Software-update: Symantec Endpoint Encryption 11.3.1

Symantec dat tegenwoordig onderdeel is van Broadcom, heeft in het verleden twee verschillende bedrijven overgenomen die encryptiesoftware ontwikkelden: GuardianEdge en PGP. Symantec bracht de software van deze twee acquisities lange tijd als twee verschillende encryptieproductlijnen uit. De GuardianEdge-lijn werd hernoemd in 'Endpoint Encryption' en de PGP-lijn werd hernoemd in 'Encryption Desktop', samen met 'Encryption Management Server'. Voor een buitenstaander was het verwarrend dat één bedrijf twee verschillende encryptieproducten uitbracht die met elkaar concurreerden en die niet met elkaar konden samenwerken. Daaraan is met de uitgave van Endpoint Encryption 11 in 2014 grotendeels een einde gekomen. Aangezien er geen makkelijke weg is om te upgraden van SED en SEMS naar SEE, worden er nog maintenancepacks uitgebracht voor de oude PGP-lijn. De ontwikkeling van nieuwe functies wordt echter alleen gericht op de gefuseerde Endpoint Encryption-lijn. Het ontwikkelteam heeft Endpoint Encryption versie 11.3.1 uitgebracht, met de volgende lijst veranderingen:

What's new in Symantec Endpoint Encryption 11.3.1

Platform certifications

• Added support for Microsoft Windows 10 Enterprise October 2020 Update (version 20H2)
• Added compatibility with the following operating system for Symantec Endpoint Encryption for FileVault and Removable Media Access Utility: macOS 11.0.x (Big Sur)

Drive Encryption

• Support for DMA. Symantec Endpoint Encryption Drive Encryption is now compatible with Direct Memory Access (DMA) enabled systems.
• Enhancements for Drive Encryption Autologon. Enabling autologon for a client computer is now part of the Drive Encryption installer. The support for generating a separate Autologon MSI using the Autologon snap-in is removed from the Symantec Endpoint Encryption Management Server console. There is now a compact Drive Encryption MSI installer that combines the autologon policies along with the Drive Encryption policies. You can disable the autologon completely through the install-time Do not use Autologon policy option from the Drive Encryption - Autologon page. In this case, you cannot enable autologon on the client computers even through Drive Encryption Administrator Command Line or using policies. To enable autologon in such a case, you need to uninstall the client and install again with the Do not use Autologon policy option deselected. To better manage the use of Trusted Platform Module (TPM), the TPM settings for autologon are added to the Drive Encryption - Autologon native and GPO policies. The default TPM PCR values are updated to 0,2 in the de.autoLogon.pcrList field on the Management Agent - Advanced Settings page. In the earlier releases, these default values were 0,2,4. When you upgrade to Symantec Endpoint Encryption version 11.3.1, the default value of TPM PCR in all native and GPO policies will be 0,2. The Autologon Status report is added on the Symantec Endpoint Encryption Management Server console to display the status of autologon on the client computers.
• Support for single sign-on with hibernation. A Management Agent advanced setting lets you enable single sign-on when resumed from hibernation on a client computer. This setting comes into effect only when the Drive Encryption – Single Sign-On policy option is enabled. If single sign-on with hibernation is enabled, then after resume from hibernation, a user is automatically logged on to Windows after the user authenticates with Windows credentials at preboot. This Advanced Settings policy can be enabled as an install-time setting, GPO, or native policy. This setting is disabled by default.
• Prompt for user details when using Symantec Endpoint Encryption self-recovery for all users. When the Drive Encryption - Self-Recovery feature for recovery at the preboot authentication screen is used, users are now prompted to enter their user name and their domain details before answering preconfigured security questions for authentication. This feature is applicable for all types of users, including token and smart card users. This feature is applicable for UEFI boot mode only.

Management Agent

• Support for ability to assign a policy group to client computers at install-time. You can use the Management Agent - Communication policy page to assign a policy group to client computers at install-time. Previously, assigning a policy group to client computers required an administrator to manually move client computers from a SEE Managed Computer group to another group. An organization could have comparable client computers, which required an administrator to manually move all of them to the required groups. Assigning a native policy group at install-time lets the administrator to quickly assign client computers to a specified group for a rapid deployment. However, if a computer is already assigned to a particular group, then after upgrade this computer will continue to be assigned to the same group. This computer will not be assigned to the policy group selected while creating the client install-time policy.
• Support to restrict the uninstallation of Symantec Endpoint Encryption clients to Active Director group. A Management Agent advanced setting lets you specify an Active Directory group whose members can uninstall a standalone Removable Media Encryption client from end-user systems. Earlier a client administrator could uninstall a Removable Media Encryption client only if Drive Encryption was also installed on the same system. A standalone Removable Media Encryption client could never be uninstalled. The existing Do not allow users to uninstall the product policy option is removed from the Removable Media Encryption - Access and Encryption policy page. Along with Removable Media Encryption, the members of the Active Directory group can uninstall a standalone Drive Encryption or Symantec Endpoint Encryption for BitLocker client from end-user systems. Only the members of the specified Active Directory group can uninstall these Symantec Endpoint Encryption clients. Other users, such as Windows administrators, cannot uninstall the Symantec Endpoint Encryption clients. However, if you do not specify an active directory group in the advanced setting, then any user having local admin rights can uninstall the Symantec Endpoint Encryption clients. This Advanced Settings policy can be enabled as an install-time setting, GPO, or native policy.

