Software Update: Symantec Endpoint Encryption 11.3.1


Symantec, now part of Broadcom, acquired two companies that developed encryption software: GuardianEdge and PGP. For years it shipped the products from those two acquisitions as separate encryption lines. The GuardianEdge line was renamed Endpoint Encryption (SEE), and the PGP line became Encryption Desktop (SED) together with Encryption Management Server (SEMS). To an outsider it was confusing for one company to sell two competing encryption products that could not work together. That situation largely came to an end in 2014 with the release of Endpoint Encryption 11, which merged the two lines. Since there is no easy way to upgrade from SED and SEMS to SEE, maintenance packs are still released for the old PGP line, but new feature development is focused only on the merged Endpoint Encryption line. The development team has released Endpoint Encryption version 11.3.1 with the following list of changes:

What’s new in Symantec Endpoint Encryption 11.3.1

Platform certifications

  • Added support for Microsoft Windows 10 Enterprise October 2020 Update (version 20H2)
  • Added compatibility with the following operating system for Symantec Endpoint Encryption for FileVault and Removable Media Access Utility: macOS 11.0.x (Big Sur)

Drive Encryption

  • Support for DMA. Symantec Endpoint Encryption Drive Encryption is now compatible with Direct Memory Access (DMA) enabled systems.
  • Enhancements for Drive Encryption Autologon. Enabling autologon for a client computer is now part of the Drive Encryption installer; support for generating a separate Autologon MSI using the Autologon snap-in has been removed from the Symantec Endpoint Encryption Management Server console. A single, compact Drive Encryption MSI installer now combines the autologon policies with the Drive Encryption policies.
    • You can disable autologon completely through the install-time Do not use Autologon policy option on the Drive Encryption – Autologon page. In that case autologon cannot be enabled on the client computers afterwards, not even through the Drive Encryption Administrator Command Line or through policies; to enable it you must uninstall the client and reinstall it with the Do not use Autologon option deselected.
    • To better manage the use of the Trusted Platform Module (TPM), the TPM settings for autologon have been added to the Drive Encryption – Autologon native and GPO policies. The default TPM PCR list in the de.autoLogon.pcrList field on the Management Agent – Advanced Settings page is now 0,2; in earlier releases the default was 0,2,4. When you upgrade to Symantec Endpoint Encryption 11.3.1, the default TPM PCR value in all native and GPO policies becomes 0,2. Note what this changes: PCR 0 holds the measurement of the platform firmware, PCR 2 that of UEFI drivers and option ROMs, and PCR 4 that of the boot manager. With PCR 4 dropped from the list, a boot manager update no longer breaks autologon, but the release of the autologon secret also no longer depends on the boot manager measurement.
    • An Autologon Status report has been added to the Symantec Endpoint Encryption Management Server console to display the autologon status of the client computers.
  • Support for single sign-on with hibernation. A Management Agent advanced setting lets you enable single sign-on when resumed from hibernation on a client computer. This setting comes into effect only when the Drive Encryption – Single Sign-On policy option is enabled. If single sign-on with hibernation is enabled, then after resume from hibernation, a user is automatically logged on to Windows after the user authenticates with Windows credentials at preboot. This Advanced Settings policy can be enabled as an install-time setting, GPO, or native policy. This setting is disabled by default.
  • Prompt for user details when using Symantec Endpoint Encryption self-recovery for all users. When the Drive Encryption – Self-Recovery feature for recovery at the preboot authentication screen is used, users are now prompted to enter their user name and their domain details before answering preconfigured security questions for authentication. This feature is applicable for all types of users, including token and smart card users. This feature is applicable for UEFI boot mode only.
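To make the PCR-list change above concrete, here is an added model (not Symantec's code; the page does not describe how SEE seals the autologon secret) that binds a secret to a PCR selection using the TPM 2.0 PolicyPCR construction and then replays two constructed boot-chain changes against both the new default list 0,2 and the old list 0,2,4. The measurement byte strings and the assumption that SEE uses a PolicyPCR-style binding are illustrative; the PCR selection marshalling and the PolicyPCR digest update follow the TPM 2.0 specification.

```python
"""Model of a TPM PCR-bound autologon secret: PCR list '0,2' versus '0,2,4'."""
import hashlib
import struct

TPM_CC_POLICY_PCR = 0x0000017F  # TPM2_PolicyPCR command code (TPM 2.0 Part 2)
TPM_ALG_SHA256 = 0x000B         # algorithm id of the SHA-256 PCR bank
DIGEST_LEN = 32
PCR_COUNT = 24


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def simulate_boot(firmware: bytes, option_roms: bytes, boot_manager: bytes) -> dict:
    """Constructed SHA-256 PCR bank after boot: PCR0 <- firmware, PCR2 <- UEFI
    drivers/option ROMs, PCR4 <- boot manager. Inputs are made-up byte strings."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    pcrs[0] = extend(pcrs[0], firmware)
    pcrs[2] = extend(pcrs[2], option_roms)
    pcrs[4] = extend(pcrs[4], boot_manager)
    return pcrs


def parse_pcr_list(value: str) -> list:
    """Parse a comma-separated PCR list as the page shows it ('0,2' or '0,2,4')."""
    indices = sorted({int(p) for p in value.split(",") if p.strip()})
    if any(i < 0 or i >= PCR_COUNT for i in indices):
        raise ValueError("PCR index out of range: %s" % value)
    return indices


def pcr_selection(indices) -> bytes:
    """Marshal a TPML_PCR_SELECTION holding one SHA-256 TPMS_PCR_SELECTION
    (count=1, hashAlg, sizeofSelect=3, 3-byte bitmap)."""
    bitmap = bytearray(3)
    for i in indices:
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">IHB", 1, TPM_ALG_SHA256, 3) + bytes(bitmap)


def policy_pcr_digest(pcrs: dict, indices) -> bytes:
    """TPM2_PolicyPCR applied to an all-zero starting policy:
    policy = H(0^32 || CC_PolicyPCR || pcrSelection || H(PCR[i] for i in selection))."""
    indices = sorted(indices)
    pcr_digest = hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()
    return hashlib.sha256(
        bytes(DIGEST_LEN)
        + struct.pack(">I", TPM_CC_POLICY_PCR)
        + pcr_selection(indices)
        + pcr_digest
    ).digest()


def unseal_allowed(sealed_policy: bytes, current_pcrs: dict, pcr_list: str) -> bool:
    """The secret is released only if the current PCRs reproduce the sealing policy."""
    return policy_pcr_digest(current_pcrs, parse_pcr_list(pcr_list)) == sealed_policy


def evaluate_update_scenarios() -> dict:
    """Seal under both PCR lists, then apply two constructed boot-chain changes."""
    baseline = simulate_boot(b"FW-1.0", b"OPROM-A", b"BOOTMGR-2020")
    policies = {pl: policy_pcr_digest(baseline, parse_pcr_list(pl)) for pl in ("0,2", "0,2,4")}
    scenarios = {
        # Only PCR 4 changes: the 0,2 policy still matches, the 0,2,4 policy does not.
        "boot_manager_update": simulate_boot(b"FW-1.0", b"OPROM-A", b"BOOTMGR-2021"),
        # PCR 0 changes: both policies stop matching and autologon needs re-enrolment.
        "firmware_update": simulate_boot(b"FW-1.1", b"OPROM-A", b"BOOTMGR-2020"),
    }
    return {
        name: {pl: unseal_allowed(policies[pl], pcrs, pl) for pl in policies}
        for name, pcrs in scenarios.items()
    }


if __name__ == "__main__":
    for scenario, outcome in evaluate_update_scenarios().items():
        print(scenario, outcome)
```

The model shows the trade-off in the new default: with 0,2 the sealed secret survives a boot manager update, which is operationally convenient, but a modified boot manager is no longer a condition the TPM checks before releasing it; a firmware change still invalidates both lists.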

Management Agent

  • Support for assigning a policy group to client computers at install time. You can use the Management Agent – Communication policy page to assign a policy group to client computers at install time. Previously, assigning a policy group required an administrator to manually move client computers from the SEE Managed Computers group to another group; an organization with many comparable client computers had to move all of them by hand. Assigning a native policy group at install time lets the administrator quickly place client computers in a specified group for a rapid deployment. However, if a computer is already assigned to a particular group, it remains in that group after an upgrade and is not moved to the policy group selected when the client install-time policy was created.
  • Support for restricting the uninstallation of Symantec Endpoint Encryption clients to an Active Directory group. A Management Agent advanced setting lets you specify an Active Directory group whose members can uninstall a standalone Removable Media Encryption client from end-user systems. Previously, a client administrator could uninstall a Removable Media Encryption client only if Drive Encryption was also installed on the same system, and a standalone Removable Media Encryption client could never be uninstalled. The existing Do not allow users to uninstall the product policy option has been removed from the Removable Media Encryption – Access and Encryption policy page. Members of the Active Directory group can also uninstall a standalone Drive Encryption or Symantec Endpoint Encryption for BitLocker client from end-user systems. Only members of the specified Active Directory group can uninstall these Symantec Endpoint Encryption clients; other users, including Windows administrators, cannot. However, if you do not specify an Active Directory group in the advanced setting, any user with local admin rights can uninstall the Symantec Endpoint Encryption clients, so leaving the setting empty is effectively the permissive configuration. This Advanced Settings policy can be enabled as an install-time setting, GPO, or native policy.

Removable Media Encryption

  • Support for manual check-in button for Removable Media Encryption. A standalone Removable Media Encryption user can manually communicate with the server by clicking the Check In button. This attempts to establish a client-server connection between the Removable Media Encryption client computer and Symantec Endpoint Encryption Management Server. When the client-server communication is successful, the native policy is applied on the client and the client status is sent to the server. Previously, manually checking in with the server was available for Drive Encryption and Symantec Endpoint Encryption for BitLocker users. A standalone Removable Media Encryption user was not able to manually check in with the server. All the Symantec Endpoint Encryption clients can manually communicate with the server through the common Agent – Status page.

Symantec Endpoint Encryption Management Server

  • Support for client monitor and admin server roles reports. You can view the summary of the client-monitor status for the client computers and admin server roles details on the Symantec Endpoint Encryption Management Server console through the following reports.
    • Client Monitor Report – Displays the records of the client computers that have Drive Encryption – Client Monitor policy enabled and displays their client monitor status.
    • Admin Server Roles Report – Displays the records of the administrators and their configured roles, such as server, setup, report, policy and helpdesk. These administrators are assigned the server roles through the Symantec Endpoint Encryption Configuration Manager console.

Symantec Endpoint Encryption client

  • Access to Symantec Endpoint Encryption client help online at Tech Docs Portal

Fixed issues in Symantec Endpoint Encryption 11.3.1

  • EPG-19426 Users can now successfully use the German (QWERTZ) keyboard layout to authenticate at the preboot authentication screen on Dell Latitude 3400 systems.
  • EPG-19455 The Registration Time field in the Computer Status Report > Associated Users tab correctly displays the date and time when the Symantec Endpoint Encryption Client Administrator was registered on the client computer. In this scenario, the client computers are connected in a domain and are managed through Active Directory.
  • EPG-19469 The Database Access screen now authenticates successfully with an Active Directory user that appears at the 100th or later position in the user list, and Symantec Endpoint Encryption Management Server installs successfully. This applies to a server installed on supported Microsoft Windows Server 2016 that is managed by Microsoft Windows Server 2019.
  • EPG-19550 If Drive Encryption fails due to insufficient space in the Extensible Firmware Interface (EFI) partition, the Drive Encryption service logs now contain an explicit failure message.
  • EPG-19470 When you export a report from the Symantec Endpoint Encryption Management Server to a CSV file, the report is now generated with columns that do not have a leading space, a trailing comma, or a space after each line.
  • EPG-19471 When the Active Directory is synchronized with the Symantec Endpoint Encryption Management Server, then the Last Synchronization field is successfully updated with the latest synchronization date and time on the Symantec Endpoint Encryption Configuration Manager console.
  • EPG-19472 PIV 8.1 smart cards work successfully at preboot authentication on the Dell Latitude E5470s systems.
  • EPG-19473 The status of the Opal v2 compliant drives that are software encrypted by Drive Encryption is correctly displayed on the Symantec Endpoint Encryption Management Server console reports as software encrypted instead of hardware-encrypted.
  • EPG-19475 After full disk decryption of all partitions, the Symantec Endpoint Encryption decryption status is correctly updated in the registry and the partitions are displayed as Not Encrypted in the Symantec Endpoint Encryption Management Agent.
  • EPG-19662 The Change Web Access command runs successfully from the Symantec Endpoint Encryption Management Server even if it has TLS 1.0 and TLS 1.1 disabled.
  • EPG-19982 System boots properly after installing Symantec Endpoint Encryption Removable Media Encryption with Secure Boot enabled and with virtualization-based security running.
  • EPG-20214 When you upgrade the server, you can use a database account that is either a Symantec Endpoint Encryption Management Server database owner or has sysadmin role in the Microsoft SQL authentication dialog. In the releases prior to Symantec Endpoint Encryption 11.3.1, while upgrading the server, it was mandatory to enter the credentials of an account that had the sysadmin role.

Version number: 11.3.1
Release status: Final
Operating systems: Windows 7, Windows 8, Windows 10, Windows Server 2012, Windows Server 2016, Windows Server 2019, macOS
Website: Broadcom
Download: https://www.broadcom.com/mybroadcom/
License type: Paid