the end of the user’s Windows session has been successfully applied as a policy update.

2123 Info Settings Change: Apply password aging to Temporary Passwords; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy that specifies that password aging be applied to Session Default Passwords has been successfully applied as a policy update.

2124 Error Settings Change: Apply password aging to Temporary Passwords; policy failed. Removable Storage Computer Policy- Security Level

A policy that specifies that password aging be applied to Session Default Passwords has failed to be applied as a policy update.

2125 Error Settings Change: Do not delete, inactivate or apply password aging to Temporary Password; policy failed. Removable Storage Computer Policy- Security Level

A policy that specifies that Session Default Passwords not be inactivated, deleted, or be subjected to password aging has failed to be applied as a policy update.

2126 Info Settings Change: Do not delete, inactivate or apply password aging to Temporary Password; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy that specifies that Session Default Passwords not be inactivated, deleted, or be subjected to password aging has been successfully applied as a policy update.

2127 Info Initial Setting: User choice encryption, default to encrypt; policy applied successfully. Removable Storage Installation Settings - Security Level

An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has been successfully applied as an installation setting.

2128 Error Initial Setting: User choice encryption, default to encrypt; policy failed. Removable Storage Installation Settings - Security Level

An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has failed to be applied as an installation setting.

2129 Info Initial Setting: User choice encryption, default setting not to encrypt; policy applied successfully. Removable Storage Installation Settings - Security Level

An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has been successfully applied as an installation setting.

2130 Error Initial Setting: User choice encryption, default setting not to encrypt; policy failed. Removable Storage Installation Settings - Security Level

An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has failed to be applied as an installation setting.

2131 Info Initial Setting: User can Right click to Encrypt files/folders; policy applied successfully. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has been successfully applied as an installation setting.

2132 Error Initial Setting: User can Right click to Encrypt files/folders; policy failed. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has failed to be applied as an installation setting.


2133 Info Initial Setting: User cannot Right click to Encrypt files/folders; policy applied successfully. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has been successfully applied as an installation setting.

2134 Error Initial Setting: User cannot Right click to Encrypt files/folders; policy failed. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has failed to be applied as an installation setting.

2135 Info Initial Setting: User can Right click to Decrypt files/folders; policy applied successfully. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has been successfully applied as an installation setting.

2136 Error Initial Setting: User can Right click to Decrypt files/folders; policy failed. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has failed to be applied as an installation setting.

2137 Info Initial Setting: User cannot Right click to Decrypt files/folders; policy applied successfully. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been successfully applied as an installation setting.

2138 Error Initial Setting: User cannot Right click to Decrypt files/folders; policy failed. Removable Storage Installation Settings - Security Level

An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has failed to be applied as an installation setting.

2139 Error Settings Change: Encryption policy change to User Choice; policy failed. Removable Storage Computer Policy- Security Level

A policy change to allow an encryption setting of Allow users to choose has failed to be applied as a policy update.

2140 Info Settings Change: Encryption policy change to User Choice; policy applied successfully. Removable Storage Computer Policy- Security Level

A policy change to allow an encryption setting of Allow users to choose has been successfully applied as a policy update.

2141 Error Settings Change: Encryption policy User Choice- Default to Encrypt; policy failed. Removable Storage Computer Policy- Security Level

An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has failed to be applied as a policy update.

2142 Info Settings Change: Encryption policy User Choice- Default to Encrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has been successfully applied as a policy update.

2143 Error Settings Change: Encryption policy User Choice- Default setting Not to Encrypt; policy failed. Removable Storage Computer Policy- Security Level

An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has been successfully applied as a policy update.

2144 Info Settings Change: Encryption policy User Choice- Default setting Not to Encrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has failed to be applied as a policy update.

2145 Error Settings Change: Encryption policy User can right click and Encrypt; policy failed. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has failed to be applied as a policy update.

2146 Info Settings Change: Encryption policy User can right click and Encrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has been applied successfully as a policy update.

2147 Error Settings Change: Encryption policy User cannot right click and Encrypt; policy failed. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has failed to be applied as a policy update.

2148 Info Settings Change: Encryption policy User cannot right click and Encrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has been applied successfully as a policy update.


2149 Error Settings Change: Encryption policy User can right click and Decrypt; policy failed. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has failed to be applied as a policy update.

2150 Info Settings Change: Encryption policy User can right click and Decrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has been successfully applied as a policy update.

2151 Error Settings Change: Encryption policy User cannot right click and Decrypt; policy failed. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has failed to be applied as a policy update.

2152 Info Settings Change: Encryption policy User cannot right click and Decrypt; policy applied successfully. Removable Storage Computer Policy- Security Level

An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been applied successfully as a policy update.

2153 Info Initial Setting: Some of the devices are exempted; policy applied successfully. Removable Storage Installation Settings - Security Level

A policy that exempts one or more removable storage devices from encryption has been applied successfully as an installation setting.

2154 Error Initial Setting: Some of the devices are exempted; policy failed. Removable Storage Installation Settings - Security Level

A policy that exempts one or more removable storage devices from encryption has failed to be applied as an installation setting.

2155 Info Initial Setting: Device exemption disabled; policy applied successfully. Removable Storage Installation Settings - Security Level

A policy that does not allow devices to be exempted from encryption has been applied successfully as an installation setting.

2156 Error Initial Setting: Device exemption disabled; policy failed. Removable Storage Installation Settings - Security Level

A policy that does not allow devices to be exempted from encryption has failed to be applied as an installation setting.

2157 Error Settings Change: Some of the devices are exempted; policy failed. Removable Storage Computer Policy - Security Level

A policy that exempts one or more removable storage devices from encryption has failed to be applied as a policy update.

2158 Info Settings Change: Some of the devices are exempted; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy that exempts one or more removable storage devices from encryption has been applied successfully as a policy update.

2159 Error Settings Change: Device exemption disabled; policy failed. Removable Storage Computer Policy - Security Level

A policy that does not allow devices to be exempted from encryption has failed to be applied as a policy update.

2160 Info Settings Change: Device exemption disabled; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy that does not allow devices to be exempted from encryption has been applied successfully as a policy update.

2161 Info Settings Change: Encryption policy User cannot right click and Decrypt; policy applied successfully. Removable Storage Computer Policy - Security Level

An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been applied successfully as a policy update.

2162 Info Program Action: An exempted device was inserted. Security Level.

A removable storage device exempted from encryption has been inserted.

2163 Error Settings Change: Encryption policy change to Use DLP; policy failed. Removable Storage Computer Policy - Security Level

An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has failed to be applied as a policy update.

2164 Info Settings Change: Encryption policy change to Use DLP; policy applied successfully. Removable Storage Computer Policy - Security Level

An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has been applied successfully as a policy update.

2165 Error Initial Setting: Encrypt according to User Choice; policy failed. Removable Storage Installation Settings - Security Level

A policy change to allow an encryption setting of Allow users to choose has failed to be applied as an installation setting.


2166 Info Settings Change: Encrypt according to User Choice; policy applied successfully. Removable Storage Computer Policy - Security Level

A policy change to allow an encryption setting of Allow users to choose has been successfully applied as a policy update.

2167 Error Initial Setting: Encrypt according to DLP; policy failed. Removable Storage Installation Settings - Security Level

An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has failed to be applied as an installation setting.

2168 Info Settings Change: Encrypt according to DLP; policy applied successfully. Removable Storage Computer Policy - Security Level

An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has been applied successfully as a policy update.


Appendix B. CD/DVD Command Line

Overview

Basics

The Removable Storage CD/DVD Burner application offers the ability to burn selected files and folders from the command line. This allows you to integrate Removable Storage with your custom applications, such as backup programs or scripts.

Prerequisites

Requirements for running the CD/DVD Burner application from the command line include:

Removable Storage is installed on the Client Computer.

The user logged on to Windows has registered with Symantec Endpoint Encryption.

Sufficient temporary data storage space is available on a local hard disk volume. The required space can be estimated according to the following formula:

(1.1 × Total size of all files and folders to be burned) + (2 × (1.1 × Size of the largest individual file to be burned))

The Client Computer is equipped with a CD/DVD recorder.

The currently enforced installation and policy settings allow for read/write access.

A blank write-once or rewritable CD or DVD disc is inserted into the disc recorder.

Note that multi-session recording is not supported, and that previously recorded rewritable media will be erased before use. Any EFS-encrypted files will be decrypted, then re-encrypted by Removable Storage prior to burning. These requirements are the same as those for running the CD/DVD Burner application from the GUI. To achieve a seamless experience, it is recommended that the user set a Default Password and/or Default Certificate(s).

Depending on the particular application or script, a user may be required to be physically present to perform tasks requiring manual intervention. These include:

Selecting individual files or folders for burning;

Inserting media;

Initiating the burn operation;

Providing a password and/or a certificate(s) should a Default Password and/or Default Certificate(s) not be set; and

Responding to error conditions.

Operational Steps

Once the list of source files and folders has been specified and the burn operation has been initiated, the CD/DVD Burner application performs the following steps:

Verifies that sufficient temporary data storage space exists to allow encryption and burning.

Copies all files and folders selected for burning to the temporary data directory.

Encrypts the data according to the currently enforced encryption policy.

Burns the encrypted files and folders to disc.

Deletes the temporary data directory.


Temporary Data Directory

The CD/DVD Burner application requires a place to store temporary data. When run from the command line, it creates a temporary data directory named RSECTemp~1.

The CD/DVD Burner application will first try to store its temporary data directory on the drive of the operating system. The TMP, then the TEMP, and then the USERPROFILE environment variables will be checked. The first environment variable found will be used. If none of these environment variables has been set, the CD/DVD Burner application will use the Windows directory.

If the user currently logged on to Windows lacks permission to write to the path or the drive lacks space to store the temporary data directory, the CD/DVD Burner application will try the next fixed drive, in alphabetical order. Should it succeed in locating a different fixed drive with space and write permissions, it will write the temporary data directory at the root of that drive, e.g., D:\RSECTemp~1.

The CD/DVD Burner application will delete any previous temporary data directory it finds:

When it launches;

When it closes;

When it begins the burn operation; and

When it completes the burn operation.

If the encryption/burn operation gets interrupted—for example, because the user pressed CTRL+C, the user closed the command line window, or because the CD/DVD Burner application has crashed—then the normal cleanup process that deletes the temporary data directory will not occur, resulting in the user’s decrypted data remaining in the temporary data directory. If one of these conditions occurs, launching the application again will delete the temporary data directory.
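After an interrupted burn, staged data stays on disk until the application is launched again. The following added example (not part of the guide or the product) sweeps every location named above for a leftover RSECTemp~1 directory and reports how much data it holds; the use of the SystemRoot variable for the Windows directory and the drive-letter enumeration are assumptions.

```python
"""Sweep for leftover RSECTemp~1 staging directories (added example)."""
import os
import string
from pathlib import Path

STAGING_DIR = "RSECTemp~1"                    # directory name given in the guide
ENV_ORDER = ("TMP", "TEMP", "USERPROFILE")    # lookup order given in the guide


def candidate_parents(env, drive_roots):
    """Every parent directory in which the staging directory may have been
    created, de-duplicated, in the order the guide describes."""
    parents = [env[name] for name in ENV_ORDER if env.get(name)]
    # Fallback location is the Windows directory. Reading it from SystemRoot
    # is an assumption; the guide does not name a variable for it.
    if env.get("SystemRoot"):
        parents.append(env["SystemRoot"])
    # Roots of the other drives the burner may fall back to.
    parents.extend(drive_roots)
    seen, ordered = set(), []
    for parent in parents:
        key = os.path.normcase(os.path.normpath(parent))
        if key not in seen:
            seen.add(key)
            ordered.append(Path(parent))
    return ordered


def measure(directory):
    """Return (file_count, total_bytes) for everything below directory."""
    files = size = 0
    for root, _dirs, names in os.walk(directory):
        for name in names:
            files += 1
            try:
                size += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass  # unreadable or vanished file: counted, size unknown
    return files, size


def find_leftovers(env, drive_roots):
    """List staging directories that survived an interrupted burn."""
    findings = []
    for parent in candidate_parents(env, drive_roots):
        staging = parent / STAGING_DIR
        if staging.is_dir():
            files, size = measure(staging)
            findings.append({"path": str(staging), "files": files, "bytes": size})
    return findings


def drive_roots_present():
    """Roots of all mounted drive letters on Windows (empty list elsewhere).
    This over-approximates "fixed drives", which is acceptable for a sweep."""
    if os.name != "nt":
        return []
    return [f"{c}:\\" for c in string.ascii_uppercase if os.path.exists(f"{c}:\\")]


if __name__ == "__main__":
    for hit in find_leftovers(os.environ, drive_roots_present()):
        print(f"{hit['path']}: {hit['files']} file(s), {hit['bytes']} bytes staged")
```

A non-empty result after a scheduled burn job means staged data is still on disk for the account that ran the job.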

Command Syntax

To run the CD/DVD Burner application from the command line, use a single string according to the following syntax:

RSCDDVD.exe /P {Source [Source…] | Directory} /D RecorderDrvRoot [/L VolumeLabel]

Table B.1—Temporary Data Folder Paths

Columns: Sequence Attempted; Environment Variable; Windows XP Default; Windows Vista Default

1; TMP; system drive letter:\Documents and Settings\user name\Local Settings\Temp; system drive letter:\Users\user name\AppData\Local\Temp

2; TEMP; system drive letter:\Documents and Settings\user name\Local Settings\Temp; system drive letter:\Users\user name\AppData\Local\Temp

3; USERPROFILE; system drive letter:\Documents and Settings\user name; system drive letter:\Users\user

4; —; system drive letter:\Windows; system drive letter:\Windows

Table B.2—CD/DVD Command Line Parameters

Columns: Parameter; Variable(s); Explanation; Sample

/P; Source, Directory; Specifies the file(s) and/or folder(s) to be burned to disc, where Source is the fully qualified path to one or more files, and Directory is the fully qualified path to one or more folders. File or folder names containing spaces must be enclosed in quotes. When using quotes, you cannot end the path in a backslash.; /P "C:\Confidential Files" or /P c:\files\spreadsheet.xls

/D; RecorderDrvRoot; Specifies the disc recorder, where RecorderDrvRoot is the root of the disc recorder.; /D F:

/L; VolumeLabel; Specifies the volume label of the disc, where VolumeLabel is the volume label name. The volume label name can be up to 32 characters in length, and must contain only alphanumeric, hyphen, underscore or space characters. If you omit the /L parameter, the default volume label will be RS-Encrypted Disc YYYY-MM-DD, where YYYY-MM-DD is the year, month, and date the disc was burned. If the encryption policy is off, the default volume label will be YYYY-MM-DD.; /L Encrypted_Backups_1

Example Command Lines

RSCDDVD /P "C:\Confidential File Folder" "C:\Business Plan\HIF Business Plan.ppt" /D E:

RSCDDVD /P c:\files\spreadsheet.xls c:\files\presentation.doc /D E: /L Encrypted_Files_1

CD/DVD Errors

The following table lists the individual Removable Storage errors generated when executing the CD/DVD Burner application from the command line. The column headings indicate the error code (if any), the error message displayed in the UI, and an explanation of the error, along with possible ways to remediate the error.

Table B.3—CD/DVD Messages and Error Codes

Error Code Error Message Displayed in UI Explanation

0 Burned the disc successfully. The CD/DVD Burner application has completed the burn process successfully.

1 Disc volume label was not specified

The /L parameter (volume label) was used without specifying a volume label.

2 Disc recordable drive was not specified. The /D parameter (recordable drive) was used without specifying the letter of the recordable drive, i.e., you must specify the parameters /D F: if your recordable drive is F.

3 The syntax of the command is incorrect. Incorrect command syntax was specified.

101 There is no hard disk drive on your system, so this application can not be used for burning disc.

The CD/DVD Burner application requires a hard disk or partition for storing temporary files as part of the encryption and burn process. Verify that a hard disk or partition is accessible and try the operation again.

102 You must register to Symantec Endpoint Encryption, before you can use this application for burning data to disc.

The user currently logged on to Windows has not registered with Symantec Endpoint Encryption.

104 Disc burning engine could not be initialized successfully.

The CD/DVD Burner application was unable to initialize the disc burning engine.

105 Invalid disc recordable drive was specified. The selected drive is not a recordable drive. Select a different drive capable of recording, then try the operation again.

106 There is no disc in the drive. The CD/DVD Burner application didn’t find a disc in the recorder. Insert a rewritable or write-once disc into the drive.

107 No disc recordable drive was found on your system.

The CD/DVD Burner application didn’t find any disc recorders present. Verify that a disc recorder is attached and functioning, then try the operation again.

108 Disc could not be ejected successfully. The CD/DVD Burner application was unable to eject the disc successfully.

109 No data was specified to be burned. No files or folders were selected for burning.


110 Your access policy does not allow write access to removable media, so you cannot use this application for burning data to disc.

Removable Storage is currently enforcing a read-only access policy. The policy must be changed to allow read and write access to removable media before the CD/DVD Burner application can be used.

111 Disc burner could not be found. The CD/DVD Burner application could not find the disc recorder.

112 The disc volume label can have only alphanumeric and underscore characters. The disk volume label’s length can not be more than 32 characters. Please type a valid disc volume label.

The volume label specified contains disallowed characters or is in excess of the 32 character maximum. Specify a new volume name of 32 characters or less containing only letters, numbers, hyphens, underscores, or spaces.

113 Disc could not be erased. An attempt to erase a rewritable disc was unsuccessful. Insert a different rewritable or write-once disc and try the operation again.

114 The disc that you have inserted is not writable. Please insert a blank or rewritable disc of type CD-R, CD-RW, DVD-R, DVD-RW, DVD+R, or DVD+R DL into drive.

The inserted disc cannot be written to. Insert a rewritable or write-once disc and try the operation again. Remove the disc from the drive and insert a disc that is writable.

115 Application could not locate a fixed hard disk drive with enough free space for storage of temporary data, so application won't burn the disc.

The CD/DVD Burner application requires a hard disk or partition with enough free space for storage of temporary data. Free up some space and try the operation again.

116 Selected file or folder [path/]file or folder name could not be copied at your temporary data location. Please check the file or folder again.

There was a problem copying the selected file or folder to the temporary data directory. Verify that the temporary data directory is accessible and sufficient space is available, then try the operation again.

117 An error occurred during the encryption of the data.

The CD/DVD Burner application encountered an error during the encryption of the data.

118 Selected file [path/]file or folder name could not be encrypted. Please free up some space on your temporary data drive and try again.

The CD/DVD Burner application found that the selected file could not be encrypted due to lack of space on the hard disk or partition. Delete some files on the hard disk or partition where the temporary folder is located (usually this is the system volume) and try the operation again.

119 Selected file [path/]file or folder name to be burned could not be encrypted due to security reason.

Verify that the account under which the CD/DVD Burner application is running has sufficient access rights to perform the operation.

120 SEE-RS does not have a Password and/or certificate to encrypt this file. You must specify a Password and/or certificate or a Default Password and/or certificate before the data can be encrypted and burned to disc.

The user has not specified a Default Password and/or Default Certificate(s). When prompted to provide a password and/or certificate, the user clicked Cancel.

121 SEE-RS does not have a certificate to encrypt this file. You must specify a certificate or a Default certificate before the data can be encrypted and burned to disc.

The user has not specified one or more Default Certificate(s) and failed to provide a certificate when prompted.

122 SEE-RS does not have a password to encrypt this file. You must specify a Default Password before the data can be encrypted and burned to disc.

The user has not set a Default Password and failed to provide a password when prompted.

123 Temporary file could not be deleted.

The CD/DVD Burner application was unable to delete a temporary file. Verify that another application or process is not using this file. You should also manually delete any temporary files still remaining in the temporary data directory.

124 Disc recordable drive could not be locked. Another application or process has prevented the CD/DVD Burner application from gaining exclusive access to the disc recorder. Quit the other application or process and try the operation again.

126 The SEE-RS Access Utility could not be copied to disc.

The CD/DVD Burner application was unable to copy the Removable Storage Access Utility to the disc, even though the policy in place dictates this. If the problem persists, you may need to reinstall Removable Storage.


128 You have selected one or more files with very long file name. Application could not shorten file(s) name in temporary data location. If file encryption policy is set then file’s name length can exceed 102 characters, otherwise it cannot exceed 106 characters. Please rename the file(s) with long name and try again.

The operation failed because there were one or more files with names that exceeded 102–106 characters and the application could not rename these files in the temporary location. Locate the files with long names, shorten them manually, and try again. If Removable Storage is automatically encrypting files written to removable media, the file names must be no greater than 102 characters. If not, the file names should be no greater than 106 characters.

129 Selected file or folder [path/]file/folder name could not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again.

The CD/DVD Burner application failed to copy the specified file or folder because its full path exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.

130 Selected file or folder [path/]file/folder name could not be found. Please check the file or folder and try again.

The user has specified a file or folder to be burned to disc that could not be found by the CD/DVD Burner application.

131 Selected file or folder file/folder name can not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again.

The CD/DVD Burner application has calculated that the path to the file or folder that you specified to be burned exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.

132 Application found a fixed hard disk drive with enough free space for storage of temporary data, but you do not have write access on temporary folder temporary folder path, so application won't burn the disc. Please get the write access on this folder and try again.

The CD/DVD Burner application failed to complete the burning process because the user does not have write privileges to the temporary data directory. Log in as a different user or increase the user’s privileges.

133 Path specified using the /P parameter can not have back slash character at the end of the path when quotes are used to enclose the path.

The CD/DVD Burner application failed to complete the burning process because the path enclosed in double quotes included a backslash at the end. Remove the backslash character and try again.

134 Temporary folder temporary folder path could not be created at your temporary data location. Please make sure that no file or folder is being used/locked by any application in this temporary folder location and try again.

Another application or process may be preventing the CD/DVD Burner application from writing its temporary data to the temporary data directory. Ensure that all applications and processes that may be competing for access are shut down and try again.

501 Disc could not be used for burning data. Please try again with another disc.

Either a media error, media incompatibility, or other problem has resulted in the application being unable to write data to the disc. Try the operation again using another disc and/or brand of media.

502 File “SEERemovableStorageAccessUtility.exe” cannot be specified using the /P parameter. It is SEE-RS Access Utility application, which will be burned automatically on the root of the burnt disc.

The user has specified that the Symantec Endpoint Encryption Access Utility executable be burned at the root of the disc. However, Removable Storage is already burning the Removable Storage Access Utility automatically, according to policy. The Removable Storage Access Utility specified in the input file list will be ignored, and the Removable Storage Access Utility will be copied to the root of the disc as per policy.

504 Disc could not be burned due to an error. There was an unknown error with the disc recorder.

505 The disc drive could not be used to burn the disc. There was an error with the disc recorder. Try the operation again using a different disc recorder.

506 Disc could not be burned with selected data because your temporary data location is EFS enabled.

The CD/DVD Burner application cannot use an EFS-encrypted temporary data directory. The user can either turn off EFS protection for the temporary data directory’s parent folder, or the user can manually relocate the temporary data directory by editing the TMP or TEMP environment variables.


508 File “Autorun.inf” cannot be specified using the /P parameter. File “Autorun.inf” will be burned automatically on the root of the burnt disc to run SEE-RS Access Utility application.

The user has specified that the Autorun.inf file be burned at the root of the disc. However, Removable Storage is currently burning the Removable Storage Access Utility to disc automatically, as per policy and this file is one of the files that comprises the Removable Storage Access Utility. The Autorun.inf specified in the input file list will be ignored, and the Removable Storage Access Utility’s Autorun.inf will be copied to the root of the disc according to policy.

509 File “Platform.ico” cannot be specified using the /P parameter. File “Platform.ico” will be burned automatically on the root of the burnt disc to run SEE-RS Access Utility application.

The user has specified that the Platform.ico file be burned at the root of the disc. However, Removable Storage is currently burning the Removable Storage Access Utility to disc automatically, as per policy and this file is one of the files that comprises the Removable Storage Access Utility. The Platform.ico specified in the input file list will be ignored, and the Removable Storage Access Utility’s Platform.ico will be copied to the root of the disc according to policy.

None Processing the burn request The application has started processing the disc burning request.

None EFS-encrypted file(s) will be decrypted by EFS before being burned.

EFS-encrypted files have been selected for burning. The CD/DVD Burner application will attempt to decrypt them prior to burning. If an encryption policy is in effect, the CD/DVD Burner application will encrypt the files prior to burning.

None The disc is not blank, disc data will be erased during disc burning process.

The CD/DVD Burner application has detected a rewritable disc that contains existing data. The CD/DVD Burner application will attempt to erase the disc prior to burning the new data.

None The estimated size of data which will be burned on disc exceeds disc capacity. If this estimation is correct, the data will not be burned to disc successfully.

The estimated size of the data to be burned exceeds the capacity of the target disc, but the CD/DVD Burner application will attempt to burn the selected data anyway.

None Preparing data for burning to disc. Percentage: percent of data prepared%

The CD/DVD Burner application is copying the data to be burned to the temporary data directory prior to burning the disc.

None Encrypting data to be burned to disc. Percentage: percent of data encrypted%

The CD/DVD Burner application is encrypting the data to be burned in the temporary data directory prior to burning the disc.

None Erasing disc... The CD/DVD Burner application is erasing rewritable media containing previously recorded data prior to burning.

None Preparing to write data to the disc... The CD/DVD Burner application is preparing to burn the disc.

None Writing sector current sector of total sectors. Percentage: percent of data written%

The CD/DVD Burner application is currently writing data to disc.

None Finalizing the disc. Percentage: percent of finalized data%

The CD/DVD Burner application is nearing the end of the burn process and is writing the table of contents to disc.

None You have selected one or more files with names that exceed 102 characters or path length in temporary data location is exceeding the 259 characters limit imposed by Windows system. Files’ names will be shortened in temporary data location.

One or more of the files specified to be burned had a file name of more than 102 characters, or else the full path to the temporary data directory, including this file, exceeded 259 characters. When this file or these files are written to the temporary location, their names will be shortened so that the maximum character restrictions are not exceeded.
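A calling script can check several of the conditions in Table B.2 and Table B.3 (codes 1, 2, 109, 112, 128, 131, 133, 502, 508 and 509), and apply the temporary-space formula from the prerequisites, before it launches RSCDDVD.exe. The following added example is not Symantec's code; the function names, the `encrypting` flag, case-insensitive matching of the reserved file names, the letter-and-colon form of the /D value and the quoting of labels that contain spaces are assumptions.

```python
"""Pre-flight checks for an RSCDDVD.exe command line (added example)."""
import ntpath  # Windows path rules, so the checks behave the same on any OS
import re

LABEL_RE = re.compile(r"[A-Za-z0-9 _-]{1,32}")   # /L rule from Table B.2
DRIVE_RE = re.compile(r"[A-Za-z]:")              # "/D E:" form used in the samples
MAX_PATH = 259                                    # limit quoted in errors 129 and 131
# Files the burner adds itself; naming them under /P gives 502, 508 or 509.
# Case-insensitive matching is an assumption based on Windows file naming.
RESERVED = {"seeremovablestorageaccessutility.exe": 502,
            "autorun.inf": 508, "platform.ico": 509}


def required_temp_bytes(file_sizes):
    """(1.1 x total size) + (2 x (1.1 x largest file)), rounded up, in bytes."""
    total, largest = sum(file_sizes), max(file_sizes, default=0)
    return -(-(11 * total + 22 * largest) // 10)   # integer ceiling division


def check_request(sources, recorder, label=None, encrypting=True):
    """Return [(table_B3_code_or_None, message)] for problems found before launch."""
    problems = []
    if not sources:
        problems.append((109, "no files or folders given for /P"))
    name_limit = 102 if encrypting else 106
    for src in sources:
        if not ntpath.isabs(src):
            problems.append((None, f"{src}: path is not fully qualified"))
        # Paths with spaces must be quoted, and a quoted path must not end in "\".
        if " " in src and src.endswith("\\"):
            problems.append((133, f"{src}: quoted path must not end in a backslash"))
        name = ntpath.basename(src)
        if name.lower() in RESERVED:
            problems.append((RESERVED[name.lower()], f"{src}: added by the burner itself"))
        if len(src) > MAX_PATH:
            problems.append((131, f"{src}: path longer than {MAX_PATH} characters"))
        if len(name) > name_limit:
            problems.append((128, f"{src}: name longer than {name_limit} characters; "
                                  "128 is reported if it cannot be shortened"))
    if not recorder:
        problems.append((2, "no recorder drive given for /D"))
    elif not DRIVE_RE.fullmatch(recorder):
        problems.append((None, f"{recorder}: expected a drive root such as E:"))
    if label is not None:
        if label == "":
            problems.append((1, "/L used without a volume label"))
        elif not LABEL_RE.fullmatch(label):
            problems.append((112, f"{label!r}: label must be 1-32 letters, digits, "
                                  "hyphens, underscores or spaces"))
    return problems


def _quote(arg):
    # The guide requires quotes around names that contain spaces.
    return f'"{arg}"' if " " in arg else arg


def build_command_line(sources, recorder, label=None, encrypting=True):
    """Return the single command string, or raise ValueError listing the problems."""
    problems = check_request(sources, recorder, label, encrypting)
    if problems:
        raise ValueError("; ".join(f"[{code}] {msg}" for code, msg in problems))
    parts = ["RSCDDVD.exe", "/P", *map(_quote, sources), "/D", recorder]
    if label is not None:
        parts += ["/L", _quote(label)]   # quoting a label with spaces is an assumption
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: three files of 700, 200 and 100 bytes.
    print(required_temp_bytes([700, 200, 100]))
    print(build_command_line([r"C:\Confidential File Folder"], "E:", "Encrypted_Files_1"))
```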


Appendix C. Authentication Method Changes

Overview

Each client will effect a single method of authentication for all of its users. This method of authentication is established in three different Manager Console locations:

The selection made in the Token Authentication page of the Manager Console InstallShield wizard,

The selection made in the Authentication Method area of the Registered Users panel (Symantec Endpoint Encryption Software Setup, Symantec Endpoint Encryption Native Policy Manager, or Active Directory policy).

Either an upgrade of the client or a policy update can be used to cause a change to the user’s method of authentication. Since policy settings will always take precedence, the use of a policy is more certain to achieve your desired ends.

User Experience

The following table details the effects of a change to the user’s authentication method mandated using the Authentication Method area of the Registered Users panel.

Table C.1—Effect of a Change in Authentication Method on Existing User Accounts

Columns: Previous Authentication Method; New Authentication Method; Authentication Method(s) User Has Registered; User Must Re-register?; Details

a password; a token; Password; Yes

a password; password or token; Password; No; The user will have the option to add a token in the User Client Console.

a password | a token | password or token; Automatic; Password, Token, Password and Token; No

a token; a password; Token; Yes

a token; password or token; Token; No; The user will have the option to add a password in the User Client Console.

Automatic; a password | a token | password or token; Automatic; Yes

password or token; a password; Password and Token; No; The token is deleted.

password or token; a password; Token; Yes

password or token; a token; Password and Token; No; The password is deleted.

password or token; a token; Password; Yes


Glossary

Active Directory

Active Directory is the directory service included with Windows Server 2003 and Windows Server 2008. This service stores information about objects on a network and makes that information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network. Active Directory provides network administrators with a hierarchical view of the network and a single point of administration for all network objects.

Active Directory Policies

Active Directory policies are one of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies.

Active Directory Users and Computers Snap-in

The Users and Computers snap-in from Microsoft is used to find and organize the User and Computer objects in an Active Directory structure.

Authenti-Check

Authenti-Check allows users missing their credentials to gain access to the User Client Console without assistance. A set of up to three question-answer pairs authenticates the user. Authenti-Check is not available to Client Administrators.

Automatic Authentication

If the Client Computer is set for automatic authentication, Removable Storage will allow any registered user to launch the User Client Console. The registration process itself will also be automatic and occur without user intervention—unless a registration password is required.

Client Administrator

Client Administrators provide local support to Symantec Endpoint Encryption users. Client Administrators are always able to log on to the Administrator Client Console, but may or may not be able to unregister users. The ability to unregister users is a privilege that Client Administrators may or may not have.

The Client Administrator is also responsible for recovering Removable Storage–encrypted files. This responsibility is not controlled by privilege level.

Client Administrators cannot change their own passwords or use any password-recovery methods. Client Administrators must register as a user to make use of removable storage devices at the Removable Storage–protected workstation.

Default Password/Certificate

Registered users and Client Administrators have the option of setting a Default Password and/or Default Certificate(s) in the User Client Console. Removable Storage will use Default Passwords and/or Default Certificates for encrypting files. In addition, if the Default Password and/or Default Certificate(s) set in the User Client Console match the password or certificate(s) that a file was encrypted under, Removable Storage will decrypt the file without a prompt.


Expand, Expanded, to Expand

To reveal the contents of a container. This action is initiated by clicking the plus sign to the left of the container as displayed in the left pane of the Microsoft Management Console.

Framework

Framework provides Symantec Endpoint Encryption–wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information.

Group Filtering

Also known as Security Group Filtering or Security Filters. Security Filters applied to a Group Policy Object limit the scope for that Group Policy Object.

Group Policy Management, Group Policy Management Console Snap-in

A snap-in from Microsoft that a Symantec Endpoint Encryption Policy Administrator can use to assign Symantec Endpoint Encryption client MSI packages and policies to users and computers.

Group Policy Object (GPO)

An object in Active Directory that contains user and/or computer policies, and possibly software deployment policies.

LSDOU

This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4). Local policies have the highest precedence.

Management Password, Management Password Snap-in

The Management Password is not relevant to Removable Storage.

Microsoft Management Console (MMC)

Microsoft Management Console is a container User Interface (UI) that provides no functionality by itself. Each Microsoft Management Console process can host a set of snap-ins displayed in one or more windows. The layout of a Microsoft Management Console can be saved as a file with an .msc extension.

Microsoft Management Console Tree

The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of other snap-ins.

Microsoft Windows Installer (MSI)

A format for self-contained database files containing the requirements and instructions that the Windows Installer uses when installing applications. MSI packages can be deployed via Group Policy Objects.

Native Policies

Native policies are one of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. Native policies do not rely on any existing directory service for managing Symantec Endpoint Encryption Client Computers. Unlike Symantec Endpoint Encryption Active Directory policies, native policies apply to computers only and cannot be applied to users.


Novell eDirectory

An LDAP-based directory service from Novell. Computers that are members of an eDirectory domain can be managed using Symantec Endpoint Encryption native policies. Information from eDirectory can optionally be synchronized to the Management Server, allowing Symantec Endpoint Encryption native policies to be applied according to the organizational structure maintained in eDirectory.

Objects

The term objects is used to refer to any Active Directory object. This includes individual Users, Computers, or Policies, as well as Groups of Users or Computers. See also Containers.

One-Time Password (OTP)

The One-Time Password (OTP) Program allows Full Disk users to recover from a forgotten password, PIN, or token with help desk assistance. It is not relevant to Removable Storage.

Policy Administrator

Policy Administrators perform centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, the Policy Administrator:

Updates and sets client policies.

Runs reports.

Access to Symantec Endpoint Encryption snap-ins can be restricted on a per snap-in basis, giving the domain or higher-level administrator flexibility when assigning specific Policy Administrator duties.

Recovery Certificate

Recovery Certificates can be used to decrypt encrypted files even if the user-provided credentials are not available, allowing organizations to recover from forgotten passwords and lost certificates.

The same Recovery Certificate must be issued twice, once with the private key and once without.

Without Private Key—the Recovery Certificate without the private key is deployed to clients using an installation package or a policy. Upon receipt, clients will encrypt files using the Recovery Certificate in addition to the credentials provided by the user.

With Private Key—the Recovery Certificate with the private key is exported using the P7B format. It should be stored in a safe, physically secure location. Symantec recommends exporting it to a token or smart card and then securing the token or smart card in a fire-proof vault.

Self-Extracting Executables

A feature of Removable Storage that allows registered users to create encrypted self-extracting files for secure transport. Self-extracting files can be decrypted from any computer, without any need for Removable Storage or the Removable Storage Access Utility. The ability to produce self-extracting executables is prescribed by installation setting or policy.


Silent Client

A silent client does not communicate with the Management Server. Client installation packages generated from Manager Consoles that were installed in serverless mode will create silent clients.

Single Sign-On (SSO)

A feature that allows Symantec Endpoint Encryption users to log on to both Windows and Symantec Endpoint Encryption with their Windows password. To activate an SSO policy, the Client Computer must reboot.

SSO is not relevant to automatically authenticated users.

Snap-in

A Dynamic Link Library (DLL) file user interface module designed to be loaded into a Microsoft Management Console.

Symantec Endpoint Encryption Software Setup Snap-in

A snap-in from Symantec that allows the Symantec Endpoint Encryption Policy Administrators to customize Symantec Endpoint Encryption client installation settings before deployment.

Temporary Data Directory

The CD/DVD Burner application requires a place to store temporary data. It will first try to store its temporary data directory on the drive of the operating system. The TMP, then the TEMP, and then the USERPROFILE environment variables will be checked. The first environment variable found will be used. If none of these environment variables has been set, the CD/DVD Burner Application will use the Windows directory.

User

At least one user is required to register with Symantec Endpoint Encryption on each Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention. Users will not be able to access their removable storage devices until they have registered.

Workgroup Key

The workgroup key facilitates the sharing of encrypted files among users within a group: if the workgroup key on the Removable Storage–protected computer matches the workgroup key that a file was encrypted under, the user will not be prompted to provide a password or certificate to decrypt the file.