Removable Media Encryption

• Support for manual check-in button for Removable Media Encryption. A standalone Removable Media Encryption user can manually communicate with the server by clicking the Check In button. This attempts to establish a client-server connection between the Removable Media Encryption client computer and Symantec Endpoint Encryption Management Server. When the client-server communication is successful, the native policy is applied on the client and the client status is sent to the server. Previously, manually checking in with the server was available for Drive Encryption and Symantec Endpoint Encryption for BitLocker users. A standalone Removable Media Encryption user was not able to manually check in with the server. All the Symantec Endpoint Encryption clients can manually communicate with the server through the common Agent - Status page.

Symantec Endpoint Encryption Management Server

• Support for client-monitor and admin server roles reports. You can view the summary of the client-monitor status for the client computers and admin server roles details on the Symantec Endpoint Encryption Management Server console through the following reports.
  • Client Monitor Report - Displays the records of the client computers that have Drive Encryption - Client Monitor policy enabled and displays their client monitor status.
  • Admin Server Roles Report - Displays the records of the administrators and their configured roles, such as server, setup, report, policy and helpdesk. These administrators are assigned the server roles through the Symantec Endpoint Encryption Configuration Manager console.

Symantec Endpoint Encryption client

• Access to Symantec Endpoint Encryption client help online at Tech Docs Portal

Fixed issues in Symantec Endpoint Encryption 11.3.1

• EPG-19426 Users can now successfully use the German (QWERTZ) keyboard layout and authenticate at preboot authentication screen on the Dell Latitude 3400 systems.
• EPG-19455 The Registration Time field in the Computer Status Report > Associated Users tab correctly displays the date and time when the Symantec Endpoint Encryption Client Administrator was registered on the client computer. In this scenario, the client computers are connected in a domain and are managed through Active Directory.
• EPG-19469 The Database Access screen is authenticated successfully with Active Directory user at 100th and above position, and Symantec Endpoint Encryption Management Server is successfully installed. This server is installed on supported Microsoft Windows Server 2016 that is managed by Microsoft Windows Server 2019.
• EPG-19550 If the Drive Encryption fails due to insufficient space in an Extensible Firmware Interface (EFI) partition, then the Drive Encryption service logs now contains an explicit failure message.
• EPG-19470 When you export a report from the Symantec Endpoint Encryption Management Server to a CSV file, the report is successfully generated with the columns that not have a leading space, a trailing comma, and a space after each line.
• EPG-19471 When the Active Directory is synchronized with the Symantec Endpoint Encryption Management Server, then the Last Synchronization field is successfully updated with the latest synchronization date and time on the Symantec Endpoint Encryption Configuration Manager console.
• EPG-19472 PIV 8.1 smart cards work successfully at preboot authentication on the Dell Latitude E5470s systems.
• EPG-19473 The status of the Opal v2 compliant drives that are software encrypted by Drive Encryption is correctly displayed on the Symantec Endpoint Encryption Management Server console reports as software encrypted instead of hardware-encrypted.
• EPG-19475 After full disk decryption of all partitions, the Symantec Endpoint Encryption decryption status is correctly updated in the registry and their status is displayed as Not Encrypted on the Symantec Endpoint Encryption Management Agent.
• EPG-19662 The Change Web Access command runs successfully from the Symantec Endpoint Encryption Management Server even if it has TLS 1.0 and TLS 1.1 disabled.
• EPG-19982 System boots properly after installing Symantec Endpoint Encryption Removable Media Encryption with Secure Boot enabled and with virtualization-based security running.
• EPG-20214 When you upgrade the server, you can use a database account that is either a Symantec Endpoint Encryption Management Server database owner or has sysadmin role in the Microsoft SQL authentication dialog. In the releases prior to Symantec Endpoint Encryption 11.3.1, while upgrading the server, it was mandatory to enter the credentials of an account that had the sysadmin role.