Symantec Endpoint Encryption
Removable Storage
Policy Administrator Guide
Version 7.0.8
Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or
registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. GuardianEdge and
Authenti-Check are either trademarks or registered trademarks of GuardianEdge Technologies Inc. (now part of
Symantec). Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and
decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without
prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR
12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and Commercial Computer
Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be
solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Policy Administrator Guide
Contents
1. Introduction ... 1
    Overview ... 1
    Directory Service Synchronization ... 2
    Active Directory and Native Policies ... 3
    Manager Console ... 3
        Basics ... 3
        Database Access ... 4
        Endpoint Containers ... 4
    SEE Roles ... 5
        Policy Administrators ... 5
        Client Administrators ... 6
        User ... 6
2. Reporting ... 7
    Overview ... 7
        Basics ... 7
        Client Computers ... 7
        Directory Services Synchronization ... 9
        Admin Log ... 10
    Symantec Endpoint Encryption Users and Computers ... 11
    Symantec Endpoint Encryption Reports ... 11
        Basics ... 11
        Active Directory Forests Synchronization Status ... 11
        Computer Status Report ... 11
        Computers not Encrypting to Removable Storage ... 11
        Computers with Decrypted Drives ... 11
        Computers with Expired Certificates ... 11
        Computers with Specified Users ... 12
        Computers without Full Disk Installed ... 12
        Computers without Removable Storage Installed ... 12
        Non-Reporting Computers ... 12
        Novell eDirectory Synchronization Status ... 12
        Custom Reports ... 12
    Resultant Set of Policy (RSoP) ... 13
    Windows System Events ... 15
3. Policy Creation & Editing ... 17
    Overview ... 17
    Active Directory Policies ... 17
    Native Policies ... 18
    Policy Options ... 18
        Client Administrators ... 18
        Registered Users ... 20
        Password Authentication ... 22
        Token Authentication ... 23
        Authentication Message ... 23
        Communication ... 23
        Single Sign-On ... 23
Symantec Endpoint Encryption Removable Storage
iii
        Authenti-Check ... 23
        One-Time Password ... 24
        Security Level ... 24
        Encryption Method ... 26
        Master Certificate ... 26
        Group Key ... 26
        Executables ... 27
4. Policy Deployment ... 28
    Overview ... 28
    Active Directory Policies ... 28
        Basics ... 28
        Order of Precedence ... 28
        Forcing a Policy Update ... 28
    Native Policies ... 29
        Basics ... 29
        Symantec Endpoint Encryption Managed Computer Groups ... 29
        Policy Assignment ... 31
        Order of Precedence ... 33
        Forcing a Policy Update ... 33
Appendix A. System Event Logging ... 34
    Framework System Events List ... 34
    Removable Storage System Events List ... 49
Appendix B. CD/DVD Command Line ... 59
    Overview ... 59
        Basics ... 59
        Prerequisites ... 59
        Operational Steps ... 59
    Temporary Data Directory ... 60
    Command Syntax ... 60
    CD/DVD Errors ... 61
Appendix C. Authentication Method Changes ... 65
    Overview ... 65
    User Experience ... 65
Glossary ... 66
Index ... 70
Figures
Figure 1.1—Sample Network Configuration ... 2
Figure 1.2—SQL Server Logon Prompt ... 4
Figure 2.1—Group Policy Results Wizard, User Selection ... 14
Figure 2.2—RSoP Report From an SEE Client ... 15
Figure 3.1—Framework Computer Policy, Client Administrators Options ... 18
Figure 3.2—Add New Client Administrator Dialog ... 19
Figure 3.3—Framework Computer Policy, Registered Users Options ... 20
Figure 3.4—Framework Computer Policy, Password Authentication Options ... 22
Figure 3.5—Framework Computer/User Policy, Authenti-Check Options ... 23
Figure 3.6—Removable Storage Computer Policy, Security Level Options ... 24
Figure 3.7—Removable Storage Computer Policy, Encryption Method Options ... 26
Figure 3.8—Removable Storage Computer Policy, Group Key Options ... 27
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group ... 30
Figure 4.2—Name New Group Dialog ... 30
Figure 4.3—SEE Unassigned, Computer Highlighted ... 31
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog ... 31
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected ... 32
Figure 4.6—Policy Selection Dialog ... 32
Figure 4.7—Native Policy Assignment Confirmation ... 32
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned ... 33
Tables
Table 1.1—Active Directory and Native Policies Compared ... 3
Table 1.2—Client Administrator Levels of Privilege ... 6
Table 2.1—Client Computer Data ... 7
Table 2.2—Associated Users Data ... 9
Table 2.3—Directory Services Synchronization Data ... 9
Table 2.4—Admin Log Data ... 10
Table 2.5—SEE Version Numbers and Equivalent GuardianEdge Version Numbers ... 13
Table A.1—Framework System Events ... 34
Table A.2—Removable Storage System Events ... 49
Table B.1—Temporary Data Folder Paths ... 60
Table B.2—CD/DVD Command Line Parameters ... 60
Table B.3—CD/DVD Messages and Error Codes ... 61
Table C.1—Effect of a Change in Authentication Method on Existing User Accounts ... 65
1. Introduction
Overview
Symantec Endpoint Encryption Removable Storage allows enterprise organizations and government agencies to
enjoy the benefits of removable storage devices while eliminating the liability, customer service, and brand erosion
costs associated with data breach incidents. As part of Symantec Endpoint Encryption, SEE Removable Storage
leverages existing IT infrastructures for seamless deployment, administration, and operation.
SEE Removable Storage secures data in one of the following ways:
• By allowing no access to removable storage devices,
• By allowing only read access to removable storage devices,
• By encrypting data written to removable storage devices,
• By encrypting all data written to or accessed on removable storage devices, or
• By encrypting data written to CD/DVD media.
SEE Removable Storage enforces access control and encryption policies on devices that use USB or FireWire ports
to attach a file system. This includes flash drives (e.g., SanDisk Cruzer and M-SysT5 Dell Memory Key), memory
cards (e.g., SanDisk CompactFlash), and USB hard drives (e.g., Samsung HM100JC 100GB).
SEE is comprised of SEE Full Disk, SEE Removable Storage, and SEE Framework. SEE Framework includes all the
functionality that is extensible across SEE. It allows behavior that is common to both SEE Removable Storage and
SEE Full Disk to be defined in one place, thus avoiding potential inconsistencies.
The following diagram depicts a sample network configuration of SEE.
Figure 1.1—Sample Network Configuration (diagram not reproduced). Components shown: Domain Controller, eDirectory Server, Database Server, SEE Management Server, Manager Computer, and Client computers, with the sample domain your-org.com and the sample tree your_tree; the connections are labeled Group Policy, LDAP, TDS, TLS/SSL, and SOAP over HTTP.
The Active Directory domain controller and SEE Management Server are required.
Multiple domains, forests, trees, and SEE Management Servers are supported.
A database server is recommended, but the SEE database can also reside on the SEE Management Server. If a
database server is chosen to host the SEE database, the database server can be located inside or outside of Active
Directory.
The Manager Console can be installed on multiple Manager Computers. It can also be installed on the SEE
Management Server. It must reside on a computer that is a member of Active Directory.
The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are optional.
Directory Service Synchronization
Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the SEE
Management Server will obtain the organizational hierarchy of the specified forest, domain, and/or tree and store this
information in the SEE database. It also keeps this information up to date. This improves performance during Client
Computer communications with the SEE Management Server, as the SEE Management Server will be able to
identify the Client Computer without having to query the Active Directory domain controller and/or the Novell
eDirectory server.
When you open the SEE Manager, you will have your Active Directory and/or Novell endpoints organized just the
way that they are in the directory service, easing your deployment activities.
In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if these
computers do not have any SEE products installed and/or have never checked in with the SEE Management Server.
This will allow you to run reports to assess the success of a given deployment and gauge the risk that your
organization may face due to unprotected endpoints.
The timing of the synchronization event differs according to the directory service. Whereas Novell informs the SEE
Management Server of any changes that may occur, the SEE Management Server needs to contact Active Directory
to obtain the latest information. Synchronization with Active Directory is set to occur once every fifteen minutes.
Active Directory and Native Policies
Active Directory policies are designed for deployment to the users and computers residing within your Active
Directory forest/domain. Active Directory policies can be created and deployed whether synchronization with Active
Directory is enabled or not.
Native policies are designed for deployment to computers that are not managed by Active Directory. Should you wish
to deploy native policies to computers that are managed by Active Directory, you must turn synchronization with
Active Directory off.
The following table itemizes the differences between Active Directory and native policies.
Table 1.1—Active Directory and Native Policies Compared
Active Directory Policies | Native Policies
Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers.
Policies are applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence.
Single-pane policy creation/deployment. | Each pane must be visited when creating the policy.
Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the SEE Management Server.
An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console.
Manager Console
Basics
The Manager Console contains the following SEE snap-ins:
• Symantec Endpoint Encryption Management Password—is not relevant to SEE Removable Storage.
• Symantec Endpoint Encryption Software Setup—is used to create client installation packages.
• Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a computer policy for clients not managed by Active Directory, such as Novell and other clients.
• Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active Directory or Novell into groups.
• Symantec Endpoint Encryption Reports—includes reports that allow you to obtain endpoint data, Policy Administrator activity logs, and directory service synchronization configuration. In addition, you can create your own custom reports.
It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:
• Active Directory Users and Computers—allows you to both view and modify your Active Directory organizational hierarchy.
• Group Policy Management—lets you manage group policy objects and launch the Group Policy Object Editor (GPOE). Within the GPOE you will find SEE snap-in extensions that allow you to create and modify SEE user and computer policies for Active Directory–managed computers.
Depending on your responsibilities, you may not have access to all of these snap-ins. Any such restrictions are enforced through the privileges associated with your Windows account.
Database Access
Your Windows account may have been provisioned with rights to access the SEE database. If so, ensure that you are
logged on to Windows with this account before launching the Manager Console.
If you are not logged on to Windows with read and write access to the SEE database at the time that you launch the
Manager Console, you will be prompted for your SQL credentials.
Figure 1.2—SQL Server Logon Prompt
The Server name and Initial catalog fields will contain the information that was provided when this Manager
Console was installed. In general, you should not modify the default contents of these fields. Circumstances that
require you to edit these entries would be unusual, such as the loss of your primary SEE database. In such a situation,
you could edit the Server name and Initial catalog fields to connect to a disaster recovery site. The syntax used in
the Server name field is as follows:
computer name,port number\instance name
While the computer name of the server machine hosting the SEE database will always be required, the TCP port
number will only be necessary if you are using a custom port, and the instance name will only be needed if you are
using a named instance. The custom port number would need to be preceded by a comma and the instance name by a
backslash.
Type the user name of your SQL account in the User name field. Type the password of your SQL account in the
Password field. Click Connect to authenticate.
If you don’t wish to authenticate to the SEE database at this time, click Cancel. You may receive one or more error
messages following cancellation. You will receive additional prompts upon attempting to access the individual SEE
snap-ins in the console.
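As an added illustration (not part of the guide or of the SEE Manager Console), the following Python helper parses a Server name value in the form the guide gives, computer name,port number\instance name, rejecting values whose optional parts are missing or misordered, and compares a typed value against the installed default before it is used. The function names, the same_server check, and the sample server names are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper for this example; it is not part of the SEE Manager Console.
# It follows the Server name syntax the guide gives:
#     computer name,port number\instance name
# where ",port number" appears only for a custom TCP port and "\instance name"
# only for a named instance, in that order.

_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")
_INSTANCE_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_$]*$")


@dataclass(frozen=True)
class ServerName:
    host: str
    port: Optional[int]      # None: the SQL Server default port is used
    instance: Optional[str]  # None: the default (unnamed) instance is used


def parse_server_name(value: str) -> ServerName:
    """Split a Server name field value into its host, optional port and optional instance."""
    text = value.strip()
    if not text:
        raise ValueError("Server name is empty")
    # The instance name, if any, follows the single backslash.
    host_port, has_instance, instance = text.partition("\\")
    if has_instance and not _INSTANCE_RE.match(instance):
        raise ValueError(f"invalid instance name: {instance!r}")
    # The custom port, if any, follows a comma and comes before the backslash.
    host, has_port, port_text = host_port.partition(",")
    if has_port and not (port_text.isdigit() and 1 <= int(port_text) <= 65535):
        raise ValueError(f"invalid TCP port: {port_text!r}")
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid computer name: {host!r}")
    return ServerName(host,
                      int(port_text) if has_port else None,
                      instance if has_instance else None)


def is_valid_server_name(value: str) -> bool:
    """True when the value follows the documented syntax."""
    try:
        parse_server_name(value)
        return True
    except ValueError:
        return False


def same_server(a: str, b: str) -> bool:
    """True when two Server name values name the same host, port and instance.

    Host and instance names compare case-insensitively. Use it to confirm that a
    value typed into the field still points at the installed default database
    before clicking Connect.
    """
    def key(p: ServerName):
        return (p.host.lower(), p.port, (p.instance or "").lower())

    return key(parse_server_name(a)) == key(parse_server_name(b))


if __name__ == "__main__":
    # Constructed sample values; "your-org.com" is the sample domain from Figure 1.1.
    print(parse_server_name("seedb01.your-org.com,14330\\SEE"))
    print(same_server("SEEDB01\\see", "seedb01\\SEE"))
```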
Endpoint Containers
Basics
The SEE Manager will place each endpoint into one or more of the following containers:
• Active Directory Computers,
• Novell eDirectory Computers, or
• Symantec Endpoint Encryption Managed Computers.
Active Directory/Novell eDirectory Computers
No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers unless
synchronization with the directory service is enabled.
If synchronization with Active Directory is enabled, the Active Directory Computers container will be populated
with the computers in the Active Directory forest/domain. If synchronization with Novell is enabled, the Novell
eDirectory Computers container will hold the computers in the Novell tree. If synchronization with both directory
services is enabled and the computer is managed by both, it will appear in both containers. Computer and user objects
located within the Active Directory and/or Novell containers cannot be moved or modified with SEE snap-ins.
Symantec Endpoint Encryption Managed Computers
Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers will not
be shown in the Symantec Endpoint Encryption Managed Computers container.
Only computers that have checked in with the SEE Management Server are shown in the Symantec Endpoint Encryption Managed Computers container. Whether a computer is placed in that container after it checks in depends on whether synchronization is enabled:
• If synchronization is not enabled, all Client Computers that have checked in are placed in the Symantec Endpoint Encryption Managed Computers container.
• If synchronization is enabled, only Client Computers that have checked in and do not reside within the designated Active Directory forest/domain and/or Novell tree are placed in the Symantec Endpoint Encryption Managed Computers container.
Computers located within the Symantec Endpoint Encryption Managed Computers container should be grouped into
the organizational structure that you desire.
Deleted Computers
The Deleted Computers container stores SEE-managed computers that have been deleted, allowing you to restore the
computer and revert its deletion.
SEE-managed computers will remain in the Manager Console even after the client-side software has been
uninstalled. To complete the uninstallation of an SEE-managed computer, locate the computer within the Symantec
Endpoint Encryption Managed Computers container. Right-click the computer and select Delete. The computer will
be removed from the Symantec Endpoint Encryption Managed Computers container and placed in the Deleted
Computers container.
Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers container
following uninstallation and then reinstall, you will find two computers with the same name in the Symantec
Endpoint Encryption Managed Computers container. Locate the computer with the older last check-in date,
right-click it, and select Delete.
SEE Roles
Policy Administrators
As the Policy Administrator, you perform centralized administration of SEE. Using the Manager Console and the
Manager Computer, you perform one or more of the following tasks:
• Update and set client policies.
• Run reports.
• Change the Management Password.
Client Administrators
Client Administrators provide local support to SEE users.
Client Administrator accounts are created and maintained from the SEE Manager. Client Administrator accounts are
managed entirely by SEE and independent of Windows, allowing Client Administrators to support users who are not
a part of an Active Directory domain.
Client Administrators may be configured to authenticate with either a password or a token. Client Administrator
passwords are managed from the Manager Console and cannot be changed at the Client Computer. This single-source
password management allows Client Administrators to remember only one password as they move among many
Client Computers.
Each Client Administrator account is assigned one of three privilege levels. The following table itemizes the
individual privileges associated with each level.
Table 1.2—Client Administrator Levels of Privilege
Level: Can Uninstall SEE Removable Storage / Can Unregister Users
High: • / •
Medium: •
Low: •
Client Administrators should be trusted in accordance with their assigned level of privilege.
The Client Administrator is also responsible for recovering SEE Removable Storage–encrypted files when the user
has forgotten their password and a Master Certificate was used. This responsibility is not controlled by privilege
level.
Each Client Computer must have one default Client Administrator account. The default Client Administrator account
has a high privilege level and authenticates using a password. Up to 1024 total Client Administrator accounts can
exist on each Client Computer.
Client Administrators must register as a user to make use of removable storage devices at the SEE Removable
Storage–protected workstation.
User
At least one user is required to register with SEE on each Client Computer.
A wizard guides the user through the registration process, which involves a maximum of five screens. The
registration process can also be configured to occur without user intervention. Users will not be able to access their
removable storage devices until they have registered.
To ensure the success of this product in securing your encrypted assets, do not define users as local administrators or
give users local administrative privileges.
2. Reporting
Overview
Basics
The SEE Manager reporting tools allow you to obtain information about:
• Client Computers,
• Policy Administrator activities, and
• Directory service synchronization.
Client Computers
At the time that a Client Computer succeeds in checking in with the SEE Management Server, it sends information
about itself that is stored in the SEE database. Any one of the following reporting tools can be used to retrieve the
data that pertains to the Client Computer(s) of interest:
• “Symantec Endpoint Encryption Users and Computers” on page 11;
• “Computer Status Report” on page 11;
• “Computers not Encrypting to Removable Storage” on page 11;
• “Computers with Decrypted Drives” on page 11;
• “Computers with Expired Certificates” on page 11;
• “Computers with Specified Users” on page 12;
• “Computers without Full Disk Installed” on page 12;
• “Computers without Removable Storage Installed” on page 12;
• “Non-Reporting Computers” on page 12; and
• “Custom Reports” on page 12.
The following tables itemize the data available about each of the Client Computers that has checked in.
If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer names
and directory service location of any computer located on your forest(s), domain(s), and/or tree(s)—even if it
has never checked in with the SEE Management Server. While only the computer name and directory service
location of these machines will be available, the absence of additional data will allow you to identify
computers that are unprotected or have not checked in.
Columns that will be displayed but not populated by SEE Removable Storage are identified as not applicable (N/A).
Table 2.1—Client Computer Data
Column Heading (Data Displayed): Explanation
Computer name (computer name): Computer name
Group name* (group name): Location of the computer within Symantec Endpoint Encryption Users and Computers
Last Check-in (time/date stamp): The time and date of the last connection that the Client Computer made with the SEE Management Server
Decrypted (N/A): N/A
Decrypting (N/A): N/A
Encrypted (N/A): N/A
Encrypting (N/A): N/A
OS (operating system name): The name of the installed operating system
System Type (32-bit|64-bit): The number of bits of memory supported by the installed operating system
FR Version (n.n.n): The three digit version number of SEE Framework that is currently installed
FR Installation Date (time/date stamp): The time and date on which SEE Framework was installed
Version (N/A): N/A
Installation Date (N/A): N/A
Serial Number (serial number): The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank.
Asset Tag (asset tag): The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank.
Part Number (part number): The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. This data may not exist on the client, in which case it will be blank.
RS Encryption Policy (encrypt all files|encrypt new files|encrypt to CD/DVD only|Write unencrypted): The encryption policy currently being enforced by SEE Removable Storage
Number of Drives (N/A): N/A
RS Exempted Groups (1|2|3): If one or more multimedia groups is exempted from mandatory encryption, the values 1, 2, and/or 3 will be displayed. 1 represents the audio group. 2 represents the video group. 3 represents the image group. See the User Guide for an itemization of the file types that belong to each group.
RS Encryption Method (password|certificate|any): The encryption method(s) currently allowed by SEE Removable Storage
RS Executables (True|False): True will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; False if the user does not
RS Access Utility (True|False): If the Removable Storage Access Utility is being automatically copied to removable storage devices, True will be displayed. If not, False will be displayed.
RS Master Cert (serial number): If a Master Certificate is in effect at the Client Computer, its serial number will be displayed. Otherwise, the field will be blank.
RS Group Key (True|False): If a group key is in use, True will be displayed. If not, False will be displayed.
RS Password Aging (Enabled|Disabled): If password aging is being applied to Default Passwords, Enabled will be displayed. If not, Disabled will be displayed.
RS Version (n.n.n): The three digit version number of SEE Removable Storage that is currently installed
RS Installation Date (time/date stamp): The time and date on which SEE Removable Storage was installed
SSL Certificate Expiration Date (time/date stamp): The time and date of the client-side TLS/SSL certificate’s expiration
* This column is not shown in the Symantec Endpoint Encryption Users and Computers snap-in.
After double-clicking on a Client Computer, a dialog will be displayed that provides additional details. The dialog
will contain an Associated Users tab and a Drives tab.
The Associated Users tab will contain one row of data per registered user or Client Administrator on the Client
Computer.
Table 2.2—Associated Users Data
Column Heading (Data Displayed): Explanation
User Name (user name): The user name of the registered user or Client Administrator account
User Type (Reg User|Client Admin): If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed.
Authentication Method (Password|Token|Password and Token|Unauthenticated): If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed.
User Domain (name of domain or tree|computer name): If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank.
Last Logon Time (time/date stamp): If a user, the time and date of the last User Client Console logon. If a Client Administrator, the time and date of the last Administrator Client Console logon.
Registration Time (time/date stamp): The time and date on which this user registered. If this is a Client Administrator account, the time and date on which the account was created either by MSI or policy update.
The Fixed Drives tab is not applicable to SEE Removable Storage.
Directory Services Synchronization
Your current synchronization parameters are stored in the SEE database and can be retrieved using the following
Symantec Endpoint Encryption Reports:
• “Active Directory Forests Synchronization Status” on page 11, and
• “Novell eDirectory Synchronization Status” on page 12.
One row of data per forest or tree will be listed. The following table identifies the data that will be available from
these reports.
Table 2.3—Directory Services Synchronization Data
Column Heading (Data Displayed): Explanation
Forest/Tree Name (forest or tree name): The name of the forest or tree that you are synchronizing with will be identified in this column.
Administrator Name (user name): The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account.
Administrator Domain* (domain): The Active Directory domain of the Active Directory synchronization account for this forest will be identified.
Last Synchronization (time date stamp): The time and date of the last successful synchronization with this forest or tree will be supplied.
Total Computers (number): The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the SEE–protected endpoints.
* This column is not shown in the Novell eDirectory Synchronization Status report.
Admin Log
Each time the Policy Administrator makes a change using the Manager Console, the action will be logged.
The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered according to
inclusive date and time, user name, and computer name. The following table identifies the data that will be available
in the Admin Log reports.
Table 2.4—Admin Log Data
Column Heading (Data Displayed): Explanation
Date-Time (time date stamp): The time and date on which the activity occurred
User (user name): The Windows user name of the Policy Administrator that initiated the activity
Computer (computer name): The computer name of the Manager Computer from which the activity was initiated
Activity: one of the messages listed below; the Description column is shown as — for each of them.
  Changed SEE management password
  Created native policy policy name
  Renamed native policy ‘old policy name’ to ‘new policy name’
  Deleted native policy ‘policy name’
  Edited native policy ‘policy name’
  Created new SEE Managed computer group ‘group name’
  Renamed SEE Managed computer group ‘old group name’ to ‘new group name’
  Deleted SEE Managed computer group ‘group name’
  Assigned native policy ‘policy name’ to group ‘group name’
  Unassigned native policy ‘policy name’ from group ‘group name’
  Changed assigned native policy for group ‘group name’ from native policy ‘old policy name’ to native policy ‘new policy name’
  Deleted SEE Managed Computer ‘computer name’
  Moved SEE Managed Computer ‘computer name’ from group ‘old group name’ to ‘new group name’
  Restored SEE Managed Computer ‘computer name’
  Exported Recover DAT file for computer ‘computer name’
  Initiated One-Time Password online method for user ‘user name’ on computer ‘computer name’ SEE GUID ‘SEE GUID of computer’
  Initiated One-Time Password offline method for user ‘user name’
  Created Framework client installation package ‘MSI package name’
  Created Full Disk client installation package ‘MSI package name’
  Created Removable Storage client installation package ‘MSI package name’
  Created Autologon MSI package ‘MSI package name’
Symantec Endpoint Encryption Users and Computers
The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific group.
This data can be printed or exported into a comma-delimited format (CSV). This can be useful for generating reports
on a per-group basis.
You might also want to consider your reporting needs when you create your groups (“Symantec Endpoint Encryption
Managed Computer Groups” on page 29).
Symantec Endpoint Encryption Reports
Basics
The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in managing
your endpoints and your synchronization(s).
After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in the tool
of your choice. Alternatively, you can print the report directly from the Manager Console.
Should you choose to print the report, you can choose which columns to include by right-clicking the report in the
console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns Displayed
from the Action menu.
Active Directory Forests Synchronization Status
The Active Directory Forest Synchronization Status report provides the latest details of your Active Directory
synchronization parameters and status.
Computer Status Report
The Computer Status Report is used to retrieve the records of specific computers when you know their computer
name. Following deployment of client installation packages, you can use this report to ensure that each client checks
in. Type or paste the computer names in the Enter Computer Names field. Each should be on a separate line. The %
character can be used as a wildcard. Once you have entered the computer names that you want to retrieve the records
of, click Run. To refresh the data, click Run again.
Computers not Encrypting to Removable Storage
The Computers not Encrypting to Removable Storage report will retrieve the records of the following computers on
your network:
• Did not have SEE Removable Storage installed as of the time of last check-in.
• Was not protected by a SEE Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as of the time of last check in.
• Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not be allowing users to write unencrypted files to removable devices.
Computers with Decrypted Drives
The Computers with Decrypted Drives report will retrieve the records of the following computers on your network:
• Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.
• Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have a decrypted or decrypting drive or partition.
Computers with Expired Certificates
The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/SSL
certificates due to expire within the specified number of days from the current day. Enter the number of days until
expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of the clients with
certificates due to expire within the next ninety days, type 90 in the Days the Certificate Will Expire field and click
Run.
Computers with Specified Users
The Computers with Specified Users report allows you to find out all of the computers that one or more users have
registered on. Type the user names in the Enter User Names field. If you enter more than one user name, they
should be separated by carriage returns. The % wildcard character is supported. Once the desired report parameters
have been entered, click Run.
The records of the computers on which one or more of the specified users has registered will be retrieved and listed
in the report results.
Computers without Full Disk Installed
The Computers without Full Disk Installed report will retrieve the records of the following computers on your
network:
• Did not have SEE Full Disk installed as of the time of last check-in.
• Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Full Disk installed.
Computers without Removable Storage Installed
The Computers without Removable Storage Installed report will retrieve the records of the following computers on
your network:
• Did not have SEE Removable Storage installed as of the time of last check-in.
• Resides on a forest or tree that is synchronized with the SEE Management Server and has not checked in. These clients may or may not have SEE Removable Storage installed.
Non-Reporting Computers
The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with the SEE
Management Server within a specified number of elapsed days. This report will help you ensure that the data in the
SEE database remains fresh.
Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the
computers on your network that have not checked in with the SEE Management Server within the specified number
of days will be retrieved and listed.
Novell eDirectory Synchronization Status
The Novell eDirectory Synchronization Status report provides the latest details of your Novell synchronization
parameters and status.
Custom Reports
The custom reports feature allows you to create your own reports that you can run or edit at a later time. You can
create subfolders to organize your custom reports. Right-click Custom Report and choose New Report to open the
Query Editor. Click Save when you are done and type in a name for the new report.
Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all possible filter
criteria, see Table 2.1 on page 7.
While only SEE version numbers will be available in the Client Version area, the selection of an SEE version
number will result in the retrieval of not only the records of Client Computers installed with the selected SEE
version, but also the Client Computers installed with the equivalent GuardianEdge Framework version. For example,
if you select the 7.0.3 check box, the records of 7.0.3 clients will be retrieved—as well as the records of
GuardianEdge Framework 9.3.0 and 9.3.1 clients. If you have GuardianEdge clients, consult the following table for
the full mapping.
Table 2.5—SEE Version Numbers and Equivalent GuardianEdge Version Numbers
SEE Version Number: Equivalent GuardianEdge Version Number(s)
7.0.0: 9.2.0
7.0.1: 9.2.1
7.0.2: 9.2.2
7.0.3: 9.3.0, 9.3.1
7.0.4: 9.4.0, 9.4.1
7.0.5: 9.5.0
7.0.6: 9.5.1, 9.5.1 Patch 1
Resultant Set of Policy (RSoP)
The Group Policy Management snap-in features a reporting facility which allows you to verify that the Active
Directory policies you assigned to Client Computers or users were actually processed as intended. This report is
known as a Resultant Set of Policies (RSoP) or Group Policy Report.
The initial SEE installation settings as deployed using the Framework and Removable Storage client MSI
packages (even if the MSI packages were deployed as GPOs) will not appear in the RSoP report. Only the
results of Active Directory policy updates will be shown in the RSoP report.
To generate an RSoP report, perform the following steps:
1. Open the SEE Manager, and in the left pane, expand Group Policy Management, then expand Group Policy
Results.
2. With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3. The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4. Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5. Click Next.
Figure 2.1—Group Policy Results Wizard, User Selection
6. To view both user and computer policies, select the user that you want to see the user policies of. If you are only
interested in computer policies, select Do not display user policy settings in the results.
7. Click Next.
8. Click Next at the summary screen, then click Finish.
9. The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into a report,
and displays the information in several tabs of the content pane on the right.
10. Click on the Settings tab of the Group Policy Results window in the pane on the right.
11. This window shows a collapsed view representing all the settings for the user/computer pair you selected. The
view is divided into two sections: one section named Computer Configuration, and another section beneath it
named User Configuration.
12. Within the section named Computer Configuration, locate the subsection named Administrative Templates.
SEE uses registry based policies, and any SEE computer policies you create and apply will show up within the
subsections Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/
Framework, and Computer Configuration, Administrative Templates, Symantec Endpoint Encryption/
Removable Storage.
For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results window.
13. Expand the Administrative Templates and then expand the Symantec Endpoint Encryption/Framework
section by clicking on the Show link on the right. That subsection will expand to reveal all Framework policies
currently in effect.
Figure 2.2—RSoP Report From an SEE Client
Figure 2.2 shows that a Client Administrator policy has been applied. The Client Administrator mbrown
authenticates using a password and has a high level of privilege. The Client Administrator mwilliams authenticates
using a password and has a high level of privilege.
Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example,
Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in which to
save the HTML report.
Some SEE Active Directory policies create other settings in the client registry that are shown in the RSoP as Extra
Registry Settings. These represent internal registry values used by the particular SEE policy and can be ignored.
Windows System Events
All security-related system events are logged on the SEE Client Computer where they may be viewed remotely by an
administrator using the Windows System Event viewer. To view SEE Removable Storage–specific system events
logged on a specific computer, perform the following steps:
1. Open a Run dialog from the Windows Start menu.
2. Type eventvwr.msc and click OK.
3. An Event Viewer console window opens showing the events on your local computer.
4. In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and choose
Connect to another computer.
5. In the Select Computer dialog, make sure that the Another computer option is selected, then click Browse.
6. In the Select Computer dialog, type the name of a computer you wish to inspect the events of, and click OK.
7. In the navigation pane on the left, right-click the item named Application, and choose Connect to another
computer.
8. Choose View and click Filter to open the Application Properties window.
9. From the Event Source drop-down list box, choose Removable Storage Service and click Apply.
10. This filters the event log for that computer to show SEE Removable Storage events. Drag the Application
Properties window away from the Event Viewer window, but leave it open.
11. In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event Properties
window for that event.
The Description field contains information about that particular SEE Removable Storage event. To inspect other
events in the log, use the up and down arrow buttons in the upper right of the Event Properties window.
To filter out all events other than a desired event, click on the Application Properties window. In the Event ID field,
type the number of the event you are interested in, then click Apply. The Event Viewer window will update and filter
out all event IDs other than the one you specified.
For a complete list of all SEE–specific system events, their event code numbers, and descriptions of the events, refer
to Appendix A “System Event Logging” on page 34.
3. Policy Creation & Editing
Overview
Each client will have installation settings in place. Installation settings are created at the time that the client is
installed and modified each time an upgrade package is applied. Policy settings will always take precedence over any
installation settings on the client.
SEE provides two different types of policies. While each contains identical options, Active Directory policies are
created and edited in quite a different manner from native policies.
This chapter discusses the following:
• How to create and/or edit Active Directory policies using SEE snap-in extensions in the Group Policy Object Editor (GPOE) (“Active Directory Policies” on page 17);
• How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy Manager (“Native Policies” on page 18); and
• The individual policy options themselves (“Policy Options” on page 18).
Active Directory Policies
To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your forest,
expand Domains, expand the domain, and expand Group Policy Objects.
• To edit an existing GPO, right-click the GPO and select Edit.
• To create a new GPO, right-click Group Policy Objects and select New.
The Group Policy Object Editor (GPOE) will launch.
• To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage, according to your needs.
• To edit or create a user policy, expand User Configuration, expand Software Settings, and expand Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage, according to your needs.
Each Active Directory policy panel features three option buttons at the top:
• Do not change these settings—this option is the default option. It specifies that no changes to existing policies or installation settings will be made.
• Change these settings—click this option if you want to specify a policy update. When this option is selected, the fields below it will become available. These fields will not be defaulted to the policies currently in effect; they will just display generic defaults.
• Restore the installation settings—click this option to apply a policy that instructs the client to disregard any existing policies and return to the settings that were specified in its installation package.
When the Change these settings option is selected, your entries are validated when you click away from the panel.
Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the navigation tree of the
GPOE window, will change to a warning icon to remind you to return to that panel and make the necessary
corrections before closing the GPOE window.
For a detailed discussion of the options that will become available when the Change these settings option is selected,
refer to “Policy Options” on page 18.
Native Policies
To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select Create
New Policy. When naming a policy, observe the following:
• Each name must be unique and cannot have been assigned to any other native policy.
• Names are case-insensitive.
• Leading and trailing spaces will be deleted.
To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy that you
want to edit and highlight it.
For a detailed discussion of the options available for modification within the Symantec Endpoint Encryption Native
Policy Manager, continue to the next section.
Policy Options
Client Administrators
When creating a Client Administrator policy, it must contain all Client Administrator accounts that are authorized to
access the workstation. Any Client Administrator accounts not listed in this policy will not be able to authenticate to
the Client Computer.
Figure 3.1—Framework Computer Policy, Client Administrators Options
At least one default Client Administrator account must be specified. No more than 1024 Client Administrators
accounts can be added.
You can import a list of Client Administrators from a previously created installation settings package. Click Load
from installation settings, select the previously created SEE Framework client installer package, then click Open.
The GPO panel will populate with the Client Administrator account information specified when the installation
settings package was created.
Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit the
account.
Figure 3.2—Add New Client Administrator Dialog
Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ.
Each Client Administrator account must have credentials and a specified level of privilege.
Leave the Default admin check box selected to designate this Client Administrator as the default Client
Administrator account, otherwise deselect the check box. If you deselect the Default admin check box, the Level and
Authentication controls become available.
The Default admin check box will be deselected and unavailable if you already added a default Client Administrator.
The Level list box is only available if the Default admin check box is deselected. Click Level to set the desired
privilege level for the Client Administrator.
The Authentication list box is only available if the Default admin check box is deselected. Click Authentication to
set the Client Administrator’s authentication method. If this is a native policy and you selected None (password
authentication only) when installing the Framework Manager, the list box will display Password and be
unavailable. If you selected one of the token types when installing the Framework Manager, the list box will have
both Password and Token options available.
If you select the Password option, type the desired password for this Client Administrator account in the Password
box. The password must be a minimum of two characters and no longer than 32. Type the password a second time in
the Confirm password box.
If you select the token option, you will be prompted to locate the P7B certificate file associated with that Client
Administrator account. The selected P7B file will be validated, and you will be prompted to choose the desired
certificate from the list of valid certificates found in the P7B file.
Registered Users
Basics
The Registered Users panel can be used to change the way that users authenticate to, register with, or get unregistered
from SEE.
Figure 3.3—Framework Computer Policy, Registered Users Options
Authentication Method
In Authentication Method, select the authentication method you want SEE to effect.
• Clicking on Require registered users to authenticate with ensures that users type their credentials before
gaining access to the User Client Console. Select a password to have users authenticate with a password. Select a
token to have users authenticate with a token. Select password or token to allow users to authenticate using either
a password or a token.
• Clicking on Do not require registered users to authenticate to SEE selects automatic authentication and allows
all registered users to access the User Client Console without providing any credentials. The registration process
itself will also be automatic and occur without user intervention—unless a registration password is specified.
Coupling automatic authentication with a registration password could serve to limit the number of users able to
use removable storage devices from the workstation, as only registered users can use removable storage devices.
Single-Sign On will be unavailable to users not using the same authentication method for both Windows and
SEE. For Single-Sign On to work, the authentication methods used in both environments must be identical.
Once the policy has been processed and the Client Computer has rebooted, the user’s experience will vary. Refer to
Appendix C “Authentication Method Changes” on page 65 for details of the user’s experience.
Registration
To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE
account. To allow only those users who know a special registration password to be able to register, click Users must
know this password to register, and type the password in the adjacent field and again to confirm. Each user will be
required to know the administrator-defined registration password before they can register for an SEE account.
Specify the maximum number of SEE registered user accounts which can be created on each computer. New users
will not be permitted to register after the maximum number of accounts has been reached.
Specify a custom message users will see when they are forced to register after grace restarts expire. The custom
message can be from 0–900 characters in length, or you can use the default message. Note that the custom
registration message field ignores any carriage returns you type or paste in.
Specify the number of grace restarts, i.e., the number of times, from 0–99, that the computer can restart before the
first user who logs on will be forced to register for an SEE account and see the custom registration message. This
setting can effectively allow users to defer registration. To force the first user to register immediately, set this value to
zero.
Unregistration
Under Unregistration, choose whether users can be unregistered only manually by Client Administrators, or whether
users who do not log on for a specified period, from 1–365 days, are also unregistered automatically. This setting is
useful in a kiosk environment where many infrequent users can fill up the maximum number of available SEE
accounts on a given computer. Use caution with this setting so that users do not have their accounts deleted
unexpectedly.
Password Authentication
Use the Password Authentication panel to set or change the logon delay and/or to set the criteria that new passwords
must meet, if Single Sign-On is not enabled.
Figure 3.4—Framework Computer Policy, Password Authentication Options
Under Password Attempts, select the Limit password and Authenti-Check attempts check box to set the number
of incorrect passwords or Authenti-Check answers a user can type in succession before the system will introduce a
one minute delay between further logon attempts. You can also specify the time in minutes that must elapse after the
last incorrect attempt occurred, after which the one minute delay behavior is lifted.
Note that the Password Attempts settings are enforced for the SEE password, passwords used to decrypt
self-extracting executables, passwords used to decrypt files, and passwords used to decrypt files using the Removable
Storage Access Utility.
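As an added illustration, not code from the product, the Password Attempts behaviour modelled in Python: a per-user throttle that imposes the one-minute delay once the configured number of consecutive incorrect attempts is reached and lifts it (forgetting the failures) after the configured number of minutes has elapsed since the last incorrect attempt. The setting names, sample values and the injectable clock are assumptions made for this example.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class PasswordAttemptPolicy:
    """Values from the Password Attempts group of the panel (sample values, assumed)."""
    limit_attempts: bool = True     # "Limit password and Authenti-Check attempts" check box
    max_attempts: int = 3           # incorrect attempts allowed in succession before the delay
    reset_after_minutes: int = 15   # minutes after the last failure after which the delay is lifted
    delay_seconds: int = 60         # the one-minute delay between further attempts


@dataclass
class AttemptState:
    failures: int = 0                       # consecutive incorrect attempts so far
    last_failure: Optional[float] = None    # epoch seconds of the last incorrect attempt
    next_allowed: float = 0.0               # epoch seconds before which attempts are refused


class LogonThrottle:
    """Per-user throttle; 'now' is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, policy: PasswordAttemptPolicy, now: Callable[[], float] = time.time):
        self.policy = policy
        self.now = now
        self._states: Dict[str, AttemptState] = {}

    def _state(self, user: str) -> AttemptState:
        st = self._states.setdefault(user, AttemptState())
        # Lift the delay and forget the failures once the reset interval has elapsed.
        if (st.last_failure is not None
                and self.now() - st.last_failure >= self.policy.reset_after_minutes * 60):
            st = self._states[user] = AttemptState()
        return st

    def seconds_until_allowed(self, user: str) -> float:
        """0.0 when the user may try now; otherwise the remaining delay in seconds."""
        return max(0.0, self._state(user).next_allowed - self.now())

    def record(self, user: str, success: bool) -> float:
        """Record the outcome of an attempt; returns the delay imposed on the next attempt."""
        if success:
            self._states.pop(user, None)       # a correct password clears the counter
            return 0.0
        st = self._state(user)
        st.failures += 1
        st.last_failure = self.now()
        if self.policy.limit_attempts and st.failures >= self.policy.max_attempts:
            st.next_allowed = st.last_failure + self.policy.delay_seconds
            return float(self.policy.delay_seconds)
        return 0.0
```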
• Password Complexity—These include the minimum number of characters users’ SEE passwords must contain,
the set of non-alphanumeric characters users may have in their passwords, as well as the minimum number of
non-alphanumeric characters, uppercase letters, lowercase letters, and digits users must have in their passwords.
Note that the Password Complexity settings are enforced for the SEE password, the Removable Storage Default
Password, passwords used to encrypt self-extracting executables, passwords used to encrypt files from SEE
Removable Storage–protected computers, and passwords used to encrypt files using the Removable Storage
Access Utility.
• Maximum Password Age—Leave this option at the default to not set an expiration date on user passwords. If
you select the option to set an expiration date on user passwords, type the number of days after which users’
passwords will expire, and type the number of days in advance users will be prompted to change their expiring
passwords.
• Password History—allow users to use any previously-used SEE password, or select the other option and type the
number of different passwords users must use before reverting to old passwords.
• Minimum Password Age—Leave this option at the default to allow users to change their SEE passwords as
frequently as they wish, or select the other option and type the minimum number of days that must pass before
users can change their passwords. Note that leaving this option at the default will effectively override the
password history feature, since a user could quickly cycle through the required number of new passwords in order
to keep an old, favorite password.
Note that the Maximum Password Age, Password History, and Minimum Password Age settings can optionally
be used by SEE Removable Storage to enforce password aging restrictions on the SEE Removable Storage Default
Password chosen by users. See “Encryption Method” on page 26.
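An added example, not code from the product, showing how the Password Complexity, Minimum Password Age, Password History and Maximum Password Age settings described above combine when a user attempts a password change, including why a minimum age of zero lets a user cycle back to an old password. The policy values, the salted PBKDF2 storage of past passwords and the function names are assumptions made for this illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    """Panel settings; the sample values are assumptions for this example."""
    min_length: int = 8
    allowed_special: str = "!@#$%^&*()-_=+"   # non-alphanumeric characters users may use
    min_special: int = 1
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    max_age_days: Optional[int] = 90   # None: passwords never expire
    warn_days_before: int = 7          # days in advance users are prompted to change
    history_depth: int = 5             # 0: any previously used password may be reused
    min_age_days: int = 1              # 0: users may change as often as they wish


def complexity_violations(pw: str, p: PasswordPolicy) -> List[str]:
    """Every Password Complexity rule the candidate fails; an empty list means it complies."""
    problems = []
    if len(pw) < p.min_length:
        problems.append(f"shorter than {p.min_length} characters")
    specials = [c for c in pw if not c.isalnum()]
    disallowed = sorted({c for c in specials if c not in p.allowed_special})
    if disallowed:
        problems.append("disallowed non-alphanumeric character(s): " + "".join(disallowed))
    required = {
        "non-alphanumeric": (len(specials), p.min_special),
        "uppercase": (sum(c.isupper() for c in pw), p.min_upper),
        "lowercase": (sum(c.islower() for c in pw), p.min_lower),
        "digit": (sum(c.isdigit() for c in pw), p.min_digits),
    }
    for name, (have, need) in required.items():
        if have < need:
            problems.append(f"needs at least {need} {name} character(s), has {have}")
    return problems


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: date


def _digest(pw: str, salt: bytes) -> bytes:
    # Past passwords are kept only as salted PBKDF2 hashes so history can be checked
    # without storing the passwords themselves (assumed storage scheme, not the product's).
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 50_000)


@dataclass
class UserPasswordHistory:
    records: List[PasswordRecord] = field(default_factory=list)   # oldest first

    def add(self, pw: str, today: date) -> None:
        salt = os.urandom(16)
        self.records.append(PasswordRecord(salt, _digest(pw, salt), today))

    def reused(self, pw: str, depth: int) -> bool:
        recent = self.records[-depth:] if depth > 0 else []
        return any(_digest(pw, r.salt) == r.digest for r in recent)


def change_problems(hist: UserPasswordHistory, new_pw: str, p: PasswordPolicy, today: date) -> List[str]:
    """Reasons a password change would be refused: complexity, minimum age, then history."""
    problems = complexity_violations(new_pw, p)
    if hist.records:
        age = (today - hist.records[-1].set_on).days
        if age < p.min_age_days:
            problems.append(f"minimum password age not reached ({age} of {p.min_age_days} days)")
    if hist.reused(new_pw, p.history_depth):
        problems.append(f"password reuse: matches one of the last {p.history_depth} passwords")
    return problems


def age_status(hist: UserPasswordHistory, p: PasswordPolicy, today: date) -> str:
    """'ok', 'warn' (inside the advance-notice window) or 'expired' under Maximum Password Age."""
    if p.max_age_days is None or not hist.records:
        return "ok"
    age = (today - hist.records[-1].set_on).days
    if age >= p.max_age_days:
        return "expired"
    if age >= p.max_age_days - p.warn_days_before:
        return "warn"
    return "ok"


def run_scenario() -> dict:
    """Walk one user through a change cycle with constructed dates; returns the observations."""
    p, hist = PasswordPolicy(), UserPasswordHistory()
    d0 = date(2010, 3, 1)
    out = {"first": change_problems(hist, "Passw0rd!", p, d0)}
    hist.add("Passw0rd!", d0)
    out["same_day"] = change_problems(hist, "Secur3Pa$$", p, d0)        # blocked by minimum age
    d1 = d0 + timedelta(days=2)
    out["two_days_later"] = change_problems(hist, "Secur3Pa$$", p, d1)  # allowed
    hist.add("Secur3Pa$$", d1)
    out["reuse_old"] = change_problems(hist, "Passw0rd!", p, d1 + timedelta(days=3))  # history
    out["ages"] = [age_status(hist, p, d1 + timedelta(days=n)) for n in (0, 84, 90)]
    return out
```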
Token Authentication
If token authentication is in effect and you want to allow expired certificates, check the Users can authenticate to
SEE with expired certificates check box.
Authentication Message
To change the message shown to users who are having trouble authenticating, edit the text within the Instructions
for users who are having trouble with authentication field. For example, the phone number of your help desk may
have been provided in the message and you may need to update it.
Communication
Use the Communication panel to modify the interval at which the recipient computers will attempt to make contact
with the SEE Management Server.
Single Sign-On
Select or deselect the Enable Single Sign-On check box for the desired effect.
Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it
can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient
computer(s).
Authenti-Check
Authenti-Check allows users that have forgotten their password or do not have their token to gain access to the User
Client Console. The user can then change their SEE password, if Single Sign-On is not enabled. If the user has been
issued a new token, the user can use the User Client Console to change their token.
Use the Authenti-Check panel to enable or disable Authenti-Check, and/or to change the question-answer pair
requirements.
Figure 3.5—Framework Computer/User Policy, Authenti-Check Options
Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect.
Type a value in the Minimum answer length box to set the minimum number of characters, from 1–99, that users
must include when answering Authenti-Check questions.
Type one, two, or three Predefined questions, 0–99 characters in length, that a user must correctly answer before the
user authenticates.
The number displayed in the Number of user-defined questions required drop-down list is dynamically updated
based on how many questions you have typed in the Predefined questions boxes. Number of predefined questions
shows the number of predefined questions currently specified, while Total shows the combined total of the Number
of predefined questions plus the Number of user-defined questions required.
Note that at least one question must be defined either by you or by the user.
Consider what type of policy this is when modifying these settings. If this is an Active Directory policy, it
can be deployed to individual users. If this is a native policy, it will be applied to all users of the recipient
computer(s).
One-Time Password
One-Time Password is a help-desk-assisted means for SEE Full Disk users to regain access to Windows. It is not
relevant to SEE Removable Storage.
Security Level
Use the Security Level panel to modify the encryption, access, and/or portability policies currently being enforced by
SEE Removable Storage.
Figure 3.6—Removable Storage Computer Policy, Security Level Options
Access Policy
Choose Do not allow access to files on removable storage devices to deny read and write access to files and folders
stored on removable storage devices.
Allow read-only access to files on removable storage devices allows registered SEE users to read, but not write,
files and folders stored on removable storage devices.
Allow read and write access to files on removable storage devices allows registered SEE users to read and write
files and folders stored on removable storage devices. Selecting this option allows you to set an encryption policy.
Encryption Policy
Choose Encrypt all files written to or accessed on removable storage devices to automatically encrypt both new
and pre-existing files on removable devices.
Choose Encrypt new files written to removable storage devices to automatically encrypt all files newly added to
removable storage devices.
Choose Encrypt to CD/DVD only to automatically encrypt new files written to CD/DVD removable media using the
SEE CD/DVD Burner application.
Choose Do not encrypt files on removable storage devices to not encrypt files newly added to removable storage
devices.
Exemption for Multimedia Files
When you set an encrypt all or encrypt new policy, you can exempt certain types of multimedia files from being
encrypted. Select the Exclude multimedia files from forced encryption check box, then leave selected one or more
of the following check boxes according to the type of multimedia file formats you want to exclude from encryption:
• Select Audio to exclude audio files.
• Select Video to exclude video files.
• Select Image to exclude image files.
The individual file types included in each multimedia group are itemized in the User Guide.
The Exclude multimedia files from forced encryption check box must be selected to effect any of the exemptions
you have specified using the Audio, Video, or Image check boxes.
The user will be unable to circumvent the policy by manually changing the file extension.
Portability
Select the Copy the Removable Storage Access utility to all removable storage devices check box to ensure that
the Removable Storage Access Utility will be placed on all removable devices automatically.
If the Encrypt to CD/DVD only option is selected, the name of this check box will change to Copy the Removable
Storage Access Utility to all CDs/DVDs. Select the Copy the Removable Storage Access Utility to all CDs/DVDs
check box to ensure that the Removable Storage Access Utility is written automatically to all CD/DVDs burned by
the SEE CD/DVD Burner application.
Considered munitions by many countries, encryption software is often subject to regulations. The United States, for
example, prohibits the export of strong encryption products to the following countries:
• Cuba,
• Iran,
• Libya,
• North Korea,
• Sudan, and
• Syria.
Legal repercussions could ensue should someone in your organization fail to comply with national and/or
international statutes. Visit http://www.bis.doc.gov for more information.
Encryption Method
Use the Encryption Method panel to modify the encryption methods currently allowed by SEE Removable Storage.
These methods will be available to users encrypting files and creating self-extracting executables from an SEE
Removable Storage–protected computer, as well as users encrypting files with the Removable Storage Access Utility
from computers not protected by SEE Removable Storage.
Figure 3.7—Removable Storage Computer Policy, Encryption Method Options
Select the appropriate option to restrict the encryption method to a password, restrict the encryption method to one
or more certificates that the user chooses, or let each user choose the encryption method.
Select the Apply password aging to Removable Storage default passwords check box to ensure that the Default
Password set by the user will conform to the restrictions set in the Maximum Password Age, Password History and
Minimum Password Age sections of the SEE Framework Password Authentication panel (“Password
Authentication” on page 22). Leaving this box unchecked will allow any previous Removable Storage Default
Password to be reused.
This setting can be used to ensure that users change their Default Password at a designated interval. Keep in mind that
this can cause availability issues, so accompany such a policy with clear instructions to users. See the User Guide for
more information. Specifying a Master Certificate is also recommended.
Master Certificate
Use the Master Certificate panel to set, remove, or modify the Master Certificate used by SEE Removable Storage.
Note that this feature only applies to computers on which write access and encryption are enabled for removable
storage devices.
Choose Do not encrypt files with a master certificate if you want clients to stop using a Master Certificate.
Choose Encrypt files with a master certificate if you want clients to start using a Master Certificate or to change the
Master Certificate that the clients are using. You will be prompted for the location of the PKCS#7 format certificate
file (.p7b).
Ensure that the Master Certificate does not contain the private key and possesses the mandatory key usage
detailed in the Installation Guide.
Once you have chosen a certificate file, the Select Certificate dialog will show information about the certificate you
have chosen.
Group Key
Use the Group Key panel to set, remove, or modify a group key. The group key is used by SEE Removable Storage
and the Removable Storage Access Utility to encrypt files—in addition to the user-provided password and/or
certificate(s). The group key facilitates the sharing of encrypted files among users within a group: if the group key on
the SEE Removable Storage–protected computer matches the group key that a file was encrypted under, the user will
not be prompted to provide a password or certificate to decrypt the file.
Figure 3.8—Removable Storage Computer Policy, Group Key Options
Click Do not encrypt or decrypt files with a group key if you do not want the computers receiving this policy to
use a group key.
Click Encrypt and decrypt files with this group key to deploy a group key to the computers receiving this policy.
Clicking Generate new key will fill the key box with a randomly generated number.
If you type or paste the key in, ensure that the value is random, exactly 64 hexadecimal digits long, and that any
letters are lowercase.
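An added example, not the product's code, of what a Generate new key equivalent produces and of the checks an administrator can run on a typed or pasted group key before deploying it in a policy: length, hexadecimal alphabet, lowercase letters, and a distinct-digit heuristic (an assumption for this example, not a product rule) that catches obviously hand-patterned values.

```python
import re
import secrets
from typing import List

GROUP_KEY_HEX_DIGITS = 64   # a 256-bit key written as lowercase hexadecimal


def generate_group_key() -> str:
    """32 bytes from the OS CSPRNG rendered as 64 lowercase hex digits."""
    return secrets.token_hex(GROUP_KEY_HEX_DIGITS // 2)


def group_key_problems(text: str) -> List[str]:
    """Reasons a typed or pasted key should be rejected; an empty list means it is acceptable."""
    problems = []
    key = text.strip()
    if key != text:
        problems.append("leading or trailing whitespace (paste residue)")
    if len(key) != GROUP_KEY_HEX_DIGITS:
        problems.append(f"wrong length: {len(key)} characters, expected {GROUP_KEY_HEX_DIGITS}")
    if not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("contains characters that are not hexadecimal digits")
    elif key != key.lower():
        problems.append("hexadecimal letters must be lowercase")
    # Randomness sanity check (assumed heuristic): a value drawn uniformly from 2^256 almost
    # always uses most of the 16 hex symbols, so a key using very few of them was almost
    # certainly typed or patterned by hand rather than generated.
    distinct = len(set(key.lower()))
    if key and distinct < 10:
        problems.append(f"looks non-random: only {distinct} distinct hex digits")
    return problems
```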
Descriptive optional text you type in the Memo box will be displayed in RSoP reports.
Executables
Use the Executables panel to change the self-extracting file policy on the recipient computer. To permit users to use
this feature, select the Allow users to save files as password-encrypted self-extracting executables check box.
4. Policy Deployment
Overview
Policy deployment differs according to the type of policy that you are deploying.
• Deployment of Active Directory policies is discussed in the next section.
• Deployment of native policies is discussed in “Native Policies” on page 29.
Active Directory Policies
Basics
Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the SEE
Manager.
Order of Precedence
When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU)
order of precedence and link order will be considered. Policies specific to a single computer or user object are
considered local and have the highest order of precedence in the LSDOU chain.
If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in
the link order will have the highest order of precedence.
Forcing a Policy Update
Basics
Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client
Computers. To accelerate this, you can force an immediate policy update.
Windows XP Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER.
A command prompt will open.
2. Type the following command at the command prompt:
gpupdate /force
and press ENTER.
3. A message will appear in the command prompt window after a few seconds indicating that the update has taken
place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.
Windows 2000 Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER.
A command prompt will open.
2. Type the following command at the command prompt:
secedit /refreshpolicy machine_policy /enforce
and press ENTER.
3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer
policies, you will have to restart the computer manually to complete the update.
Native Policies
Basics
Native policies are applied at the computer level: they cannot be assigned on a per-user basis.
Each policy will be comprehensive and contain all of the possible configurable settings.
Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the
settings specified in its original installation package.
Native policies are applied at the time that the Client Computer checks in with the SEE Management Server. An
immediate check-in can be performed by the user from the User Client Console on the endpoint computer.
If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell
eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be
assigned to Novell computers, even if they have not checked in.
Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies until:
• They have checked in with the SEE Management Server.
• They have been placed in a group other than SEE Unassigned.
The following section discusses the process of creating groups and placing Client Computers inside of them.
Symantec Endpoint Encryption Managed Computer Groups
Basics
Before you can assign policies to your SEE–managed computers, they need to be organized into groups. This can be
done from any Manager Computer. The structure will be saved in the SEE database and available to all other
Manager Computers.
By default, the Symantec Endpoint Encryption Managed Computers container contains only two groups: SEE
Unassigned and Deleted Computers.
Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be placed in
the SEE Unassigned group if:
• Synchronization with its directory service is not enabled.
• The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing
with.
In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client
Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned
until the time of the next synchronization.
Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client
Computers are enforcing the settings specified within their original installation package.
Group Creation
The first step in organizing your SEE–managed computers is to create the groups that they will reside in. To add a
group, right-click Symantec Endpoint Encryption Managed Computers.
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group
Select Add New Group.
Figure 4.2—Name New Group Dialog
Enter the name of the new group. This name must be unique among the groups at the same level under the same
parent. For example, the Finance group can have two subgroups named Laptops and Desktops and the Human
Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups
just below Symantec Endpoint Encryption Managed Computers named Human Resources.
Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired name of the
group and click OK.
Continue to add groups and subgroups until you have the desired structure.
Move Computers
Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to another
Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of moving a Client
Computer out of the SEE Unassigned group and into one of the manually created groups.
Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.
Figure 4.3—SEE Unassigned, Computer Highlighted
Click Move.
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog
Navigate to the desired destination group of the Client Computer. Highlight it and click OK.
Each Client Computer can only reside in one group at a time.
Policy Assignment
Native policies can be assigned to individual computers, subgroups, or groups located within either the Symantec
Endpoint Encryption Managed Computers container or the Novell eDirectory Computers container.
This section describes how to assign a policy to a group within the Symantec Endpoint Encryption Managed
Computers container; the same steps apply to individual computers and subgroups, and to the Novell eDirectory
Computers container.
Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected
Click Policy.
Figure 4.6—Policy Selection Dialog
Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.
Figure 4.7—Native Policy Assignment Confirmation
A confirmation message will be displayed. Click OK.
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned
Following the successful assignment of the policy, the Manager Console will display the name of the policy now
assigned to the group. The next time the Client Computers in this group check in with the SEE Management Server,
they will download this policy and apply it.
Order of Precedence
Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual
computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3)
Group. Computer policies have the highest precedence.
For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in
which it resides, the policy applied to the computer will take precedence over the policy that was applied to the
Laptops subgroup.
Forcing a Policy Update
Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In
panel, and clicking Check in Now.
Appendix A. System Event Logging
Framework System Events List
The following table lists the individual SEE Framework–generated Windows system events logged on the Client
Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning), and a
description of the event indicating the type, source, or policy that generated the event (Internal, Program Action,
Initial Setting, Settings Change, or Utility).
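As an added defender-side example, not part of the guide or the product, the following Python triage reads constructed event records tagged with the event IDs from Table A.1 and flags the ones an analyst would want to see: repeated failed logons (IDs 4 and 6, reset by a successful logon 3 or 5), the attempt-limit event (11), uninstall attempts (14), lockouts for failing to reach the server (18) and installation settings that failed to apply (30, 32, 34, 36). The record format, sample lines, host names and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Subset of Table A.1 (event ID -> severity, description) used by the triage below.
FRAMEWORK_EVENTS = {
    3: ("Info", "Successful client logon/authentication attempted with password"),
    4: ("Warning", "Unsuccessful client logon/authentication attempted with password"),
    5: ("Info", "Successful client logon/authentication attempted with token"),
    6: ("Warning", "Unsuccessful client logon/authentication attempted with token"),
    11: ("Warning", "Number of client logon attempts exceeded the maximum allowed"),
    14: ("Warning", "User program uninstallation attempted"),
    16: ("Info", "User has been unregistered"),
    18: ("Warning", "Computer locked due to failure to communicate with SEE server"),
    30: ("Error", "One-Time Password method enabled; policy failed"),
    32: ("Error", "One-Time Password not enabled; policy failed"),
    34: ("Error", "Authenti-Check enabled; policy failed"),
    36: ("Error", "Authenti-Check not enabled; policy failed"),
}
ALWAYS_ALERT = {11, 14, 18, 30, 32, 34, 36}   # a single occurrence is worth a look
FAILED_LOGON = {4, 6}                          # alert only when repeated for one host/user
SUCCESS_LOGON = {3, 5}                         # a success resets that user's failure run

# Constructed record format for this example: "<timestamp> <host> id=<n> [user=<name>]".
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+id=(?P<id>\d+)(?:\s+user=(?P<user>\S+))?\s*$")

# Constructed sample records (not real log output); the last line is deliberately malformed.
SAMPLE_LOG = """\
2010-03-01T08:00:01 WS01 id=3 user=alice
2010-03-01T08:00:15 WS01 id=4 user=bob
2010-03-01T08:00:22 WS01 id=4 user=bob
2010-03-01T08:00:31 WS01 id=4 user=bob
2010-03-01T08:00:40 WS01 id=11 user=bob
2010-03-01T09:00:00 WS02 id=14
2010-03-01T09:30:00 WS02 id=18
2010-03-01T10:00:00 WS03 id=34
2010-03-01T10:00:05 WS03 id=99
this line is not a valid record
"""


def parse_record(line: str) -> Optional[dict]:
    """One record as a dict with ts, host, id (int) and user (may be None); None if malformed."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    return rec


def triage(log_text: str, failed_threshold: int = 5) -> Dict[str, object]:
    """Scan records and return alerts, unknown event IDs, a count of unparsable lines,
    and the per-host/user failed-logon run lengths."""
    alerts: List[str] = []
    unknown_ids: List[int] = []
    unparsed = 0
    failures: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        eid = rec["id"]
        if eid not in FRAMEWORK_EVENTS:
            unknown_ids.append(eid)   # not in this subset of Table A.1; report, do not guess
            continue
        severity, text = FRAMEWORK_EVENTS[eid]
        key = (rec["host"], rec["user"] or "<unknown user>")
        if eid in ALWAYS_ALERT:
            alerts.append(f"{rec['ts']} {rec['host']} [{severity}] event {eid}: {text}")
        elif eid in FAILED_LOGON:
            failures[key] += 1
            if failures[key] == failed_threshold:   # fire once per run, at the threshold
                alerts.append(f"{rec['ts']} {key[0]} [Warning] {failed_threshold} consecutive "
                              f"failed SEE logons for {key[1]}")
        elif eid in SUCCESS_LOGON:
            failures.pop(key, None)
    return {"alerts": alerts, "unknown_ids": unknown_ids, "unparsed": unparsed,
            "failed_logons": dict(failures)}


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, failed_threshold=3)["alerts"]:
        print(alert)
```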
Table A.1—Framework System Events
Event
ID
Severity
Description
Explanation
0
Error
Internal: Cannot map event ID to string. Framework
The Framework event ID cannot be mapped to the string
in the Framework.
1
Info
Internal: Audit functions started. Framework
The Framework audit functions have started.
2
Info
Internal: Audit functions ended. Framework
The Framework audit functions have ended.
3
Info
Program Action: Successful client logon/authentication
attempted with password. Framework user name
An attempt to log on at pre-Windows with a password
has succeeded.
4
Warning
Program Action: Unsuccessful client logon/
authentication attempted with password. Framework
user name
An attempt to log on at pre-Windows with a password
has failed.
5
Info
Program Action: Successful client logon/authentication
attempted with token. Framework user name
An attempt to log on at pre-Windows with a token has
succeeded.
6
Warning
Program Action: Unsuccessful client logon/
authentication attempted with token. Framework
An attempt to log on at pre-Windows with a token has
failed.
7
Info
Program Action: Successful logon/authentication
attempted with One-Time Password. Framework
The One-Time Password process has succeeded in
authenticating the user.
8
Warning
Program Action: Unsuccessful logon/authentication
attempted with One-Time Password. Framework
The One-Time Password process has failed to
authenticate the user.
9
Info
Program Action: Successful logon/authentication
attempted with Authenti-Check. Framework
The Authenti-Check process has succeeded in
authenticating the user.
10
Warning
Program Action: Unsuccessful logon/authentication
attempted with Authenti-Check. Framework
The Authenti-Check process has failed to authenticate
the user.
11
Warning
Program Action: Number of client logon attempts
exceeded the maximum allowed. Framework
The number of pre-Windows logon attempts allowed
before a delay has been exceeded.
12
Info
Program Action: User password changed successfully.
Framework user name
The user has successfully changed their SEE password.
13
Info
Program Action: User password changed unsuccessfully.
Framework
The user attempted to change their SEE password, but
failed. This could be because it did not meet the
password requirements.
14
Warning
Program Action: User program uninstallation attempted.
Framework
An attempt to uninstall SEE Framework has been made.
15
Info
Program Action: User changed Authenti-Check
questions and answers successfully. Framework
The user has succeeded in changing their AuthentiCheck question(s) and/or answer(s).
16
Info
Program Action: User user name has been unregistered.
Framework
The user has successfully been unregistered.
17
Info
Program Action: User password resynchronized with
Windows password. Framework
The user’s SEE password has been resynchronized with
their Windows password to enable the Single Sign-On
feature.
Symantec Endpoint Encryption Removable Storage
34
Policy Administrator Guide
System Event Logging
Table A.1—Framework System Events (Continued)
Event ID (Severity) Description
    Explanation

18 (Warning) Program Action: Computer locked due to failure to communicate with SEE server. Framework
    Explanation: The Client Computer has failed to communicate with the SEE Management Server within the mandatory interval and, as a result, has been locked.
19 (Warning) Program Action: User password expired. Framework
    Explanation: The user’s SEE password has expired.
20 (Info) Program Action: User registration completed. Framework user name
    Explanation: The user has successfully completed the registration process.
21 (Warning) Program Action: Final grace logon reached. Framework
    Explanation: The number of grace restarts is now zero and the next user to log on to Windows will be forced to register.
22 (Info) Program Action: User logged on after Hibernation or/and Stand by. Framework user name
    Explanation: A hibernation or standby process was initiated and ended when the user logged on to Windows.
23 (Info) Program Action: Client program installation attempted. Framework
    Explanation: An attempt to install SEE Framework was made.
24 (Info) Program Action: Client program upgrade attempted. Framework
    Explanation: An attempt to upgrade SEE Framework was made.
25 (Info) Program Action: Grace logon attempted. Framework
    Explanation: An attempt to exercise a grace restart was made.
26 (Info) Program Action: Authenti-Check questions and answers created. Framework
    Explanation: The user has set their Authenti-Check questions and answers as a part of the registration process.
27 (Info) Program Action: User password created. Framework user name
    Explanation: The user has set their SEE password as a part of the registration process.
28 (Info) Program Action: Token account created. Framework user name
    Explanation: A token user has created their SEE account during the registration process.
29 (Info) Initial Setting: One-Time Password online|offline method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
    Explanation: The One-Time Password recovery method has been enabled as an installation setting. The default method will be online|offline, as indicated in the audit event.
30 (Error) Initial Setting: One-Time Password online|offline method enabled; policy failed. Framework Installation Settings - Authentication Assistance.
    Explanation: The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied.
31 (Info) Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
    Explanation: The One-Time Password recovery method is not enabled for this workstation, as per the installation setting.
32 (Error) Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance.
    Explanation: The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied.
33 (Info) Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
    Explanation: The Authenti-Check recovery method has been enabled as an installation setting.
34 (Error) Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance.
    Explanation: The installation package specified that the Authenti-Check recovery method should be enabled, but this setting failed to be applied.
35 (Info) Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance.
    Explanation: The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting.
36 (Error) Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance.
    Explanation: The installation package specified that the Authenti-Check recovery method should not be enabled, but this setting failed to be applied.
37 (Info) Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance.
    Explanation: The authentication assistance message specified in the installation package was set successfully.
38 (Error) Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance.
    Explanation: The authentication assistance message specified in the installation package failed to be set.
39 (Info) Initial Setting: Client Administrator account name account created with low|medium|high privileges; policy applied successfully. Framework Installation Settings - Client Administrators.
    Explanation: The Client Administrator account specified in the installation package and described in the audit log description was created successfully.
40 (Error) Initial Setting: Client Administrator account name account created with low|medium|high privileges; policy failed. Framework Installation Settings - Client Administrators.
    Explanation: The Client Administrator account specified in the installation package and described in the audit log description failed to be created.
41 (Info) Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication.
    Explanation: The SEE Management Server communication interval specified in the installation package was set successfully.
42 (Error) Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication.
    Explanation: The SEE Management Server communication interval specified in the installation package failed to be set.
43 (Info) Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication.
    Explanation: The user name of the SEE Management Server client IIS account specified in the installation package was set successfully.
44 (Error) Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication.
    Explanation: The user name of the SEE Management Server client IIS account specified in the installation package failed to be set.
45 (Info) Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication.
    Explanation: The SEE Management Server client IIS account password specified in the installation package was set successfully.
46 (Error) Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication.
    Explanation: The SEE Management Server client IIS account password specified in the installation package failed to be set.
47 (Info) Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The limit on the number of password authentication attempts specified in the installation package has been set successfully.
48 (Error) Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The limit on the number of password authentication attempts specified in the installation package failed to be set.
49 (Info) Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: As specified in the installation package, no limit on the number of password authentication attempts is enforced; this was set successfully.
50 (Error) Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified no limit on the number of password authentication attempts, but this setting failed to be applied.
55 (Info) Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The user’s passwords will expire at the interval designated in the installation package; this was set successfully.
56 (Error) Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The user’s passwords will not expire at the interval designated in the installation package; this setting failed to be applied.
57 (Info) Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The user’s passwords will not expire. This was set successfully, as specified in the installation package.
58 (Error) Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: Although the installation package specified that the user’s passwords would not expire, this failed to be set.
59 (Info) Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The user will be able to reuse previous passwords; this installation setting was applied successfully.
60 (Error) Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied.
61 (Info) Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The user will not be able to use previous passwords; the limitations specified in the installation package were applied successfully.
62 (Error) Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied.
63 (Info) Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that users must set their passwords to be of a minimum length. This was set successfully.
64 (Error) Initial Setting: Password complexity requirements for minimum password length met; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that users must set their passwords to be of a minimum length. This setting failed to be applied.
65 (Info) Initial Setting: Non-alphanumeric characters allowed in password setting; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that users will be able to use non-alphanumeric characters in their passwords. This was set successfully.
66 (Error) Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied.
67 (Info) Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This was set successfully.
68 (Error) Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This setting failed to be applied.
69 (Info) Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This was set successfully.
70 (Error) Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This setting failed to be applied.
71 (Info) Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This was set successfully.
72 (Error) Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This setting failed to be applied.
73 (Info) Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of digits must be present in the user’s passwords. This was set successfully.
74 (Error) Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication.
    Explanation: The installation package specified that a minimum number of digits must be present in the user’s passwords. This setting failed to be applied.
75 (Info) Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that the user must provide the registration password to be able to register. This was set successfully.
76 (Error) Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied.
77 (Info) Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that no registration password is required to allow a user to register. This was set successfully.
78 (Error) Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied.
79 (Info) Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully.
80 (Error) Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.
81 (Info) Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate only using passwords. This was set successfully.
82 (Error) Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate only using passwords. This setting failed to be applied.
83 (Info) Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate only using tokens. This was set successfully.
84 (Error) Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate only using tokens. This setting failed to be applied.
85 (Info) Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate using the method of their choice. This was set successfully.
86 (Error) Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will authenticate using the method of their choice. This setting failed to be applied.
87 (Info) Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will see a custom message during registration. This was set successfully.
88 (Error) Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified that users will see a custom message during registration. This setting failed to be applied.
89 (Info) Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully.
90 (Error) Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users.
    Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied.
91 (Info) Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
    Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully.
92 (Error) Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication.
    Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.
93 (Info) Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
    Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully.
94 (Error) Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication.
    Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.
95 (Info) Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
    Explanation: The installation package specified that users will authenticate using Single Sign-On. This was set successfully.
96 (Error) Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On.
    Explanation: The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied.
97 (Info) Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
    Explanation: The installation package specified that users will not authenticate using Single Sign-On. This was set successfully.
98 (Error) Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On.
    Explanation: The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied.
99 (Info) Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption.
    Explanation: The installation package specified the encryption strength. This was set successfully.
100 (Error) Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption.
    Explanation: The installation package specified the encryption strength. This setting failed to be applied.
101 (Info) Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
    Explanation: The installation package specified that the client database files will be stored in the default location. This was set successfully.
102 (Error) Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
    Explanation: The installation package specified that the client database files will be stored in the default location. This setting failed to be applied.
103 (Info) Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
    Explanation: The installation package specified that the client database files will be stored in a custom location. This was set successfully.
104 (Error) Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
    Explanation: The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied.
105 (Info) Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance.
    Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully.
106 (Error) Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance.
    Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied.
107 (Info) Settings Change: One-Time Password online|offline method enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This was set successfully.
108 (Error) Settings Change: One-Time Password online|offline method enabled; policy failed. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This setting failed to be applied.
109 (Info) Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully.
110 (Error) Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied.
111 (Info) Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully.
112 (Error) Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied.
113 (Info) Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully.
114 (Error) Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied.
115 (Info) Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that the Authenti-Check settings were modified. This was set successfully.
116 (Error) Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance.
    Explanation: A policy specified that the Authenti-Check settings were modified. This setting failed to be applied.
117 (Info) Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy applied successfully. Framework Computer Policy - Client Administrators.
    Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This was set successfully.
118 (Error) Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy failed. Framework Computer Policy - Client Administrators.
    Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This setting failed to be applied.
119 (Info) Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication.
    Explanation: A policy specified a change in how often the Client Computer reports its status to the SEE Management Server. This was set successfully.
120 (Error) Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication.
    Explanation: A policy specified a change in how often the Client Computer reports its status to the SEE Management Server. This setting failed to be applied.
121 (Info) Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication.
    Explanation: A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully.
122 (Error) Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication.
    Explanation: A policy specified a change to the credentials of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied.
123 (Info) Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication.
    Explanation: A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This was set successfully.
124 (Error) Settings Change: a policy modifying the SEE Management Server client account password failed to be applied. Framework Computer Policy - Communication.
    Explanation: A policy specified a change to the password of the SEE Management Server Client account that the Client Computer uses when reporting status to the SEE Management Server. This setting failed to be applied.
125 (Info) Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.
126 (Error) Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
127 (Info) Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.
128 (Error) Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
129 (Info) Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully.
130 (Error) Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied.
135 (Info) Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that forces the user’s passwords to expire at the designated interval. This was set successfully.
136 (Error) Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that forces the user’s passwords to expire at the designated interval. This setting failed to be applied.
137 (Info) Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that does not force the user’s passwords to expire. This was set successfully.
138 (Error) Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that does not force the user’s passwords to expire. This setting failed to be applied.
139 (Info) Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that modified the settings controlling how often a user’s passwords will expire. This was set successfully.
140 (Error) Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that modified the settings controlling how often a user’s passwords will expire. This setting failed to be applied.
141 (Info) Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that allows the user to reuse previous passwords. This was set successfully.
142 (Error) Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication.
    Explanation: A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied.
143 | Info | Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that prevents the user from using previous passwords. This was set successfully.
144 | Error | Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that prevents the user from using previous passwords. This setting failed to be applied.
145 | Info | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully.
146 | Error | Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied.
147 | Info | Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the minimum length for user passwords. This was set successfully.
148 | Error | Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied.
149 | Info | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This was set successfully.
150 | Error | Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This setting failed to be applied.
151 | Info | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This was set successfully.
152 | Error | Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This setting failed to be applied.
153 | Info | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This was set successfully.
154 | Error | Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This setting failed to be applied.
155 | Info | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This was set successfully.
156 | Error | Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This setting failed to be applied.
157 | Info | Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This was set successfully.
158 | Error | Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This setting failed to be applied.
159 | Info | Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that the user must provide the registration password to be able to register. This was set successfully.
160 | Error | Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied.
161 | Info | Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that no registration password is required to allow a user to register. This was set successfully.
162 | Error | Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied.
163 | Info | Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the registration password users must know to be able to register. This was set successfully.
164 | Error | Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied.
165 | Info | Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully.
166 | Error | Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.
167 | Info | Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using passwords. This was set successfully.
168 | Error | Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using passwords. This setting failed to be applied.
169 | Info | Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This was set successfully.
170 | Error | Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This setting failed to be applied.
173 | Info | Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This was set successfully.
174 | Error | Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This setting failed to be applied.
175 | Info | Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully.
176 | Error | Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.
177 | Info | Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully.
178 | Error | Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.
179 | Info | Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This was set successfully.
180 | Error | Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied.
181 | Info | Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This was set successfully.
182 | Error | Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied.
183 | Info | Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller. | After a user successfully completes the password recovery process in pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity.
184 | Info | Program Action: Client Administrator account name unregistered user user name. Framework | The Client Administrator account name has unregistered the user user name on the Client Computer.
185 | Info | Settings Change: Client Administrator account name was added with low|medium|high privileges; policy applied successfully. | A policy was specified that added account name as a Client Administrator having low|medium|high privileges. This was set successfully.
186 | Info | Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully.
187 | Error | Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied.
188 | Info | Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully.
189 | Error | Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.
190 | Info | Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully.
191 | Error | Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied.
192 | Info | Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully.
193 | Error | Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.
194 | Info | Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully.
195 | Error | Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied.
196 | Info | Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.
197 | Error | Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates SEE users. If SEE Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.
198 | Info | Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.
199 | Error | Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.
200 | Info | Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.
201 | Error | Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.
202 | Info | Settings Change: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.
203 | Error | Settings Change: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.
204 | Info | Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.
205 | Error | Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will be automatically authenticated. If SEE Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.
206 | Info | Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.
207 | Error | Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that SEE users will authenticate normally. If SEE Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.
208 | Info | Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.
209 | Error | Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.
210 | Info | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.
211 | Error | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.
212 | Info | Initial Setting: the client will not communicate with the SEE Management Server and is a silent client; installation setting applied successfully. Framework Installation Settings - Communication. | The installation package specified that the Client Computer will not communicate with the SEE Management Server. This was set successfully.
213 | Error | Initial Setting: the installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Settings - Communication. | The installation package specified that the Client Computer will not communicate with the SEE Management Server. This setting failed to be applied.
214 | Info | Settings Change: this client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Policy - Communication. | A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This was set successfully.
215 | Error | Settings Change: a policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Policy - Communication. | A policy was specified that a Client Computer previously able to contact a SEE Management Server will now have all SEE Management Server communications suppressed. This setting failed to be applied.
216 | Info | Program Action: User user name successfully modified their One-Time Password personal identifier. Framework user name | A user has successfully modified their One-Time Password personal identifier. This was set successfully.
217 | Error | Program Action: User user name failed to modify their One-Time Password personal identifier. Framework user name | A user attempted to modify their One-Time Password personal identifier. The change failed to be applied.
218 | Info | Settings Change: Client Administrator account name password modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the SEE password of one or more Client Administrator accounts. This was set successfully.
219 | Error | Settings Change: Client Administrator account name password modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the SEE password of one or more Client Administrator accounts. This setting failed to be applied.
220 | Info | Settings Change: Client Administrator account name certificate modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This was set successfully.
221 | Error | Settings Change: Client Administrator account name certificate modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This setting failed to be applied.
222 | Info | Settings Change: Client Administrator account name has unregistered. Framework Computer Policy - Client Administrators. | A policy or installation setting was specified that unregistered the Client Administrator account name on the Client Computer.
223 | Info | Initial Setting: the address of the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The address of the SEE Management Server was successfully set during installation.
224 | Error | Initial Setting: the address of the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The address of the SEE Management Server was not set during installation.
225 | Info | Initial Setting: the domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The domain of the SEE Management Server client account was successfully set during installation.
226 | Error | Initial Setting: the domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The domain of the SEE Management Server client account was not set during installation.
227 | Info | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the SEE Management Server was successfully set.
228 | Error | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the SEE Management Server was not set during installation.
229 | Info | Program Action: User token changed successfully. | A user has successfully changed their token using the User Client Console.
230 | Info | Program Action: User token changed unsuccessfully. | A user was unable to change their token using the User Client Console.
231 | Info | Program Action: User token registered successfully. | A user registered a token using the Registration wizard.
232 | Info | Program Action: User token registered unsuccessfully. | A user was unable to register a token using the Registration wizard.
233 | Info | Program Action: User password registered successfully. | A user registered a password using the Registration wizard.
234 | Info | Program Action: User password registered unsuccessfully. | A user was unable to register a password using the Registration wizard.
235 | Info | Settings Change: Client Administrator account name authentication method modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was applied that resulted in a change to the authentication method used by the specified Client Administrator.
236 | Error | Settings Change: Client Administrator account name authentication method modified; policy failed. Framework Computer Policy - Client Administrators. | A policy that would have resulted in a change to the authentication method used by the specified Client Administrator failed to be applied.
237 | Info | Settings Change: One-Time Password communication unlock enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.
238 | Error | Settings Change: One-Time Password communication unlock enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.
239 | Info | Settings Change: One-Time Password communication unlock not enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.
240 | Error | Settings Change: One-Time Password communication unlock not enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.
241 | Info | Settings Change: User authentication with password or token setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token has been set successfully.
242 | Error | Settings Change: User authentication with password or token setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token failed to be applied.
243 | Info | Program Action: User account name has been unregistered due to applying new authentication method policy. Framework | Automatic authentication is no longer in place on this computer, as the result of either an upgrade or a policy update. The account that was automatically created for the specified user has been deleted.
244 | Info | Program Action: User account name has been unregistered due to account expiration. Framework | The account of the specified user has been deleted because the user failed to log on within the number of days specified in the Unregistration area of the Registered Users panel.
245 | Info | Program Action: Successful Client Console logon/authentication attempted with Authenti-Check. Framework | The specified user successfully authenticated using Authenti-Check.
246 | Warning | Program Action: Unsuccessful Client Console logon/authentication attempted with Authenti-Check. Framework | The specified user failed to successfully authenticate using Authenti-Check.
Removable Storage System Events List
The following table lists the individual SEE Removable Storage–generated Windows system events logged on the
client. These events are logged in the Application section of the Windows Event Log.
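Besides the event texts, the two tables in this appendix state two properties that can be checked mechanically over an export of the Application log: an Error-severity Framework event whose description starts with "Settings Change:" or "Initial Setting:" reports a policy or installation setting that failed to apply, and several Removable Storage events are stated to follow a specific session event (112 after 109 or 110, 114 after 109, 116 after 110). The Python script below is an added example, not code from this guide or from Symantec; it runs both checks, plus a lookup of the Removable Storage events the table describes as serious, over a handful of constructed records modelled on the table entries. The user CORP\alice, the record numbers and the ordering of the sample are made up for the example.

```python
"""Triage of Symantec Endpoint Encryption (SEE) events from the Windows Application log.

Added example, not code from the Symantec guide. The sample records are
constructed from event IDs and message texts in Tables A.1 and A.2; they are
not real log output, and the user CORP\\alice is a made-up placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SeeEvent:
    record: int       # position in the Application log (constructed)
    event_id: int
    severity: str     # "Info", "Warning" or "Error", as listed in the tables
    message: str


# Table A.2 says which session event each of these must follow.
MUST_FOLLOW: Dict[int, Set[int]] = {
    112: {109, 110},  # notification package could not connect: after logon or logoff
    114: {109},       # RS GUI process started: after logon
    116: {110},       # RS GUI process shut down: after logoff
}

# Table A.2 events whose explanation describes a serious problem with the service.
SERIOUS: Dict[int, str] = {
    103: "SEE Removable Storage Service could not be started",
    104: "initialization failed (Registry, device detection, named pipes or filter driver)",
    111: "could not impersonate user; should not occur",
    112: "notification package could not connect to service; reboot recommended",
    113: "could not start the RS GUI process",
}

Finding = Tuple[int, int, str]  # (record, event_id, kind)


def is_policy_failure(ev: SeeEvent) -> bool:
    """Error rows of Table A.1 report a policy or installation setting that
    failed to apply; their descriptions start with one of two fixed prefixes."""
    return ev.severity == "Error" and ev.message.startswith(
        ("Settings Change:", "Initial Setting:"))


def triage(events: List[SeeEvent]) -> List[Finding]:
    """Walk the events in log order and return one finding per noteworthy record."""
    findings: List[Finding] = []
    last_session: Optional[int] = None  # most recent 109 (logon) or 110 (logoff)
    for ev in events:
        if is_policy_failure(ev):
            findings.append((ev.record, ev.event_id, "policy_failure"))
        if ev.event_id in SERIOUS:
            findings.append((ev.record, ev.event_id, "serious"))
        # Ordering invariant from Table A.2: flag the event if the required
        # logon/logoff event is not the most recent session event seen.
        if ev.event_id in MUST_FOLLOW and last_session not in MUST_FOLLOW[ev.event_id]:
            findings.append((ev.record, ev.event_id, "out_of_order"))
        if ev.event_id in (109, 110):
            last_session = ev.event_id
    return findings


def describe(finding: Finding) -> str:
    record, event_id, kind = finding
    detail = SERIOUS.get(event_id, "") if kind == "serious" else ""
    return f"record {record}: event {event_id} {kind} {detail}".rstrip()


# Constructed sample; record 5 is deliberately out of order (116 before any 110).
SAMPLE_EVENTS: List[SeeEvent] = [
    SeeEvent(1, 109, "Info", "Detected logon by user CORP\\alice."),
    SeeEvent(2, 114, "Info", "Successfully started the RS GUI process for user CORP\\alice."),
    SeeEvent(3, 119, "Info", "A removable USB device was detected under user CORP\\alice "
                             "and successfully activated."),
    SeeEvent(4, 140, "Error", "Settings Change: Maximum password age settings modified; "
                              "policy failed. Framework Computer Policy - Password Authentication."),
    SeeEvent(5, 116, "Info", "The RS GUI process for user CORP\\alice has shut down."),
    SeeEvent(6, 110, "Info", "Detected logoff by user CORP\\alice."),
    SeeEvent(7, 112, "Error", "Notification Package could not connect to service to unload "
                              "user CORP\\alice."),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(describe(f))
```

On the sample the script reports three findings: the failed password-age policy (record 4), the RS GUI shutdown that arrived before any logoff event (record 5), and the notification-package failure (record 7), which the table says warrants a reboot. Event 112 at record 7 is not reported as out of order because a 110 precedes it.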
Table A.2—Removable Storage System Events
Event ID | Severity | Description | Explanation
100 | Info | The Removable Storage service was installed. | SEE Removable Storage was installed.
101 | Info | The Removable Storage service was removed. | SEE Removable Storage was uninstalled.
102 | Error | The Removable Storage service could not be removed. | An uninstallation of SEE Removable Storage was attempted, but due to some problem with the MSI, the SEE Removable Storage Service was not removed during the uninstallation.
103 | Error | The control handler could not be installed. | The SEE Removable Storage Service could not be started.
104 | Error | The initialization process failed. | SEE Removable Storage experienced problems with an important component of its operations, such as the Registry, device detection, named pipes, or the filter driver. This could be remedied by unplugging all devices and rebooting.
105 | Info | The service was started. | This routine event should be logged each time the computer boots up.
106 | Error | The service received an unsupported request. | A request was made to the SEE Removable Storage service that is not supported.
108 | Info | The service was stopped. | This routine event should be logged each time the computer is shut down.
109 | Info | Detected logon by user domain name or local machine name/user name. | This routine event should be recorded each time a user logs on to Windows.
110 | Info | Detected logoff by user domain name or local machine name/user name. | This routine event should be recorded each time a user logs off of Windows.
111 | Info | Could not impersonate user domain name or local machine name/user name. | This event indicates a serious problem and should not occur.
112 | Error | Notification Package could not connect to service to load or unload user domain name or local machine name/user name. | This event indicates an issue with the SEE Removable Storage Service. It should follow either Removable Storage event 109 or 110. If this message occurs, the machine should be rebooted.
113 | Error | Could not start the RS GUI process for user domain name or local machine name/user name. | This event indicates a serious problem with the GUI or named pipes communications.
114 | Info | Successfully started the RS GUI process for user domain name or local machine name/user name. | This routine event should always follow Removable Storage event 109.
115 | Info | Could not connect to the RS GUI process for user domain name or local machine name/user name. | The SEE Removable Storage Service attempted to display a GUI element to the user, but failed.
116 | Info | The RS GUI process for user domain name or local machine name/user name has shut down. | This routine event should always follow Removable Storage event 110.
117 | Info | The service was unable to retrieve settings for user domain name or local machine name/user name. | SEE Removable Storage was unable to read the Registry and cannot determine user policy settings for the specified user. This could cause unexpected behavior.
118 | Info | The service was unable to retrieve settings for the local machine. | SEE Removable Storage was unable to read the Registry and cannot determine policy settings and/or the group key. This could cause unexpected behavior.
119 | Info | A removable device type was detected under user domain name or local machine name/user name and successfully activated. | This routine event should be logged each time a user inserts a device of interest.
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 120 | Info | A removable device type was detected under user domain name or local machine name/user name and failed to activate. It is the correct behavior for media readers without inserted media (such as a floppy drive with no floppy inserted) to not activate. | This event indicates a user inserted a device of interest, but it failed to be activated by SEE Removable Storage. The Removable Storage service could not establish communication with the device. The user may have pulled the device out. If not, there may be a more serious problem. |
| 121 | Info | User domain name or local machine name/user name successfully created an XML header for file name. | This routine event should be logged each time an encrypted file is placed on a device of interest. |
| 122 | Info | User domain name or local machine name/user name failed to create an XML header for file name. | This event indicates a failed attempt to create a header for an encrypted file. This could occur for a variety of reasons, such as the failure of a cryptographic library or the XML library to initialize, or if the Master Certificate could not be found. |
| 123 | Warning | The service was started manually. A user is already logged in. | This event indicates a user manually started the SEE Removable Storage Service and it will not function properly. A reboot of the machine should solve this problem. |
| 124 | Warning | User domain name or local machine name/user name is not registered with the Framework and is being denied access to a removable volume. | A user is attempting to access a removable storage device, but has not registered with the SEE Framework. |
| 125 | Error | User domain name or local machine name/user name failed to parse the XML header for file name. | This event indicates a failed attempt to parse the header for an encrypted file. |
| 126 | Warning | A failure occurred generating the password node of the XML header. | This event indicates a failed attempt to create the password node of a header for an encrypted file. |
| 127 | Warning | A failure occurred generating the group key node of the XML header. | This event indicates a failed attempt to create the group key node of a header for an encrypted file. |
| 128 | Warning | A failure occurred generating the certificate node of the XML header for Serial Number serial number. | This event indicates a specific failure while creating the certificate key node of a header for an encrypted file. |
| 129 | Warning | A failure occurred generating the certificate node of the XML header. | This event indicates a general failure while creating the certificate key node of a header for an encrypted file. |
| 130 | Info | The SEE-RS Access Utility has been copied to drive letter | This event indicates that the SEE Removable Storage Access Utility has been copied to the specified device. |
| 135 | Info | The self-extracting file file name was successfully created. | The specified self-extracting file was created. |
| 136 | Error | The file file name could not be decrypted because the current user's logon information was not received. | The Removable Storage service did not receive login information about the user and cannot proceed. |
| 139 | Error | The SEE-RS Access Utility could not be copied to drive letter. error | This event indicates a failed attempt to distribute the SEE Removable Storage Access Utility to a device. |
| 144 | Info | The newly created file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name. | A new file of the name indicated was added to a removable storage device by the specified user. The file would normally have been encrypted because an encrypt all or an encrypt new policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files. |
| 145 | Info | The existing file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name. | A file of the name indicated existed on a removable storage device that was inserted into the SEE Removable Storage–protected workstation by the specified user. The file would normally have been encrypted because an encrypt all policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files. |
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 534 | Info | GPO and SEE Framework policy synchronization completed. | Policy synchronization has been completed. |
| 535 | Error | A failure occurred during the device mount process for device drive letter. Applying a No Access policy to the device. Please disconnect and reconnect device to remount the device properly. | This event indicates a failed attempt to mount a removable storage device. The user will not be able to access the device. |
| 565 | Info | Encryption of a file file name completed successfully. | The user attempted to encrypt a file and the operation completed successfully. |
| 566 | Info | Encryption of a file file name did not complete successfully. | The user attempted to encrypt a file and the operation failed. |
| 567 | Info | Decryption of a file file name completed successfully. | The user attempted to decrypt a file and the operation completed successfully. |
| 568 | Info | Decryption of a file file name did not complete successfully. | The user attempted to decrypt a file and the operation failed. |
| 569 | Info | Threshold reached for failed authentication attempts to encrypt or decrypt a file. | The user reached the maximum number of incorrect passwords allowed while attempting to encrypt or decrypt a file. |
| 570 | Info | Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. success. | The user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file and must wait for 1 minute before further attempts. |
| 571 | Info | Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. failure. | The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be instituted. |
| 572 | Info | Expiration of the delay instituted because of failed authentication attempts. success. | The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file has expired. |
| 573 | Info | Expiration of the delay instituted because of failed authentication attempts. failure. | The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be expired. |
| 579 | Info | The Default Password for user user name has reached maximum age. | Password aging is enabled. The user must use the User Client Console to change their Default Password. The expired Default Password can still be used for decryption. |
| 2000 | Info | Initial Setting: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An access policy of Do not allow access to files on removable storage devices has been applied successfully as an installation setting. |
| 2001 | Error | Initial Setting: Do not allow access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An access policy of Do not allow access to files on removable storage devices has failed to be applied as an installation setting. |
| 2002 | Info | Initial Setting: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An access policy of Allow read-only access to files on removable storage devices has been applied successfully as an installation setting. |
| 2003 | Error | Initial Setting: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An access policy of Allow read-only access to files on removable storage devices has failed to be applied as an installation setting. |
| 2004 | Info | Initial Setting: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An access policy of Allow read and write access to files on removable storage devices has been applied successfully as an installation setting. |
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 2005 | Error | Initial Setting: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An access policy of Allow read and write access to files on removable storage devices has failed to be applied as an installation setting. |
| 2006 | Info | Initial Setting: Encrypt all files read from or written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An encryption policy of Encrypt all files accessed on removable storage devices has been applied successfully as an installation setting. |
| 2007 | Error | Initial Setting: Encrypt all files read from or written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An encryption policy of Encrypt all files accessed on removable storage devices has failed to be applied as an installation setting. |
| 2008 | Info | Initial Setting: Encrypt all files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An encryption policy of Encrypt new files written to removable storage devices has been applied successfully as an installation setting. |
| 2009 | Error | Initial Setting: Encrypt all files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An encryption policy of Encrypt new files written to removable storage devices has failed to be applied as an installation setting. |
| 2010 | Info | Initial Setting: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level. | An encryption policy of Do not encrypt files on removable storage devices has been applied successfully as an installation setting. |
| 2011 | Error | Initial Setting: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level. | An encryption policy of Do not encrypt files on removable storage devices has failed to be applied as an installation setting. |
| 2012 | Info | Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy applied successfully. Removable Storage Installation Settings - Security Level. | A portability policy of Copy the Removable Storage Access utility to all removable storage devices has been applied successfully as an installation setting. |
| 2013 | Error | Initial Setting: Copy the Access Utility to all removable storage devices enabled; policy failed. Removable Storage Installation Settings - Security Level. | A portability policy of Copy the Removable Storage Access utility to all removable storage devices has failed to be applied as an installation setting. |
| 2014 | Info | Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy applied successfully. Removable Storage Installation Settings - Security Level. | The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has been applied successfully as an installation setting. |
| 2015 | Error | Initial Setting: Copy the Access Utility to all removable storage devices not enabled; policy failed. Removable Storage Installation Settings - Security Level. | The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has failed to be applied as an installation setting. |
| 2016 | Info | Initial Setting: Encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Installation Settings - Encryption Method. | Users will only be able to use a password to encrypt files written to removable storage devices; this installation setting was applied successfully. |
| 2017 | Error | Initial Setting: Encrypt files on removable storage devices with password; policy failed. Removable Storage Installation Settings - Encryption Method. | An installation setting of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied. |
| 2018 | Info | Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method. | Users will only be able to use from one to ten certificates to encrypt files written to removable storage devices; this installation setting was applied successfully. |
| 2019 | Error | Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method. | An installation setting of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied. |
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 2020 | Info | Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method. | Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this installation setting was applied successfully. |
| 2021 | Error | Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method. | An installation setting of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied. |
| 2022 | Info | Initial Setting: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate. | A policy of Do not encrypt files with a master certificate has been applied successfully as an installation setting. |
| 2023 | Error | Initial Setting: Do not encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate. | A policy of Do not encrypt files with a master certificate has failed to be applied as an installation setting. |
| 2024 | Info | Initial Setting: Encrypt files with a master certificate; policy applied successfully. Removable Storage Installation Settings - Master Certificate. | A policy of Encrypt files with a master certificate has been applied successfully as an installation setting. |
| 2025 | Error | Initial Setting: Encrypt files with a master certificate; policy failed. Removable Storage Installation Settings - Master Certificate. | A policy of Encrypt files with a master certificate has failed to be applied as an installation setting. |
| 2026 | Info | Initial Setting: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Installation Settings - Group Key. | A policy of Do not encrypt or decrypt files with a group key has been applied successfully as an installation setting. |
| 2027 | Error | Initial Setting: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Installation Settings - Group Key. | A policy of Do not encrypt or decrypt files with a group key has failed to be applied as an installation setting. |
| 2028 | Info | Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy applied successfully. Removable Storage Installation Settings - Group Key. | A policy of Encrypt and decrypt files with a group key unique to each workstation has been applied successfully as an installation setting. |
| 2029 | Error | Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy failed. Removable Storage Installation Settings - Group Key. | A policy of Encrypt and decrypt files with a group key unique to each workstation has failed to be applied as an installation setting. |
| 2030 | Info | Initial Setting: Encrypt or decrypt files with specified group key; policy applied successfully. Removable Storage Installation Settings - Group Key. | A policy of Encrypt and decrypt files with this group key has been applied successfully as an installation setting. |
| 2031 | Error | Initial Setting: Encrypt or decrypt files with specified group key; policy failed. Removable Storage Installation Settings - Group Key. | A policy of Encrypt and decrypt files with this group key has failed to be applied as an installation setting. |
| 2032 | Info | Initial Setting: Set group key memo; policy applied successfully. Removable Storage Installation Settings - Group Key. | An optional memo was added to identify the group key used to encrypt and decrypt files; this installation setting was applied successfully. |
| 2033 | Error | Initial Setting: Set group key memo; policy failed. Removable Storage Installation Settings - Group Key. | The optional memo that was specified to identify the group key used to encrypt and decrypt files did not get added; this installation setting failed to be applied. |
| 2034 | Info | Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy applied successfully. Removable Storage Installation Settings - Executables. | A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting. |
| 2035 | Error | Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy failed. Removable Storage Installation Settings - Executables. | A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting. |
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 2036 | Info | Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy applied successfully. Removable Storage Installation Settings - Executables. | A policy of Do not allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting. |
| 2037 | Error | Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy failed. Removable Storage Installation Settings - Executables. | A policy of Do not allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting. |
| 2038 | Info | Initial Setting: 128-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption. | An AES encryption strength of 128-bit has been applied successfully as an installation setting. |
| 2039 | Error | Initial Setting: 128-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption. | An AES encryption strength of 128-bit failed to be applied as an installation setting. |
| 2040 | Info | Initial Setting: 256-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption. | An AES encryption strength of 256-bit has been applied successfully as an installation setting. |
| 2041 | Error | Initial Setting: 256-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption. | An AES encryption strength of 256-bit failed to be applied as an installation setting. |
| 2042 | Info | Settings Changed: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An access policy of Do not allow access to files on removable storage devices has been applied successfully as a policy update. |
| 2043 | Error | Settings Changed: Do not allow access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An access policy of Do not allow access to files on removable storage devices has failed to be applied as a policy update. |
| 2044 | Info | Settings Change: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An access policy of Allow read-only access to files on removable storage devices has been applied successfully as a policy update. |
| 2045 | Error | Settings Change: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An access policy of Allow read-only access to files on removable storage devices has failed to be applied as a policy update. |
| 2046 | Info | Settings Change: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An access policy of Allow read and write access to files on removable storage devices has been applied successfully as a policy update. |
| 2047 | Error | Settings Change: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An access policy of Allow read and write access to files on removable storage devices has failed to be applied as a policy update. |
| 2048 | Info | Settings Change: Encrypt all files accessed on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt all files accessed on removable storage devices has been applied successfully as a policy update. |
| 2049 | Error | Settings Change: Encrypt all files accessed to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt all files accessed on removable storage devices has failed to be applied as a policy update. |
| 2050 | Info | Settings Change: Encrypt new files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt new files written to removable storage devices has been applied successfully as a policy update. |
| 2051 | Error | Settings Change: Encrypt new files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt new files written to removable storage devices has failed to be applied as a policy update. |
| 2052 | Info | Settings Change: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. | An encryption policy of Do not encrypt files on removable storage devices has been applied successfully as a policy update. |
Table A.2—Removable Storage System Events (Continued)

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 2053 | Error | Settings Change: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An encryption policy of Do not encrypt files on removable storage devices has failed to be applied as a policy update. |
| 2054 | Info | Settings Change: Copy the Removable Storage Access utility to all removable storage devices enable. Removable Storage Computer Policy - Security Level. | A portability policy of Copy the Removable Storage Access utility to all removable storage devices has been applied successfully as a policy update. |
| 2055 | Error | Settings Change: Copy the Removable Storage Access utility to all removable storage devices enable; policy failed. Removable Storage Computer Policy - Security Level. | A portability policy of Copy the Removable Storage Access utility to all removable storage devices has failed to be applied as a policy update. |
| 2056 | Info | Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices. Removable Storage Computer Policy - Security Level. | The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has been applied successfully as a policy update. |
| 2057 | Error | Settings Change: The Removable Storage Access Utility will no longer be copied to all removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | The portability policy of not copying the SEE Removable Storage Access Utility to all removable storage devices has failed to be applied as a policy update. |
| 2058 | Info | Settings Change: Users encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Computer Policy - Encryption Method. | Users will only be able to use a password to encrypt files written to removable storage devices; this policy update was applied successfully. |
| 2059 | Error | Settings Change: Users encrypt files on removable storage devices with password; policy failed. Removable Storage Computer Policy - Encryption Method. | A policy update of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied. |
| 2060 | Info | Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method. | Users will only be able to use one or more certificates to encrypt files written to removable storage devices; this policy update was applied successfully. |
| 2061 | Error | Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method. | A policy update of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied. |
| 2062 | Info | Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method. | Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this policy update was applied successfully. |
| 2063 | Error | Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method. | A policy update of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied. |
| 2064 | Info | Settings Change: Do not encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | A policy of Do not encrypt files with a master certificate has been applied successfully as a policy update. |
| 2065 | Error | Settings Change: Do not encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate. | A policy of Do not encrypt files with a master certificate has failed to be applied as a policy update. |
| 2066 | Info | Settings Change: Encrypt files with a master certificate; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | A policy of Encrypt files with a master certificate has been applied successfully as a policy update. |
| 2067 | Error | Settings Change: Encrypt files with a master certificate; policy failed. Removable Storage Computer Policy - Master Certificate. | A policy of Encrypt files with a master certificate has failed to be applied as a policy update. |
Table A.2—Removable Storage System Events (Continued)
Event
ID
Severity
Description
Explanation
2068 | Info | Settings Change: Encrypt files with a master certificate issuer changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | The master certificate has been changed successfully by policy update. The name of the issuer of the new master certificate is provided.
2069 | Error | Settings Change: Encrypt files with a master certificate issuer changed; policy failed. Removable Storage Computer Policy - Master Certificate. | An attempt to apply a policy update and change the master certificate failed. The name of the issuer of the new master certificate is provided.
2070 | Info | Settings Change: Encrypt files with a master certificate serial number changed; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | The master certificate has been changed successfully by policy update. The serial number of the new master certificate is provided in the log.
2071 | Error | Settings Change: Encrypt files with a master certificate serial number changed; policy failed. Removable Storage Computer Policy - Master Certificate. | An attempt to apply a policy update and change the master certificate failed.
2072 | Info | Settings Change: Encrypt files with a master certificate enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | A policy of Encrypt files with a master certificate has been applied successfully as a policy update.
2073 | Error | Settings Change: Encrypt files with a master certificate enable; policy failed. Removable Storage Computer Policy - Master Certificate. | A policy of Encrypt files with a master certificate has failed to be applied as a policy update.
2074 | Info | Settings Change: Encrypt files with a master certificate not enable; policy applied successfully. Removable Storage Computer Policy - Master Certificate. | A policy of Do not encrypt files with a master certificate has been applied successfully as a policy update.
2075 | Error | Settings Change: Encrypt files with a master certificate not enable; policy failed. Removable Storage Computer Policy - Master Certificate. | A policy of Do not encrypt files with a master certificate has failed to be applied as a policy update.
2076 | Info | Settings Change: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key. | A policy of Do not encrypt or decrypt files with a group key has been applied successfully as a policy update.
2077 | Error | Settings Change: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key. | A policy of Do not encrypt or decrypt files with a group key has failed to be applied as a policy update.
2078 | Info | Settings Change: Encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key. | A policy of Encrypt and decrypt files with this group key has been applied successfully as a policy update.
2079 | Error | Settings Change: Encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key. | A policy of Encrypt and decrypt files with this group key has failed to be applied as a policy update.
2080 | Info | Settings Change: Encrypt or decrypt files with group key and Memo; policy applied successfully. Removable Storage Computer Policy - Group Key. | A policy of Encrypt and decrypt files with this group key identified by a certain memo has been applied successfully as a policy update.
2081 | Error | Settings Change: Encrypt or decrypt files with group key and Memo; policy failed. Removable Storage Computer Policy - Group Key. | A policy of Encrypt and decrypt files with this group key identified by a certain memo has failed to be applied as a policy update.
2082 | Info | Settings Change: Memo for Group Key changed; policy applied successfully. Removable Storage Computer Policy - Group Key. | An existing memo was changed; this installation setting was applied successfully.
2083 | Error | Settings Change: Memo for Group Key changed. Removable Storage Computer Policy - Group Key. | An existing memo was changed; this installation setting was applied successfully.
2084 | Info | Settings Change: Memo for Group Key not changed; policy applied successfully. Removable Storage Computer Policy - Group Key. | A policy update to change an existing memo failed to be applied; the memo was not changed.
2085 | Error | Settings Change: Memo for Group Key not changed. Removable Storage Computer Policy - Group Key. | A policy update to change an existing memo failed to be applied; the memo was not changed.
2086 | Info | Settings Change: Allow users to save files as password-encrypted self-extracting executables enable. Removable Storage Computer Policy - Executables. | A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.
2087 | Error | Settings Change: Allow users to save files as password-encrypted self-extracting executables enable; policy failed. Removable Storage Computer Policy - Executables. | A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.
2088 | Info | Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable. Removable Storage Computer Policy - Executables. | A policy of Do not allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.
2089 | Error | Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable; policy failed. Removable Storage Computer Policy - Executables. | A policy of Do not allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.
2090 | Info | Program Action: Client program installation attempted. Removable Storage | An attempt was made to execute a SEE Removable Storage client MSI package.
2091 | Info | Program Action: Client program installation success. Removable Storage | The SEE Removable Storage client software was successfully installed.
2092 | Error | Program Action: Client program installation failed. Removable Storage | The SEE Removable Storage client software failed to be installed.
2093 | Info | Program Action: Client program upgrade attempted. Removable Storage | An attempt was made to upgrade an existing installation of the SEE Removable Storage client software.
2094 | Info | Program Action: Client program upgrade success. Removable Storage | The SEE Removable Storage client software was successfully upgraded.
2095 | Error | Program Action: Client program upgrade failed. Removable Storage | The SEE Removable Storage client software failed to be upgraded.
2096 | Warning | Program Action: User program uninstallation attempted. Removable Storage | An attempt was made to uninstall a SEE Removable Storage client installation.
2097 | Warning | Program Action: User program uninstallation success. Removable Storage | The SEE Removable Storage client software was successfully uninstalled.
2098 | Warning | Program Action: User program uninstallation failed. Removable Storage | The SEE Removable Storage client software failed to be uninstalled.
2099 | Info | Settings Change: Allow Encryption exemption for group(s) of file for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption: group name(s) | A policy of excluding the identified multimedia file groups from encryption has been applied successfully as a policy update.
2100 | Info | Settings Change: Turn off Encryption exemption for group(s) of file for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level. | A policy of excluding multimedia file groups from encryption has been lifted successfully: multimedia files will no longer be excluded from mandatory encryption.
2101 | Error | Settings Change: Allow Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s) | A policy of excluding the identified multimedia file groups from encryption was sent, but failed to be applied.
2102 | Error | Settings Change: Turn off Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | A policy lifting the exclusion of multimedia file groups from encryption failed to be applied; multimedia files will continue to be excluded.
2103 | Info | Initial Setting: Allow Encryption exemption for group(s) of file for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption: group name(s) | Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting was applied successfully.
2104 | Info | Initial Setting: Turn off Encryption exemption for group(s) of file(s) for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level. group name(s) | Multimedia files belonging to the groups specified will not be excluded from mandatory encryption; this installation setting was applied successfully.
2105 | Error | Initial Setting: Allow Encryption exemption for group(s) of file(s) for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s) | Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting failed to be applied.
2106 | Error | Initial Setting: Turn off Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. | An installation setting specifying that multimedia file groups should not be excluded from encryption failed to be applied.
2107 | Info | Initial Setting: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Installation Setting | An encryption policy of Encrypt to CD/DVD only has been applied successfully as an installation setting.
2108 | Error | Initial Setting: Encrypt to CDs/DVDs only; policy failed. Removable Storage Installation Setting | An encryption policy of Encrypt to CD/DVD only failed to be applied as an installation setting.
2109 | Info | Settings Change: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt to CD/DVD only has been applied successfully as a policy update or as part of an upgrade package.
2110 | Error | Settings Change: Encrypt to CDs/DVDs only; policy failed. Removable Storage Computer Policy - Security Level. | An encryption policy of Encrypt to CD/DVD only was specified as a policy update or as part of an upgrade package but failed to be applied.
Appendix B. CD/DVD Command Line
Overview
Basics
The SEE Removable Storage CD/DVD Burner application offers the ability to burn selected files and folders from
the command line. This allows you to integrate SEE Removable Storage with your custom applications, such as
backup programs or scripts.
Prerequisites
Requirements for running the CD/DVD Burner application from the command line include:
• SEE Removable Storage is installed on the Client Computer.
• The user logged on to Windows has registered to SEE.
• Sufficient temporary data storage space is available on a local hard disk volume. The required space can be estimated according to the following formula:
  (1.1 × total size of all files and folders to be burned) + (2 × (1.1 × size of the largest individual file to be burned))
• The Client Computer is equipped with a CD/DVD disc recorder.
• The currently enforced installation and policy settings allow for read/write access.
• A blank write-once or rewritable CD or DVD disc is inserted into the disc recorder.
Note that multi-session recording is not supported, and that previously recorded rewritable media will be erased
before use. Any EFS-encrypted files will be decrypted, then re-encrypted by SEE Removable Storage prior to
burning. These requirements are the same as running the CD/DVD Burner application from the GUI. To achieve a
seamless experience, it is recommended that the user set a Default Password and/or Default Certificate(s).
Depending on the particular application or script, a user may be required to be physically present to perform tasks
requiring manual intervention. These include:
• Selecting individual files or folders for burning;
• Inserting media;
• Initiating the burn operation;
• Providing a password and/or a certificate(s) should a Default Password and/or Default Certificate(s) not be set; and
• Responding to error conditions.
Operational Steps
Once the list of source files and folders has been specified and the burn operation has been initiated, the CD/DVD
Burner application performs the following steps:
• Verifies that sufficient temporary data storage space exists to allow encryption and burning.
• Copies all files and folders selected for burning to the temporary data directory.
• Encrypts the data according to the currently enforced encryption policy.
• Burns the encrypted files and folders to disc.
• Deletes the temporary data directory.
Temporary Data Directory
The CD/DVD Burner application requires a place to store temporary data. When run from the command line, it
creates a temporary data directory named RSECTemp~1.
The CD/DVD Burner application will first try to store its temporary data directory on the drive of the operating
system. The TMP, then the TEMP, and then the USERPROFILE environment variables will be checked. The first
environment variable found will be used. If none of these environment variables has been set, the CD/DVD Burner
application will use the Windows directory.
Table B.1—Temporary Data Folder Paths
Sequence Attempted | Environment Variable | Windows XP Default | Windows Vista Default
1 | TMP | system drive letter:\Documents and Settings\user name\Local Settings\Temp | system drive letter:\Users\user name\AppData\Local\Temp
2 | TEMP | system drive letter:\Documents and Settings\user name\Local Settings\Temp | system drive letter:\Users\user name\AppData\Local\Temp
3 | USERPROFILE | system drive letter:\Documents and Settings\user name | system drive letter:\Users\user name
4 | — | system drive letter:\Windows | system drive letter:\Windows
If the user currently logged on to Windows lacks permission to write to the path or the drive lacks space to store the
temporary data directory, the CD/DVD Burner application will try the next fixed drive, in alphabetical order. Should
it succeed in locating a different fixed drive with space and write permissions, it will write the temporary data
directory at the root of that drive, e.g., D:\RSECTemp~1.
The CD/DVD Burner application will delete any previous temporary data directory it finds:
• When it launches;
• When it closes;
• When it begins the burn operation; and
• When it completes the burn operation.
If the encryption/burn operation gets interrupted—for example, because the user pressed CTRL+C, the user closed
the command line window, or because the CD/DVD Burner application has crashed—then the normal cleanup
process that deletes the temporary data directory will not occur, resulting in the user’s decrypted data remaining in the
temporary data directory. If one of these conditions occurs, launching the application again will delete the temporary
data directory.
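The space formula from the prerequisites and the temporary-directory search order described above, as an added Python pre-flight check for a scripted burn. This is not code from the guide or from Symantec: it applies the formula with exact arithmetic, resolves where RSECTemp~1 would be created from TMP, TEMP and USERPROFILE, and walks the fixed-drive fallback so a backup script can stop before the burner would fail with error 115 or 132. The function names, the constructed environment and drive-probe data, and the treatment of an empty variable as unset are assumptions of this example; `ntpath` is used so Windows path rules apply wherever the script runs.

```python
"""Pre-flight checks for a scripted CD/DVD burn (added example; not SEE code).

Models two rules from Appendix B:
  * the temporary-space estimate
        (1.1 x total size) + (2 x (1.1 x largest file))
  * the search order for the temporary data directory RSECTemp~1:
        TMP, then TEMP, then USERPROFILE, else the Windows directory,
        then the root of the next fixed drive (alphabetical) when the first
        choice lacks space or write permission.
Drive free-space / write-permission results are passed in as plain data so
the logic runs offline; on a real client you would fill them from
shutil.disk_usage() and os.access().
"""
import ntpath  # Windows path rules regardless of the host running this script

TEMP_DIR_NAME = "RSECTemp~1"  # directory name documented in Appendix B


def required_temp_space(file_sizes):
    """Bytes of temporary space the guide's formula calls for.

    Computed in tenths so the 1.1 factor is exact, then rounded up to a
    whole byte so the estimate never comes out low.
    """
    if not file_sizes:
        return 0
    total = sum(file_sizes)
    largest = max(file_sizes)
    tenths = 11 * total + 2 * (11 * largest)
    return (tenths + 9) // 10


def resolve_temp_base(env, windows_dir):
    """First location the burner tries: TMP, TEMP, USERPROFILE, else Windows.

    Assumption (not stated by the guide): an empty variable counts as unset.
    """
    for var in ("TMP", "TEMP", "USERPROFILE"):
        value = env.get(var)
        if value:
            return ntpath.join(value, TEMP_DIR_NAME)
    return ntpath.join(windows_dir, TEMP_DIR_NAME)


def choose_temp_location(preferred, drives, needed):
    """Where RSECTemp~1 would land, or None when no fixed drive qualifies.

    `drives` maps a fixed-drive root such as 'C:\\' to (free_bytes, writable);
    constructed stand-in for probing the host. The preferred path wins if its
    drive is writable and has the space; otherwise the other fixed drives are
    tried alphabetically and the directory goes at the drive root, e.g.
    D:\\RSECTemp~1 (the guide's own example).
    """
    first_drive = ntpath.splitdrive(preferred)[0].upper() + "\\"
    free, writable = drives.get(first_drive, (0, False))
    if writable and free >= needed:
        return preferred
    for root in sorted(drives):
        if root.upper() == first_drive:
            continue
        free, writable = drives[root]
        if writable and free >= needed:
            return ntpath.join(root, TEMP_DIR_NAME)
    return None


if __name__ == "__main__":
    # Constructed sample: three files, 770 MB in total, largest 700 MB.
    sizes = [50_000_000, 20_000_000, 700_000_000]
    need = required_temp_space(sizes)
    env = {"TMP": "", "TEMP": r"C:\Users\alice\AppData\Local\Temp"}  # constructed
    preferred = resolve_temp_base(env, r"C:\Windows")
    probes = {"C:\\": (1_000_000_000, True),   # system drive: too little free space
              "D:\\": (5_000_000_000, True),   # next fixed drive: usable
              "E:\\": (9_000_000_000, False)}  # plenty of space but not writable
    print(f"need {need} bytes; first choice {preferred}")
    print("would use:", choose_temp_location(preferred, probes, need))
```

With the constructed sample the estimate comes to 2,387,000,000 bytes, more than triple the 770 MB of source data, because the largest file is counted three times over; that is why the guide singles out the largest individual file in its formula. The system drive in the sample lacks that much space, so the directory would be created at D:\RSECTemp~1.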
Command Syntax
To run the CD/DVD Burner application from the command line, use a single string according to the following syntax:
RSCDDVD.exe /P {Source [Source…] | Directory} /D RecorderDrvRoot [/L VolumeLabel]
Table B.2—CD/DVD Command Line Parameters
Parameter | Variable(s) | Explanation | Sample
/P | Source, Directory | Specifies the file(s) and/or folder(s) to be burned to disc, where Source is the fully qualified path to one or more files, and Directory is the fully qualified path to one or more folders. File or folder names containing spaces must be enclosed in quotes. When using quotes, you cannot end the path in a backslash. | /P "C:\Confidential Files" or /P c:\files\spreadsheet.xls
/D | RecorderDrvRoot | Specifies the disc recorder, where RecorderDrvRoot is the root of the disc recorder. | /D F:
/L | VolumeLabel | Specifies the volume label of the disc, where VolumeLabel is the volume label name. The volume label name can be up to 32 characters in length, and must contain only alphanumeric, hyphen, underscore or space characters. If you omit the /L parameter, the default volume label will be RS-Encrypted Disc YYYY-MM-DD, where YYYY-MM-DD is the year, month, and date the disc was burned. If the encryption policy is off, the default volume label will be YYYY-MM-DD. | /L Encrypted_Backups_1
Example Command Lines
RSCDDVD /P "C:\Confidential File Folder" "C:\Business Plan\HIF Business Plan.ppt" /D E:
RSCDDVD /P c:\files\spreadsheet.xls c:\files\presentation.doc /D E: /L Encrypted_Files_1
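The command syntax and parameter rules above, as an added Python helper for the backup-script integration the overview mentions. This is not code from the guide or from Symantec: it builds the single command string from a list of sources, rejects up front what the burner would reject (an unquoted path with spaces, a quoted path ending in a backslash, a volume label longer than 32 characters or with characters outside the allowed set), reproduces the default volume label, and groups a subset of the exit codes from Table B.3 by the action a calling script can take. The function names, the grouping of exit codes, and the choice to quote a volume label that contains spaces are assumptions of this example.

```python
"""Build and validate an RSCDDVD.exe command line and interpret its exit code
(added example; not part of SEE Removable Storage).

Encodes the Table B.2 rules: paths with spaces are quoted, a quoted path may
not end in a backslash, /L is at most 32 alphanumeric/hyphen/underscore/space
characters, and the default label is "RS-Encrypted Disc YYYY-MM-DD" (or just
the date when the encryption policy is off).
"""
import datetime
import re
import subprocess

VOLUME_LABEL_RE = re.compile(r"^[A-Za-z0-9_\- ]{1,32}$")  # Table B.2 rule for /L

# Subset of Table B.3 exit codes, grouped by what a calling script can do.
# The grouping itself is an assumption of this example.
EXIT_ACTIONS = {
    "fix-command-line": {1, 2, 3, 109, 112, 133},
    "retry-with-other-media": {106, 113, 114, 501},
    "retry-after-freeing-space": {115, 118},
    "needs-operator": {102, 110, 119, 120, 121, 122, 132},
}


def default_volume_label(burn_date=None, encryption_policy_on=True):
    """Label the burner applies when /L is omitted; defaults to today's date."""
    stamp = (burn_date or datetime.date.today()).strftime("%Y-%m-%d")
    return f"RS-Encrypted Disc {stamp}" if encryption_policy_on else stamp


def is_valid_volume_label(label):
    return bool(VOLUME_LABEL_RE.match(label))


def is_valid_source(path):
    """A path with spaces has to be quoted, and a quoted path may not end in
    a backslash (the burner reports exit code 133 for that)."""
    if not path:
        return False
    needs_quotes = " " in path
    return not (needs_quotes and path.endswith("\\"))


def quote_arg(arg):
    # Assumption: the same double-quote rule is applied to any argument with spaces.
    return f'"{arg}"' if " " in arg else arg


def build_command(sources, recorder_root, volume_label=None):
    """Return the single command string of the Appendix B syntax:
    RSCDDVD.exe /P {Source [Source...] | Directory} /D RecorderDrvRoot [/L VolumeLabel]
    Raises ValueError for input the burner would reject at start-up.
    """
    if not sources:
        raise ValueError("no sources given: /P needs at least one file or folder")  # code 109
    bad = [s for s in sources if not is_valid_source(s)]
    if bad:
        raise ValueError(f"quoted path may not end in a backslash: {bad}")  # code 133
    if not re.fullmatch(r"[A-Za-z]:", recorder_root):
        raise ValueError("/D expects the recorder's drive root, e.g. F:")  # codes 2 / 105
    parts = ["RSCDDVD.exe", "/P", *(quote_arg(s) for s in sources), "/D", recorder_root]
    if volume_label is not None:
        if not is_valid_volume_label(volume_label):
            raise ValueError("volume label: at most 32 of A-Z, 0-9, '-', '_' or space")  # code 112
        parts += ["/L", quote_arg(volume_label)]
    return " ".join(parts)


def classify_exit_code(code):
    """Map an RSCDDVD.exe exit code to a coarse action; 0 means success."""
    if code == 0:
        return "success"
    for action, codes in EXIT_ACTIONS.items():
        if code in codes:
            return action
    return "investigate"  # anything else: consult the UI message / Table B.3


def run_burn(command):
    """Run the burner and classify its exit code. Windows-only (a single
    command string is handed to CreateProcess); not exercised offline."""
    return classify_exit_code(subprocess.run(command).returncode)


if __name__ == "__main__":
    cmd = build_command([r"C:\Confidential File Folder",
                         r"C:\Business Plan\HIF Business Plan.ppt"], "E:",
                        volume_label="Encrypted_Backups_1")
    print(cmd)
    print("default label today:", default_volume_label())
```

Validating before launching matters in a script because the burner's own cleanup of the temporary directory only runs on a normal exit; catching usage errors up front avoids a start-up failure that leaves nothing behind but a long-running burn that is interrupted later does.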
CD/DVD Errors
The following table lists the individual SEE Removable Storage errors generated when executing the CD/DVD
Burner application from the command line. The column headings indicate the error code (if any), the error message
displayed in the UI, and an explanation of the error, along with possible ways to remediate the error.
Table B.3—CD/DVD Messages and Error Codes
Error Code | Error Message Displayed in UI | Explanation
0 | Burned the disc successfully. | The CD/DVD Burner application has completed the burn process successfully.
1 | Disc volume label was not specified | The /L parameter (volume label) was used without specifying a volume label.
2 | Disc recordable drive was not specified. | The /D parameter (recordable drive) was used without specifying the letter of the recordable drive, i.e., you must specify the parameters /D F: if your recordable drive is F.
3 | The syntax of the command is incorrect. | Incorrect command syntax was specified.
101 | There is no hard disk drive on your system, so this application can not be used for burning disc. | The CD/DVD Burner application requires a hard disk or partition for storing temporary files as part of the encryption and burn process. Verify that a hard disk or partition is accessible and try the operation again.
102 | You must register to SEE, before you can use this application for burning data to disc. | The user currently logged on to Windows has not registered to SEE.
104 | Disc burning engine could not be initialized successfully. | The CD/DVD Burner application was unable to initialize the disc burning engine.
105 | Invalid disc recordable drive was specified. | The selected drive is not a recordable drive. Select a different drive capable of recording, then try the operation again.
106 | There is no disc in the drive. | The CD/DVD Burner application didn’t find a disc in the recorder. Insert a rewritable or write-once disc into the drive.
107 | No disc recordable drive was found on your system. | The CD/DVD Burner application didn’t find any disc recorders present. Verify that a disc recorder is attached and functioning, then try the operation again.
108 | Disc could not be ejected successfully. | The CD/DVD Burner application was unable to eject the disc successfully.
109 | No data was specified to be burned. | No files or folders were selected for burning.
110 | Your access policy does not allow write access to removable media, so you cannot use this application for burning data to disc. | SEE Removable Storage is currently enforcing a read-only access policy. The policy must be changed to allow read and write access to removable media before the CD/DVD Burner application can be used.
111 | Disc burner could not be found. | The CD/DVD Burner application could not find the disc recorder.
112 | The disc volume label can have only alphanumeric and underscore characters. The disk volume label’s length can not be more than 32 characters. Please type a valid disc volume label. | The volume label specified contains disallowed characters or is in excess of the 32 character maximum. Specify a new volume name of 32 characters or less containing only letters, numbers, hyphens, underscores, or spaces.
113 | Disc could not be erased. | An attempt to erase a rewritable disc was unsuccessful. Insert a different rewritable or write-once disc and try the operation again.
114 | The disc that you have inserted is not writable. Please insert a blank or rewritable disc of type CD-R, CD-RW, DVD-R, DVD-RW, DVD+R, or DVD+R DL into drive. | The inserted disc cannot be written to. Insert a rewritable or write-once disc and try the operation again. Remove the disc from the drive and insert a disc that is writable.
115 | Application could not locate a fixed hard disk drive with enough free space for storage of temporary data, so application won't burn the disc. | The CD/DVD Burner application requires a hard disk or partition with enough free space for storage of temporary data. Free up some space and try the operation again.
116 | Selected file or folder [path/]file or folder name could not be copied at your temporary data location. Please check the file or folder again. | There was a problem copying the selected file or folder to the temporary data directory. Verify that the temporary data directory is accessible and sufficient space is available, then try the operation again.
117 | An error occurred during the encryption of the data. | The CD/DVD Burner application encountered an error during the encryption of the data.
118 | Selected file [path/]file or folder name could not be encrypted. Please free up some space on your temporary data drive and try again. | The CD/DVD Burner application found that the selected file could not be encrypted due to lack of space on the hard disk or partition. Delete some files on the hard disk or partition where the temporary folder is located (usually this is the system volume) and try the operation again.
119 | Selected file [path/]file or folder name to be burned could not be encrypted due to security reason. | Verify that the account under which the CD/DVD Burner application is running has sufficient access rights to perform the operation.
120 | SEE-RS does not have a Password and/or certificate to encrypt this file. You must specify a Password and/or certificate or a Default Password and/or certificate before the data can be encrypted and burned to disc. | The user has not specified a Default Password and/or Default Certificate(s). When prompted to provide a password and/or certificate, the user clicked Cancel.
121 | SEE-RS does not have a certificate to encrypt this file. You must specify a certificate or a Default certificate before the data can be encrypted and burned to disc. | The user has not specified one or more Default Certificate(s) and failed to provide a certificate when prompted.
122 | SEE-RS does not have a password to encrypt this file. You must specify a Default Password before the data can be encrypted and burned to disc. | The user has not set a Default Password and failed to provide a password when prompted.
123 | Temporary file could not be deleted. | The CD/DVD Burner application was unable to delete a temporary file. Verify that another application or process is not using this file. You should also manually delete any temporary files still remaining in the temporary data directory.
124 | Disc recordable drive could not be locked. | Another application or process has prevented the CD/DVD Burner application from gaining exclusive access to the disc recorder. Quit the other application or process and try the operation again.
126 | The SEE-RS Access Utility could not be copied to disc. | The CD/DVD Burner application was unable to copy the Removable Storage Access Utility to the disc, even though the policy in place dictates this. If the problem persists, you may need to reinstall SEE Removable Storage.
128 | You have selected one or more files with very long file name. Application could not shorten file(s) name in temporary data location. If file encryption policy is set then file’s name length can exceed 102 characters, otherwise it cannot exceed 106 characters. Please rename the file(s) with long name and try again. | The operation failed because there were one or more files with names that exceeded 102–106 characters and the application could not rename these files in the temporary location. Locate the files with long names, shorten them manually, and try again. If SEE Removable Storage is automatically encrypting files written to removable media, the file names must be no greater than 102 characters. If not, the file names should be no greater than 106 characters.
129 | Selected file or folder [path/]file/folder name could not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. | The CD/DVD Burner application failed to copy the specified file or folder because its full path exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.
130 | Selected file or folder [path/]file/folder name could not be found. Please check the file or folder and try again. | The user has specified a file or folder to be burned to disc that could not be found by the CD/DVD Burner application.
131 | Selected file or folder file/folder name can not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. | The CD/DVD Burner application has calculated that the path to the file or folder that you specified to be burned exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.
132 | Application found a fixed hard disk drive with enough free space for storage of temporary data, but you do not have write access on temporary folder temporary folder path, so application won't burn the disc. Please get the write access on this folder and try again. | The CD/DVD Burner application failed to complete the burning process because the user does not have write privileges to the temporary data directory. Log in as a different user or increase the user’s privileges.
133 | Path specified using the /P parameter can not have back slash character at the end of the path when quotes are used to enclose the path. | The CD/DVD Burner application failed to complete the burning process because the path enclosed in double quotes included a backslash at the end. Remove the backslash character and try again.
134 | Temporary folder temporary folder path could not be created at your temporary data location. Please make sure that no file or folder is being used/locked by any application in this temporary folder location and try again. | Another application or process may be preventing the CD/DVD Burner application from writing its temporary data to the temporary data directory. Ensure that all applications and processes that may be competing for access are shut down and try again.
501 | Disc could not be used for burning data. Please try again with another disc. | Either a media error, media incompatibility, or other problem has resulted in the application being unable to write data to the disc. Try the operation again using another disc and/or brand of media.
502 | File “SEERemovableStorageAccessUtility.exe” cannot be specified using the /P parameter. It is SEE-RS Access Utility application, which will be burned automatically on the root of the burnt disc. | The user has specified that the SEE Access Utility executable be burned at the root of the disc. However, SEE Removable Storage is already burning the Removable Storage Access Utility automatically, according to policy. The SEE Removable Storage Access Utility specified in the input file list will be ignored, and the SEE Removable Storage Access Utility will be copied to the root of the disc as per policy.
504 | Disc could not be burned due to an error. | There was an unknown error with the disc recorder.
505 | The disc drive could not be used to burn the disc. | There was an error with the disc recorder. Try the operation again using a different disc recorder.
506 | Disc could not be burned with selected data because your temporary data location is EFS enabled. | The CD/DVD Burner application cannot use an EFS-encrypted temporary data directory. The user can either turn off EFS protection for the temporary data directory’s parent folder, or the user can manually relocate the temporary data directory by editing the TMP or TEMP environment variables.
File “Autorun.inf” cannot be specified using the
/P parameter. File “Autorun.inf” will be burned
automatically on the root of the burnt disc to run
SEE-RS Access Utility application.
The user has specified that the Autorun.inf file be burned at the root of
the disc. However, SEE Removable Storage is currently burning the
Removable Storage Access Utility to disc automatically, as per policy
and this file is one of the files that comprises the Removable Storage
Access Utility. The Autorun.inf specified in the input file list will be
ignored, and the SEE Removable Storage Access Utility’s Autorun.inf
will be copied to the root of the disc according to policy.
509
File “Platform.ico” cannot be specified using the
/P parameter. File “Platform.ico” will be burned
automatically on the root of the burnt disc to run
SEE-RS Access Utility application.
The user has specified that the Platform.ico file be burned at the root of
the disc. However, SEE Removable Storage is currently burning the
Removable Storage Access Utility to disc automatically, as per policy
and this file is one of the files that comprises the Removable Storage
Access Utility. The Platform.ico specified in the input file list will be
ignored, and the SEE Removable Storage Access Utility’s Platform.ico
will be copied to the root of the disc according to policy.
None
Processing the burn request
The application has started processing the disc burning request.
None
EFS-encrypted file(s) will be decrypted by EFS
before being burned.
EFS-encrypted files have been selected for burning. The CD/DVD Burner application will attempt to decrypt them prior to burning. If an encryption policy is in effect, the CD/DVD Burner application will encrypt the files prior to burning.
None

The disc is not blank, disc data will be erased during disc burning process.
The CD/DVD Burner application has detected a rewritable disc that contains existing data. The CD/DVD Burner application will attempt to erase the disc prior to burning the new data.
None

The estimated size of data which will be burned on disc exceeds disc capacity. If this estimation is correct, the data will not be burned to disc successfully.
The estimated size of the data to be burned exceeds the capacity of the target disc, but the CD/DVD Burner application will attempt to burn the selected data anyway.
None

Preparing data for burning to disc. Percentage: <percent of data prepared>%
The CD/DVD Burner application is copying the data to be burned to the temporary data directory prior to burning the disc.
None

Encrypting data to be burned to disc. Percentage: <percent of data encrypted>%
The CD/DVD Burner application is encrypting the data to be burned in the temporary data directory prior to burning the disc.
None

Erasing disc...
The CD/DVD Burner application is erasing rewritable media containing previously recorded data prior to burning.
None

Preparing to write data to the disc...
The CD/DVD Burner application is preparing to burn the disc.
None

Writing sector <current sector> of <total sectors>. Percentage: <percent of data written>%
The CD/DVD Burner application is currently writing data to disc.
None

Finalizing the disc. Percentage: <percent of finalized data>%
The CD/DVD Burner application is nearing the end of the burn process and is writing the table of contents to disc.
None

You have selected one or more files with names that exceed 102 characters or path length in temporary data location is exceeding the 259 characters limit imposed by Windows system. Files' names will be shortened in temporary data location.
One or more of the files specified to be burned had a file name of more than 102 characters, or else the full path to the temporary data directory, including this file, exceeded 259 characters. When this file or these files are written to the temporary location, their names will be shortened so that the maximum character restrictions are not exceeded.
Symantec Endpoint Encryption Removable Storage
Policy Administrator Guide
Appendix C. Authentication Method Changes
Overview
Each client enforces a single method of authentication for all of its users. This method of authentication is established in the following Manager Console locations:
• The selection made in the Token Authentication page of the Manager Console InstallShield wizard.
• The selection made in the Authentication Method area of the Registered Users panel (Symantec Endpoint Encryption Software Setup, Symantec Endpoint Encryption Native Policy Manager, or Active Directory policy).
Either an upgrade of the client or a policy update can be used to change the users' method of authentication. Because policy settings always take precedence over installation settings, a policy is the more reliable way to achieve the change.
User Experience
The following table details the effects of a change to the user’s authentication method mandated using the
Authentication Method area of the Registered Users panel.
Table C.1—Effect of a Change in Authentication Method on Existing User Accounts

Previous Authentication Method | New Authentication Method | Authentication Method(s) User Has Registered | User Must Re-register? | Details
a password | a token | Password | Yes |
a password | password or token | Password | No | The user will have the option to add a token in the User Client Console.
a password, a token, or password or token | Automatic | Password, Token, or Password and Token | No |
a token | a password | Token | Yes |
a token | password or token | Token | No | The user will have the option to add a password in the User Client Console.
Automatic | a password, a token, or password or token | Automatic | Yes |
password or token | a password | Password and Token | No | The token is deleted.
password or token | a password | Token | Yes |
password or token | a token | Password and Token | No | The password is deleted.
password or token | a token | Password | Yes |
Glossary
Active Directory
Active Directory is the directory service included with Windows Server 2003 and
Windows Server 2008. This service stores information about objects on a network and
makes that information available to users and network administrators. Active
Directory gives network users access to permitted resources anywhere on the network.
Active Directory provides network administrators with a hierarchical view of the
network and a single point of administration for all network objects.
Active Directory
Policies
Active Directory policies are one of two types of policies that can be created and
deployed from the SEE Manager. They feature seamless integration with well-known
Active Directory toolsets and include user as well as computer policies.
Active Directory Users
and Computers Snap-in
The Users and Computers snap-in from Microsoft is used to find and organize the User
and Computer objects in an Active Directory structure.
Authenti-Check
Authenti-Check allows users missing their credentials to gain access to the User Client
Console without assistance. A set of up to three question-answer pairs authenticates
the user. Authenti-Check is not available to Client Administrators.
Automatic
Authentication
If the Client Computer is set for automatic authentication, SEE Removable Storage
will allow any registered user to launch the User Client Console. The registration
process itself will also be automatic and occur without user intervention—unless a
registration password is required.
Client Administrator
Client Administrators provide local support to SEE users. When creating or updating
Client Administrator accounts, the Policy Administrator assigns one of three privilege
levels.
Client Administrators with a privilege level of high will be able to unregister users.
The Client Administrator is also responsible for recovering SEE Removable Storage–
encrypted files.
Client Administrators cannot change their own passwords or use any password-recovery methods. Client Administrators must register as a user to make use of removable storage devices at the SEE Removable Storage–protected workstation.
Default Password/
Certificate
Registered users and Client Administrators have the option of setting a Default
Password and/or Default Certificate(s) in the User Client Console. SEE Removable
Storage will use Default Passwords and/or Default Certificates for encrypting files. In
addition, if the Default Password and/or Default Certificate(s) set in the User Client
Console match the password or certificate(s) that a file was encrypted under, SEE
Removable Storage will decrypt the file without a prompt.
Expand, Expanded, to
Expand
To reveal the contents of a container. This action is initiated by clicking the plus sign to
the left of the container as displayed in the left pane of the Microsoft Management
Console.
Group Filtering
Also known as Security Group Filtering or Security Filters. Security Filters applied to
a Group Policy Object limit the scope for that Group Policy Object.
Group Key
The group key facilitates the sharing of encrypted files among users within a group: if
the group key on the SEE Removable Storage–protected computer matches the group
key that a file was encrypted under, the user will not be prompted to provide a
password or certificate to decrypt the file.
Group Policy
Management, Group
Policy Management
Console Snap-in
A snap-in from Microsoft that an SEE Policy Administrator can use to assign SEE
client MSI packages and policies to users and computers.
Group Policy Object
(GPO)
An object in Active Directory that contains user and/or computer policies, and
possibly software deployment policies.
LSDOU
This acronym describes the order in which GPOs are applied: Local (1), Site (2), Domain (3), OU (4). Each GPO is applied on top of the ones before it, so where two GPOs define the same setting the later one wins: GPOs linked to the OU take precedence over domain, site, and local policies (unless a higher-level GPO is marked Enforced, which reverses that for the settings it contains).
Management
Password,
Management Password
Snap-in
The Management Password is not relevant to SEE Removable Storage.
Master Certificate
Master Certificates can be used to decrypt encrypted files even if the user-provided
credentials are not available, allowing organizations to recover from forgotten
passwords and lost certificates.
The same Master Certificate must be issued twice, once with the private key and once
without.
„ Without Private Key—the Master Certificate without the private key is deployed to
clients using an installation package or a policy. Upon receipt, clients will encrypt
files using the Master Certificate in addition to the credentials provided by the user.
„ With Private Key—the Master Certificate with the private key is exported using the
P7B format. It should be stored in a safe, physically secure location. Symantec
recommends exporting it to a token or smart card and then securing the token or
smart card in a fire-proof vault.
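The recovery design described above (each file encrypted for the user's credential and, in addition, for the Master Certificate, whose private key never reaches the client) is an instance of envelope encryption with multiple wrapped copies of one data key. The Go program below is an added example written for this guide, not Symantec's file format or code: it uses AES-256-GCM for the content, wraps the random data key once per recipient with RSA-OAEP, and then walks through ordinary access, recovery with the master key when the user's key is gone, and the two failure cases (a stranger's key, and a recipient slot the file was never encrypted for). The recipient labels "user" and "master" and the Scenario helper are this example's own conventions. A group key (above) would be a third slot wrapped under a shared symmetric key instead; it is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a hypothetical container (not SEE's own format): the content is
// encrypted once under a random data key, and that key is wrapped separately
// for every recipient, so the user's key and the Master Certificate's key can
// each unlock the file independently.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output, authentication tag included
	WrappedKeys map[string][]byte // recipient label -> RSA-OAEP wrapped data key
}

// Seal encrypts plaintext for every recipient public key. The Master
// Certificate is just one more recipient; no private key is needed here.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, fmt.Errorf("no recipients: file would be unrecoverable")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for label, pub := range recipients {
		// The OAEP label binds each wrapped copy to its recipient slot.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(label))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[label] = w
	}
	return env, nil
}

// Open unwraps the data key with one recipient's private key and decrypts.
// With the Master Certificate's private key this is the recovery path.
func Open(env *Envelope, label string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[label]
	if !ok {
		return nil, fmt.Errorf("file was not encrypted for %q", label)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("unwrap for %q failed: %w", label, err)
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ScenarioResult records what each key could read in the recovery scenario.
type ScenarioResult struct {
	UserRead, MasterRead                  string // plaintext seen by the user key / master key
	WrongKeyRejected, UnknownSlotRejected bool   // stranger's key, and a slot never encrypted for
}

// Scenario seals secret for a user and a Master Certificate (fresh keys stand
// in for the certificates), then exercises access, recovery and the failures.
func Scenario(secret string) (ScenarioResult, error) {
	user, master, stranger := newKey(), newKey(), newKey()
	env, err := Seal([]byte(secret), map[string]*rsa.PublicKey{
		"user": &user.PublicKey, "master": &master.PublicKey})
	if err != nil {
		return ScenarioResult{}, err
	}
	var r ScenarioResult
	got, err := Open(env, "user", user)
	if err != nil {
		return r, err
	}
	r.UserRead = string(got)
	if got, err = Open(env, "master", master); err != nil { // user credential lost: recover
		return r, err
	}
	r.MasterRead = string(got)
	_, err = Open(env, "user", stranger)
	r.WrongKeyRejected = err != nil
	_, err = Open(env, "group", user)
	r.UnknownSlotRejected = err != nil
	return r, nil
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	r, err := Scenario("quarterly-figures.xlsx contents") // constructed sample content
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The point the glossary makes about storage follows directly from the structure: whoever holds the master private key can open every file sealed while that certificate was deployed, which is why it belongs on a token in a vault and not on the management server.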
Microsoft Management
Console (MMC)
Microsoft Management Console is a container User Interface (UI) that provides no
functionality by itself. Each Microsoft Management Console process can host a set of
snap-ins displayed in one or more windows. The layout of a Microsoft Management
Console can be saved as a file with an .msc extension.
Microsoft Management
Console Tree
The folder-like structure of snap-ins in a Microsoft Management Console. Snap-ins
can be standalone, i.e., added to the root of the MMC tree, or they can be extensions of
other snap-ins.
Microsoft Windows
Installer (MSI)
A format for self-contained database files containing the requirements and instructions
that the Windows Installer uses when installing applications. MSI packages can be
deployed via Group Policy Objects.
Native Policies
Native policies are one of two types of policies that can be created and deployed from
the SEE Manager. Native policies do not rely on any existing directory service for
managing SEE Client Computers. Unlike SEE Active Directory policies, native
policies apply to computers only and cannot be applied to users.
Novell eDirectory
An LDAP-based directory service from Novell. Computers that are members of an
eDirectory domain can be managed using SEE native policies. Information from
eDirectory can optionally be synchronized to the SEE Management Server, allowing
SEE native policies to be applied according to the organizational structure maintained
in eDirectory.
Objects
The term objects is used to refer to any Active Directory object. This includes
individual Users, Computers, or Policies, as well as Groups of Users or Computers.
See also Containers.
One-Time Password
(OTP)
The One-Time Password (OTP) Program allows SEE Full Disk users to recover from a
forgotten password, PIN, or token with help desk assistance. It is not relevant to SEE
Removable Storage.
Policy Administrator
Policy Administrators perform centralized administration of SEE. Using the Manager
Console and the Manager Computer, the Policy Administrator:
„ Updates and sets client policies.
„ Runs reports.
Access to SEE snap-ins can be restricted on a per snap-in basis, giving the domain or
higher-level administrator flexibility when assigning specific Policy Administrator
duties.
SEE Framework
SEE Framework provides SEE–wide features, such as authentication methods and
settings, as well as registered user and Client Administrator accounts and information.
Self-Extracting
Executables
A feature of SEE Removable Storage that allows registered users to create encrypted
self-extracting files for secure transport. Self-extracting files can be decrypted from
any computer, without any need for SEE Removable Storage or the Removable
Storage Access Utility. Whether users may produce self-extracting executables is controlled by an installation setting or by policy.
Silent Client
A silent client does not communicate with the SEE Management Server. Client
installation packages generated from Manager Consoles that were installed in
serverless mode will create silent clients.
Single Sign-On (SSO)
A feature that allows SEE users to log on to both Windows and SEE with their
Windows password. To activate an SSO policy, the Client Computer must reboot.
SSO is not relevant to automatically authenticated users.
Snap-in
A Dynamic Link Library (DLL) file user interface module designed to be loaded into a
Microsoft Management Console.
Symantec Endpoint
Encryption Software
Setup Snap-in
A snap-in from Symantec that allows the SEE Policy Administrators to customize SEE
client installation settings before deployment.
Temporary Data
Directory
The CD/DVD Burner application requires a place to store temporary data. It will first try to place its temporary data directory on the drive that holds the operating system. The TMP, then the TEMP, and then the USERPROFILE environment variables are checked, and the first one found to be set is used. If none of these environment variables is set, the CD/DVD Burner application uses the Windows directory. Note that the data to be burned is copied into this directory (EFS-encrypted files are decrypted first) before the encryption step runs, so the directory holds plaintext copies of the files while a burn is in progress.
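The lookup order above, together with the 102-character file-name and 259-character path limits quoted in the CD/DVD Burner status messages, can be checked before a burn so that you know where plaintext staging will land and which files will be renamed. The Go program below is an added example written for this guide, not Symantec's code. It takes the environment as a map and the Windows directory and system drive as parameters; it treats an empty variable as unset, which the guide does not specify, and it counts characters rather than bytes.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Limits quoted in the CD/DVD Burner status message.
const (
	maxFileName = 102 // characters in a single file name
	maxPath     = 259 // characters in the full path inside the temporary data directory
)

// ResolveTempDir applies the documented lookup order: TMP, then TEMP, then
// USERPROFILE; the Windows directory if none of them is set. env stands in for
// the process environment (assumption: blank values count as unset).
func ResolveTempDir(env map[string]string, windowsDir string) string {
	for _, name := range []string{"TMP", "TEMP", "USERPROFILE"} {
		if v := strings.TrimSpace(env[name]); v != "" {
			return v
		}
	}
	return windowsDir
}

// OnSystemDrive reports whether dir lives on the operating-system drive, the
// location the guide says the burner tries first. systemDrive is like "C:".
func OnSystemDrive(dir, systemDrive string) bool {
	vol := dir
	if i := strings.Index(dir, `\`); i >= 0 {
		vol = dir[:i]
	}
	return strings.EqualFold(vol, strings.TrimSuffix(systemDrive, `\`))
}

// StagingIssue predicts whether the burner will shorten name when it copies
// the file into tempDir: the name alone exceeds 102 characters, or the full
// temporary path exceeds 259. It returns "" when the file fits as-is.
func StagingIssue(tempDir, name string) string {
	if n := utf8.RuneCountInString(name); n > maxFileName {
		return fmt.Sprintf("file name is %d characters (limit %d); it will be shortened", n, maxFileName)
	}
	full := strings.TrimSuffix(tempDir, `\`) + `\` + name // Windows-style join, host-independent
	if n := utf8.RuneCountInString(full); n > maxPath {
		return fmt.Sprintf("temporary path is %d characters (limit %d); the name will be shortened", n, maxPath)
	}
	return ""
}

func main() {
	// Constructed sample environment: TMP unset, so TEMP is chosen.
	env := map[string]string{"TEMP": `C:\Users\alice\AppData\Local\Temp`, "USERPROFILE": `C:\Users\alice`}
	dir := ResolveTempDir(env, `C:\Windows`)
	fmt.Println("temporary data directory:", dir, "| on system drive:", OnSystemDrive(dir, "C:"))
	for _, f := range []string{"report.docx", strings.Repeat("a", 110) + ".txt"} {
		if issue := StagingIssue(dir, f); issue != "" {
			fmt.Printf("%.12s...: %s\n", f, issue)
		}
	}
}
```

Because the first variable found wins, a user who can set TMP in their own environment can move the plaintext staging area to any writable path, including a removable or unencrypted drive; checking the resolved directory against the system drive is the quick way to spot that.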
User
At least one user is required to register with SEE on each Client Computer. A wizard
guides the user through the registration process, which involves a maximum of five
screens. The registration process can also be configured to occur without user
intervention. Users will not be able to access their removable storage devices until they
have registered.
Index
A
Active Directory policies 3, 13, 15, 17, 23, 24, 28, 66, 68
Authenti-Check 23
C
CD/DVD Burner application
EFS encryption and 59, 63, 64
temporary data directory 59, 60, 62, 63, 64, 69
Client Administrator
authentication method (password or token) 19
policy 18
privilege levels 19
single-source passwords 6
Client Computers
communication with 23
D
Default Certificates 66
Default Passwords 22, 26
G
gpupdate /force 28
grace restarts 21, 35, 38, 39
group key 26, 49, 50, 53, 56
Group Policy Object Editor (GPOE) 4, 17
L
Local, Site, Domain, OU (LSDOU) 3, 28, 67
M
Management Password
snap-in 3
use of 67
Manager Console
endpoint containers 4
location of 2
SQL prompt 4
Master Certificates 26, 53, 55, 56
N
native policies 3, 18, 29, 31
  names of 18
Native Policy Manager 3, 17, 18
O
One-Time Password
  about 68
  offline method 40
  online method 40
P
P7B files 19
policy update
  forcing an immediate update 3, 28, 29
R
removable storage access policy 24
  no access 1
  read only 1
  read write 1
Removable Storage Access Utility 8, 22, 25, 26, 50, 52, 55, 68
removable storage encryption methods 26
removable storage encryption policy 24, 25
  CD/DVD only 1, 25
  do not encrypt 25
  encrypt all 1
  encrypt new 1, 25
removable storage portability policy 25
Resultant Set of Policy (RSoP) 13, 15
S
SEE administrator roles 5
SEE Framework
  about 1
SEE Managed Computers 5, 29
self-extracting executables 27, 53, 54, 57, 68
synchronization
  about 2, 3, 7, 29
  timing of 3
  with both Active Directory and Novell 5
U
users
  automatic unregistration of 21
  local administrative rights and 6
  registration password and 21
W
Windows system events 34