About Autologon
Beginning with the Symantec Endpoint Encryption 11.3.1 release, the Autologon policy options are bundled with the Drive Encryption MSI, and no separate Autologon utility needs to be installed on the client system.
Use Autologon to configure Microsoft Windows client computers to bypass the preboot authentication screen that the Symantec Endpoint Encryption Management Server enforces. By default, the Autologon function is not in effect for a computer. As an administrator, you can use Autologon when you want to update or deploy software on a client computer that requires multiple restarts. Patch management is an example of a process that can require multiple restarts.
A client computer running Autologon is in a state of heightened vulnerability. Using Autologon weakens the data protection that Drive Encryption provides. To minimize the associated risks, carefully review your procedures for enabling and disabling the Autologon function. The Autologon function should be disabled immediately when its intended use is achieved. For example, you should disable the Autologon function immediately after you finish updating client computers.
Client administrators can use the Drive Encryption Administrator Command Line to manage Autologon. They can override the existing policy and enable or disable the Autologon functionality, as needed.
Autologon commands can be run by two groups of users in addition to client administrators: privileged users and local SYSTEM users. Neither of these groups enters client administrator credentials, but both must authenticate to a UAC prompt and have Windows Administrator rights. Both of these groups are defined by a policy administrator on the Advanced Settings page of the Symantec Endpoint Encryption Management Agent. The policy can be deployed as an installation setting, GPO, or native policy.
- Privileged users--The policy administrator enables privileged users by specifying an AD User Group that has client administrator privileges. The user members can access the Drive Encryption Administrator Command Line and execute Autologon commands without including client administrator credentials. (These users also have access to the Client Administrator Console and have the privileges of a default client administrator, including disk management, user management, and client-server check-ins.)
- SYSTEM users--The policy administrator can enable SYSTEM users to run Autologon commands. SYSTEM users can run only Autologon commands and do not have privileges for other Drive Encryption capabilities. The benefit is largely in allowing scripts that run remotely to be more secure, by invoking commands that enable and disable Autologon without including client administrator credentials in the clear.
The Advanced Settings page is not applicable to FileVault, BitLocker, or Removable Media Encryption (RME) installers.