
Symantec Endpoint Encryption

Removable Storage

Policy Administrator Guide


Version 8.2.1

Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are
trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.
GuardianEdge and Authenti-Check are either trademarks or registered trademarks of GuardianEdge
Technologies Inc. (now part of Symantec). Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any
form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES
IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in
FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer
Software - Restricted Rights” and DFARS 227.7202, et seq. “Commercial Computer Software and
Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use,
modification, reproduction release, performance, display or disclosure of the Licensed Software and
Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Contents

Chapter 1 Introduction
Overview
Directory Service Synchronization
Active Directory and Native Policies
Manager Console
Basics
Database Access
Endpoint Containers
Basics
Active Directory/Novell eDirectory Computers
Symantec Endpoint Encryption Managed Computers
Deleted Computers
Symantec Endpoint Encryption Roles
Policy Administrators
Client Administrators

Chapter 2 Reporting
Overview
Basics
Client Computers Data Available from Users and Computers and Basic Reports
Basics
Main Window
Computer Info Tab
Framework Tab
Full Disk Tab
Removable Storage Tab
Associated Users Tab
Fixed Drives Tab
Server Commands Tab
Directory Services Synchronization Data
Admin Log Data
Client Events Data
Device Exemptions Report Data
Server Commands Data
Command History, Decrypt Drive, and Encrypt Drive Snap-Ins
Symantec Endpoint Encryption Users and Computers
Symantec Endpoint Encryption Reports
Basics
Active Directory Forests Synchronization Status
Client Events
Computer Status Report
Computers not Encrypting to Removable Storage
Computers with Decrypted Drives
Computers with Expired Certificates
Computers with Specified Users
Computers without Full Disk Installed
Computers without Removable Storage Installed
Device Exemptions Report
Framework Deployment
Full Disk Client Deployment
Non-Reporting Computers
Novell eDirectory Synchronization Status
Opal Endpoints
Percentage of Encrypted Endpoints
Removable Storage Client Deployment Report
Removable Storage Details Report
Removable Storage Password Aging Report
Custom Reports
Server Commands
Resultant Set of Policy (RSoP)
Windows System Events

Chapter 3 Policy Creation & Editing
Overview
Active Directory Policies
Native Policies
Policy Options
Client Administrators
Registered Users
Basics
Authentication Method
Registration
Unregistration
Password Authentication
Basics
Password Attempts
Password Complexity
Maximum Password Age
Password History
Minimum Password Age
Token Authentication
Authentication Message
Communication
Single Sign-On
Authenti-Check
One-Time Password
Access and Encryption
Access
Automatic Encryption
On Demand Encryption
Device and File Type Exclusions
Exemption for Multimedia Files
Device Exclusions
Encryption Method
Recovery Certificate
Workgroup Key
Portability
Access Utility
Self-Extracting Executables
Default Passwords
Default Password
Session Default Passwords
Device Session Default Password

Chapter 4 Policy Deployment
Active Directory Policies
Basics
Order of Precedence
Forcing a Policy Update
Basics
Windows XP Clients
Windows 2000 Clients
Native Policies
Basics
Symantec Endpoint Encryption Managed Computer Groups
Basics
Group Creation
Move Computers
Policy Assignment
Order of Precedence
Forcing a Policy Update

Appendix A System Event Logging
Basics
Framework System Events List
Removable Storage System Events List

Appendix B CD/DVD Command Line
Overview
Basics
Prerequisites
Operational Steps
Temporary Data Directory
Command Syntax
Example Command Lines
CD/DVD Errors

Appendix C Authentication Method Changes
Overview
User Experience

Glossary
Index

Chapter 1
Introduction
This chapter includes the following topics:

■ Overview

■ Directory Service Synchronization

■ Active Directory and Native Policies

■ Manager Console

■ Symantec Endpoint Encryption Roles

Overview
Symantec Endpoint Encryption Removable Storage allows organizations to enjoy the benefits of removable
storage devices while eliminating the liability, customer service, and brand erosion costs associated with
data breach incidents. As part of Symantec Endpoint Encryption, Removable Storage leverages existing IT
infrastructures for seamless deployment, administration, and operation.
Removable Storage secures data in one of the following ways:
■ By allowing no access to removable storage devices,
■ By allowing only read access to removable storage devices,
■ By automatically encrypting all files written to or accessed on removable storage devices,
■ By automatically encrypting all files written to removable storage devices,
■ By automatically encrypting files per Symantec Data Loss Prevention for Endpoint,
■ By automatically encrypting data written to CD/DVD media, and/or
■ By encrypting files written to a removable storage device on user demand
Removable Storage enforces access control and encryption policies on devices that use USB or FireWire
ports to attach a file system.
Symantec Endpoint Encryption is comprised of Full Disk, Removable Storage, and Framework. Framework
includes all the functionality that is extensible across Symantec Endpoint Encryption. It allows behavior
that is common to both Removable Storage and Full Disk to be defined in one place, thus avoiding potential
inconsistencies.
The following diagram depicts a sample network configuration of Symantec Endpoint Encryption.

Figure 1-1 Sample Network Configuration
[Diagram: Client Computers, Manager Computer, Management Server, Database Server, Domain Controller (your-org.com), and eDirectory Server (your_tree); labelled connections: SOAP over HTTP, TLS/SSL, LDAP, TDS, and Group Policy.]

The Active Directory domain controller and Symantec Endpoint Encryption Management Server are
required.
Multiple domains, forests, trees, and Symantec Endpoint Encryption Management Servers are supported.
A database server is recommended, but the Symantec Endpoint Encryption database can also reside on the
Symantec Endpoint Encryption Management Server. If a database server is chosen to host the Symantec
Endpoint Encryption database, the database server can be located inside or outside of Active Directory.
The Manager Console can be installed on multiple Manager Computers. It can also be installed on the
Symantec Endpoint Encryption Management Server. It must reside on a computer that is a member of
Active Directory.
The Novell eDirectory tree, Active Directory group policy communications, and TLS/SSL encryption are
optional.

Directory Service Synchronization


Synchronization with Active Directory and/or Novell eDirectory is an optional feature. If enabled, then the
Symantec Endpoint Encryption Management Server will obtain the organizational hierarchy of the
specified forest, domain, and/or tree and store this information in the Symantec Endpoint Encryption
database. It also keeps this information up to date. This improves performance during Client Computer
communications with the Management Server, as the Management Server will be able to identify the Client
Computer without having to query the Active Directory domain controller and/or the Novell eDirectory
server.
When you open the Manager Console, you will have your Active Directory and/or Novell endpoints
organized just the way that they are in the directory service, easing your deployment activities.
In addition, you will have records of computers that reside in the designated forest, domain, or tree, even if
these computers do not have any Symantec Endpoint Encryption products installed and/or have never
checked in with the Management Server. This will allow you to run reports to assess the success of a given
deployment and gauge the risk that your organization may face due to unprotected endpoints.
The timing of the synchronization event differs according to the directory service. Whereas Novell informs
the Management Server of any changes that may occur, the Management Server needs to contact Active
Directory to obtain the latest information. Synchronization with Active Directory is set to occur once every
fifteen minutes.

Active Directory and Native Policies


Active Directory policies are designed for deployment to the users and computers residing within your
Active Directory forest/domain. Active Directory policies can be created and deployed whether
synchronization with Active Directory is enabled or not.
Native policies are designed for deployment to computers that are not managed by Active Directory. Should
you wish to deploy native policies to computers that are managed by Active Directory, you must turn
synchronization with Active Directory off.
The following table itemizes the differences between Active Directory and native policies.

Table 1-1 Active Directory and Native Policies Compared

| Active Directory Policies | Native Policies |
|---|---|
| Certain policies are deployed to users and others are deployed to computers. | Policies can only be applied to computers. |
| Policies applied in Local, Site, Domain, OU (LSDOU) order of precedence. | Policies are applied in Computer, Subgroup, Group (CSG) order of precedence. |
| Single pane policy creation/deployment. | Each pane must be visited when creating the policy. |
| Policies are obtained from the domain controller and applied at each reboot. | Policies are applied when the client checks in with the Symantec Endpoint Encryption Management Server. |
| An immediate policy update can be forced using the gpupdate /force or secedit command. | An immediate policy update can be forced by clicking Check In Now from the User Client Console. |

Manager Console
Basics
The Manager Console contains the following Symantec Endpoint Encryption snap-ins:
■ Symantec Endpoint Encryption Management Password—is not relevant to Removable Storage.
■ Symantec Endpoint Encryption Software Setup—is used to create client installation packages.
■ Symantec Endpoint Encryption Native Policy Manager—escorts you through the process of creating a
computer policy for clients not managed by Active Directory, such as Novell and other clients.
■ Symantec Endpoint Encryption Users and Computers—displays the organizational structure of your
Active Directory forest and/or Novell tree; allows you to organize clients not managed by either Active
Directory or Novell into groups.
■ Symantec Endpoint Encryption Reports—includes reports to allow you to obtain endpoint data, Policy
Administrator activity logs, and directory service synchronization configuration. In addition, you will
be able to create your own custom reports.
■ Symantec Endpoint Encryption Server Commands—is not applicable to Removable Storage.
It also contains the following Microsoft snap-ins to help you manage your Active Directory computers:
■ Active Directory Users and Computers—allows you to both view and modify your Active Directory
organizational hierarchy.
■ Group Policy Management—lets you manage group policy objects and launch the Group Policy Object
Editor (GPOE). Within the GPOE you will find Symantec Endpoint Encryption snap-in extensions that
allow you to create and modify Symantec Endpoint Encryption user and computer policies for Active
Directory–managed computers.
Depending on your responsibilities, you may not have access to all of these snap-ins. These restrictions, if
any, will be effected as part of the privileges associated with your Windows account.

Database Access
Your Windows account may have been provisioned with rights to access the Symantec Endpoint
Encryption database. If so, ensure that you are logged on to Windows with this account before launching
the Manager Console.
If you are not logged on to Windows with read and write access to the Symantec Endpoint Encryption
database at the time that you launch the Manager Console, you will be prompted for your SQL or Windows
credentials.

Figure 1-2 SQL Server Logon Prompt

The Server name and Initial catalog fields will contain the information that was provided when this
Manager Console was installed. In general, you should not modify the default contents of these fields.
Circumstances that require you to edit these entries would be unusual, such as the loss of your primary
Symantec Endpoint Encryption database. In such a situation, you could edit the Server name and Initial
catalog fields to connect to a disaster recovery site. The syntax used in the Server name field is as follows:
computer name,port number\instance name
While the NetBIOS name of the server hosting the Symantec Endpoint Encryption database will always be
required, the TCP port number will only be necessary if you are using a custom port, and the instance name
will only be needed if you are using a named instance. The custom port number would need to be preceded
by a comma and the instance name by a backslash.
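
The Server name syntax described above can be checked before a failover entry is typed into the logon prompt. The Python below is an added example, not code from the guide or from Symantec; the host names, port 14330, instance name SEE, and the approved-target list are constructed for illustration, and the 15-character and illegal-character checks are general NetBIOS naming rules rather than rules stated in the guide.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Characters rejected in the computer-name part: those Windows disallows in
# NetBIOS computer names, plus whitespace and the two field separators.
_BAD_COMPUTER_CHARS = set('\\/:*?"<>|, \t')
_NETBIOS_MAX_LEN = 15  # NetBIOS computer names are at most 15 characters

# Constructed, hypothetical list of database targets an administrator may use
# (primary site and disaster recovery site).
APPROVED_TARGETS = ("SEEDB01\\SEE", "SEEDR01,14330\\SEE")


@dataclass(frozen=True)
class ServerName:
    computer: str                   # NetBIOS name, always required
    port: Optional[int] = None      # only for a custom TCP port
    instance: Optional[str] = None  # only for a named instance


def parse_server_name(value: str) -> ServerName:
    """Parse 'computer name,port number\\instance name' as the guide defines it."""
    text = value.strip()
    # The instance name, if any, is everything after the first backslash.
    head, slash, instance = text.partition("\\")
    if slash:
        if not instance:
            raise ValueError("backslash present but instance name is empty")
        if any(c in "\\," or c.isspace() for c in instance):
            raise ValueError("instance name contains a separator or whitespace "
                             "(the port must come before the backslash)")
    # The port, if any, follows a comma directly after the computer name.
    computer, comma, port_text = head.partition(",")
    port = None
    if comma:
        if not re.fullmatch(r"[0-9]{1,5}", port_text):
            raise ValueError("port must be a decimal number right after the comma")
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range 1-65535")
    if not computer:
        raise ValueError("computer name is required")
    if len(computer) > _NETBIOS_MAX_LEN:
        raise ValueError("not a NetBIOS name: longer than 15 characters")
    if any(c in _BAD_COMPUTER_CHARS for c in computer):
        raise ValueError("computer name contains an illegal character")
    return ServerName(computer, port, instance if slash else None)


def format_server_name(name: ServerName) -> str:
    """Rebuild the field value in the order the guide gives."""
    out = name.computer
    if name.port is not None:
        out += "," + str(name.port)
    if name.instance is not None:
        out += "\\" + name.instance
    return out


def _key(name: ServerName):
    # Computer and instance names are compared case-insensitively.
    return (name.computer.upper(), name.port, (name.instance or "").upper())


def is_approved(value: str, approved: Iterable[str] = APPROVED_TARGETS) -> bool:
    """True only if value parses and matches an approved target exactly."""
    try:
        candidate = _key(parse_server_name(value))
    except ValueError:
        return False
    return candidate in {_key(parse_server_name(a)) for a in approved}


if __name__ == "__main__":
    for entry in ("SEEDR01,14330\\SEE", "SEEDB01\\SEE,14330", "ROGUE01\\SEE"):
        try:
            parsed = parse_server_name(entry)
            print(entry, "->", parsed, "approved:", is_approved(entry))
        except ValueError as err:
            print(entry, "-> rejected:", err)
```

Checking the edited value against a reviewed list before clicking Connect keeps database credentials from being submitted to a mistyped or unintended server.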
To use a SQL account, select SQL Authentication and type the SQL user name in the User name field.
Otherwise, select Windows Authentication and type the Windows account name in NetBIOS format in the
User name field. Type the account password in the Password field. Click Connect to authenticate.
If you don’t wish to authenticate to the Symantec Endpoint Encryption database at this time, click Cancel.
You may receive one or more error messages following cancellation. You will receive additional prompts
upon attempting to access the individual Symantec Endpoint Encryption snap-ins in the console.

Endpoint Containers

Basics
The Symantec Endpoint Encryption Manager will place each endpoint into one or more of the following
containers:
■ Active Directory Computers,
■ Novell eDirectory Computers, or
■ Symantec Endpoint Encryption Managed Computers.

Active Directory/Novell eDirectory Computers


No computers will be placed in the Active Directory Computers or Novell eDirectory Computers containers
unless synchronization with the directory service is enabled.
If synchronization with Active Directory is enabled, the Active Directory Computers container will be
populated with the computers in the Active Directory forest/domain. If synchronization with Novell is
enabled, the Novell eDirectory Computers container will hold the computers in the Novell tree. If
synchronization with both directory services is enabled and the computer is managed by both, it will
appear in both containers. Computer and user objects located within the Active Directory and/or Novell
containers cannot be moved or modified with Symantec Endpoint Encryption snap-ins.

Symantec Endpoint Encryption Managed Computers


Computers located within the Active Directory Computers and/or Novell eDirectory Computers containers
will not be shown in the Symantec Endpoint Encryption Managed Computers container.
Only computers that have checked in with the Management Server will be shown in the Symantec Endpoint
Encryption Managed Computers container. Whether a computer is placed in the Symantec Endpoint
Encryption Managed Computers container or not following check in will vary depending on whether
synchronization is enabled or not.
■ If synchronization is not enabled, all Client Computers that have checked in will be placed in the
Symantec Endpoint Encryption Managed Computers container.
■ If synchronization is enabled, only Client Computers that have checked in that do not reside within the
designated Active Directory forest/domain and/or Novell tree will be placed in the Symantec Endpoint
Encryption Managed Computers container.
Computers located within the Symantec Endpoint Encryption Managed Computers container should be
grouped into the organizational structure that you desire.

Deleted Computers
The Deleted Computers container stores Symantec Endpoint Encryption–managed computers that have
been deleted, allowing you to restore the computer and revert its deletion.
Symantec Endpoint Encryption–managed computers will remain in the Manager Console even after the
client-side software has been uninstalled. To complete the uninstallation of a Symantec Endpoint
Encryption–managed computer, locate the computer within the Symantec Endpoint Encryption Managed
Computers container. Right-click the computer and select Delete. The computer will be removed from the
Symantec Endpoint Encryption Managed Computers container and placed in the Deleted Computers
container.
Should you fail to delete the computer from the Symantec Endpoint Encryption Managed Computers
container following uninstallation and then reinstall, you will find two computers with the same name in
the Symantec Endpoint Encryption Managed Computers container. Locate the computer with the older last
check-in date, right-click it, and select Delete.

Symantec Endpoint Encryption Roles


Policy Administrators
As the Policy Administrator, you perform centralized administration of Symantec Endpoint Encryption.
Using the Manager Console and the Manager Computer, you perform one or more of the following tasks:
■ Update and set client policies.
■ Issue server-based commands to encrypt or decrypt drives on fixed disks that are not Opal-compliant.
■ Run reports.
■ Change the Management Password.

Client Administrators
Client Administrators provide local support to Symantec Endpoint Encryption users.
Client Administrator accounts are created and maintained from the Symantec Endpoint Encryption
Manager. Client Administrator accounts are managed entirely by Symantec Endpoint Encryption,
independent of operating system or directory service, allowing Client Administrators to support a wide
range of users.
Client Administrator passwords are managed from the Manager Console and cannot be changed at the
Client Computer. This single-source password management allows Client Administrators to remember only
one password as they move among many Client Computers.
Client Administrators may be configured to authenticate with either a password or a token.
Each Client Administrator account can be assigned an administrative privilege allowing them to unregister
users. Other administrative privileges assigned to the Client Administrator account will be ignored by
Removable Storage.
Client Administrators should be trusted in accordance with their assigned level of privilege.
The Client Administrator is also responsible for recovering Removable Storage–encrypted files when the
user has forgotten their password and a Recovery Certificate was used. This responsibility is not controlled
by privilege.
Each Client Computer must have one default Client Administrator account. The default Client
Administrator account has all administrative privileges and authenticates using a password. Up to 1024
total Client Administrator accounts can exist on each Client Computer.
Chapter 2
Reporting
This chapter includes the following topics:

■ Overview

■ Symantec Endpoint Encryption Users and Computers

■ Symantec Endpoint Encryption Reports

■ Server Commands

■ Resultant Set of Policy (RSoP)

■ Windows System Events

Overview
Basics
The Manager Console reporting tools allow you to obtain information about:
■ Client Computers
■ Policy Administrator activities
■ Directory service synchronization

Client Computers Data Available from Users and Computers and Basic Reports

Basics
At the time that a Client Computer succeeds in checking in with the Symantec Endpoint Encryption
Management Server, it sends information about itself that is stored in the Symantec Endpoint Encryption
database. This section discusses the data available about Client Computers from the following:
■ “Symantec Endpoint Encryption Users and Computers” on page 16;
■ “Computer Status Report” on page 16;
■ “Computers not Encrypting to Removable Storage” on page 16;
■ “Computers with Decrypted Drives” on page 17;
■ “Computers with Expired Certificates” on page 17;
■ “Computers with Specified Users” on page 17;
■ “Computers without Full Disk Installed” on page 17;
■ “Computers without Removable Storage Installed” on page 17; and
■ “Non-Reporting Computers” on page 18.

Basic data is shown in the main window and you can double-click a record of interest or right-click it and
select Show Selection to obtain further details.

Note: If Active Directory and/or Novell synchronization is enabled, you will be able to obtain the computer
names and directory service location of any computer located on your forest(s), domain(s), and/or tree(s)—
even if it has never checked in with the Management Server. While only the computer name and directory
service location of these machines will be available, the absence of additional data will allow you to identify
computers that are unprotected or have not checked in.

Main Window
The following table itemizes the data available about Client Computers from the main window. Columns
that will be displayed but not populated by Removable Storage are identified as not applicable (N/A).

Table 2-1 Client Computer Data Available from Users and Computers and Basic Reports

Column Heading: Computer name
Data Displayed: computer name
Explanation: Computer name

Column Heading: Group name*
Data Displayed: group name
Explanation: Location of the computer within Symantec Endpoint Encryption Users and Computers

Column Heading: Last Check-In
Data Displayed: date time
Explanation: The date and time of the last connection that the Client Computer made with the Management Server

Column Heading: Decrypted
Data Displayed: N/A
Explanation: N/A

Column Heading: Decrypting
Data Displayed: N/A
Explanation: N/A

Column Heading: Encrypted
Data Displayed: N/A
Explanation: N/A

Column Heading: Encrypting
Data Displayed: N/A
Explanation: N/A

Column Heading: Drive Encryption Service
Data Displayed: N/A
Explanation: N/A

Column Heading: RS Device Access Control*
Data Displayed: No access|Read|Read/write
Explanation: The access policy currently being enforced by Removable Storage

Column Heading: RS Encryption Policy
Data Displayed: All files|New files|CD/DVD only|User choice|DLP determined|Write unencrypted
Explanation: The encryption policy currently being enforced by Removable Storage

Column Heading: RS Encryption Method†
Data Displayed: Password|Certificate|Password and/or certificate
Explanation: The encryption method(s) currently allowed by Removable Storage

Column Heading: RS On-Demand Encryption
Data Displayed: Encrypt|Decrypt|Encrypt/Decrypt|Not enabled
Explanation: The on demand encryption policy currently being enforced by Removable Storage

Column Heading: RS Device Exclusion**
Data Displayed: Not Enabled|
Explanation: If no devices are excluded from automatic encryption, Not Enabled will be displayed.

Column Heading: RS Access Utility*
Data Displayed: Do not copy|Copy Windows and Mac OS X|Copy Windows|Copy Mac OS X
Explanation: If no Removable Storage Access Utility will be copied, Do not copy will be displayed. If the Removable Storage Access Utility for Windows and the Removable Storage Access Utility for Mac OS X are being copied automatically to removable media, Copy Windows and Mac OS X will be displayed. If the Removable Storage Access Utility for Windows is being copied, Copy Windows will be displayed. If the Removable Storage Access Utility for Mac OS X is being copied, Copy Mac OS X will be displayed.

Column Heading: RS Self-Extracting Archives*
Data Displayed: Allow|Do not allow
Explanation: Allow will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; Do not allow if the user does not.

* Shown only in the Computer Status Report.
† Not shown in the Computer Status Report.
‡ Not shown in the Computers with Specified Users report.
** Not shown in the Computer Status Report or the Computers with Specified Users report.

Computer Info Tab


After double-clicking the record of interest or right-clicking it and selecting Show Selection, the data in the
following table will be available from the Computer Info tab.

Table 2-2 Client Computer Data Available from Computer Info Tab

Column Heading: Group
Data Displayed: group name
Explanation: Location of the computer within Symantec Endpoint Encryption Users and Computers

Column Heading: OS
Data Displayed: operating system name
Explanation: The name of the installed operating system

Column Heading: OS Type
Data Displayed: 32-bit|64-bit
Explanation: The number of bits of memory supported by the installed operating system

Column Heading: Serial Number
Data Displayed: serial number
Explanation: The System Management BIOS (SMBIOS) serial number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank.

Column Heading: Asset Tag
Data Displayed: asset tag
Explanation: The System Management BIOS (SMBIOS) asset tag from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank.

Column Heading: Part Number
Data Displayed: part number
Explanation: The System Management BIOS (SMBIOS) part number from WMI_SystemEnclosure class. If the data does not exist on the client, the value will be blank.

Framework Tab
After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in
the following table will be available from the Framework tab.

Table 2-3 Client Computer Data Available from Framework Tab

Column Heading: FR Version
Data Displayed: n.n.n
Explanation: The three digit version number of Framework that is currently installed

Column Heading: FR Installation Date
Data Displayed: date time
Explanation: The date and time on which Framework was installed

Column Heading: Last Check-In Time
Data Displayed: date time
Explanation: The date and time of the last connection that the Client Computer made with the Management Server

Column Heading: SSL Certificate Expiration Date
Data Displayed: date time
Explanation: The date and time of the client-side TLS/SSL certificate’s expiration

Column Heading: FR Build Number
Data Displayed: major build number.minor build number.patch number.1
Explanation: The major build number, minor build number, and patch number of Framework. The final digit will always be 1.

Full Disk Tab


The Full Disk tab is not applicable to Removable Storage.

Removable Storage Tab


After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in
the following table will be available from the Removable Storage tab.

Table 2-4 Client Computer Data Available from Removable Storage Tab

Column Heading: RS Device Access Control
Data Displayed: No access|Read|Read/write
Explanation: The access policy currently being enforced by Removable Storage

Column Heading: RS Encryption Policy
Data Displayed: No Encryption|New files|New and Existing files|CD/DVD only|User choice|DLP determined
Explanation: The encryption policy currently being enforced by Removable Storage

Column Heading: RS On-Demand Encryption
Data Displayed: Enabled|Encrypt|Decrypt|Encrypt/Decrypt|Not enabled
Explanation: The on demand encryption policy currently being enforced by Removable Storage

Column Heading: RS Encryption Method
Data Displayed: Password|Certificate|Password and/or certificate
Explanation: The encryption method(s) currently allowed by Removable Storage

Column Heading: RS Exempted File Types
Data Displayed: Audio|Video|Image|Not enabled
Explanation: If one or more multimedia groups is exempted from mandatory encryption, the name of the group will be displayed. See the User Guide for an itemization of the file types that belong to each group.

Column Heading: RS Device Exclusions
Data Displayed: Enabled|Not enabled
Explanation: If one or more devices are being excluded from encryption, Enabled will be displayed. If not, Not Enabled will be displayed.

Column Heading: RS Recovery Certificate
Data Displayed: serial number|Not Enabled
Explanation: If a Recovery Certificate is in effect on the Client Computer, the serial number of the Recovery Certificate will be displayed. Otherwise, Not Enabled will be displayed.

Column Heading: RS Workgroup Key
Data Displayed: Enabled|Not Enabled
Explanation: If a group key is in use, Enabled will be displayed. If not, Not Enabled will be displayed.

Column Heading: RS Passwords
Data Displayed: Default|Session default|Device|None
Explanation: If users are allowed to set a Default Password, Default will be displayed. If users are allowed to set Session Default Passwords, Session default will be displayed. If users are allowed to set a Device Session Default Password, Device will be displayed. If users are not allowed to set a Default password, Session Default passwords, or a Device Session Default Password, None will be displayed.

Column Heading: RS Default Password Aging
Data Displayed: Enabled|Not enabled
Explanation: If password aging is being applied to Default Passwords, Enabled will be displayed. If not, Not Enabled will be displayed.

Column Heading: RS Session Default Password Aging
Data Displayed: Delete|Deactivate after win session|Enabled|Not Enabled
Explanation: The session default password column can have these values:
■ Delete. Session Default Passwords are deleted at the end of each Windows session.
■ Deactivate after win session. Session Default Passwords are deactivated at the end of every Windows session, but can persist across every Windows session.
■ Enabled. Password aging is applied to Session Default Passwords.
■ Not Enabled. Users are not allowed to set aging properties for Session Default Passwords.

Column Heading: RS Access Utility
Data Displayed: Do not copy|Copy Windows and Mac OS X|Copy Windows|Copy Mac OS X
Explanation: If the Removable Storage Access Utility for Windows and the Removable Storage Access Utility for Mac OS X are being copied automatically to removable media, Copy Windows and Mac OS X will be displayed. If the Removable Storage Access Utility for Windows is being copied, Copy Windows will be displayed. If the Removable Storage Access Utility for Mac OS X will be copied, Copy Mac OS X will be displayed. If no Removable Storage Access Utility will be copied, Do not copy will be displayed.

Column Heading: RS Self-Extracting Archives
Data Displayed: Allow|Do not allow
Explanation: Allow will be displayed if the user has the option to save file(s)/folder(s) to a self-extracting executable; Do not allow if the user does not.

Column Heading: RS Version
Data Displayed: n.n.n
Explanation: The three digit version number of Removable Storage that is currently installed

Column Heading: RS Build Number
Data Displayed: major build number.minor build number.patch number.1
Explanation: The major build number, minor build number, and patch number of Removable Storage. The final digit will always be 1.

Column Heading: RS Last Upgrade Date
Data Displayed: date time
Explanation: The date and time on which Removable Storage was last installed or upgraded

Column Heading: RS Installation Version
Data Displayed: date time ; n.n.n
Explanation: The date and time on which Removable Storage was originally installed, as well as the three digit version number of Removable Storage that was originally installed

Associated Users Tab


After double-clicking on a record of interest or right-clicking it and selecting Show Selection, the data in
the following table will be available from the Associated Users tab for Windows endpoints. The Associated
Users tab will contain one row of data per registered user or Client Administrator on the Windows Client
Computer.

Table 2-5 Client Computer Data Available from Associated Users Tab

Column Heading: User Name
Data Displayed: user name
Explanation: The user name of the registered user or Client Administrator account

Column Heading: User Type
Data Displayed: Reg User|Client Admin
Explanation: If the account is that of a registered user, Reg User will be displayed. If the account is that of a Client Administrator, Client Admin will be displayed.

Column Heading: Authentication Method
Data Displayed: Password|Token|Password and Token|Unauthenticated
Explanation: If the user or Client Administrator uses a password to authenticate, Password will be displayed. If the user or Client Administrator uses a token to authenticate, Token will be displayed. If this is a user and the user has the option to register both a password and a token, Password and Token will be displayed. If the Client Computer has been configured to use automatic authentication, Unauthenticated will be displayed.

Column Heading: User Domain
Data Displayed: name of domain or tree|computer name
Explanation: If the computer is joined to a domain or a part of a Novell tree, the name of the domain or tree will be displayed. If the computer does not belong to either directory service, the name of the computer will be displayed. For Client Administrators, this cell will be blank.

Column Heading: Last Logon Time
Data Displayed: date time
Explanation: If a user, the date and time of the last User Client Console logon. If a Client Administrator, the date and time of the last Administrator Client Console logon.

Column Heading: Registration Time
Data Displayed: date time
Explanation: The date and time on which this user registered. If this is a Client Administrator account, the date and time on which the account was created either by MSI or policy update.

Note: If this is a Mac record, no data will be available from the Associated Users tab.

Fixed Drives Tab


The Fixed Drives tab is not applicable to Removable Storage.

Server Commands Tab


The Server Commands tab is not applicable to Removable Storage.

Directory Services Synchronization Data


Your current synchronization parameters are stored in the Symantec Endpoint Encryption database and
can be retrieved using the following Symantec Endpoint Encryption Reports:
■ “Active Directory Forests Synchronization Status” on page 16, and
■ “Novell eDirectory Synchronization Status” on page 18.
One row of data per forest or tree will be listed. The following table identifies the data that will be available
from these reports.

Table 2-6 Directory Services Synchronization Data

Column Heading: Forest/Tree Name
Data Displayed: forest or tree name
Explanation: The name of the forest or tree that you are synchronizing with will be identified in this column.

Column Heading: Administrator Name
Data Displayed: user name
Explanation: The user name that is being used to authenticate to the directory service server of this forest or tree will be provided in this column. This corresponds to the Active Directory or Novell synchronization account.

Column Heading: Administrator Domain*
Data Displayed: domain
Explanation: The Active Directory domain of the Active Directory synchronization account for this forest will be identified.

Column Heading: Last Synchronization
Data Displayed: date time
Explanation: The date and time of the last successful synchronization with this forest or tree will be supplied.

Column Heading: Total Computers
Data Displayed: number
Explanation: The total number of computers in this forest or tree as of the last synchronization will be noted here. This includes all of the computers, not just the Symantec Endpoint Encryption–protected endpoints.

* This column is not shown in the Novell eDirectory Synchronization Status report.

Admin Log Data


Each time the Policy Administrator makes a change using the Manager Console, the action will be logged.
The Admin Log provides a detailed log of all Policy Administrator activities. Log entries can be filtered
according to inclusive date and time, user name, and computer name. The following table identifies the
data that will be available in the Admin Log report.

Table 2-7 Admin Log Data

Column Heading: Date-Time
Data Displayed: date time
Explanation: The date and time on which the activity occurred

Column Heading: User
Data Displayed: domain\user name
Explanation: The Windows domain and user name of the Policy Administrator that initiated the activity

Column Heading: Computer
Data Displayed: computer name
Explanation: The computer name of the Manager Computer from which the activity was initiated

Column Heading: Activity Description
Data Displayed: one of the following entries (no explanation is given for any of them):
■ Changed Symantec Endpoint Encryption management password
■ Created native policy ‘policy name’
■ Renamed native policy ‘old policy name’ to ‘new policy name’
■ Deleted native policy ‘policy name’
■ Edited native policy ‘policy name’
■ Created new Symantec Endpoint Encryption Managed computer group ‘group name’
■ Renamed Symantec Endpoint Encryption Managed computer group ‘old group name’ to ‘new group name’
■ Deleted Symantec Endpoint Encryption Managed computer group ‘group name’
■ Assigned native policy ‘policy name’ to group ‘group name’
■ Unassigned native policy ‘policy name’ from group ‘group name’
■ Changed assigned native policy for group ‘group name’ from native policy ‘old policy name’ to native policy ‘new policy name’
■ Deleted Symantec Endpoint Encryption Managed Computer ‘computer name’
■ Moved Symantec Endpoint Encryption Managed Computer ‘computer name’ from group ‘old group name’ to ‘new group name’
■ Restored Symantec Endpoint Encryption Managed Computer ‘computer name’
■ Exported Recover DAT file for computer ‘computer name’
■ Initiated One-Time Password online method for user ‘user name’ on computer ‘computer name’ Symantec Endpoint Encryption GUID ‘Symantec Endpoint Encryption GUID of computer’
■ Initiated One-Time Password offline method for user ‘user name’
■ Created Framework client installation package ‘MSI package name’
■ Created Full Disk client installation package ‘MSI package name’

* The command ID is an integer that identifies a command. When a command is created, the SQL server increments the
previous command ID by 1. Command ID numbering begins with 1; numbering is not restarted.
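
The Activity Description strings in Table 2-7 are regular enough to review mechanically. The following is an added example, not Symantec code: it scans an exported Admin Log for the activities that release recovery material or remove protection. It assumes the export is CSV with headers matching the Table 2-7 column headings; the choice of which activities count as sensitive and the sample rows are constructed for illustration.

```python
"""Added example: flag sensitive Policy Administrator actions in an Admin Log export."""
import csv
import io
import re
from collections import Counter

# The guide prints object names in curly single quotes; straight quotes are accepted too.
NAME = "['\u2018\u2019](.+?)['\u2018\u2019]"

# Assumption: this selection of "sensitive" activities is the example's, not the guide's.
RULES = [
    ("management-password-change",
     re.compile(r"^Changed Symantec Endpoint Encryption management password$")),
    ("recovery-file-export",
     re.compile(r"^Exported Recover DAT file for computer " + NAME + r"$")),
    ("otp-online",  # the online entry continues with the computer's GUID, so no end anchor
     re.compile(r"^Initiated One-Time Password online method for user " + NAME
                + r" on computer " + NAME)),
    ("otp-offline",
     re.compile(r"^Initiated One-Time Password offline method for user " + NAME + r"$")),
    ("policy-unassigned",
     re.compile(r"^Unassigned native policy " + NAME + r" from group " + NAME + r"$")),
    ("policy-deleted",
     re.compile(r"^Deleted native policy " + NAME + r"$")),
    ("computer-deleted",
     re.compile(r"^Deleted Symantec Endpoint Encryption Managed Computer " + NAME + r"$")),
]

# Constructed sample rows (accounts, computers and policies are made up).
SAMPLE_LOG = r"""Date-Time,User,Computer,Activity Description
2012-11-29 09:01:12,CORP\jdoe,MGR-01,Edited native policy ‘Laptops RS’
2012-11-29 09:05:40,CORP\jdoe,MGR-01,Unassigned native policy ‘Laptops RS’ from group ‘Finance’
2012-11-29 22:47:03,CORP\asmith,MGR-02,Exported Recover DAT file for computer ‘HQ-LT-003’
2012-11-29 22:49:30,CORP\asmith,MGR-02,Initiated One-Time Password offline method for user ‘bwong’
2012-11-30 08:00:00,CORP\jdoe,MGR-01,Created native policy ‘Kiosk RS’
2012-11-30 08:15:00,CORP\asmith,MGR-02,Changed Symantec Endpoint Encryption management password
"""


def flag_sensitive(log_text):
    """Return one dict per log row whose activity matches a rule in RULES."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        activity = (row.get("Activity Description") or "").strip()
        for label, pattern in RULES:
            match = pattern.search(activity)
            if match:
                hits.append({
                    "when": row.get("Date-Time") or "",
                    "admin": row.get("User") or "",
                    "console": row.get("Computer") or "",
                    "rule": label,
                    "objects": list(match.groups()),  # names quoted in the entry
                })
                break
    return hits


def per_admin(hits):
    """Count flagged actions per Policy Administrator account."""
    return Counter(hit["admin"] for hit in hits)


if __name__ == "__main__":
    found = flag_sensitive(SAMPLE_LOG)
    for hit in found:
        print(hit["when"], hit["admin"], hit["rule"], hit["objects"])
    print(dict(per_admin(found)))
```
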

Client Events Data


A subset of the Windows system events from Windows Client Computers will be available from the Client
Events report. The following table identifies the data that will be available in the Client Events report for
Windows endpoints. No client events data for Mac clients will be available.

Table 2-8 Client Log Data

Column Heading: Date-Time
Data Displayed: date time
Explanation: The date and time on which the activity occurred

Column Heading: User
Data Displayed: user name
Explanation: The Windows user name of the user that initiated the activity

Column Heading: Computer Name
Data Displayed: computer name
Explanation: The computer name of the Windows Client Computer on which the event was logged

Column Heading: Event Description
Data Displayed: description text
Explanation: Framework events 4, 6, 8, 11, 14, 15, 16, 18, 19, 21, 124, 183, 184, and 246. Removable Storage event 2096. Refer to Appendix A, “Basics” on page 45 for the text of each event.

Device Exemptions Report Data


The following table details the data available from the Device Exemptions report.

Table 2-9 Device Exemptions Report

Column Heading: Computer Name
Data Displayed: computer name
Explanation: The name of the computer on which devices have been exempted

Column Heading: Last Check-In
Data Displayed: date time
Explanation: The date and time of the last connection that the Client Computer made with the Symantec Endpoint Encryption Management Server

Column Heading: RS Exempted Product ID
Data Displayed: product ID
Explanation: The product ID (PID) of the exempted device

Column Heading: RS Exempted Vendor ID
Data Displayed: vendor ID
Explanation: The vendor ID (VID) of the exempted device

Column Heading: RS Device Memo
Data Displayed: text
Explanation: If a memo was added when the device was exempted, it will be available.

Server Commands Data

Command History, Decrypt Drive, and Encrypt Drive Snap-Ins


Command History, Decrypt Drive, and Encrypt Drive snap-in data is not applicable to Removable Storage.

Note: Commands that are older than 30 days do not appear; they have expired and have been deleted from
the database.

Symantec Endpoint Encryption Users and Computers


The Symantec Endpoint Encryption Users and Computers snap-in allows you to obtain data about a specific
group.
This data can be printed or exported into a comma-delimited format (CSV). This can be useful for
generating reports on a per-group basis.
You might also want to consider your reporting needs when you create your groups (“Symantec Endpoint
Encryption Managed Computer Groups” on page 40).

Symantec Endpoint Encryption Reports


Basics
The Symantec Endpoint Encryption Reports snap-in contains a number of reports that will assist you in
managing your endpoints and your synchronization(s).
After obtaining the data, you can export it into comma-delimited format (CSV) for further manipulations in
the tool of your choice. Alternatively, you can print the report directly from the Manager Console.
Should you choose to print the report, you can choose which columns to include by right-clicking the report
in the console tree and selecting Configure Columns Displayed. Alternatively, select Configure Columns
Displayed from the Action menu.

Active Directory Forests Synchronization Status


The Active Directory Forest Synchronization Status report provides the latest details of your Active
Directory synchronization parameters and status (“Directory Services Synchronization Data” on page 12).

Client Events
The Client Events report provides you with a subset of the events logged on the endpoint (“Client Events
Data” on page 15). Client events can be filtered according to inclusive date and time, user name, and
computer name.

Computer Status Report


The Computer Status Report is used to retrieve the records of specific computers when you know their
computer name. Following deployment of client installation packages, you can use this report to ensure
that each client checks in. Type or paste the computer names in the Enter Computer Names field. Each
should be on a separate line. The % character can be used as a wildcard. Once you have entered the
computer names that you want to retrieve the records of, click Run. To refresh the data, click Run again.

Computers not Encrypting to Removable Storage


The Computers not Encrypting to Removable Storage report will retrieve the records of the following
computers on your network:
■ Did not have Removable Storage installed as of the time of last check-in.
■ Was not protected by a Removable Storage Encrypt all, Encrypt new, or Encrypt to CD/DVD policy as
of the time of last check in.
■ Resides on a forest or tree that is synchronized with the Symantec Endpoint Encryption Management
Server and has not checked in. These clients may or may not be allowing users to write unencrypted
files to removable devices.

Computers with Decrypted Drives


The Computers with Decrypted Drives report will retrieve the records of the following computers on your
network:
■ Had one or more decrypted or decrypting drives and/or partitions as of the time of last check-in.
■ Resides on a forest or tree that is synchronized with the Management Server and has not checked in.
These clients may or may not have a decrypted or decrypting drive or partition.

Computers with Expired Certificates


The Computers with Expired Certificates report will retrieve the records of the clients with client-side TLS/
SSL certificates due to expire within the specified number of days from the current day. Enter the number
of days until expiration in the Days the Certificate Will Expire field and click Run. For example, to see all of
the clients with certificates due to expire within the next ninety days, type 90 in the Days the Certificate
Will Expire field and click Run.

Computers with Specified Users


The Computers with Specified Users report allows you to find out all of the computers that one or more
users have registered on. Type the user names in the Enter User Names field. If you enter more than one
user name, they should be separated by carriage returns. The % wildcard character is supported. Once the
desired report parameters have been entered, click Run.
The records of the computers on which one or more of the specified users has registered will be retrieved
and listed in the report results.

Computers without Full Disk Installed


The Computers without Full Disk Installed report will retrieve the records of the following computers on
your network:
■ Did not have Full Disk installed as of the time of last check-in.
■ Resides on a forest or tree that is synchronized with the Management Server and has not checked in.
These clients may or may not have Full Disk installed.

Computers without Removable Storage Installed


The Computers without Removable Storage Installed report will retrieve the records of the following
computers on your network:
■ Did not have Removable Storage installed as of the time of last check-in.
■ Resides on a forest or tree that is synchronized with the Management Server and has not checked in.
These clients may or may not have Removable Storage installed.

Device Exemptions Report


The Device Exemptions Report allows you to obtain a list of the devices exempted from encryption on a
given computer (“Device Exemptions Report Data” on page 15).

Framework Deployment
The Framework Client Deployment report provides you with a pie chart comparison of the percentage of
computers installed with Framework versus the percentage that are not. You can filter the results based on
date. The numerical breakdown is provided beneath the chart.

Full Disk Client Deployment


The Full Disk Client Deployment report provides you with a pie chart comparison of the percentage of
computers installed with Full Disk versus the percentage that are not. You can filter the results based on
date. The numerical breakdown is provided beneath the chart. Mac clients will not be included in this
report.

Non-Reporting Computers
The Non-Reporting Computers report allows you to obtain a list of computers that have not checked in with
the Symantec Endpoint Encryption Management Server within a specified number of elapsed days. This
report will help you ensure that the data in the Symantec Endpoint Encryption database remains fresh.
Enter the number of elapsed days in the Days Since Last Check-In field and click Run. The records of the
computers on your network that have not checked in with the Symantec Endpoint Encryption Management
Server within the specified number of days will be retrieved and listed.
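
The criteria of the Computers not Encrypting to Removable Storage and Non-Reporting Computers reports can also be applied offline to a CSV export. The following is an added example, not Symantec code. It assumes the export's headers match the Table 2-1 column headings, that Last Check-In is written as YYYY-MM-DD HH:MM:SS, and that the All files, New files and CD/DVD only values correspond to the Encrypt all, Encrypt new and Encrypt to CD/DVD policies; the sample rows are constructed.

```python
"""Added example: triage a CSV export of the Computer Status Report."""
import csv
import io
from datetime import datetime, timedelta

# Assumption: these "RS Encryption Policy" values (Table 2-1) are the ones the
# guide calls Encrypt all, Encrypt new, and Encrypt to CD/DVD.
ENCRYPTING_POLICIES = {"All files", "New files", "CD/DVD only"}

# Assumption: timestamp layout of the "Last Check-In" column in the export.
CHECKIN_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (computer and group names are made up).
SAMPLE_EXPORT = """\
Computer name,Group name,Last Check-In,RS Encryption Policy
HQ-LT-001,Finance,2012-11-28 09:14:02,All files
HQ-LT-002,Finance,2012-11-27 16:40:51,User choice
HQ-LT-003,Sales,2012-09-03 08:02:10,New files
HQ-LT-004,Sales,2012-11-29 11:20:33,
HQ-LT-005,Sales,,
HQ-LT-006,Kiosk,2012-11-29 07:55:00,Write unencrypted
"""


def triage(export_text, now, max_age_days=30):
    """Map each computer that needs attention to the list of reasons why."""
    cutoff = now - timedelta(days=max_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("Computer name") or "").strip()
        if not name:
            continue
        checkin = (row.get("Last Check-In") or "").strip()
        policy = (row.get("RS Encryption Policy") or "").strip()
        reasons = []
        if not checkin:
            # Known only through directory synchronization: name and location
            # are present, but the client has never reported its state.
            reasons.append("never checked in")
        else:
            try:
                last_seen = datetime.strptime(checkin, CHECKIN_FORMAT)
            except ValueError:
                reasons.append("unreadable check-in time: " + checkin)
            else:
                if last_seen < cutoff:
                    reasons.append("stale check-in")
            if not policy:
                reasons.append("no Removable Storage policy reported")
            elif policy not in ENCRYPTING_POLICIES:
                reasons.append("policy does not enforce encryption: " + policy)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    report = triage(SAMPLE_EXPORT, datetime(2012, 11, 30))
    for computer, reasons in report.items():
        print(computer, "->", "; ".join(reasons))
```

A stale row keeps whatever policy value was stored at the last check-in, so a computer can be both stale and apparently protected; the reasons are reported separately for that purpose.
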

Novell eDirectory Synchronization Status


The Novell eDirectory Synchronization Status report provides the latest details of your Novell
synchronization parameters and status.

Opal Endpoints
The Opal Endpoints report will retrieve the records of the following computers on your network:
■ Had Full Disk installed as of the time of last check-in.
■ Uses an Opal-compliant drive as the primary, boot drive.
■ Resides on a forest or tree that is synchronized with the Management Server and has not checked in.

Percentage of Encrypted Endpoints


The Percentage of Encrypted Endpoints report provides you with a pie chart display of the percentage of
computers that are encrypted versus the percentage that are not. The numerical breakdown is provided
beneath the chart. Mac clients will not be included in this report.

Removable Storage Client Deployment Report


The Removable Storage Client Deployment report provides a pie chart comparison of the percentage of
computers installed with Removable Storage versus the percentage that are not. You can filter the results
based on date. The numerical breakdown is provided beneath the chart. Mac clients are not included in this
report.

Removable Storage Details Report


The Removable Storage Details report provides the latest details on the Removable Storage policy settings
for each reporting client.

Removable Storage Password Aging Report


The Removable Storage Password Aging report provides the latest details on password aging settings for
the Removable Storage default passwords and session default passwords.

Custom Reports
The custom reports feature allows you to create your own reports that you can run or edit at a later time.
You can create subfolders to organize your custom reports. Right-click Custom Report and choose New
Report to open the Query Editor. Click Save when you are done and type in a name for the new report.
Specify the filter criteria for your custom report in the three tabs of the Query Editor. For a list of all
possible filter criteria, see “Client Computer Data Available from Users and Computers and Basic Reports”
on page 8.
While only Symantec Endpoint Encryption version numbers will be available in the Client Version area, the
selection of a Symantec Endpoint Encryption version number will result in the retrieval of not only the
records of Client Computers installed with the selected Symantec Endpoint Encryption version, but also the
Client Computers installed with the equivalent GuardianEdge Framework version. For example, if you
select the 7.0.3 check box, the records of 7.0.3 clients will be retrieved—as well as the records of
GuardianEdge Framework 9.3.0 and 9.3.1 clients. If you have GuardianEdge clients, consult the following
table for the full mapping.

Table 2-10 Symantec Endpoint Encryption Version Numbers and Equivalent GuardianEdge Version Numbers

Symantec Endpoint Encryption Version Number    Equivalent GuardianEdge Version Number(s)
7.0.0                                          9.2.0
7.0.1                                          9.2.1
7.0.2                                          9.2.2
7.0.3                                          9.3.0, 9.3.1
7.0.4                                          9.4.0, 9.4.1
7.0.5                                          9.5.0
7.0.6                                          9.5.1, 9.5.1 Patch 1
7.0.7                                          —
7.0.8                                          9.5.3

Server Commands
The Symantec Endpoint Encryption Server Commands snap-in does not apply to Removable Storage.

Resultant Set of Policy (RSoP)


The Group Policy Management snap-in features a reporting facility which allows you to verify that the
Active Directory policies you assigned to Client Computers or users were actually processed as intended.
This report is known as a Resultant Set of Policies (RSoP) or Group Policy Report.

Note: The initial Symantec Endpoint Encryption installation settings as deployed using the Framework
and Removable Storage client MSI packages (even if the MSI packages were deployed as GPOs) will not
appear in the RSoP report. Only the results of Active Directory policy updates will be shown in the RSoP
report.

To generate an RSoP report, perform the following steps:


1 Open the Symantec Endpoint Encryption Manager, and in the left pane, expand Group Policy
Management, then expand Group Policy Results.
2 With the Group Policy Results container selected, right-click and choose Group Policy Results Wizard.
3 The Group Policy Results Wizard launches. Click Next, then select the option Another Computer.
4 Browse to or type the name of the computer for which you wish to generate a Group Policy Report.
5 To view both user and computer policies, select the user whose policies you want to see. If you
are only interested in computer policies, select Do not display user policy settings in the results.
6 Click Next.
7 Click Next at the summary screen, then click Finish.
8 The Group Policy Results snap-in connects to the Client Computer, gathers the policy information into
a report, and displays the information in several tabs of the content pane on the right.
9 Click on the Settings tab of the Group Policy Results window in the pane on the right.
10 This window shows a collapsed view representing all the settings for the user/computer pair you
selected. The view is divided into two sections: one section named Computer Configuration, and
another section beneath it named User Configuration.
11 Within the section named Computer Configuration, locate the subsection named Administrative
Templates.
Symantec Endpoint Encryption uses registry based policies, and any Symantec Endpoint Encryption
computer policies you create and apply will show up within the subsections Computer Configuration,
Administrative Templates, Symantec Endpoint Encryption/Framework, and Computer
Configuration, Administrative Templates, Symantec Endpoint Encryption/Removable Storage.
For user settings, this pattern is mirrored in the User Configuration section of the Group Policy Results
window.
Any level in the report hierarchy can be exported as an HTML file by right-clicking the name (for example,
Symantec Endpoint Encryption/Framework), choosing Save Report, and selecting a target location in
which to save the HTML report.
Some Symantec Endpoint Encryption Active Directory policies create other settings in the client registry
that are shown in the RSoP as Extra Registry Settings. These represent internal registry values used by the
particular Symantec Endpoint Encryption policy and can be ignored.

Windows System Events


All security-related system events are logged on the Symantec Endpoint Encryption Client Computer where
they may be viewed remotely by an administrator using the Windows System Event viewer.

To view Removable Storage–specific system events logged on a specific Windows computer, perform the
following steps:
1 Open a Run dialog from the Windows Start menu.
2 Type eventvwr.msc and click OK.
3 An Event Viewer console window opens showing the events on your local computer.
4 In the navigation pane on the left, right-click the top-level folder named Event Viewer (Local), and
choose Connect to another computer.
5 In the Select Computer dialog, make sure that the Another computer option is selected, then click
Browse.
6 In the Select Computer dialog, type the name of the computer whose events you wish to inspect, and
click OK.
7 In the navigation pane on the left, right-click the item named Application, and choose Connect to
another computer.
8 Choose View and click Filter to open the Application Properties window.
9 From the Event Source drop-down list box, choose Removable Storage Service and click Apply.
10 This filters the event log for that computer to show Removable Storage events. Drag the Application
Properties window away from the Event Viewer window, but leave it open.
11 In the right pane of the Event Viewer window, double-click the top-most event entry to open the Event
Properties window for that event.
The Description field contains information about that particular Removable Storage event. To inspect
other events in the log, use the up and down arrow buttons in the upper right of the Event Properties
window.

Note: To filter out all events other than a desired event, click on the Application Properties window. In the
Event ID field, type the number of the event you are interested in, then click Apply. The Event Viewer
window will update and filter out all event IDs other than the one you specified. Full Disk System events
generated in Windows log the user account information associated with that event in the User field of the
Event Properties window, while Full Disk events generated in the pre-Windows environment log the user
account information in the Description field of the Event Properties window.

For a complete list of all Symantec Endpoint Encryption–specific system events, their event code numbers,
and descriptions of the events, refer to “System Event Logging” on page 45.
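
The Event Viewer steps above can also be run from PowerShell against one or more Client Computers. This is an added example, not part of the Symantec guide or product; the function name, the computer name and the time window are assumptions, and the event IDs themselves come from the “System Event Logging” list.

```powershell
# Added example: read Removable Storage events from the Application log of
# remote Client Computers. Function name and defaults are hypothetical.
function Get-RemovableStorageEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [int[]]$EventId,                              # optional: only these event IDs
        [datetime]$After = (Get-Date).AddDays(-7),    # assumed default window
        [int]$MaxEvents = 200
    )

    # Same filter the Event Viewer steps build: the Application log,
    # restricted to the "Removable Storage Service" event source.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Removable Storage Service'
        StartTime    = $After
    }
    if ($EventId) { $filter['Id'] = $EventId }

    foreach ($computer in $ComputerName) {
        try {
            Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                         -MaxEvents $MaxEvents -ErrorAction Stop |
                Select-Object @{ n = 'Computer'; e = { $computer } },
                              TimeCreated, Id, LevelDisplayName,
                              @{ n = 'User'; e = { if ($_.UserId) { $_.UserId.Value } } },
                              Message
        }
        catch {
            # Get-WinEvent reports "no matching events" as an error; keep that
            # apart from connection, permission or missing-source failures.
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                Write-Verbose "$computer : no Removable Storage events in the window"
            }
            else {
                Write-Warning "$computer : $($_.Exception.Message)"
            }
        }
    }
}

# Usage (CLIENT01 is a placeholder computer name):
#   Get-RemovableStorageEvent -ComputerName 'CLIENT01' | Format-Table -AutoSize
# To keep a single event ID, as in the Note above, pass it with -EventId.
```

The Message property corresponds to the Description field of the Event Properties window, and User shows the account SID when the event recorded one.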
Chapter 3
Policy Creation & Editing
This chapter includes the following topics:

■ Overview

■ Active Directory Policies

■ Native Policies

■ Policy Options

Overview
Each client will have installation settings in place. Installation settings are created at the time that the
client is installed and modified each time an upgrade package is applied. Policy settings will always take
precedence over any installation settings on the client.

Note: Symantec Endpoint Encryption provides two different types of policies. While each contains identical
options, Active Directory policies are created and edited in quite a different manner from native policies.
Mac clients will only receive and process native policies.

This chapter discusses the following:


■ How to create and/or edit Active Directory policies using Symantec Endpoint Encryption snap-in
extensions in the Group Policy Object Editor (GPOE) (“Active Directory Policies” on page 23);
■ How to create and/or edit native policies using the Symantec Endpoint Encryption Native Policy
Manager (“Native Policies” on page 24); and
■ The individual policy options themselves (“Policy Options” on page 24).

Active Directory Policies


To create or edit an Active Directory policy, expand the Group Policy Management snap-in, expand your
forest, expand Domains, expand the domain, and expand Group Policy Objects.
■ To edit an existing GPO, right-click the GPO and select Edit.
■ To create a new GPO, right-click Group Policy Objects and select New.
The Group Policy Object Editor (GPOE) will launch.
■ To edit or create a computer policy, expand Computer Configuration, expand Software Settings, and
expand Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage,
according to your needs.
■ To edit or create a user policy, expand User Configuration, expand Software Settings, and expand
Symantec Endpoint Encryption. Then expand Framework and/or Removable Storage, according to
your needs.

Each Active Directory policy panel features three option buttons at the top:
■ Do not change these settings—this option is the default option. It specifies that no changes to existing
policies or installation settings will be made.
■ Change these settings—click this option if you want to specify a policy update. When this option is
selected, the fields below it will become available. These fields will not be defaulted to the policies
currently in effect; they will just display generic defaults.
■ Restore the installation settings—click this option to apply a policy that instructs the client to
disregard any existing policies and return to the settings that were specified in its installation package.
When the Change these settings option is selected, your entries are validated when you click away from the
panel. Any incorrect entries will be highlighted in red, and the icon for the panel, as shown in the
navigation tree of the GPOE window, will change to a warning icon to remind you to return to that panel
and make the necessary corrections before closing the GPOE window.
For a detailed discussion of the options that will become available when the Change these settings option is
selected, refer to “Policy Options” on page 24.

Native Policies
To create a native policy, right-click the Symantec Endpoint Encryption Native Policy Manager and select
Create New Policy. When naming a policy, observe the following:
■ Each name must be unique and cannot have been assigned to any other native policy.
■ Names are case-insensitive.
■ Leading and trailing spaces will be deleted.
To edit a native policy, expand the Symantec Endpoint Encryption Native Policy Manager. Locate the policy
that you want to edit and highlight it.
For a detailed discussion of the options available for modification within the Symantec Endpoint
Encryption Native Policy Manager, continue to the next section.

Policy Options
Client Administrators
When creating a Client Administrator policy, it must contain all Client Administrator accounts that are
authorized to access the workstation. Any Client Administrator accounts not listed in this policy will not be
able to authenticate to the Client Computer.

Figure 3-1 Framework Computer Policy, Client Administrators Options



Note: At least one default Client Administrator account must be specified. No more than 1024 Client
Administrator accounts can be added. Clients without Opal-compliant drives and fewer than 128, 256, 384,
512, 640, 768, or 896 Client Administrators must be rebooted before additional Client Administrators can
log on. For example, if 512 Client Administrators exist and a policy adds one more, the 513th Client
Administrator cannot log on until after the client completes a reboot.

You can import a list of Client Administrators from a previously created installation settings package. Click
Load client administrators from installation settings, select the previously created Framework client
installer package, then click Open. The panel will populate with the Client Administrator account
information specified when the installation settings package was created.
Click Add to add a Client Administrator. Highlight an existing Client Administrator and click Edit to edit
the account.

Figure 3-2 Add New Client Administrator Dialog

Only the names of the Add New Client Administrator and Edit Client Administrator dialogs differ.
Each Client Administrator account must have credentials and a specified level of privilege.
Leave the Default admin check box selected to designate this Client Administrator as the default Client
Administrator account, otherwise deselect the check box. If you deselect the Default admin check box, the
Level, Authentication, and Admin Privileges controls become available.
The Default admin check box will be deselected and unavailable if you already added a default Client
Administrator.
The Admin Privileges section is only available if the Default admin check box is deselected. Select the
Unregister users check box to allow the Client Administrator to unregister users. All other check boxes are
not relevant to Removable Storage. Deselect all the check boxes to only allow the Client Administrator to
authenticate to the Administrator Client Console.
The Level list box is only available if the Default admin check box is deselected. Click Level to set the
desired privilege level for the Client Administrator. Note that the privileges you set in the Level list box will
be ignored by Symantec Endpoint Encryption 8.0.0 or later clients.

Note: The Level settings are provided for compatibility with legacy clients, and are completely independent
of the Admin Privileges settings. Use the Admin Privileges settings if your policy will apply exclusively to
Symantec Endpoint Encryption 8.0.0 or later clients. Use both the Admin Privileges settings and the Level
settings if your policy will apply to both legacy and 8.0.0 or later clients.

The Authentication list box is only available if the Default admin check box is deselected. Click
Authentication to set the Client Administrator’s authentication method. If this is a native policy and you
selected None (password authentication only) when installing the Framework Manager, the list box will
display Password and be unavailable. If you selected one of the token types when installing the Framework
Manager, the list box will have both Password and Token options available.

If you select the Password option, type the desired password for this Client Administrator account in the
Password box. The password must be a minimum of two characters and no longer than 32. Type the
password a second time in the Confirm password box.
If you select the token option, you will be prompted to locate the P7B certificate file associated with that
Client Administrator account. The selected P7B file will be validated, and you will be prompted to choose
the desired certificate from the list of valid certificates found in the P7B file.

Registered Users

Basics
The Registered Users panel can be used to change the way that users authenticate to, register with, or get
unregistered from Symantec Endpoint Encryption.

Figure 3-3 Framework Computer Policy, Registered Users Options

Authentication Method
In Authentication Method, select the authentication method you want Symantec Endpoint Encryption to
effect.
■ Clicking on Require registered users to authenticate with ensures that users type their credentials
before gaining access to the User Client Console. Select a password to have users authenticate with a
password. Select a token to have users authenticate with a token. Select password or token to allow
users to authenticate using either a password or a token.
■ Clicking on Do not require registered users to authenticate to SEE selects automatic authentication
and allows all registered users to access the User Client Console without providing any credentials. The
registration process itself will also be automatic and occur without user intervention—unless a
registration password is specified. Coupling automatic authentication with a registration password
could serve to limit the number of users able to use removable storage devices from the workstation, as
only registered users can use removable storage devices.

Note: Single-Sign On will be unavailable to users not using the same authentication method for both
Windows and Symantec Endpoint Encryption. For Single-Sign On to work, the authentication methods
used in both environments must be identical.

Once the policy has been processed and the Client Computer has rebooted, the user’s experience will vary.
Refer to Appendix B “Overview” on page 95 for details of the user’s experience.

Registration
To allow any Windows user the ability to register, click the option Any Windows user can register for a SEE
account. To allow only those users who know a special registration password to be able to register, click
Users must know this password to register, and type the password in the adjacent field and again to
confirm. Each user will be required to know the administrator-defined registration password before they
can register for a Symantec Endpoint Encryption account.
Specify the maximum number of Symantec Endpoint Encryption registered user accounts which can be
created on each computer. New users will not be permitted to register after the maximum number of
accounts has been reached.
Specify a custom message users will see when they are forced to register after grace restarts expire. The
custom message can be from 0–900 characters in length, or you can use the default message. Note that the
custom registration message field ignores any carriage returns you type or paste in.
Specify the number of grace restarts, i.e., the number of times, from 0–99, that the computer can restart
before the first user who logs on will be forced to register for a Symantec Endpoint Encryption account and
see the custom registration message. This setting can effectively allow users to defer registration. To force
the first user to register immediately, set this value to zero.

Unregistration
Unregistration selects whether to allow users to only be unregistered manually by Client Administrators,
or whether to also automatically unregister users who do not log on after a specified period, from 1–365
days. This setting is useful in a kiosk environment where many infrequent users can fill up the maximum
number of available Symantec Endpoint Encryption accounts on a given computer. Use caution with this
setting so that users do not have their accounts deleted unexpectedly.

Password Authentication

Basics
Use the Password Authentication panel to configure settings for the passwords used to authenticate to
Symantec Endpoint Encryption and to encrypt/decrypt Removable Storage files.

Figure 3-4 Framework Computer Policy, Password Authentication Options

Password Attempts
Use the Password Attempts area to configure a logon delay to protect against dictionary attack tools.

To perform this procedure


1 In the After box, type the number of incorrect password attempts and/or incorrect Authenti-Check
recovery attempts that will be allowed to occur before the delay is instituted.
2 Type the length of the delay in the pause for box.
3 Type the length of time that must elapse between incorrect logon attempts before the delay is lifted in
the Resume normal operation box. This number must be equal to or greater than the number in the
pause for box.

Note: To understand the interrelationship among the three settings, consider the following example. An
administrator sets the After box to 6, the pause for box to 30, and the Resume normal operation box to 35.
A user types an incorrect password six times, trying to log on to the User Client Console. The computer
institutes the logon delay, preventing anyone from logging on to the Client Console for 30 minutes. Four
minutes after the logon delay is lifted, the user enters another incorrect password. A logon delay of 30
minutes is instituted. Mac clients ignore these settings.

Removable Storage enforces a one-minute delay during file decryption attempts and ignores the number in
the pause for box.
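
The interplay of the After, pause for, and Resume normal operation settings can be traced with a small model. This is an added example, not Symantec code: the function and parameter names are hypothetical, and it assumes that the failure count clears only when the gap between two incorrect attempts reaches the Resume normal operation value, and that attempts made while the delay is active are refused without being counted.

```powershell
# Added example: a model of the logon-delay rule as the Note describes it.
# Not the product's implementation. Times are minutes from an arbitrary start.
function Test-LogonDelayPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$After,                  # incorrect attempts before the delay
        [Parameter(Mandatory)][int]$PauseFor,               # length of the delay, minutes
        [Parameter(Mandatory)][int]$ResumeNormalOperation,  # quiet gap that clears the count, minutes
        [Parameter(Mandatory)][double[]]$FailedAttemptMinutes
    )

    # The guide requires Resume normal operation >= pause for. In this model a
    # smaller value would always clear the count by the time the delay ended.
    if ($ResumeNormalOperation -lt $PauseFor) {
        throw "Resume normal operation ($ResumeNormalOperation) must be equal to or greater than pause for ($PauseFor)."
    }

    $count       = 0
    $lastFailure = $null
    $delayEnds   = $null

    foreach ($t in ($FailedAttemptMinutes | Sort-Object)) {
        if ($null -ne $delayEnds -and $t -lt $delayEnds) {
            # Assumption: nobody can log on during the delay, so the attempt
            # is refused and does not change the failure count.
            $outcome = 'refused, delay active'
        }
        else {
            $delayEnds = $null
            # Assumption: a long enough gap since the previous incorrect
            # attempt returns the client to normal operation.
            if ($null -ne $lastFailure -and ($t - $lastFailure) -ge $ResumeNormalOperation) {
                $count = 0
            }
            $count++
            $lastFailure = $t
            if ($count -ge $After) {
                $delayEnds = $t + $PauseFor
                $outcome   = 'delay instituted'
            }
            else {
                $outcome = 'incorrect password'
            }
        }
        [pscustomobject]@{
            Minute       = $t
            Outcome      = $outcome
            FailureCount = $count
            DelayEnds    = $delayEnds
        }
    }
}

# The Note's scenario: After = 6, pause for = 30, Resume normal operation = 35.
# Six incorrect passwords at minute 0, then one more four minutes after the
# first delay has ended (minute 34).
Test-LogonDelayPolicy -After 6 -PauseFor 30 -ResumeNormalOperation 35 `
    -FailedAttemptMinutes 0, 0, 0, 0, 0, 0, 34 | Format-Table -AutoSize

# Constructed contrast: the seventh incorrect password arrives at minute 36,
# after the Resume normal operation interval has passed.
Test-LogonDelayPolicy -After 6 -PauseFor 30 -ResumeNormalOperation 35 `
    -FailedAttemptMinutes 0, 0, 0, 0, 0, 0, 36 | Format-Table -AutoSize
```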

Password Complexity
In the Password Complexity area:
1 In the Minimum password length box, type the number of characters users’ Symantec Endpoint
Encryption passwords must contain.
2 In the Non-alphanumeric characters box, enter the set of non-alphanumeric characters users must
have in their passwords.
3 For the Password must contain at least settings, select the number from each list box to define the
minimum number of non-alphanumeric characters, UPPERCASE letters (A-Z), lowercase letters (a-z),
and digits (0-9) that users must have in their passwords.
If Single Sign-On is enabled, the Password Complexity settings will only be enforced for Removable
Storage file encryption passwords.

Maximum Password Age


In the Maximum Password Age area, leave the default selection of Password never expires to not set an
expiration date on user passwords.

If you want to set an expiration date on user passwords:


1 In the Password expires every box, type the number of days after which users’ passwords will expire.
2 In the Warn users box, type the number of days in advance users will be prompted to change their
expiring passwords.

Note: If Single Sign-On is enabled, the Maximum Password Age settings will only be enforced for
Removable Storage file encryption passwords. Mac clients ignore these settings.

Password History
In the Password History area, leave the default selection of Any previous password can be used to allow
users to use any previously used Symantec Endpoint Encryption password.

To define a password history restriction:


1 In The last box, type the number of different passwords users must use before reverting to old
passwords.

Note: If Single Sign-On is enabled, the Password History settings will only be enforced for Removable
Storage file encryption passwords. Mac clients ignore these settings.

Minimum Password Age


In the Minimum Password Age area, leave the default selection of Users can change passwords multiple
times without waiting to allow users to change their Symantec Endpoint Encryption passwords as
frequently as they wish. Note that leaving this option at the default will effectively override the password
history feature, since a user could quickly cycle through the required number of new passwords in order to
keep an old, favorite password.

To define a minimum age:


1 In the Users can only change passwords every box, type the minimum number of days that must pass
before users can change their passwords.

Note: If Single Sign-On is enabled, the Minimum Password Age setting will only be enforced for Removable
Storage file encryption passwords. Mac clients ignore these settings.

Token Authentication
If token authentication is in effect and you want to allow expired certificates, check the Users can
authenticate to SEE with expired certificates check box.

Authentication Message
To change the message shown to users who are having trouble authenticating, edit the text within the
Instructions for users who are having trouble with authentication field. For example, the phone number
of your help desk may have been provided in the message and you may need to update it.

Communication
Use the Communication panel to modify the interval at which the recipient computers will attempt to make
contact with the Management Server.

Single Sign-On
Select or deselect the Enable Single Sign-On check box for the desired effect.

Note: If Single Sign-On is enabled, password changes must be initiated by the user on the local workstation.
Administrators cannot reset users’ passwords from the server. Third party password change tools such as
SSPRM are not supported.

Note: Consider what type of policy this is when modifying these settings. If this is an Active Directory
policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the
recipient computer(s).

Authenti-Check
Authenti-Check allows users that have forgotten their password or do not have their token to gain access to
the User Client Console. The user can then change their Symantec Endpoint Encryption password, if Single
Sign-On is not enabled. If the user has been issued a new token, the user can use the User Client Console to
change their token.
Use the Authenti-Check panel to enable or disable Authenti-Check, and/or to change the question-answer
pair requirements.

Figure 3-5 Framework Computer/User Policy, Authenti-Check Options

Select or deselect the Enable Authenti-Check check box according to the policy that you wish to effect.
Type a value in the Minimum answer length box to set the minimum number of characters, from 1–99, that
users must include when answering Authenti-Check questions.
Type one, two, or three Predefined questions, 0–99 characters in length, that a user must correctly answer
before the user authenticates.
The number displayed in the Number of user-defined questions required drop-down list is dynamically
updated based on how many questions you have typed in the Predefined questions boxes. Number of
predefined questions shows the number of predefined questions currently specified, while Total shows the
combined total of the Number of predefined questions plus the Number of user-defined questions
required.
Note that at least one question must be defined either by you or by the user.

Note: Consider what type of policy this is when modifying these settings. If this is an Active Directory
policy, it can be deployed to individual users. If this is a native policy, it will be applied to all users of the
recipient computer(s).

One-Time Password
One-Time Password is a help-desk-assisted means for Full Disk users to regain access to Windows. It is not
relevant to Removable Storage.

Access and Encryption


Use the Access and Encryption panel to modify the access and/or encryption policies currently being
enforced by Removable Storage.

Figure 3-6 Removable Storage Computer Policy, Security Level Options

Access
Choose Do not allow access to files on removable media to deny read and write access to files and folders
stored on removable media, even if the user is registered to Symantec Endpoint Encryption.
Allow read-only access to files on removable media allows registered Symantec Endpoint Encryption users
to read files stored on removable media. If the files are encrypted, the user must provide the credentials
used to encrypt the file to read its contents. Users cannot write files to removable media, even if registered.
Allow read and write access to files on removable media allows registered Symantec Endpoint Encryption
users to read files on removable media and write files to removable media. If the files are encrypted, the
user must provide the credentials used to encrypt the file to read its contents. Selecting this option causes
the Automatic Encryption options and On Demand Encryption options to become available.

Automatic Encryption
Select the Do not encrypt option to not encrypt files on removable media.
Select the Encrypt files written to CD/DVD option to only encrypt new files written to CD/DVD media
using the Symantec Endpoint Encryption CD/DVD Burner application.
Select the Encrypt files as per Symantec DLP for Endpoint option to use the detection and response
capabilities of Symantec Data Loss Prevention to dictate the encryption of files. If this option is selected,
Removable Storage will encrypt files only at the direction of Symantec Data Loss Prevention. This option
requires not only Symantec Data Loss Prevention, but also the Symantec Endpoint Encryption
FlexResponse Plug-In for Data Loss Prevention. Contact your sales representative to obtain these. Refer to
the Symantec Data Loss Prevention Administration Guide and the Symantec Endpoint Encryption
FlexResponse Plug-In Implementation Guide for more information.

Note: Files written to CD/DVD using the Symantec Endpoint Encryption CD/DVD Burner application will
be encrypted automatically under this option, regardless of Symantec Data Loss Prevention.

Select the Encrypt new files option to automatically encrypt all files newly added to removable media.
Select the Encrypt all files option to automatically encrypt both new and pre-existing files on removable
media. Upon inserting a device, users will be warned about this policy and they will have an opportunity to
remove the device should there be unencrypted files that they do not want encrypted.
Select Allow users to choose to let the user modify the automatic encryption policy. If this option is
selected, the following options become available, allowing you to choose the default automatic encryption
policy. Select Default to encrypt new files to set the default behavior to encrypt new files written to
removable media. Select Default to do not encrypt to set the default behavior to not encrypt.

On Demand Encryption
The On Demand Encryption options allow users to manually initiate the encryption and decryption of files
using right-click menu options.
Select the Users may right-click to encrypt existing files on removable media—except CD/DVD option to
provide end users with the ability to encrypt files on removable media using a right-click menu. The right-
click menu option will not be available for files residing on CDs or DVDs.
Select the Users may right-click to decrypt existing files on removable media—except CD/DVD option to
provide end users with the ability to decrypt files on removable media using a right-click menu. The right-
click menu option will not be available for files residing on CDs or DVDs.
If multimedia files are exempted from encryption, the user can use the right-click option to override the
exclusion. However, the right-click option cannot be used to override a removable storage device exclusion.

Note: If you selected the Encrypt files as per Symantec DLP for Endpoint option, Symantec recommends
deselecting both Users may right-click to encrypt existing files on removable media—except CD/DVD and
Users may right-click to decrypt existing files on removable media—except CD/DVD.

Device and File Type Exclusions


Use the Device and File Type Exclusions panel to specify removable storage devices and/or multimedia file
types that should be excluded from automatic encryption on computers receiving this policy.

Figure 3-7 Removable Storage Computer Policy, Device and File Type Exclusions

Exemption for Multimedia Files


When you set an Encrypt all or Encrypt new policy, you can exempt certain types of multimedia files from
being encrypted. Select the Exclude multimedia files from automatic encryption check box, then leave
selected one or more of the following check boxes according to the type of multimedia file formats you want
to exclude from encryption:
■ Select Audio to exclude audio files.
■ Select Video to exclude video files.
■ Select Image to exclude image files.
The full list of file extensions that corresponds to each check box is itemized in the User Guide.
The Exclude multimedia files from automatic encryption check box must be selected to effect any of the
exemptions you have specified using the Audio, Video, or Image check boxes.

Note: The user will be unable to circumvent the policy by manually changing the file extension.

Note: If you selected the Encrypt files as per Symantec DLP for Endpoint option, file type exclusions will be
ignored and no file types will be excluded.

Device Exclusions
You can exempt specific devices from both automatic and on-demand encryption by selecting the Exclude
these removable storage devices from encryption check box. Do either of the following to exempt
removable storage devices from encryption:
■ To exempt a specific device from a vendor, enter the vendor ID, product ID, and an optional description
in the fields provided.
■ To exempt all the devices from a vendor, enter the vendor ID in the Vendor ID field, the wildcard
character * in the Product ID field, and an optional description in the Description (Optional) field. 
For example, if the vendor ID is ‘xyz’ and the product ID is ‘*’, all the storage devices from the xyz
vendor are exempted from encryption.
You can specify up to a maximum of 50 entries.
A number of free tools can be used to obtain the Vendor ID and Product ID of your chosen device(s), such as
the Symantec Endpoint Encryption Device Control Auditor.

Note: Most tools are incapable of obtaining the Vendor ID and Product ID of flash memory cards that can
be inserted into card readers. If you exempt the card reader, flash memory cards inserted into the
exempted card reader will also be exempted.

Note: Because eSATA hard drives do not contain a Vendor ID or Product ID, they cannot be exempted.

The Exclude these removable storage devices from encryption check box must be selected to effect any of
the exemptions you have specified.

Encryption Method
Use the Encryption Method panel to modify the encryption methods currently allowed by Removable
Storage. These methods will be available to users encrypting files and creating self-extracting executables
from a Removable Storage–protected computer, as well as users encrypting files with the Removable
Storage Access Utility from computers not protected by Removable Storage.

Figure 3-8 Removable Storage Computer Policy, Encryption Method Options

Select the appropriate option to restrict the encryption method to a password, restrict the encryption
method to one or more certificates that the user chooses, or let each user choose the encryption method.

Recovery Certificate
Use the Recovery Certificate panel to set, remove, or modify the Recovery Certificate used by Removable
Storage. Note that this feature only applies to computers on which write access and encryption are enabled
for removable storage devices.

Figure 3-9 Removable Storage Computer Policy, Recovery Certificate

Select the Do not encrypt files with a recovery certificate option if you do not want to use a Recovery
Certificate.
Select the Encrypt files with a recovery certificate option if you want to use a Recovery Certificate. You
will be prompted for the location of the PKCS#7 format certificate file (.p7b).

Note: Ensure that the Recovery Certificate does not contain the private key and possesses the mandatory
key usage detailed in the Installation Guide.

Once you have chosen a certificate file, the Select Certificate dialog will show information about the
certificate you have chosen.

Workgroup Key
Use the Workgroup Key panel to set, remove, or modify a workgroup key. The workgroup key is used by
Removable Storage and the Removable Storage Access Utility to encrypt files—in addition to the
user-provided passwords and/or certificate(s). The workgroup key facilitates the sharing of encrypted files
among users within a group: if the group key on the Removable Storage–protected computer matches the
group key that a file was encrypted under, the user will not be prompted to provide a password or
certificate to decrypt the file.

Figure 3-10 Removable Storage Computer Policy, Workgroup Key Options

Click Do not encrypt or decrypt files with a workgroup key if you do not want the computers receiving this
policy to use a workgroup key.
Click Encrypt and decrypt files with this workgroup key to deploy a single workgroup key to all the
computers receiving this policy. The workgroup key will be shared among all users of the target computers.
It should be a 64-digit random hexadecimal value.
Clicking Generate new key will fill the key box with a randomly generated number.
If you type or paste the key in, ensure that this value is random, 64 digits, hexadecimal format, and that
alphanumeric characters are lowercase.
Descriptive optional text you type in the Memo box will be displayed in RSoP reports.
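
The following added example (not part of the original guide or of the product) generates a key in the format described above and checks a typed or pasted key before it goes into the key box. The function names and the two "obviously not random" heuristics are this example's own assumptions; passing them does not prove a key is random.

```python
import re
import secrets


def generate_workgroup_key():
    """Return 64 lowercase hexadecimal digits from the OS random source."""
    return secrets.token_hex(32)  # 32 random bytes -> 64 hex digits


def check_workgroup_key(key):
    """Return a list of problem codes; an empty list means the key passed."""
    problems = []
    if len(key) != 64:
        problems.append("length")
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        # Also catches stray spaces or a trailing newline from a paste.
        problems.append("non-hex")
    elif key != key.lower():
        problems.append("uppercase")
    if problems:
        return problems

    # Heuristics (assumptions of this example) for keys that were clearly
    # typed by hand rather than generated.
    if len(set(key)) < 8:
        problems.append("low-diversity")
    if any(key == key[:p] * (64 // p) for p in (1, 2, 4, 8, 16, 32)):
        problems.append("repeating")
    return problems


if __name__ == "__main__":
    candidates = [
        generate_workgroup_key(),
        "0123456789abcdef" * 4,   # constructed: valid format, repeating block
        "ABCDEF0123456789" * 4,   # constructed: uppercase digits
    ]
    for candidate in candidates:
        print(candidate, check_workgroup_key(candidate) or "ok")
```
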

Portability
Use the Portability panel to specify:
■ Whether or not to copy the Removable Storage Access Utility to removable media automatically
■ Whether or not to allow users to create self-extracting executables

Figure 3-11 Removable Storage Computer Policy, Portability Options

Access Utility
To write the Removable Storage Access Utility that runs on Windows computers to removable media
automatically, select the Copy the Removable Storage Access Utility for Windows to removable media
check box.
To write the Removable Storage Access Utility that runs on Mac OS X computers to removable media
automatically, select the Copy the Removable Storage Access Utility for Mac OS X to removable media
check box.
Removable media includes removable storage devices as well as CDs and DVDs burned by the Symantec
Endpoint Encryption CD/DVD Burner application.
If a device is exempted from encryption, the Removable Storage Access Utility is not written to that device.
The Removable Storage Access Utility should be used only on computers not protected by Removable
Storage. Symantec does not support use of the Removable Storage Access Utility on Removable Storage
client computers.

Self-Extracting Executables
To permit users to create self-extracting archives, select the Allow users to save files as password and/or
certificate encrypted self-extracting executables check box.
Considered munitions by many countries, encryption software is often subject to regulations. The United
States, for example, prohibits the export of strong encryption products to the following countries:
■ Cuba
■ Iran
■ Libya
■ North Korea
■ Sudan
■ Syria
Legal repercussions could ensue should someone in your organization fail to comply with national and/or
international statutes. Visit http://www.bis.doc.gov for more information.

Default Passwords
Use the Default Passwords panel to specify whether users can set a Default Password, up to two Session
Default Passwords, and/or a Device Session Default Password.

Figure 3-12 Removable Storage Computer Policy, Default Passwords

Default Password
Select the Allow users to set a default password option to allow the user to specify a Default Password. The
Apply password aging to Removable Storage default passwords check box becomes available.
Select the Apply password aging to Removable Storage default passwords check box to ensure that the
Default Password set by the user will conform to the restrictions set in the Maximum Password Age,
Password History and Minimum Password Age sections of the Framework Password Authentication panel.
See “Password Authentication” on page 27. This setting can be used to ensure that users change their
Default Password at a designated interval. Such a policy should be accompanied by clear instructions to the
user to prevent file availability issues. Specifying a Recovery Certificate is also recommended. Leaving the
Apply password aging to Removable Storage default passwords check box deselected will allow any
previous Removable Storage Default Password to be reused.
Select the Do not allow users to set a default password option to prevent users from setting a Default
Password.

Session Default Passwords


Select Allow users to set session default passwords to allow the user to specify up to two Session Default
Passwords.
Select the Delete session default passwords at the end of every Windows session option to delete any
Session Default Passwords at the end of each Windows session. The user will need to set his or her Session
Default Password(s) anew at the beginning of each Windows session.
Select the Deactivate session default passwords at the end of every Windows session, but allow them to
persist across every Windows session option to leave the Session Default Passwords intact, but force the
user to activate them at the beginning of each Windows session.
Select the Apply password aging to session default passwords option to ensure that any Session Default
Passwords set by the user will conform to the restrictions set in the Maximum Password Age, Password
History and Minimum Password Age sections of the Framework Password Authentication panel.
Select the Do not delete, deactivate, or apply password aging to session default passwords option to allow
the Session Default Passwords to persist across sessions, and to remain active until the user changes them.
Select Do not allow users to set session default passwords to prevent users from setting any Session
Default Passwords.

Device Session Default Password


Select the Allow users to set a device session default password for each removable storage device option
to allow users to set a default password for each removable storage device while it is connected. Removable
Storage automatically deletes the password when the device is removed or when the user logs off of
Windows. Password aging does not apply, but any defined password management requirements do.
Select the Do not allow users to set a device session default password for each removable device option to
prevent users from setting a default password for each removable storage device while it is connected.
Chapter 4
Policy Deployment
This chapter includes the following topics:

■ Active Directory Policies

■ Native Policies

Active Directory Policies


Basics
Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the
Manager Console.

Order of Precedence
When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU
(LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user
object are considered local and have the highest order of precedence in the LSDOU chain.
If the policies are at the same LSDOU level, they will then be applied according to their link order. Those
lowest in the link order will have the highest order of precedence.

Forcing a Policy Update

Basics
Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out
to Client Computers. To accelerate this, you can force an immediate policy update.

Windows XP Clients
To perform this procedure
1 On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press Enter.
A command prompt will open.
2 Type the following command at the command prompt:
gpupdate /force
and press Enter.
3 A message will appear in the command prompt window after a few seconds indicating that the update
has taken place. The message will prompt you to confirm a restart. Type Y and press Enter to restart the
Client Computer.

Windows 2000 Clients


To perform this procedure
1 On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press Enter.
A command prompt will open.
2 Type the following command at the command prompt:
secedit /refreshpolicy machine_policy /enforce
and press Enter.
3 The secedit command will not prompt you to restart. If the policy you are updating includes any
computer policies, you will have to restart the computer manually to complete the update.

Native Policies
Basics
Native policies are applied at the computer level: they cannot be assigned on a per user basis.
Each policy will be comprehensive and contain all of the possible configurable settings.
Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert
to the settings specified in its original installation package.
Native policies are applied at the time that the Client Computer checks in with the Management Server. An
immediate check-in can be performed by the user from the User Client Console on the endpoint computer.
If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell
eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native
policies can be assigned to Novell computers, even if they have not checked in.
Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies
until they have checked in with the Management Server.
The following section discusses the process of creating groups and placing Client Computers inside of
them.

Symantec Endpoint Encryption Managed Computer Groups

Basics
Before you can assign policies to your Symantec Endpoint Encryption–managed computers, they need to be
organized into groups. This can be done from any Manager Computer. The structure will be saved in the
Symantec Endpoint Encryption database and available to all other Manager Computers.
The Symantec Endpoint Encryption Managed Computers container has only two groups by default:
SEE Unassigned and Deleted Computers.
Clients located within the SEE Unassigned group do not have any policies assigned to them. Clients will be
placed in the SEE Unassigned group if:
■ Synchronization with its directory service is not enabled.
■ The computer does not reside within the Active Directory forest/domain or Novell tree that you are
synchronizing with.
In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the
Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in
SEE Unassigned until the time of the next synchronization.
Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client
Computers are enforcing the settings specified within their original installation package.

Group Creation
The first step in organizing your Symantec Endpoint Encryption–managed computers is to create the
groups that they will reside in.

To add a group
1 Right-click Symantec Endpoint Encryption Managed Computers.

Figure 4-1 Symantec Endpoint Encryption Managed Computers, Add New Group

2 Select Add New Group.


3 Enter the name of the new group. This name must be unique within its group. For example, the Finance
group can have two subgroups named Laptops and Desktops and the Human Resources group can also
have two subgroups named Laptops and Desktops. But there cannot be two top-level groups just below
Symantec Endpoint Encryption Managed Computers named Human Resources.
Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired
name of the group and click OK.
4 Continue to add groups and subgroups until you have the desired structure.

Move Computers
Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to
another Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of
moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups.

To move a computer from one group to another


1 Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.

Figure 4-2 SEE Unassigned, Computer Highlighted

2 Click Move.
3 Navigate to the desired destination group of the Client Computer. Highlight it and click OK.
Each Client Computer can reside in only one group at a time.

Policy Assignment
Native policies can be assigned to individual computers, subgroups, or groups located within either the
Symantec Endpoint Encryption Managed Computers container or the Novell eDirectory Computers
container.
This section describes how to assign a policy to a group within the Symantec Endpoint Encryption Managed
Computers container, but the instructions are fully extensible to your individual circumstance.

To assign a policy to a group


1 Locate and highlight the recipient computer, subgroup, or group of the policy.

Figure 4-3 Symantec Endpoint Encryption Managed Computers Group Selected

2 Click Policy.
3 Locate the native policy to be assigned to this group within the dialog and highlight it.
4 Click OK.
5 A confirmation message is displayed. Click OK.

Figure 4-4 Symantec Endpoint Encryption Managed Computers Policy Assigned

Following the successful assignment of the policy, the Manager Console will display the name of the policy
now assigned to the group. The next time the Client Computers in this group check in with the Management
Server, they will download this policy and apply it.

Order of Precedence
Each computer can only have one policy assigned to it at any given time. Policies can be assigned to
individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2)
Subgroup, and (3) Group. Computer policies have the highest precedence.
For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops
subgroup in which it resides, the policy applied to the computer will take precedence over the policy that
was applied to the Laptops subgroup.
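
The precedence rules above, worked through as an added example (not code from the guide or the product). It assumes groups are written as slash-separated paths, that the nearest group with a policy wins when subgroups are nested, and that a computer with no policy anywhere enforces its installation package settings; the function names are hypothetical. It also lists computer-level policies that override what the computer would otherwise inherit, since those exceptions are the ones worth reviewing.

```python
INSTALL_DEFAULT = "(installation package settings)"

# Constructed sample data. D9HCPD3 and the group names come from the guide's
# examples; the other computer names and all policy names are made up.
MEMBERSHIP = {
    "D9HCPD3": "Finance/Laptops",
    "FIN-LT-02": "Finance/Laptops",
    "FIN-DT-07": "Finance/Desktops",
    "HR-LT-01": "Human Resources/Laptops",
    "NEW-PC-11": "SEE Unassigned",
}
GROUP_POLICIES = {
    "Finance": "Finance baseline",
    "Finance/Laptops": "Laptop strict",
}
COMPUTER_POLICIES = {"D9HCPD3": "Contractor exception"}


def inherited_policy(computer, membership, group_policies):
    """Policy the computer gets from its subgroup or group, nearest first."""
    path = membership.get(computer, "")
    parts = path.split("/") if path else []
    while parts:
        group = "/".join(parts)
        if group in group_policies:
            return group_policies[group], f"group {group}"
        parts.pop()  # nothing assigned here, try the parent group
    return INSTALL_DEFAULT, "no policy assigned"


def effective_policy(computer, membership, group_policies, computer_policies):
    """Return (policy, source): computer first, then subgroup, then group."""
    if computer in computer_policies:
        return computer_policies[computer], f"computer {computer}"
    return inherited_policy(computer, membership, group_policies)


def computer_level_overrides(membership, group_policies, computer_policies):
    """List (computer, own policy, policy it would otherwise inherit)."""
    overrides = []
    for computer in sorted(computer_policies):
        inherited, _ = inherited_policy(computer, membership, group_policies)
        if computer_policies[computer] != inherited:
            overrides.append((computer, computer_policies[computer], inherited))
    return overrides


if __name__ == "__main__":
    for name in sorted(MEMBERSHIP):
        policy, source = effective_policy(
            name, MEMBERSHIP, GROUP_POLICIES, COMPUTER_POLICIES)
        print(f"{name:10} {policy:32} from {source}")
    print(computer_level_overrides(MEMBERSHIP, GROUP_POLICIES, COMPUTER_POLICIES))
```
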

Forcing a Policy Update


Registered users can force an immediate policy update by launching the User Client Console, opening the
Check-In panel, and clicking Check in Now.
Appendix A
System Event Logging
This chapter includes the following topics:

■ Basics

■ Framework System Events List

■ Removable Storage System Events List

Basics
This appendix itemizes the events logged by Symantec Endpoint Encryption on Windows Client
Computers. The events are available from the Windows System Event Viewer.
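
As an added example (not part of the original guide or the product), the script below triages exported events using Framework event IDs from Table A-1: failed logons (4, 6, 8, 10) are grouped into bursts per computer, and events 11, 14, and 18 are always reported. The CSV column layout, the threshold of three failures in five minutes, and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs and meanings as listed in Table A-1 (Framework System Events).
FAILED_LOGON = {4: "password", 6: "token", 8: "One-Time Password", 10: "Authenti-Check"}
ALWAYS_REPORT = {
    11: "number of client logon attempts exceeded the maximum allowed",
    14: "Framework uninstallation attempted",
    18: "computer locked after failing to communicate with the SEE server",
}

# Constructed sample data; the column layout is an assumption of this example.
SAMPLE_CSV = """time,computer,event_id,user
2012-06-01T08:00:05,LAPTOP-01,3,alice
2012-06-01T09:10:00,LAPTOP-02,4,bob
2012-06-01T09:10:40,LAPTOP-02,4,bob
2012-06-01T09:11:15,LAPTOP-02,4,bob
2012-06-01T09:11:50,LAPTOP-02,11,
2012-06-01T09:30:00,LAPTOP-02,10,bob
2012-06-01T11:00:00,LAPTOP-03,4,carol
2012-06-01T13:45:00,LAPTOP-03,14,
2012-06-01T15:00:00,LAPTOP-03,4,carol
"""


def triage(csv_text, threshold=3, window=timedelta(minutes=5)):
    """Return findings as (time, computer, rule, detail) tuples in time order."""
    findings = []
    recent = defaultdict(deque)  # computer -> (time, method) of recent failures
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["time"])
    for row in rows:
        when = datetime.fromisoformat(row["time"])
        host = row["computer"]
        event_id = int(row["event_id"])

        if event_id in ALWAYS_REPORT:
            findings.append((when, host, f"event-{event_id}", ALWAYS_REPORT[event_id]))

        if event_id in FAILED_LOGON:
            failures = recent[host]
            failures.append((when, FAILED_LOGON[event_id]))
            # Drop failures that have fallen out of the sliding window.
            while when - failures[0][0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                methods = ", ".join(sorted({m for _, m in failures}))
                findings.append((when, host, "failed-logon-burst",
                                 f"{len(failures)} failures via {methods}"))
                failures.clear()  # require a fresh burst before reporting again
    return findings


if __name__ == "__main__":
    for when, host, rule, detail in triage(SAMPLE_CSV):
        print(f"{when.isoformat()} {host:10} {rule:20} {detail}")
```
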

Framework System Events List


The following table lists the individual Framework–generated Windows system events logged on the Client
Computer. The column headings indicate the Event ID, the severity of the event (Error, Info, or Warning),
and a description of the event indicating the type, source, or policy that generated the event (Internal,
Program Action, Initial Setting, Settings Change, or Utility).

Table A-1 Framework System Events

| Event ID | Severity | Description | Explanation |
|---|---|---|---|
| 0 | Error | Internal: Cannot map event ID to string. Framework | The Framework event ID cannot be mapped to the string in the Framework. |
| 1 | Info | Internal: Audit functions started. Framework | The Framework audit functions have started. |
| 2 | Info | Internal: Audit functions ended. Framework | The Framework audit functions have ended. |
| 3 | Info | Program Action: Successful client logon/authentication attempted with password. Framework user name | An attempt to log on during pre-boot authentication or to the Client Console with a password has succeeded. |
| 4 | Warning | Program Action: Unsuccessful client logon/authentication attempted with password. Framework user name | An attempt to log on during pre-boot authentication or to the Client Console with a password has failed. |
| 5 | Info | Program Action: Successful client logon/authentication attempted with token. Framework user name | An attempt to log on during pre-boot authentication or to the Client Console with a token has succeeded. |
| 6 | Warning | Program Action: Unsuccessful client logon/authentication attempted with token. Framework | An attempt to log on during pre-boot authentication or to the Client Console with a token has failed. |
| 7 | Info | Program Action: Successful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has succeeded in authenticating the user. |
| 8 | Warning | Program Action: Unsuccessful logon/authentication attempted with One-Time Password. Framework | The One-Time Password process has failed to authenticate the user. |
| 9 | Info | Program Action: Successful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has succeeded in authenticating the user. |
| 10 | Warning | Program Action: Unsuccessful logon/authentication attempted with Authenti-Check. Framework | The Authenti-Check process has failed to authenticate the user. |
| 11 | Warning | Program Action: Number of client logon attempts exceeded the maximum allowed. Framework | The number of pre-Windows logon attempts allowed before a delay has been exceeded. |
| 12 | Info | Program Action: User password changed successfully. Framework user name | The user has successfully changed their Symantec Endpoint Encryption password. |
| 13 | Info | Program Action: User password changed unsuccessfully. Framework | The user attempted to change their Symantec Endpoint Encryption password, but failed. This could be because it did not meet the password requirements. |
| 14 | Warning | Program Action: User program uninstallation attempted. Framework | An attempt to uninstall Framework has been made. |
| 15 | Info | Program Action: User changed Authenti-Check questions and answers successfully. Framework | The user has succeeded in changing their Authenti-Check question(s) and/or answer(s). |
| 16 | Info | Program Action: User user name has been unregistered. Framework | The user has successfully been unregistered. |
| 17 | Info | Program Action: User password resynchronized with Windows password. Framework | The user’s Symantec Endpoint Encryption password has been resynchronized with their Windows password to enable the Single Sign-On feature. |
| 18 | Warning | Program Action: Computer locked due to failure to communicate with SEE server. Framework | The Client Computer has failed to communicate with the Symantec Endpoint Encryption Management Server within the mandatory interval and, as a result, has been locked. |
| 19 | Warning | Program Action: User password expired. Framework | The user’s Symantec Endpoint Encryption password has expired. |
| 20 | Info | Program Action: User registration completed. Framework user name | The user has successfully completed the registration process. |
| 21 | Warning | Program Action: Final grace logon reached. Framework | The number of grace restarts is now zero and the next user to log on to Windows will be forced to register. |
| 22 | Info | Program Action: User logged on after Hibernation or/and Stand by. Framework user name | A hibernation or standby process was initiated and ended when the user logged on to Windows. |
| 23 | Info | Program Action: Client program installation attempted. Framework | An attempt to install Framework was made. |
| 24 | Info | Program Action: Client program upgrade attempted. Framework | An attempt to upgrade Framework was made. |
| 25 | Info | Program Action: Grace logon attempted. Framework | An attempt to exercise a grace restart was made. |
| 26 | Info | Program Action: Authenti-Check questions and answers created. Framework | The user has set their Authenti-Check questions and answers as a part of the registration process. |
| 27 | Info | Program Action: User password created. Framework user name | The user has set their Symantec Endpoint Encryption password as a part of the registration process. |
| 28 | Info | Program Action: Token account created. Framework user name | A token user has created their Symantec Endpoint Encryption account during the registration process. |
| 29 | Info | Initial Setting: One-Time Password online\|offline method enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method has been enabled as an installation setting. The default method will be online\|offline, as indicated in the audit event. |
| 30 | Error | Initial Setting: One-Time Password online\|offline method enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should be enabled, but this setting failed to be applied. |
| 31 | Info | Initial Setting: One-Time Password not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The One-Time Password recovery method is not enabled for this workstation, as per the installation setting. |
| 32 | Error | Initial Setting: One-Time Password not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the One-Time Password recovery method should not be enabled, but this setting failed to be applied. |
| 33 | Info | Initial Setting: Authenti-Check enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method has been enabled as an installation setting. |
| 34 | Error | Initial Setting: Authenti-Check enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should be enabled, but this setting failed to be applied. |
| 35 | Info | Initial Setting: Authenti-Check not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The Authenti-Check recovery method is not enabled for this workstation, as per the installation setting. |
| 36 | Error | Initial Setting: Authenti-Check not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | The installation package specified that the Authenti-Check recovery method should not be enabled, but this setting failed to be applied. |
| 37 | Info | Initial Setting: Authentication Assistance message; policy applied successfully. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package was set successfully. |
| 38 | Error | Initial Setting: Authentication Assistance message; policy failed. Framework Installation Settings - Authentication Assistance. | The authentication assistance message specified in the installation package failed to be set. |
| 39 | Info | Initial Setting: Client Administrator account name account created with low\|medium\|high privileges; policy applied successfully. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description was created successfully. |
| 40 | Error | Initial Setting: Client Administrator account name account created with low\|medium\|high privileges; policy failed. Framework Installation Settings - Client Administrators. | The Client Administrator account specified in the installation package and described in the audit log description failed to be created. |
| 41 | Info | Initial Setting: the SEE Management Server communication interval was set successfully. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server communication interval specified in the installation package was set successfully. |
| 42 | Error | Initial Setting: the SEE Management Server communication interval failed to be set. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server communication interval specified in the installation package failed to be set. |
| 43 | Info | Initial Setting: the user name of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package was set successfully. |
| 44 | Error | Initial Setting: the user name of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The user name of the Symantec Endpoint Encryption Management Server client IIS account specified in the installation package failed to be set. |
| 45 | Info | Initial Setting: the SEE Management Server client account password was set successfully. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package was set successfully. |
| 46 | Error | Initial Setting: the SEE Management Server client account password failed to be set. Framework Installation Settings - Communication. | The Symantec Endpoint Encryption Management Server client IIS account password specified in the installation package failed to be set. |
| 47 | Info | Initial Setting: Limit password attempts enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package has been set successfully. |
| 48 | Error | Initial Setting: Limit password attempts enabled; policy failed. Framework Installation Settings - Password Authentication. | The limitation on the number of password authentication attempts specified in the installation package failed to be set. |
| 49 | Info | Initial Setting: Limit password attempts not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, has been set successfully. |
| 50 | Error | Initial Setting: Limit password attempts not enabled; policy failed. Framework Installation Settings - Password Authentication. | No limitation to the number of password authentication attempts, as specified in the installation package, failed to be set. |
| 55 | Info | Initial Setting: Maximum password age enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user’s passwords will expire at the interval designated in the installation package; this was set successfully. |
| 56 | Error | Initial Setting: Maximum password age enabled; policy failed. Framework Installation Settings - Password Authentication. | The user’s passwords will not expire at the interval designated in the installation package; this failed to be set. |
| 57 | Info | Initial Setting: Maximum password age not enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user’s passwords will not expire. This was set successfully, as specified in the installation package. |
| 58 | Error | Initial Setting: Maximum password age not enabled; policy failed. Framework Installation Settings - Password Authentication. | Although the installation package specified that the user’s passwords would not expire, this failed to be set. |
| 59 | Info | Initial Setting: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user will be able to reuse previous passwords, this installation setting was applied successfully. |
| 60 | Error | Initial Setting: Password history (any previous password can be reused) enabled; policy failed. Framework Installation Settings - Password Authentication. | The installation package specified that the user should be able to reuse previous passwords, but this setting failed to be applied. |
| 61 | Info | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Installation Settings - Password Authentication. | The user will not be able to use previous passwords, the limitations specified in the installation package were applied successfully. |
| 62 | Error | Initial Setting: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Installation Settings - Password Authentication. | Even though the installation package specified certain limitations on the ability of users to use previous passwords, these settings failed to be applied. |
| 63 | Info | Initial Setting: Password complexity requirements for minimum password length met; policy applied successfully. Framework Installation Settings - Password Authentication. | The installation package specified that users must set their passwords to be of a minimum length. This was set successfully. |

64 Error Initial Setting: Password complexity The installation package specified that users
requirements for minimum password length must set their passwords to be of a minimum
met; policy failed. Framework Installation length. This setting failed to be applied.
Settings - Password Authentication.

65 Info Initial Setting: Non-alphanumeric characters The installation package specified that users will
allowed in password setting; policy applied be able to use non-alphanumeric characters in
successfully. Framework Installation Settings - their passwords. This was set successfully.
Password Authentication.

Event ID: 66
Severity: Error
Description: Initial Setting: Non-alphanumeric characters allowed in password setting; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that users should be able to use non-alphanumeric characters in their passwords. This setting failed to be applied.

Event ID: 67
Severity: Info
Description: Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This was set successfully.

Event ID: 68
Severity: Error
Description: Initial Setting: Password complexity requirements for minimum number of non-alphanumeric characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of non-alphanumeric characters must be present in the user’s passwords. This setting failed to be applied.

Event ID: 69
Severity: Info
Description: Initial Setting: Password complexity requirements for minimum number of uppercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This was set successfully.

Event ID: 70
Severity: Error
Description: Initial Setting: Password complexity requirements for minimum number of uppercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of uppercase characters must be present in the user’s passwords. This setting failed to be applied.

Event ID: 71
Severity: Info
Description: Initial Setting: Password complexity requirements for minimum number of lowercase characters met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This was set successfully.

Event ID: 72
Severity: Error
Description: Initial Setting: Password complexity requirements for minimum number of lowercase characters not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of lowercase characters must be present in the user’s passwords. This setting failed to be applied.

Event ID: 73
Severity: Info
Description: Initial Setting: Password complexity requirements for minimum number of digits met; policy applied successfully. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of digits must be present in the user’s passwords. This was set successfully.

Event ID: 74
Severity: Error
Description: Initial Setting: Password complexity requirements for minimum number of digits not met; policy failed. Framework Installation Settings - Password Authentication.
Explanation: The installation package specified that a minimum number of digits must be present in the user’s passwords. This setting failed to be applied.

Event ID: 75
Severity: Info
Description: Initial Setting: Require registration password enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that the user must provide the registration password to be able to register. This was set successfully.

Event ID: 76
Severity: Error
Description: Initial Setting: Require registration password enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that the user must provide the registration password to be able to register. This setting failed to be applied.

Event ID: 77
Severity: Info
Description: Initial Setting: Require registration password not enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that no registration password is required to allow a user to register. This was set successfully.

Event ID: 78
Severity: Error
Description: Initial Setting: Require registration password not enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that no registration password is required to allow a user to register. This setting failed to be applied.

Event ID: 79
Severity: Info
Description: Initial Setting: Number of allowed user accounts setting; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

Event ID: 80
Severity: Error
Description: Initial Setting: Number of allowed user accounts setting; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

Event ID: 81
Severity: Info
Description: Initial Setting: User authentication with password only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using passwords. This was set successfully.

Event ID: 82
Severity: Error
Description: Initial Setting: User authentication with password only setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using passwords. This setting failed to be applied.

Event ID: 83
Severity: Info
Description: Initial Setting: User authentication with token only setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using tokens. This was set successfully.

Event ID: 84
Severity: Error
Description: Initial Setting: User authentication with token only setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate only using tokens. This setting failed to be applied.

Event ID: 85
Severity: Info
Description: Initial Setting: User can select authentication method setting enabled; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate using the method of their choice. This was set successfully.

Event ID: 86
Severity: Error
Description: Initial Setting: User can select authentication method setting enabled; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will authenticate using the method of their choice. This setting failed to be applied.

Event ID: 87
Severity: Info
Description: Initial Setting: Registration Wizard custom message; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will see a custom message during registration. This was set successfully.

Event ID: 88
Severity: Error
Description: Initial Setting: Registration Wizard custom message; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified that users will see a custom message during registration. This setting failed to be applied.

Event ID: 89
Severity: Info
Description: Initial Setting: Grace restarts before registration setting; policy applied successfully. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This was set successfully.

Event ID: 90
Severity: Error
Description: Initial Setting: Grace restarts before registration setting; policy failed. Framework Installation Settings - Registered Users.
Explanation: The installation package specified the number of grace restarts that users will have before being forced to register. This setting failed to be applied.

Event ID: 91
Severity: Info
Description: Initial Setting: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This was set successfully.

Event ID: 92
Severity: Error
Description: Initial Setting: User can authenticate with expired certificates setting enabled; policy failed. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.

Event ID: 93
Severity: Info
Description: Initial Setting: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This was set successfully.

Event ID: 94
Severity: Error
Description: Initial Setting: User can authenticate with expired certificates setting not enabled; policy failed. Framework Installation Settings - Token Authentication.
Explanation: The installation package specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.

Event ID: 95
Severity: Info
Description: Initial Setting: Single Sign-On enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will authenticate using Single Sign-On. This was set successfully.

Event ID: 96
Severity: Error
Description: Initial Setting: Single Sign-On enabled; policy failed. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will authenticate using Single Sign-On. This setting failed to be applied.

Event ID: 97
Severity: Info
Description: Initial Setting: Single Sign-On not enabled; policy applied successfully. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will not authenticate using Single Sign-On. This was set successfully.

Event ID: 98
Severity: Error
Description: Initial Setting: Single Sign-On not enabled; policy failed. Framework Installation Settings - Single Sign-On.
Explanation: The installation package specified that users will not authenticate using Single Sign-On. This setting failed to be applied.

Event ID: 99
Severity: Info
Description: Initial Setting: Encryption strength setting; policy applied successfully. Framework Installation Settings - Encryption.
Explanation: The installation package specified the encryption strength. This was set successfully.

Event ID: 100
Severity: Error
Description: Initial Setting: Encryption strength setting; policy failed. Framework Installation Settings - Encryption.
Explanation: The installation package specified the encryption strength. This setting failed to be applied.

Event ID: 101
Severity: Info
Description: Initial Setting: Default log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in the default location. This was set successfully.

Event ID: 102
Severity: Error
Description: Initial Setting: Default log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in the default location. This setting failed to be applied.

Event ID: 103
Severity: Info
Description: Initial Setting: Custom log file location enabled; policy applied successfully. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in a custom location. This was set successfully.

Event ID: 104
Severity: Error
Description: Initial Setting: Custom log file location enabled; policy failed. Framework Installation Settings - Installer Customization.
Explanation: The installation package specified that the client database files will be stored in a custom location. This setting failed to be applied.

Event ID: 105
Severity: Info
Description: Settings Change: Authentication Assistance message modified; policy applied successfully. Framework Computer Policy - Authentication Assistance.
Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This was set successfully.

Event ID: 106
Severity: Error
Description: Settings Change: Authentication Assistance message modified; policy failed. Framework Computer Policy - Authentication Assistance.
Explanation: A policy specified that users will see a modified message when requesting authentication assistance. This setting failed to be applied.

Event ID: 107
Severity: Info
Description: Settings Change: One-Time Password online|offline method enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This was set successfully.

Event ID: 108
Severity: Error
Description: Settings Change: One-Time Password online|offline method enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified the One-Time Password method that users see when requesting authentication assistance: either online or offline. This setting failed to be applied.

Event ID: 109
Severity: Info
Description: Settings Change: One-Time Password not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This was set successfully.

Event ID: 110
Severity: Error
Description: Settings Change: One-Time Password not enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the One-Time Password method will not be available to users requesting authentication assistance. This setting failed to be applied.

Event ID: 111
Severity: Info
Description: Settings Change: Authenti-Check enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This was set successfully.

Event ID: 112
Severity: Error
Description: Settings Change: Authenti-Check enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will be available to users requesting authentication assistance. This setting failed to be applied.

Event ID: 113
Severity: Info
Description: Settings Change: Authenti-Check not enabled; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This was set successfully.

Event ID: 114
Severity: Error
Description: Settings Change: Authenti-Check not enabled; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that Authenti-Check will not be available to users requesting authentication assistance. This setting failed to be applied.

Event ID: 115
Severity: Info
Description: Settings Change: Authenti-Check settings modified; policy applied successfully. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the Authenti-Check settings were modified. This was set successfully.

Event ID: 116
Severity: Error
Description: Settings Change: Authenti-Check settings modified; policy failed. Framework User Policy - Authentication Assistance.
Explanation: A policy specified that the Authenti-Check settings were modified. This setting failed to be applied.

Event ID: 117
Severity: Info
Description: Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy applied successfully. Framework Computer Policy - Client Administrators.
Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This was set successfully.

Event ID: 118
Severity: Error
Description: Settings Change: Client Administrator account name account modified, privileges changed from low|medium|high to low|medium|high; policy failed. Framework Computer Policy - Client Administrators.
Explanation: A policy specified that the privileges of Client Administrator account account name were changed from low|medium|high to low|medium|high. This setting failed to be applied.

Event ID: 119
Severity: Info
Description: Settings Change: the SEE Management Server communication interval was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This was set successfully.

Event ID: 120
Severity: Error
Description: Settings Change: a policy modifying the SEE Management Server communication interval failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change in how often the Client Computer reports its status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID: 121
Severity: Info
Description: Settings Change: the SEE Management Server client account was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

Event ID: 122
Severity: Error
Description: Settings Change: a policy modifying the SEE Management Server client account failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the credentials of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID: 123
Severity: Info
Description: Settings Change: the SEE Management Server client account password was modified successfully. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This was set successfully.

Event ID: 124
Severity: Error
Description: Settings Change: a policy modifying the SEE Management Server client account password failed to be applied. Framework Computer Policy - Communication.
Explanation: A policy specified a change to the password of the Symantec Endpoint Encryption Management Server Client account that the Client Computer uses when reporting status to the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

Event ID: 125
Severity: Info
Description: Settings Change: Limit password attempts enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID: 126
Severity: Error
Description: Settings Change: Limit password attempts enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that limits the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID: 127
Severity: Info
Description: Settings Change: Limit password attempts not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID: 128
Severity: Error
Description: Settings Change: Limit password attempts not enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not limit the number of times a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID: 129
Severity: Info
Description: Settings Change: Limit password attempts settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This was set successfully.

Event ID: 130
Severity: Error
Description: Settings Change: Limit password attempts settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user can attempt to authenticate with an incorrect password. This setting failed to be applied.

Event ID: 135
Severity: Info
Description: Settings Change: Maximum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that forces the user’s passwords to expire at the designated interval. This was set successfully.

Event ID: 136
Severity: Error
Description: Settings Change: Maximum password age enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that forces the user’s passwords to expire at the designated interval. This setting failed to be applied.

Event ID: 137
Severity: Info
Description: Settings Change: Maximum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not force the user’s passwords to expire. This was set successfully.

Event ID: 138
Severity: Error
Description: Settings Change: Maximum password age not enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that does not force the user’s passwords to expire. This setting failed to be applied.

Event ID: 139
Severity: Info
Description: Settings Change: Maximum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user’s passwords will expire. This was set successfully.

Event ID: 140
Severity: Error
Description: Settings Change: Maximum password age settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often a user’s passwords will expire. This setting failed to be applied.

Event ID: 141
Severity: Info
Description: Settings Change: Password history (any previous password can be reused) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that allows the user to reuse previous passwords. This was set successfully.

Event ID: 142
Severity: Error
Description: Settings Change: Password history (any previous password can be reused) enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that allows the user to reuse previous passwords. This setting failed to be applied.

Event ID: 143
Severity: Info
Description: Settings Change: Password history (limit password reuse and days between changes) enabled; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that prevents the user from using previous passwords. This was set successfully.

Event ID: 144
Severity: Error
Description: Settings Change: Password history (limit password reuse and days between changes) enabled; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that prevents the user from using previous passwords. This setting failed to be applied.

Event ID: 145
Severity: Info
Description: Settings Change: Password history (limit password reuse and days between changes) settings modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This was set successfully.

Event ID: 146
Severity: Error
Description: Settings Change: Password history (limit password reuse and days between changes) settings modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the settings controlling how often the user is prevented from using previous passwords. This setting failed to be applied.

Event ID: 147
Severity: Info
Description: Settings Change: Minimum password length setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the minimum length for user passwords. This was set successfully.

Event ID: 148
Severity: Error
Description: Settings Change: Minimum password length setting modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the minimum length necessary for user passwords. This setting failed to be applied.

Event ID: 149
Severity: Info
Description: Settings Change: Non-alphanumeric characters allowed in password setting modified; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This was set successfully.

Event ID: 150
Severity: Error
Description: Settings Change: Non-alphanumeric characters allowed in password setting modified; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that modified the number of non-alphanumeric characters allowed in user passwords. This setting failed to be applied.

Event ID: 151
Severity: Info
Description: Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This was set successfully.

Event ID: 152
Severity: Error
Description: Settings Change: Change password complexity requirements for minimum number of non-alphanumeric characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of non-alphanumeric characters that must be present in the user’s passwords. This setting failed to be applied.

Event ID: 153
Severity: Info
Description: Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This was set successfully.

Event ID: 154
Severity: Error
Description: Settings Change: Change password complexity requirements for minimum number of uppercase characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of uppercase characters that must be present in the user’s passwords. This setting failed to be applied.

Event ID: 155
Severity: Info
Description: Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This was set successfully.

Event ID: 156
Severity: Error
Description: Settings Change: Change password complexity requirements for minimum number of lowercase characters; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of lowercase characters that must be present in the user’s passwords. This setting failed to be applied.

Event ID: 157
Severity: Info
Description: Settings Change: Change password complexity requirements for minimum number of digits; policy applied successfully. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This was set successfully.

Event ID: 158
Severity: Error
Description: Settings Change: Change password complexity requirements for minimum number of digits; policy failed. Framework Computer Policy - Password Authentication.
Explanation: A policy was specified that changed the minimum number of digits that must be present in the user’s passwords. This setting failed to be applied.

Event ID: 159
Severity: Info
Description: Settings Change: Require registration password enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that the user must provide the registration password to be able to register. This was set successfully.

Event ID: 160
Severity: Error
Description: Settings Change: Require registration password enabled; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that the user must provide the registration password to be able to register. This setting failed to be applied.

Event ID: 161
Severity: Info
Description: Settings Change: Require registration password not enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that no registration password is required to allow a user to register. This was set successfully.

Event ID: 162
Severity: Error
Description: Settings Change: Require registration password not enabled; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that no registration password is required to allow a user to register. This setting failed to be applied.

Event ID: 163
Severity: Info
Description: Settings Change: Registration password modified; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the registration password users must know to be able to register. This was set successfully.

Event ID: 164
Severity: Error
Description: Settings Change: Registration password modified; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the registration password users must know to be able to register. This setting failed to be applied.

Event ID: 165
Severity: Info
Description: Settings Change: Number of allowed user accounts setting modified; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This was set successfully.

Event ID: 166
Severity: Error
Description: Settings Change: Number of allowed user accounts setting modified; policy failed. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that modified the maximum number of user accounts allowed on the Client Computer. This setting failed to be applied.

Event ID: 167
Severity: Info
Description: Settings Change: User authentication with password only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users.
Explanation: A policy was specified that users will authenticate only using passwords. This was set successfully.

168 | Error | Settings Change: User authentication with password only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using passwords. This setting failed to be applied.

169 | Info | Settings Change: User authentication with token only setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This was set successfully.

170 | Error | Settings Change: User authentication with token only setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will authenticate only using tokens. This setting failed to be applied.

173 | Info | Settings Change: Registration Wizard custom message modified; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This was set successfully.

174 | Error | Settings Change: Registration Wizard custom message modified; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that modified the custom message users will see during registration. This setting failed to be applied.

175 | Info | Settings Change: User can authenticate with expired certificates setting enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This was set successfully.

176 | Error | Settings Change: User can authenticate with expired certificates setting enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will be allowed to authenticate. This setting failed to be applied.

177 | Info | Settings Change: User can authenticate with expired certificates setting not enabled; policy applied successfully. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This was set successfully.

178 | Error | Settings Change: User can authenticate with expired certificates setting not enabled; policy failed. Framework User Policy - Token Authentication. | A policy was specified that users with expired certificates will not be allowed to authenticate. This setting failed to be applied.

179 | Info | Settings Change: Single Sign-On enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This was set successfully.

180 | Error | Settings Change: Single Sign-On enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will authenticate using Single Sign-On. This setting failed to be applied.

181 | Info | Settings Change: Single Sign-On not enabled; policy applied successfully. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This was set successfully.

182 | Error | Settings Change: Single Sign-On not enabled; policy failed. Framework User Policy - Single Sign-On. | A policy was specified that users will not authenticate using Single Sign-On. This setting failed to be applied.

183 | Info | Program Action: The user was provided access to Windows using cached credentials and was not required to change their Windows password following successful completion of the password recovery process because there was no connectivity to a domain controller. | After a user successfully completes the password recovery process in pre-Windows, they will be forced to select a new password when they log on to Windows. If the Client Computer was offline and cached credentials were used, this password synchronization is deferred until after the Client Computer regains network connectivity.

184 | Info | Program Action: Client Administrator account name unregistered user user name. Framework | The Client Administrator account name has unregistered the user user name on the Client Computer.

185 | Info | Settings Change: Client Administrator account name created with low|medium|high privileges; policy applied successfully. Framework Installation Settings - Client Administrators. | A policy was specified that added account name as a Client Administrator having low|medium|high privileges. This was set successfully.

186 | Info | Initial Setting: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This was set successfully.

187 | Error | Initial Setting: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users must wait the designated interval before changing their passwords. This setting failed to be applied.

188 | Info | Initial Setting: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This was set successfully.

189 | Error | Initial Setting: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | The installation package specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.

190 | Info | Settings Change: Minimum password age enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This was set successfully.

191 | Error | Settings Change: Minimum password age enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that forces users to wait the designated interval before allowing them to change their passwords. This setting failed to be applied.

192 | Info | Settings Change: Minimum password age not enabled; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This was set successfully.

193 | Error | Settings Change: Minimum password age not enabled; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that users will not be forced to wait before changing their passwords. This setting failed to be applied.

194 | Info | Settings Change: Minimum password age settings modified; policy applied successfully. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This was set successfully.

195 | Error | Settings Change: Minimum password age settings modified; policy failed. Framework Computer Policy - Password Authentication. | A policy was specified that modified whether users must wait the designated interval before being allowed to change their passwords. This setting failed to be applied.

196 | Info | Settings Change: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.

197 | Error | Settings Change: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that automatically authenticates Symantec Endpoint Encryption users. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.

198 | Info | Settings Change: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.

199 | Error | Settings Change: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.

200 | Info | Settings Change: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.

201 | Error | Settings Change: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.

202 | Info | Settings Change: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.

203 | Error | Settings Change: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | A policy was specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.

204 | Info | Initial Setting: Do not require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This was set successfully.

205 | Error | Initial Setting: Do not require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will be automatically authenticated. If Full Disk has been installed, the pre-Windows authentication will be bypassed. This setting failed to be applied.

206 | Info | Initial Setting: Require registered users to authenticate to SEE; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This was set successfully.

207 | Error | Initial Setting: Require registered users to authenticate to SEE; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that Symantec Endpoint Encryption users will authenticate normally. If Full Disk has been installed, the pre-Windows authentication will not be bypassed. This setting failed to be applied.

208 | Info | Initial Setting: Users can only be unregistered manually by client administrators; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This was set successfully.

209 | Error | Initial Setting: Users can only be unregistered manually by client administrators; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that users will not be automatically unregistered, but can only be unregistered manually by a suitable level Client Administrator who logs on at the Client Computer. This setting failed to be applied.

210 | Info | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy applied successfully. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This was set successfully.

211 | Error | Initial Setting: Users who do not log on for number days will be automatically unregistered; policy failed. Framework Computer Policy - Registered Users. | The installation package specified that inactive user accounts will be automatically unregistered after number days. This setting failed to be applied.

212 | Info | Initial Setting: the client will not communicate with the SEE Management Server and is a silent client; installation setting applied successfully. Framework Installation Settings. | The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This was set successfully.

213 | Error | Initial Setting: the installation setting dictated that the client would not attempt to communicate with the SEE Management Server and was a silent client, but this failed to be applied. Framework Installation Settings. | The installation package specified that the Client Computer will not communicate with the Symantec Endpoint Encryption Management Server. This setting failed to be applied.

214 | Info | Settings Change: this client will no longer attempt to communicate with the SEE Management Server and is now a silent client; policy applied successfully. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This was set successfully.

215 | Error | Settings Change: a policy dictating that this client would no longer communicate with the SEE Management Server and would become a silent client failed to be applied. Framework Computer Policy. | A policy was specified that a Client Computer previously able to contact a Symantec Endpoint Encryption Management Server will now have all Symantec Endpoint Encryption Management Server communications suppressed. This setting failed to be applied.

216 | Info | Program Action: User user name successfully modified their One-Time Password personal identifier. Framework user name | A user has successfully modified their One-Time Password personal identifier. This was set successfully.

217 | Error | Program Action: User user name failed to modify their One-Time Password personal identifier. Framework user name | A user has successfully modified their One-Time Password personal identifier. This setting failed to be applied.

218 | Info | Settings Change: Client Administrator account name password modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This was set successfully.

219 | Error | Settings Change: Client Administrator account name password modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the Symantec Endpoint Encryption password of one or more Client Administrator accounts. This setting failed to be applied.

220 | Info | Settings Change: Client Administrator account name certificate modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This was set successfully.

221 | Error | Settings Change: Client Administrator account name certificate modified; policy failed. Framework Computer Policy - Client Administrators. | A policy was specified that modified the certificate associated with the token used to authenticate to one or more Client Administrator accounts. This setting failed to be applied.

222 | Info | Settings Change: Client Administrator account name has unregistered. Framework Computer Policy. | A policy or installation setting was specified that unregistered the Client Administrator account name on the Client Computer.

223 | Info | Initial Setting: the address of the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The address of the Symantec Endpoint Encryption Management Server was successfully set during installation.

224 | Error | Initial Setting: the address of the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The address of the Symantec Endpoint Encryption Management Server was not set during installation.

225 | Info | Initial Setting: the domain of the SEE Management Server client account was set successfully. Framework Installation Settings - Communication. | The domain of the Symantec Endpoint Encryption Management Server client account was successfully set during installation.

226 | Error | Initial Setting: the domain of the SEE Management Server client account failed to be set. Framework Installation Settings - Communication. | The domain of the Symantec Endpoint Encryption Management Server client account was not set during installation.

227 | Info | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server was set successfully. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was successfully set.

228 | Error | Initial Setting: the certificate to be used for HTTPS communications with the SEE Management Server failed to be set. Framework Installation Settings - Communication. | The certificate for HTTPS communication with the Symantec Endpoint Encryption Management Server was not set during installation.

229 | Info | Program Action: User token changed successfully. Framework | A user has successfully changed their token using the User Client Console.

230 | Info | Program Action: User token changed unsuccessfully. Framework | A user was unable to change their token using the User Client Console.

231 | Info | Program Action: User token registered successfully. Framework | A user registered a token using the Registration wizard.

232 | Info | Program Action: User token registered unsuccessfully. Framework | A user was unable to register a token using the Registration wizard.

233 | Info | Program Action: User password registered successfully. Framework | A user registered a password using the Registration wizard.

234 | Info | Program Action: User password registered unsuccessfully. Framework | A user was unable to register a password using the Registration wizard.

235 | Info | Settings Change: Client Administrator account name authentication method modified; policy applied successfully. Framework Computer Policy - Client Administrators. | A policy was applied that resulted in a change to the authentication method used by the specified Client Administrator.

236 | Error | Settings Change: Client Administrator account name authentication method modified; policy failed. Framework Computer Policy - Client Administrators. | A policy that would have resulted in a change to the authentication method used by the specified Client Administrator failed to be applied.

237 | Info | Settings Change: One-Time Password communication unlock enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

238 | Error | Settings Change: One-Time Password communication unlock enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

239 | Info | Settings Change: One-Time Password communication unlock not enabled; policy applied successfully. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

240 | Error | Settings Change: One-Time Password communication unlock not enabled; policy failed. Framework Computer Policy - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

241 | Info | Settings Change: User authentication with password or token setting enabled; policy applied successfully. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token has been set successfully.

242 | Error | Settings Change: User authentication with password or token setting enabled; policy failed. Framework Computer Policy - Registered Users. | A policy specifying that users on this computer should be able to authenticate with either a password or a token failed to be applied.

243 | Info | Program Action: User account name has been unregistered due to applying new authentication method policy. Framework | Automatic authentication is no longer in place on this computer, as the result of either an upgrade or a policy update. The account that was automatically created for the specified user has been deleted.

244 | Info | Program Action: User account name has been unregistered due to account expiration. Framework | The account of the specified user has been deleted because the user failed to log on within the number of days specified in the Unregistration area of the Registered Users panel.

245 | Info | Program Action: Successful Client Console logon/authentication attempted with Authenti-Check. Framework account name | The specified user successfully authenticated using Authenti-Check.

246 | Warning | Program Action: Unsuccessful Client Console logon/authentication attempted with Authenti-Check. Framework account name | The specified user failed to successfully authenticate using Authenti-Check.

247 | Info | Initial Setting: One-Time Password communication unlock enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

248 | Error | Initial Setting: One-Time Password communication unlock enabled; policy failed. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

249 | Info | Initial Setting: One-Time Password communication unlock not enabled; policy applied successfully. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This was set successfully.

250 | Error | Initial Setting: One-Time Password communication unlock not enabled; policy failed. Framework Installation Settings - Authentication Assistance. | A policy specified that one or more users will not have access to the One-Time Password Program as a means for regaining access to the computer after it has been locked for a failure to communicate. This policy failed to be applied.

251 | Warning | Settings Change: Applying Client Administrators accounts is temporary suspended. Framework Settings - Client Administrators. | A policy was applied to a computer without any Opal-compliant drives that increases the total number of Client Administrators beyond 128, 256, 384, 512, 640, 768, or 896. A reboot must occur before the Client Administrator(s) in excess of 128, 256, 384, 512, 640, 768, or 896 can log on. For example, 128 Client Administrators currently exist. The policy keeps all 128 Client Administrator accounts and adds one more. The additional Client Administrator won’t be able to log on until after a reboot is performed.
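
The paired Info/Error IDs in Table A-1 can be replayed to find computers where a weaker authentication setting is currently in effect. The following is an added example, not part of the Symantec guide or product: the record layout, the host names and the choice of which settings count as "weakened" are assumptions of this sketch, and only the event IDs come from the table.

```python
from collections import defaultdict

# Info IDs from Table A-1 that change a setting when the policy is applied.
# True means the weaker option is now in effect (this grouping is the
# example's own judgement, not a product classification).
APPLIED = {
    "registration_password_not_required": {159: False, 161: True},
    "expired_certificates_accepted": {175: True, 177: False},
    "see_authentication_not_required": {196: True, 198: False,
                                        204: True, 206: False},
}

# Error IDs: a policy selecting the stronger option failed to apply, so the
# previous state of that setting is still in effect.
HARDENING_FAILED = {
    160: "registration_password_not_required",
    178: "expired_certificates_accepted",
    199: "see_authentication_not_required",
    207: "see_authentication_not_required",
}

AUTHENTI_CHECK_FAILED = 246  # Warning: unsuccessful Authenti-Check logon


def triage(records):
    """Replay Framework events in time order.

    records: iterable of dicts with 'time' (ISO 8601 string), 'computer' and
    'id'. This layout is assumed; restrict the export to Framework events
    first, because Table A-1 and Table A-2 are numbered separately.
    Returns (weakened, findings).
    """
    state = defaultdict(dict)  # computer -> setting -> weaker option active?
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        host, eid, when = rec["computer"], rec["id"], rec["time"]
        for setting, ids in APPLIED.items():
            if eid in ids:
                state[host][setting] = ids[eid]
        if eid in HARDENING_FAILED:
            setting = HARDENING_FAILED[eid]
            # Report when the weaker option is active or the prior state is
            # unknown: the log cannot show that the stronger one is in force.
            if state[host].get(setting, True):
                findings.append((when, host, "hardening failed: " + setting))
        elif eid == AUTHENTI_CHECK_FAILED:
            findings.append((when, host, "Authenti-Check failed"))
    weakened = {}
    for host, settings in state.items():
        active = sorted(name for name, on in settings.items() if on)
        if active:
            weakened[host] = active
    return weakened, findings


# Constructed records for illustration; not real log output.
SAMPLE = [
    {"time": "2012-06-01T08:00:00", "computer": "PC-01", "id": 206},
    {"time": "2012-06-03T09:15:00", "computer": "PC-01", "id": 196},
    {"time": "2012-06-04T10:00:00", "computer": "PC-01", "id": 199},
    {"time": "2012-06-02T11:00:00", "computer": "PC-02", "id": 175},
    {"time": "2012-06-05T11:00:00", "computer": "PC-02", "id": 177},
    {"time": "2012-06-05T12:00:00", "computer": "PC-02", "id": 246},
    {"time": "2012-06-05T12:01:00", "computer": "PC-02", "id": 246},
    {"time": "2012-06-06T12:00:00", "computer": "PC-03", "id": 160},
]

if __name__ == "__main__":
    weakened, findings = triage(SAMPLE)
    for host, settings in sorted(weakened.items()):
        print(host, "weaker settings in effect:", ", ".join(settings))
    for when, host, what in findings:
        print(when, host, what)
```

Only the Info IDs change the tracked state; an Error ID leaves the earlier setting in place, which is why PC-01 stays flagged after event 199.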

Removable Storage System Events List


The following table lists the individual Removable Storage–generated Windows system events logged on
the client. These events are logged in the Application section of the Windows Event Log.

Table A-2 Removable Storage System Events

Event ID | Severity | Description | Explanation

100 | Info | The Removable Storage service was installed. | Removable Storage was installed.

101 | Info | The Removable Storage service was removed. | Removable Storage was uninstalled.

102 | Error | The Removable Storage service could not be removed. | An uninstallation of Removable Storage was attempted, but due to some problem with the MSI, the Removable Storage Service was not removed during the uninstallation.

103 | Error | The control handler could not be installed. | The Removable Storage Service could not be started.

104 | Error | The initialization process failed. | Removable Storage experienced problems with an important component of its operations, such as the Registry, device detection, named pipes, or the filter driver. This could be remedied by unplugging all devices and rebooting.

105 | Info | The service was started. | This routine event should be logged each time the computer boots up.

106 | Error | The service received an unsupported request. | A request was made to the Removable Storage service that is not supported.

108 | Info | The service was stopped. | This routine event should be logged each time the computer is shut down.

109 | Info | Detected logon by user domain name or local machine name/user name. | This routine event should be recorded each time a user logs on to Windows.

110 | Info | Detected logoff by user domain name or local machine name/user name. | This routine event should be recorded each time a user logs off of Windows.

111 | Info | Could not impersonate user domain name or local machine name/user name. | This event indicates a serious problem and should not occur.

112 | Error | Notification Package could not connect to service to load or unload user domain name or local machine name/user name. | This event indicates an issue with the Removable Storage Service. It should follow either Removable Storage event 109 or 110. If this message occurs, the machine should be rebooted.

113 | Error | Could not start the RS GUI process for user domain name or local machine name/user name. | This event indicates a serious problem with the GUI or named pipes communications.

114 | Info | Successfully started the RS GUI process for user domain name or local machine name/user name. | This routine event should always follow Removable Storage event 109.

115 | Info | Could not connect to the RS GUI process for user domain name or local machine name/user name. | The Removable Storage Service attempted to display a GUI element to the user, but failed.

116 | Info | The RS GUI process for user domain name or local machine name/user name has shut down. | This routine event should always follow Removable Storage event 110.

117 | Info | The service was unable to retrieve settings for user domain name or local machine name/user name. | Removable Storage was unable to read the Registry and cannot determine user policy settings for the specified user. This could cause unexpected behavior.

118 | Info | The service was unable to retrieve settings for the local machine. | Removable Storage was unable to read the Registry and cannot determine policy settings and/or the workgroup key. This could cause unexpected behavior.

119 | Info | A removable device type was detected under user domain name or local machine name/user name and successfully activated. | This routine event should be logged each time a user inserts a device of interest.

120 | Info | A removable device type was detected under user domain name or local machine name/user name and failed to activate. It is the correct behavior for media readers without inserted media (such as a floppy drive with no floppy inserted) to not activate. | This event indicates a user inserted a device of interest, but it failed to be activated by Removable Storage. The Removable Storage Service could not establish communication with the device. The user may have pulled the device out. If not, there may be a more serious problem.

121 | Info | User domain name or local machine name/user name successfully created an XML header for file name. | This routine event should be logged each time an encrypted file is placed on a device of interest.

122 | Info | User domain name or local machine name/user name failed to create an XML header for file name. | This event indicates a failed attempt to create a header for an encrypted file. This could occur for a variety of reasons, such as the failure of a cryptographic library or the XML library to initialize, or if the Recovery Certificate could not be found.

123 | Warning | The service was started manually. A user is already logged in. | This event indicates a user manually started the Removable Storage Service and it will not function properly. A reboot of the machine should solve this problem.

124 Warning
Description: User domain name or local machine name/user name is not registered with the Framework and is being denied access to a removable volume.
Explanation: A user is attempting to access a removable storage device, but has not registered with the Framework.

125 Error
Description: User domain name or local machine name/user name failed to parse the XML header for file name.
Explanation: This event indicates a failed attempt to parse the header for an encrypted file.

126 Warning
Description: A failure occurred generating the password node of the XML header.
Explanation: This event indicates a failed attempt to create the password node of a header for an encrypted file.

127 Warning
Description: A failure occurred generating the group key node of the XML header.
Explanation: This event indicates a failed attempt to create the group key node of a header for an encrypted file.

128 Warning
Description: A failure occurred generating the certificate node of the XML header for Serial Number serial number.
Explanation: This event indicates a specific failure while creating the certificate key node of a header for an encrypted file.

129 Warning
Description: A failure occurred generating the certificate node of the XML header.
Explanation: This event indicates a general failure while creating the certificate key node of a header for an encrypted file.

130 Info
Description: The Removable Storage Access Utility for Windows has been copied to drive letter.
Explanation: This event indicates that the Removable Storage Access Utility for Windows has been copied to the specified device.

135 Info
Description: The self-extracting file file name was successfully created.
Explanation: The specified self-extracting file was created.

136 Error
Description: The file file name could not be decrypted because the current user's logon information was not received.
Explanation: The Removable Storage service did not receive login information about the user and cannot proceed.

139 Error
Description: The Removable Storage Access Utility for Windows could not be copied to drive letter. error
Explanation: This event indicates a failed attempt to distribute the Removable Storage Access Utility for Windows to a device.

144 Info
Description: The newly created file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name.
Explanation: A new file of the name indicated was added to a removable storage device by the specified user. The file would normally have been encrypted because an encrypt all or an encrypt new policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files.

145 Info
Description: The existing file file name has been exempted from encryption because of encryption exemption policy setting (multimedia file description) for the user user name.
Explanation: A file of the name indicated existed on a removable storage device that was inserted into the Removable Storage–protected workstation by the specified user. The file would normally have been encrypted because an encrypt all policy is in place. The file was not encrypted because it belongs to an exempted multimedia file group. See the User Guide for more information about the exempted files.

534 Info
Description: GPO and SEE Framework policy synchronization completed.
Explanation: Policy synchronization has been completed.

535 Error
Description: A failure occurred during the device mount process for device drive letter. Applying a No Access policy to the device. Please disconnect and reconnect device to remount the device properly.
Explanation: This event indicates a failed attempt to mount a removable storage device. The user will not be able to access the device.

565 Info
Description: Encryption of a file file name completed successfully.
Explanation: The user attempted to encrypt a file and the operation completed successfully.

566 Info
Description: Encryption of a file file name did not complete successfully.
Explanation: The user attempted to encrypt a file and the operation failed.

567 Info
Description: Decryption of a file file name completed successfully.
Explanation: The user attempted to decrypt a file and the operation completed successfully.

568 Info
Description: Decryption of a file file name did not complete successfully.
Explanation: The user attempted to decrypt a file and the operation failed.

569 Info
Description: Threshold reached for failed authentication attempts to encrypt or decrypt a file.
Explanation: The user reached the maximum number of incorrect passwords allowed while attempting to encrypt or decrypt a file.

570 Info
Description: Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. success.
Explanation: The user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file and must wait for one minute before further attempts.

571 Info
Description: Delay instituted because threshold for failed authentication attempts to encrypt or decrypt a file was reached. failure.
Explanation: The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be instituted.

572 Info
Description: Expiration of the delay instituted because of failed authentication attempts. success.
Explanation: The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file has expired.

573 Info
Description: Expiration of the delay instituted because of failed authentication attempts. failure.
Explanation: The one minute delay caused when a user exceeded the number of incorrect passwords allowed while attempting to encrypt or decrypt a file could not be expired.

579 Info
Description: The Default Password for user user name has reached maximum age.
Explanation: Password aging is enabled. The user must use the User Client Console to change their Default Password. The expired Default Password can still be used for decryption.

585 Info
Description: The user user name has enabled automatic encryption through client console.
Explanation: The user has changed the automatic encryption setting through the User Choice panel of the Client Console to specify Encrypt new files written to removable media as the default.

586 Info
Description: The user user name has disabled automatic encryption through client console.
Explanation: The user has changed the automatic encryption setting through the User Choice panel of the Client Console to specify Do not encrypt new files written to removable media as the default.

587 Info
Description: The inserted device is exempted from encryption and the files written to the device will not be encrypted.
Explanation: A removable storage device that matches an exempted device type has been inserted. Therefore, files written to the device will not be encrypted.

588 Info
Description: The Removable Storage Access Utility for Mac OS X has been copied to drive letter.
Explanation: The Removable Storage Access Utility for Mac OS X has been copied to the specified device.

589 Error
Description: The Removable Storage Access Utility for Mac OS X could not be copied to drive letter. error
Explanation: The Removable Storage Access Utility for Mac OS X failed to be copied to the specified device.

590 Info
Description: The Removable Storage Access Utilities for Windows and Mac OS X have been copied to drive letter.
Explanation: The Removable Storage Access Utility for Windows and the Removable Storage Access Utility for Mac OS X were copied to the specified device.

591 Error
Description: The Removable Storage Access Utilities for Windows and Mac OS X could not be copied to drive letter. error
Explanation: The Removable Storage Access Utility for Windows and the Removable Storage Access Utility for Mac OS X failed to be copied to the specified device.

592 Info An external eSata drive Removable Storage has detected that an eSATA
Removable Storage device has been inserted.

593 Info
Description: Successfully cleared all device session default passwords.
Explanation: Removable Storage successfully deleted all Device Session Default Passwords. The user either logged off of Windows or removed the device(s). Another possibility is that the Client Computer received a change in policy from Allow users to set a device session default password for each removable storage device to Do not allow users to set a device session default password for each removable device.

594 Error
Description: Failed to clear all device session default passwords.
Explanation: Removable Storage was unable to delete all Device Session Default Passwords when the user logged off of Windows. This condition is unlikely, but as a protective measure, Removable Storage also clears any password associated with a device when that device is reinserted.

595 Info
Description: Successfully cleared device session default password for Volume volume number.
Explanation: Removable Storage has successfully deleted the Device Session Default Password for the specified device when the user removed the device or logged off of Windows.

596 Error
Description: Failed to clear device session default password for Volume volume number. error
Explanation: Removable Storage was unable to delete the Device Session Default Password for the specified device. This error condition is highly unlikely, but as a protective measure, Removable Storage also clears any password associated with the device when that device is reinserted.

597 Info
Description: Successfully set the device session default password for Volume volume number.
Explanation: A user successfully set a Device Session Default Password for the specified volume.

598 Info
Description: The user user name has set the default password.
Explanation: The specified user set a Default Password by selecting the Set a default password check box and entering a password on the Default Passwords panel in the User Client Console.

599 Info
Description: The user user name has set session default password.
Explanation: The specified user set a Session Default Password by selecting the Set a session default password check box and entering a password on the Default Passwords panel in the User Client Console.

600 Info
Description: The user user name has deactivated default password.
Explanation: The specified user deactivated the Default Password by deselecting the Set a default password check box on the Default Passwords panel in the User Client Console.

601 Info
Description: The user user name has deactivated session default password.
Explanation: The specified user deselected the Set a session default password check box on the Default Passwords panel in the User Client Console.

602 Info
Description: The user user name has reactivated default password.
Explanation: The specified user reactivated the Default Password by checking again the Set a default password check box for a password already entered on the Default Passwords panel in the User Client Console.

603 Info
Description: The user user name has reactivated session default password.
Explanation: The specified user re-activated the Session Default Password by checking again the Set a session default password check box for a password already entered on the Default Passwords panel in the User Client Console.

604 Info
Description: The user user name has changed default password.
Explanation: The specified user changed an existing Default Password by entering a new password with the Set a default password check box selected on the Default Passwords panel in the User Client Console.

605 Info
Description: The user user name has changed session default password.
Explanation: The specified user changed an existing Session Default Password by entering a new password with the Set a session default password check box selected on the Default Passwords panel in the User Client Console.

606 Info
Description: The user user name has deleted session default password.
Explanation: Removable Storage deleted the Session Default Password because the user logged off of Windows and the active policy is Delete session default passwords at the end of every Windows session or Deactivate session default passwords at the end of every Windows session, but allow them to persist across every Windows session. Alternatively, Removable Storage deleted the Session Default Password because the policy changed from Allow users to set session default passwords to Do not allow users to set session default passwords.

607 Info
Description: The user user name has added a certificate.
Explanation: The specified user added a certificate by using the Certificates panel in the User Client Console and following the prompts after clicking Add New Certificate.

608 Info
Description: The user user name has removed a certificate.
Explanation: The specified user removed a certificate by using the Certificates panel in the User Client Console, selecting the check box next to a certificate, then clicking Remove Selected Certificates.

2000 Info
Description: Initial Setting: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Do not allow access to files on removable media has been applied successfully as an installation setting.

2001 Error
Description: Initial Setting: Do not allow access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Do not allow access to files on removable media has failed to be applied as an installation setting.

2002 Info
Description: Initial Setting: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Allow read-only access to files on removable media has been applied successfully as an installation setting.

2003 Error
Description: Initial Setting: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Allow read-only access to files on removable media has failed to be applied as an installation setting.

2004 Info
Description: Initial Setting: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Allow read and write access to files on removable media has been applied successfully as an installation setting.

2005 Error
Description: Initial Setting: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An access policy of Allow read and write access to files on removable media has failed to be applied as an installation setting.

2006 Info
Description: Initial Setting: Encrypt all files read from or written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Encrypt all files has been applied successfully as an installation setting.

2007 Error
Description: Initial Setting: Encrypt all files read from or written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Encrypt all files has failed to be applied as an installation setting.

2008 Info
Description: Initial Setting: Encrypt all files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Encrypt new files has been applied successfully as an installation setting.

2009 Error
Description: Initial Setting: Encrypt all files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Encrypt new files has failed to be applied as an installation setting.

2010 Info
Description: Initial Setting: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Do not encrypt has been applied successfully as an installation setting.

2011 Error
Description: Initial Setting: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: An automatic encryption policy of Do not encrypt has failed to be applied as an installation setting.

2012 Info
Description: Initial Setting: Copy the Access Utility for Windows to removable media enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Windows to removable media has been applied successfully as an installation setting.

2013 Error
Description: Initial Setting: Copy the Access Utility for Windows to removable media enabled; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Windows to removable media has failed to be applied as an installation setting.

2014 Info
Description: Initial Setting: Copy the Access Utility for Windows to removable media not enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Windows to removable media has been applied successfully as an installation setting.

2015 Error
Description: Initial Setting: Copy the Access Utility for Windows to removable media not enabled; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Windows to removable media has failed to be applied as an installation setting.

2016 Info
Description: Initial Setting: Encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Installation Settings - Encryption Method.
Explanation: Users will only be able to use a password to encrypt files written to removable storage devices; this installation setting was applied successfully.

2017 Error
Description: Initial Setting: Encrypt files on removable storage devices with password; policy failed. Removable Storage Installation Settings - Encryption Method.
Explanation: An installation setting of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied.

2018 Info
Description: Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method.
Explanation: Users will only be able to use from one to ten certificates to encrypt files written to removable storage devices; this installation setting was applied successfully.

2019 Error
Description: Initial Setting: Encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method.
Explanation: An installation setting of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied.

2020 Info
Description: Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Installation Settings - Encryption Method.
Explanation: Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this installation setting was applied successfully.

2021 Error
Description: Initial Setting: Encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Installation Settings - Encryption Method.
Explanation: An installation setting of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied.

2022 Info
Description: Initial Setting: Do not encrypt files with a recovery certificate; policy applied successfully. Removable Storage Installation Settings - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has been applied successfully as an installation setting.

2023 Error
Description: Initial Setting: Do not encrypt files with a recovery certificate; policy failed. Removable Storage Installation Settings - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has failed to be applied as an installation setting.

2024 Info
Description: Initial Setting: Encrypt files with a recovery certificate; policy applied successfully. Removable Storage Installation Settings - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has been applied successfully as an installation setting.

2025 Error
Description: Initial Setting: Encrypt files with a recovery certificate; policy failed. Removable Storage Installation Settings - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has failed to be applied as an installation setting.

2026 Info
Description: Initial Setting: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Do not encrypt or decrypt files with a workgroup key has been applied successfully as an installation setting.

2027 Error
Description: Initial Setting: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Do not encrypt or decrypt files with a workgroup key has failed to be applied as an installation setting.

2028 Info
Description: Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy applied successfully. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Encrypt and decrypt files with a workgroup key unique to each workstation has been applied successfully as an installation setting.

2029 Error
Description: Initial Setting: Encrypt or decrypt files with a group key unique to each workstation; policy failed. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Encrypt and decrypt files with a workgroup key unique to each workstation has failed to be applied as an installation setting.

2030 Info
Description: Initial Setting: Encrypt or decrypt files with specified group key; policy applied successfully. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key has been applied successfully as an installation setting.

2031 Error
Description: Initial Setting: Encrypt or decrypt files with specified group key; policy failed. Removable Storage Installation Settings - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key has failed to be applied as an installation setting.

2032 Info
Description: Initial Setting: Set group key memo; policy applied successfully. Removable Storage Installation Settings - Group Key.
Explanation: An optional memo was added to identify the workgroup key used to encrypt and decrypt files; this installation setting was applied successfully.

2033 Error
Description: Initial Setting: Set group key memo; policy failed. Removable Storage Installation Settings - Group Key.
Explanation: The optional memo that was specified to identify the workgroup key used to encrypt and decrypt files did not get added; this installation setting failed to be applied.

2034 Info
Description: Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy applied successfully. Removable Storage Installation Settings - Executables.
Explanation: A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting.

2035 Error
Description: Initial Setting: Allow users to save files as password-encrypted self-extracting executables enabled; policy failed. Removable Storage Installation Settings - Executables.
Explanation: A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting.

2036 Info
Description: Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy applied successfully. Removable Storage Installation Settings - Executables.
Explanation: A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as an installation setting.

2037 Error
Description: Initial Setting: Allow users to save files as password-encrypted self-extracting executables not enabled; policy failed. Removable Storage Installation Settings - Executables.
Explanation: A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as an installation setting.

2038 Info
Description: Initial Setting: 128-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption.
Explanation: An AES encryption strength of 128-bit has been applied successfully as an installation setting.

2039 Error
Description: Initial Setting: 128-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption.
Explanation: An AES encryption strength of 128-bit failed to be applied as an installation setting.

2040 Info
Description: Initial Setting: 256-bit encryption strength; policy applied successfully. Removable Storage Installation Settings - Encryption.
Explanation: An AES encryption strength of 256-bit has been applied successfully as an installation setting.

2041 Error
Description: Initial Setting: 256-bit encryption strength; policy failed. Removable Storage Installation Settings - Encryption.
Explanation: An AES encryption strength of 256-bit failed to be applied as an installation setting.

2042 Info
Description: Settings Changed: Do not allow access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Do not allow access to files on removable media has been applied successfully as a policy update.

2043 Error
Description: Settings Changed: Do not allow access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Do not allow access to files on removable media has failed to be applied as a policy update.

2044 Info
Description: Settings Change: Allow read-only access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Allow read-only access to files on removable media has been applied successfully as a policy update.

2045 Error
Description: Settings Change: Allow read-only access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Allow read-only access to files on removable media has failed to be applied as a policy update.

2046 Info
Description: Settings Change: Allow read and write access to files on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Allow read and write access to files on removable media has been applied successfully as a policy update.

2047 Error
Description: Settings Change: Allow read and write access to files on removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An access policy of Allow read and write access to files on removable media has failed to be applied as a policy update.

2048 Info
Description: Settings Change: Encrypt all files accessed on removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Encrypt all files has been applied successfully as a policy update.

2049 Error
Description: Settings Change: Encrypt all files accessed to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Encrypt all files has failed to be applied as a policy update.

2050 Info
Description: Settings Change: Encrypt new files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Encrypt new files has been applied successfully as a policy update.

2051 Error
Description: Settings Change: Encrypt new files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Encrypt new files has failed to be applied as a policy update.

2052 Info
Description: Settings Change: Do not encrypt files written to removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Do not encrypt files has been applied successfully as a policy update.

2053 Error
Description: Settings Change: Do not encrypt files written to removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An automatic encryption policy of Do not encrypt files has failed to be applied as a policy update.

2054 Info
Description: Settings Change: Copy the Removable Storage Access Utility for Windows to removable media enabled; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Windows to removable media has been applied successfully as a policy update.

2055 Error
Description: Settings Change: Copy the Removable Storage Access Utility for Windows to removable media enabled; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Windows to removable media has failed to be applied as a policy update.

2056 Info
Description: Settings Change: The Removable Storage Access Utility for Windows will no longer be copied to removable media; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Windows to removable media has been applied successfully as a policy update.

2057 Error
Description: Settings Change: The Removable Storage Access Utility for Windows will no longer be copied to removable media; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Windows to removable media has failed to be applied as a policy update.

2058 Info
Description: Settings Change: Users encrypt files on removable storage devices with password; policy applied successfully. Removable Storage Computer Policy - Encryption Method.
Explanation: Users will only be able to use a password to encrypt files written to removable storage devices; this policy update was applied successfully.

2059 Error
Description: Settings Change: Users encrypt files on removable storage devices with password; policy failed. Removable Storage Computer Policy - Encryption Method.
Explanation: A policy update of only allowing users to use a password to encrypt files written to removable storage devices was specified but failed to be applied.

2060 Info
Description: Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method.
Explanation: Users will only be able to use one or more certificates to encrypt files written to removable storage devices; this policy update was applied successfully.

2061 Error
Description: Settings Change: Users encrypt files on removable storage devices with one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method.
Explanation: A policy update of only allowing users to use one or more certificates to encrypt files written to removable storage devices was specified but failed to be applied.

2062 Info
Description: Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy applied successfully. Removable Storage Computer Policy - Encryption Method.
Explanation: Users can select a password, certificate(s), or both to encrypt files written to removable storage devices; this policy update was applied successfully.

2063 Error
Description: Settings Change: Users encrypt files on removable storage devices with password and/or one or more certificates; policy failed. Removable Storage Computer Policy - Encryption Method.
Explanation: A policy update of allowing users to use a password, certificate(s), or both to encrypt files written to removable storage devices was specified but failed to be applied.

2064 Info
Description: Settings Change: Do not encrypt files with a recovery certificate; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has been applied successfully as a policy update.

2065 Error
Description: Settings Change: Do not encrypt files with a recovery certificate; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has failed to be applied as a policy update.

2066 Info
Description: Settings Change: Encrypt files with a recovery certificate; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has been applied successfully as a policy update.

2067 Error
Description: Settings Change: Encrypt files with a recovery certificate; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has failed to be applied as a policy update.

2068 Info
Description: Settings Change: Encrypt files with a recovery certificate issuer changed; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: The recovery certificate has been changed successfully by policy update. The name of the issuer of the new recovery certificate is provided.

2069 Error
Description: Settings Change: Encrypt files with a recovery certificate issuer changed; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: An attempt to apply a policy update and change the recovery certificate failed. The name of the issuer of the new recovery certificate is provided.

2070 Info
Description: Settings Change: Encrypt files with a recovery certificate serial number changed; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: The recovery certificate has been changed successfully by policy update. The serial number of the new recovery certificate is provided in the log.

2071 Error
Description: Settings Change: Encrypt files with a recovery certificate serial number changed; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: An attempt to apply a policy update and change the recovery certificate failed.

2072 Info
Description: Settings Change: Encrypt files with a recovery certificate enable; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has been applied successfully as a policy update.

2073 Error
Description: Settings Change: Encrypt files with a recovery certificate enable; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Encrypt files with a recovery certificate has failed to be applied as a policy update.

2074 Info
Description: Settings Change: Encrypt files with a recovery certificate not enable; policy applied successfully. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has been applied successfully as a policy update.

2075 Error
Description: Settings Change: Encrypt files with a recovery certificate not enable; policy failed. Removable Storage Computer Policy - Recovery Certificate.
Explanation: A policy of Do not encrypt files with a recovery certificate has failed to be applied as a policy update.

2076 Info
Description: Settings Change: Do not encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Do not encrypt or decrypt files with a workgroup key has been applied successfully as a policy update.

2077 Error
Description: Settings Change: Do not encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Do not encrypt or decrypt files with a workgroup key has failed to be applied as a policy update.

2078 Info
Description: Settings Change: Encrypt or decrypt files with group key; policy applied successfully. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key has been applied successfully as a policy update.

2079 Error
Description: Settings Change: Encrypt or decrypt files with group key; policy failed. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key has failed to be applied as a policy update.

2080 Info
Description: Settings Change: Encrypt or decrypt files with group key and Memo; policy applied successfully. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key identified by a certain memo has been applied successfully as a policy update.

2081 Error
Description: Settings Change: Encrypt or decrypt files with group key and Memo; policy failed. Removable Storage Computer Policy - Group Key.
Explanation: A policy of Encrypt and decrypt files with this workgroup key identified by a certain memo has failed to be applied as a policy update.

2082 Info
Description: Settings Change: Memo for Group Key changed; policy applied successfully. Removable Storage Computer Policy - Group Key.
Explanation: An existing memo was changed; this installation setting was applied successfully.

2083 Error
Description: Settings Change: Memo for Group Key changed. Removable Storage Computer Policy - Group Key.
Explanation: An existing memo was changed; this installation setting was applied successfully.

2084 Info
Description: Settings Change: Memo for Group Key not changed; policy applied successfully. Removable Storage Computer Policy - Group Key.
Explanation: A policy update to change an existing memo failed to be applied; the memo was not changed.

2085 Error
Description: Settings Change: Memo for Group Key not changed. Removable Storage Computer Policy - Group Key.
Explanation: A policy update to change an existing memo failed to be applied; the memo was not changed.

2086 Info
Description: Settings Change: Allow users to save files as password-encrypted self-extracting executables enable. Removable Storage Computer Policy - Executables.
Explanation: A policy of Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.

2087 Error
Description: Settings Change: Allow users to save files as password-encrypted self-extracting executables enable; policy failed. Removable Storage Computer Policy - Executables.
Explanation: A policy of Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.

2088 Info
Description: Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable. Removable Storage Computer Policy - Executables.
Explanation: A policy of do not Allow users to save files as password-encrypted self-extracting executables has been applied successfully as a policy update.

2089 Error
Description: Settings Change: Allow users to save files as password-encrypted self-extracting executables not enable; policy failed. Removable Storage Computer Policy - Executables.
Explanation: A policy of do not Allow users to save files as password-encrypted self-extracting executables failed to be applied as a policy update.

2090 Info
Description: Program Action: Client program installation attempted. Removable Storage
Explanation: An attempt was made to execute a Removable Storage client MSI package.

2091 Info
Description: Program Action: Client program installation success. Removable Storage
Explanation: The Removable Storage client software was successfully installed.

2092 Error
Description: Program Action: Client program installation failed. Removable Storage
Explanation: The Removable Storage client software failed to be installed.

2093 Info
Description: Program Action: Client program upgrade attempted. Removable Storage
Explanation: An attempt was made to upgrade an existing installation of the Removable Storage client software.

2094 Info
Description: Program Action: Client program upgrade success. Removable Storage
Explanation: The Removable Storage client software was successfully upgraded.

2095 Error
Description: Program Action: Client program upgrade failed. Removable Storage
Explanation: The Removable Storage client software failed to be upgraded.

2096 Warning
Description: Program Action: User program uninstallation attempted. Removable Storage
Explanation: An attempt was made to uninstall a Removable Storage client installation.

2097 Warning
Description: Program Action: User program uninstallation success. Removable Storage
Explanation: The Removable Storage client software was successfully uninstalled.

2098 Warning
Description: Program Action: User program uninstallation failed. Removable Storage
Explanation: The Removable Storage client software failed to be uninstalled.

2099 Info
Description: Settings Change: Allow Encryption exemption for group(s) of file(s) for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption:group name(s)
Explanation: A policy of excluding the identified multimedia file groups from encryption has been applied successfully as a policy update.

2100 Info
Description: Settings Change: Turn off Encryption exemption for group(s) of file(s) for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: A policy of excluding multimedia file groups from encryption has been lifted successfully: multimedia files will no longer be excluded from mandatory encryption.

2101 Error
Description: Settings Change: Allow Encryption exemption for group(s) of file(s) for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s)
Explanation: A policy of excluding the identified multimedia file groups from encryption was sent, but failed to be applied.

2102 Error
Description: Settings Change: Turn off Encryption exemption for group(s) of file(s) for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: A policy lifting the exclusion of multimedia file groups from encryption failed to be applied; multimedia files will continue to be excluded.

2103 Info
Description: Initial Setting: Allow Encryption exemption for group(s) of files for removable storage devices; policy applied successfully. Removable Storage Computer Policy - Security Level. Following group(s) would be exempted from encryption: group name(s)
Explanation: Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting was applied successfully.

2104 Info
Description: Initial Setting: Turn off Encryption exemption for group(s) of file(s) for removable storage devices policy; policy applied successfully. Removable Storage Computer Policy - Security Level. group name(s)
Explanation: Multimedia files belonging to the groups specified will not be excluded from mandatory encryption; this installation setting was applied successfully.

2105 Error
Description: Initial Setting: Allow Encryption exemption for group(s) of file(s) for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level. The Policy failed for following group(s): group name(s)]
Explanation: Multimedia files belonging to the groups specified will be excluded from mandatory encryption; this installation setting failed to be applied.

2106 Error
Description: Initial Setting: Turn off Encryption exemption for group(s) of file for removable storage devices; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: An installation setting specifying that multimedia file groups should not be excluded from encryption failed to be applied.

2107 Info
Description: Initial Setting: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Installation Settings
Explanation: An encryption policy of Encrypt files written to CD/DVD has been applied successfully as an installation setting.

2108 Error
Description: Initial Setting: Encrypt to CDs/DVDs only; policy failed. Removable Storage Installation Settings
Explanation: An encryption policy of Encrypt files written to CD/DVD failed to be applied as an installation setting.

2109 Info
Description: Settings Change: Encrypt to CDs/DVDs only; policy applied successfully. Removable Storage Computer Policy
Explanation: An encryption policy of Encrypt files written to CD/DVD has been applied successfully as a policy update or as part of an upgrade package.

2110 Error
Description: Settings Change: Encrypt to CDs/DVDs only; policy failed. Removable Storage Computer Policy
Explanation: An encryption policy of Encrypt files written to CD/DVD was specified as a policy update or as part of an upgrade package but failed to be applied.

2111 Error
Description: Settings Change: Default Password not allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set a Default Password failed to be applied as a policy update.

2112 Info
Description: Settings Change: Default Password not allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set a Default Password has been successfully applied as a policy update.

2113 Info
Description: Settings Change: Default Password allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that allows users to set a Default Password has been successfully applied as a policy update.

2114 Error
Description: Settings Change: Default Password allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that allows users to set a Default Password has failed to be applied as a policy update.

2115 Info
Description: Settings Change: Session default passwords not allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set Session Default Passwords has been successfully applied as a policy update.

2116 Error
Description: Settings Change: Session default passwords not allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set Session Default Passwords has failed to be applied as a policy update.

2117 Error
Description: Settings Change: Session default passwords allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that allows users to set Session Default Passwords has failed to be applied as a policy update.

2118 Info
Description: Settings Change: Session default passwords allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that allows users to set Session Default Passwords has been successfully applied as a policy update.

2119 Info
Description: Settings Change: Delete Session default passwords at Windows session; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords be deleted at the end of the user’s Windows session has been successfully applied as a policy update.

2120 Error
Description: Settings Change: Delete Session default passwords at Windows session; policy failed. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords be deleted at the end of the user’s Windows session has failed to be applied as a policy update.

2121 Error
Description: Settings Change: Inactivate Session default passwords at Windows session; policy failed. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords be inactivated at the end of a Windows session has failed to be applied as a policy update.

2122 Info
Description: Settings Change: Inactivate Session default passwords at Windows session; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords be inactivated at the end of the user’s Windows session has been successfully applied as a policy update.

2123 Info
Description: Settings Change: Apply password aging to Session default passwords; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that specifies that password aging be applied to Session Default Passwords has been successfully applied as a policy update.

2124 Error
Description: Settings Change: Apply password aging to Session default passwords; policy failed. Removable Storage Computer Policy
Explanation: A policy that specifies that password aging be applied to Session Default Passwords has failed to be applied as a policy update.

2125 Error
Description: Settings Change: Do not delete, inactivate or apply password aging to Session default Password; policy failed. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords not be inactivated, deleted, or be subjected to password aging has failed to be applied as a policy update.

2126 Info
Description: Settings Change: Do not delete, inactivate or apply password aging to Session default Password; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that specifies that Session Default Passwords not be inactivated, deleted, or be subjected to password aging has been successfully applied as a policy update.

2127 Info
Description: Initial Setting: User choice encryption, default to encrypt; policy applied successfully. Removable Storage Installation Settings
Explanation: An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has been successfully applied as an installation setting.

2128 Error
Description: Initial Setting: User choice encryption, default to encrypt; policy failed. Removable Storage Installation Settings
Explanation: An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has failed to be applied as an installation setting.

2129 Info
Description: Initial Setting: User choice encryption, default setting not to encrypt; policy applied successfully. Removable Storage Installation Settings
Explanation: An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has been successfully applied as an installation setting.

2130 Error
Description: Initial Setting: User choice encryption, default setting not to encrypt; policy failed. Removable Storage Installation Settings
Explanation: An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has failed to be applied as an installation setting.

2131 Info
Description: Initial Setting: User can Right click to Encrypt files/folders; policy applied successfully. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has been successfully applied as an installation setting.

2132 Error
Description: Initial Setting: User can Right click to Encrypt files/folders; policy failed. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has failed to be applied as an installation setting.

2133 Info
Description: Initial Setting: User cannot Right click to Encrypt files/folders; policy applied successfully. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has been successfully applied as an installation setting.

2134 Error
Description: Initial Setting: User cannot Right click to Encrypt files/folders; policy failed. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has failed to be applied as an installation setting.

2135 Info
Description: Initial Setting: User can Right click to Decrypt files/folders; policy applied successfully. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has been successfully applied as an installation setting.

2136 Error
Description: Initial Setting: User can Right click to Decrypt files/folders; policy failed. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has failed to be applied as an installation setting.

2137 Info
Description: Initial Setting: User cannot Right click to Decrypt files/folders; policy applied successfully. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been successfully applied as an installation setting.

2138 Error
Description: Initial Setting: User cannot Right click to Decrypt files/folders; policy failed. Removable Storage Installation Settings
Explanation: An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has failed to be applied as an installation setting.

2139 Error
Description: Settings Change: Encryption policy change to User Choice; policy failed. Removable Storage Computer Policy
Explanation: A policy change to allow an encryption setting of Allow users to choose has failed to be applied as a policy update.

2140 Info
Description: Settings Change: Encryption policy change to User Choice; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy change to allow an encryption setting of Allow users to choose has been successfully applied as a policy update.

2141 Error
Description: Settings Change: Encryption policy User Choice- Default to Encrypt; policy failed. Removable Storage Computer Policy
Explanation: An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has failed to be applied as a policy update.

2142 Info
Description: Settings Change: Encryption policy User Choice- Default to Encrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An encryption setting of Allow users to choose with a default setting of Default to encrypt new files has been successfully applied as a policy update.

2143 Error
Description: Settings Change: Encryption policy User Choice- Default setting Not to Encrypt; policy failed. Removable Storage Computer Policy
Explanation: An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has been successfully applied as a policy update.

2144 Info
Description: Settings Change: Encryption policy User Choice- Default setting Not to Encrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An encryption setting of Allow users to choose with a default setting of Default to do not encrypt has failed to be applied as a policy update.

2145 Error
Description: Settings Change: Encryption policy User can right click and Encrypt; policy failed. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has failed to be applied as a policy update.

2146 Info
Description: Settings Change: Encryption policy User can right click and Encrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting of Users may right-click to encrypt existing files on removable media has been applied successfully as a policy update.

2147 Error
Description: Settings Change: Encryption policy User cannot right click and Encrypt; policy failed. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has failed to be applied as a policy update.

2148 Info
Description: Settings Change: Encryption policy User cannot right click and Encrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting that does not allow users to right-click to encrypt existing files on removable media has been applied successfully as a policy update.

2149 Error
Description: Settings Change: Encryption policy User can right click and Decrypt; policy failed. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has failed to be applied as a policy update.

2150 Info
Description: Settings Change: Encryption policy User can right click and Decrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting of Users may right-click to decrypt existing files on removable media has been successfully applied as a policy update.

2151 Error
Description: Settings Change: Encryption policy User cannot right click and Decrypt; policy failed. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has failed to be applied as a policy update.

2152 Info
Description: Settings Change: Encryption policy User cannot right click and Decrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been applied successfully as a policy update.

2153 Info
Description: Initial Setting: Some of the devices are exempted; policy applied successfully. Removable Storage Installation Settings
Explanation: A policy that exempts one or more removable storage devices from encryption has been applied successfully as an installation setting.

2154 Error
Description: Initial Setting: Some of the devices are exempted; policy failed. Removable Storage Installation Settings
Explanation: A policy that exempts one or more removable storage devices from encryption has failed to be applied as an installation setting.

2155 Info
Description: Initial Setting: Device exemption disabled; policy applied successfully. Removable Storage Installation Settings
Explanation: A policy that does not allow devices to be exempted from encryption has been applied successfully as an installation setting.

2156 Error
Description: Initial Setting: Device exemption disabled; policy failed. Removable Storage Installation Settings
Explanation: A policy that does not allow devices to be exempted from encryption has failed to be applied as an installation setting.

2157 Error
Description: Settings Change: Some of the devices are exempted; policy failed. Removable Storage Computer Policy
Explanation: A policy that exempts one or more removable storage devices from encryption has failed to be applied as a policy update.

2158 Info
Description: Settings Change: Some of the devices are exempted; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that exempts one or more removable storage devices from encryption has been applied successfully as a policy update.

2159 Error
Description: Settings Change: Device exemption disabled; policy failed. Removable Storage Computer Policy
Explanation: A policy that does not allow devices to be exempted from encryption has failed to be applied as a policy update.

2160 Info
Description: Settings Change: Device exemption disabled; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that does not allow devices to be exempted from encryption has been applied successfully as a policy update.

2161 Info
Description: Settings Change: Encryption policy User cannot right click and Decrypt; policy applied successfully. Removable Storage Computer Policy
Explanation: An On Demand Encryption setting that does not allow users to right-click to decrypt existing files on removable media has been applied successfully as a policy update.

2162 Info
Description: Program Action: An exempted device was inserted. Security Level.
Explanation: A removable storage device exempted from encryption has been inserted.

2163 Error
Description: Settings Change: Encryption policy change to Use DLP; policy failed. Removable Storage Computer Policy
Explanation: An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has failed to be applied as a policy update.

2164 Info
Description: Settings Change: Encryption policy change to Use DLP; policy applied successfully. Removable Storage Computer Policy
Explanation: An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has been applied successfully as a policy update.

2165 Error
Description: Initial Setting: Encrypt according to User Choice; policy failed. Removable Storage Installation Settings
Explanation: A policy change to allow an encryption setting of Allow users to choose has failed to be applied as an installation setting.

2166 Info
Description: Settings Change: Encrypt according to User Choice; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy change to allow an encryption setting of Allow users to choose has been successfully applied as a policy update.

2167 Error
Description: Initial Setting: Encrypt according to DLP; policy failed. Removable Storage Installation Settings
Explanation: An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has failed to be applied as an installation setting.

2168 Info
Description: Settings Change: Encrypt according to DLP; policy applied successfully. Removable Storage Computer Policy
Explanation: An automatic encryption policy of Encrypt files as per Symantec DLP for Endpoint has been applied successfully as a policy update.

2169 Info
Description: Initial Setting: Copy the Access Utility for Mac OS X to removable media enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Mac OS X to removable media has been applied successfully as an installation setting.

2176 Error
Description: Initial Setting: Copy the Access Utility for Mac OS X to removable media enabled; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Mac OS X to removable media has failed to be applied as an installation setting.

2186 Info
Description: Initial Setting: Copy the Access Utility for Mac OS X to removable media not enabled; policy applied successfully. Removable Storage Installation Settings - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Mac OS X to removable media has been applied successfully as an installation setting.

2187 Error
Description: Initial Setting: Copy the Access Utility for Mac OS X to removable media not enabled; policy failed. Removable Storage Installation Settings - Security Level.
Explanation: The portability policy of not copying the Removable Storage Access Utility for Mac OS X to removable media has failed to be applied as an installation setting.

2188 Error
Description: Settings Change: Device Session Default Password not allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set Device Session Default Passwords has failed to be applied as a policy update.

2189 Info
Description: Settings Change: Device Session Default Password not allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that does not allow users to set Device Session Default Passwords has been applied successfully as a policy update.

2190 Info
Description: Settings Change: Device Session Default Password allowed; policy applied successfully. Removable Storage Computer Policy
Explanation: A policy that allows users to set Device Session Default Passwords has been applied successfully as a policy update.

2191 Error
Description: Settings Change: Device Session Default Password allowed; policy failed. Removable Storage Computer Policy
Explanation: A policy that allows users to set Device Session Default Passwords has failed to be applied as a policy update.

2192 Error
Description: Initial Setting: Device Session Default Password not allowed; policy failed. Removable Storage Installation Settings
Explanation: A default passwords policy of not allowing users to set a Device Session Default Password for each removable storage device has failed to be applied as an installation setting.

2193 Info
Description: Initial Setting: Device Session Default Password not allowed; policy applied successfully. Removable Storage Installation Settings
Explanation: A default passwords policy of not allowing users to set a Device Session Default Password for each removable storage device has been applied successfully as an installation setting.

2194 Info
Description: Initial Setting: Device Session Default Password allowed; policy applied successfully. Removable Storage Installation Settings
Explanation: A default passwords policy of Allow users to set a Device Session Default Password for each removable storage device has been applied successfully as an installation setting.

2195 Error
Description: Initial Setting: Device Session Default Password allowed; policy failed. Removable Storage Installation Settings
Explanation: A default passwords policy of Allow users to set a Device Session Default Password for each removable storage device has failed to be applied as an installation setting.

2196 Info
Description: Settings Change: Copy the Removable Storage Access Utility for Mac OS X to removable media enabled; policy applied successfully. Removable Storage Computer Policy - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Mac OS X to removable media has been applied successfully as a policy update.

2197 Error
Description: Settings Change: Copy the Removable Storage Access Utility for Mac OS X to removable media enabled; policy failed. Removable Storage Computer Policy - Security Level.
Explanation: A portability policy of Copy the Removable Storage Access Utility for Mac OS X to removable media has failed to be applied as a policy update.
86 System Event Logging
Removable Storage System Events List

Table A-2 Removable Storage System Events (Continued)

Event Severity Description Explanation


ID

2198 Info Settings Change: The Removable Storage A portability policy not allowing users to copy the
Access Utility for Mac OS X will no longer be Removable Storage Access Utility for Mac OS X to
copied to removable media; policy applied removable media has been applied successfully as
successfully. Removable Storage Computer a policy update.
Policy - Security Level.

2199 Error Settings Change: The Removable Storage A portability policy not allowing users to copy the
Access Utility for Mac OS X will no longer be Removable Storage Access Utility for Mac OS X to
copied to removable media; policy failed. removable media has failed to be applied as a
Removable Storage Computer Policy - Security policy update.
Level.
Appendix B
CD/DVD Command Line
This chapter includes the following topics:

■ Overview

■ Temporary Data Directory

■ Command Syntax

■ CD/DVD Errors

Overview
Basics
The Removable Storage CD/DVD Burner application offers the ability to burn selected files and folders
from the command line. This allows you to integrate Removable Storage with your custom applications,
such as backup programs or scripts.

Prerequisites
Requirements for running the CD/DVD Burner application from the command line include:
■ Removable Storage is installed on the Client Computer.
■ The user logged on to Windows has registered with Symantec Endpoint Encryption.
■ Sufficient temporary data storage space is available on a local hard disk volume. The required space can
be estimated according to the following formula:
(1.1 x Total size of all files and folders to be burned) + (2 x (1.1 x Size of the largest individual file to be
burned))
■ The Client Computer is equipped with a CD/DVD recorder.
■ The currently enforced installation and policy settings allow for read/write access.
■ A blank write-once or rewritable CD or DVD disc is inserted into the disc recorder.
Note that multi-session recording is not supported, and that previously recorded rewritable media will be
erased before use. Any EFS-encrypted files will be decrypted, then re-encrypted by Removable Storage
prior to burning. These requirements are the same as running the CD/DVD Burner application from the
GUI. To achieve a seamless experience, it is recommended that the user set a Default Password and/or
Default Certificate(s).
Depending on the particular application or script, a user may be required to be physically present to
perform tasks requiring manual intervention. These include:
■ Selecting individual files or folders for burning;
■ Inserting media;
■ Initiating the burn operation;


■ Providing a password and/or a certificate(s) should a Default Password and/or Default Certificate(s) not
be set; and
■ Responding to error conditions.

Operational Steps
Once the list of source files and folders has been specified and the burn operation has been initiated, the
CD/DVD Burner application performs the following steps:
■ Verifies that sufficient temporary data storage space exists to allow encryption and burning.
■ Copies all files and folders selected for burning to the temporary data directory.
■ Encrypts the data according to the currently enforced encryption policy.
■ Burns the encrypted files and folders to disc.
■ Deletes the temporary data directory.

Temporary Data Directory


The CD/DVD Burner application requires a place to store temporary data. When run from the command
line, it creates a temporary data directory named RSECTemp~1.
The CD/DVD Burner application will first try to store its temporary data directory on the drive of the
operating system. The TMP, then the TEMP, and then the USERPROFILE environment variables will be
checked. The first environment variable found will be used. If none of these environment variables has
been set, the CD/DVD Burner application will use the Windows directory.

Table B-1 Temporary Data Folder Paths

Sequence Attempted | Environment Variable | Windows XP Default | Windows Vista Default
1 | TMP | system drive letter:\Documents and Settings\user name\Local Settings\Temp | system drive letter:\Users\user name\AppData\Local\Temp
2 | TEMP | system drive letter:\Documents and Settings\user name\Local Settings\Temp | system drive letter:\Users\user name\AppData\Local\Temp
3 | USERPROFILE | system drive letter:\Documents and Settings\user name | system drive letter:\Users\user name
4 | — | system drive letter:\Windows | system drive letter:\Windows

If the user currently logged on to Windows lacks permission to write to the path or the drive lacks space to
store the temporary data directory, the CD/DVD Burner application will try the next fixed drive, in
alphabetical order. Should it succeed in locating a different fixed drive with space and write permissions, it
will write the temporary data directory at the root of that drive, e.g., D:\RSECTemp~1.
The CD/DVD Burner application will delete any previous temporary data directory it finds:
■ When it launches;
■ When it closes;
■ When it begins the burn operation; and
■ When it completes the burn operation.

If the encryption/burn operation gets interrupted—for example, because the user pressed CTRL+C, the user
closed the command line window, or because the CD/DVD Burner application has crashed—then the normal
cleanup process that deletes the temporary data directory will not occur, resulting in the user’s decrypted
data remaining in the temporary data directory. If one of these conditions occurs, launching the
application again will delete the temporary data directory.
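A check for the failure mode described above, where an interrupted burn leaves the user's decrypted data behind: the script looks for a leftover RSECTemp~1 directory in every location this section lists. This is an added example, not part of the product; the function names are hypothetical, and it checks all three environment variables rather than only the first because an audit may run in a different session than the burn did.

```python
import os
import time

TEMP_DIR_NAME = "RSECTemp~1"                 # directory name given in the guide
ENV_ORDER = ("TMP", "TEMP", "USERPROFILE")   # lookup order given in the guide
DRIVE_FIXED = 3                              # GetDriveTypeW value for a fixed disk


def fixed_drive_roots():
    """Roots of fixed drives in alphabetical order (empty list off Windows)."""
    if os.name != "nt":
        return []
    import ctypes
    kernel32 = ctypes.windll.kernel32
    mask = kernel32.GetLogicalDrives()
    roots = []
    for i in range(26):
        root = chr(ord("A") + i) + ":\\"
        if mask & (1 << i) and kernel32.GetDriveTypeW(root) == DRIVE_FIXED:
            roots.append(root)
    return roots


def candidate_parents(env, drive_roots, windows_dir):
    """Every folder in which the guide says RSECTemp~1 may be created.

    Order: TMP, TEMP, USERPROFILE, the Windows directory, then the root of
    each fixed drive alphabetically. Duplicates (TMP and TEMP usually point
    to the same folder) are dropped.
    """
    ordered = [env[name] for name in ENV_ORDER if env.get(name)]
    ordered.append(windows_dir)
    ordered.extend(sorted(drive_roots))
    seen, parents = set(), []
    for folder in ordered:
        key = os.path.normcase(os.path.normpath(folder))
        if key not in seen:
            seen.add(key)
            parents.append(folder)
    return parents


def find_residue(parents, now=None):
    """Describe each leftover temporary data directory under the given folders."""
    now = time.time() if now is None else now
    findings = []
    for parent in parents:
        path = os.path.join(parent, TEMP_DIR_NAME)
        if not os.path.isdir(path):
            continue
        files, size, newest = 0, 0, os.path.getmtime(path)
        for root, _dirs, names in os.walk(path):
            for name in names:
                try:
                    info = os.stat(os.path.join(root, name))
                except OSError:
                    continue  # unreadable entry; the directory is still reported
                files += 1
                size += info.st_size
                newest = max(newest, info.st_mtime)
        findings.append({"path": path, "files": files, "bytes": size,
                         "idle_seconds": max(0, int(now - newest))})
    return findings


def main():
    parents = candidate_parents(os.environ, fixed_drive_roots(),
                                os.environ.get("SystemRoot", r"C:\Windows"))
    findings = find_residue(parents)
    for item in findings:
        # A burn in progress also has this directory, so idle time separates
        # an active job from data abandoned by an interrupted one.
        print("{path}: {files} file(s), {bytes} bytes, "
              "idle {idle_seconds}s".format(**item))
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it after any scripted burn that did not return cleanly; a non-zero exit status means at least one temporary data directory is still on disk.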

Command Syntax
To run the CD/DVD Burner application from the command line, use a single string according to the
following syntax:
RSCDDVD.exe /P {Source [Source…] | Directory} /D RecorderDrvRoot [/L VolumeLabel]
Table B-2 CD/DVD Command Line Parameters

Parameter | Variable(s) | Explanation | Sample
/P | Source, Directory | Specifies the file(s) and/or folder(s) to be burned to disc, where Source is the fully qualified path to one or more files, and Directory is the fully qualified path to one or more folders. File or folder names containing spaces must be enclosed in quotes. When using quotes, you cannot end the path in a backslash. | /P "C:\Confidential Files"; /P c:\files\spreadsheet.xls
/D | RecorderDrvRoot | Specifies the disc recorder, where RecorderDrvRoot is the root of the disc recorder. | /D F:
/L | VolumeLabel | Specifies the volume label of the disc, where VolumeLabel is the volume label name. The volume label name can be up to 32 characters in length, and must contain only alphanumeric, hyphen, underscore or space characters. If you omit the /L parameter, the default volume label will be RS-Encrypted Disc YYYY-MM-DD, where YYYY-MM-DD is the year, month, and date the disc was burned. If the encryption policy is off, the default volume label will be YYYY-MM-DD. | /L Encrypted_Backups_1

Example Command Lines


RSCDDVD /P "C:\Confidential File Folder" "C:\Business Plan\HIF Business Plan.ppt" /D E:
RSCDDVD /P c:\files\spreadsheet.xls c:\files\presentation.doc /D E: /L Encrypted_Files_1

CD/DVD Errors
The following table lists the individual Removable Storage errors generated when executing the CD/DVD
Burner application from the command line. The column headings indicate the error code (if any), the error
message displayed in the UI, and an explanation of the error, along with possible ways to remediate the
error.

Table B-3 CD/DVD Messages and Error Codes

Error Code | Error Message Displayed in UI | Explanation
0 | Burned the disc successfully. | The CD/DVD Burner application has completed the burn process successfully.
1 | Disc volume label was not specified | The /L parameter (volume label) was used without specifying a volume label.
2 | Disc recordable drive was not specified. | The /D parameter (recordable drive) was used without specifying the letter of the recordable drive, i.e., you must specify the parameters /D F: if your recordable drive is F.
3 | The syntax of the command is incorrect. | Incorrect command syntax was specified.
101 | There is no hard disk drive on your system, so this application can not be used for burning disc. | The CD/DVD Burner application requires a hard disk or partition for storing temporary files as part of the encryption and burn process. Verify that a hard disk or partition is accessible and try the operation again.
102 | You must register to Symantec Endpoint Encryption, before you can use this application for burning data to disc. | The user currently logged on to Windows has not registered with Symantec Endpoint Encryption.
104 | Disc burning engine could not be initialized successfully. | The CD/DVD Burner application was unable to initialize the disc burning engine.
105 | Invalid disc recordable drive was specified. | The selected drive is not a recordable drive. Select a different drive capable of recording, then try the operation again.
106 | There is no disc in the drive. | The CD/DVD Burner application didn’t find a disc in the recorder. Insert a rewritable or write-once disc into the drive.
107 | No disc recordable drive was found on your system. | The CD/DVD Burner application didn’t find any disc recorders present. Verify that a disc recorder is attached and functioning, then try the operation again.
108 | Disc could not be ejected successfully. | The CD/DVD Burner application was unable to eject the disc successfully.
109 | No data was specified to be burned. | No files or folders were selected for burning.
110 | Your access policy does not allow write access to removable media, so you cannot use this application for burning data to disc. | Removable Storage is currently enforcing a read-only access policy. The policy must be changed to allow read and write access to removable media before the CD/DVD Burner application can be used.
111 | Disc burner could not be found. | The CD/DVD Burner application could not find the disc recorder.
112 | The disc volume label can have only alphanumeric and underscore characters. The disk volume label’s length can not be more than 32 characters. Please type a valid disc volume label. | The volume label specified contains disallowed characters or is in excess of the 32 character maximum. Specify a new volume name of 32 characters or less containing only letters, numbers, hyphens, underscores, or spaces.
113 | Disc could not be erased. | An attempt to erase a rewritable disc was unsuccessful. Insert a different rewritable or write-once disc and try the operation again.
114 | The disc that you have inserted is not writable. Please insert a blank or rewritable disc of type CD-R, CD-RW, DVD-R, DVD-RW, DVD+R, or DVD+R DL into drive. | The inserted disc cannot be written to. Insert a rewritable or write-once disc and try the operation again. Remove the disc from the drive and insert a disc that is writable.
115 | Application could not locate a fixed hard disk drive with enough free space for storage of temporary data, so application won't burn the disc. | The CD/DVD Burner application requires a hard disk or partition with enough free space for storage of temporary data. Free up some space and try the operation again.
116 | Selected file or folder [path/]file or folder name could not be copied at your temporary data location. Please check the file or folder again. | There was a problem copying the selected file or folder to the temporary data directory. Verify that the temporary data directory is accessible and sufficient space is available, then try the operation again.
117 | An error occurred during the encryption of the data. | The CD/DVD Burner application encountered an error during the encryption of the data.
118 | Selected file [path/]file or folder name could not be encrypted. Please free up some space on your temporary data drive and try again. | The CD/DVD Burner application found that the selected file could not be encrypted due to lack of space on the hard disk or partition. Delete some files on the hard disk or partition where the temporary folder is located (usually this is the system volume) and try the operation again.
119 | Selected file [path/]file or folder name to be burned could not be encrypted due to security reason. | Verify that the account under which the CD/DVD Burner application is running has sufficient access rights to perform the operation.
120 | SEE-RS does not have a Password and/or certificate to encrypt this file. You must specify a Password and/or certificate or a Default Password and/or certificate before the data can be encrypted and burned to disc. | The user has not specified a Default Password and/or Default Certificate(s). When prompted to provide a password and/or certificate, the user clicked Cancel.
121 | SEE-RS does not have a certificate to encrypt this file. You must specify a certificate or a Default certificate before the data can be encrypted and burned to disc. | The user has not specified one or more Default Certificate(s) and failed to provide a certificate when prompted.
122 | SEE-RS does not have a password to encrypt this file. You must specify a Default Password before the data can be encrypted and burned to disc. | The user has not set a Default Password and failed to provide a password when prompted.
123 | Temporary file could not be deleted. | The CD/DVD Burner application was unable to delete a temporary file. Verify that another application or process is not using this file. You should also manually delete any temporary files still remaining in the temporary data directory.
124 | Disc recordable drive could not be locked. | Another application or process has prevented the CD/DVD Burner application from gaining exclusive access to the disc recorder. Quit the other application or process and try the operation again.
126 | The SEE-RS Access Utility could not be copied to disc. | The CD/DVD Burner application was unable to copy the Removable Storage Access Utility to the disc, even though the policy in place dictates this. If the problem persists, you may need to reinstall Removable Storage.
128 | You have selected one or more files with very long file name. Application could not shorten file(s) name in temporary data location. If file encryption policy is set then file’s name length can exceed 102 characters, otherwise it cannot exceed 106 characters. Please rename the file(s) with long name and try again. | The operation failed because there were one or more files with names that exceeded 102–106 characters and the application could not rename these files in the temporary location. Locate the files with long names, shorten them manually, and try again. If Removable Storage is automatically encrypting files written to removable media, the file names must be no greater than 102 characters. If not, the file names should be no greater than 106 characters.
129 | Selected file or folder [path/]file/folder name could not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. | The CD/DVD Burner application failed to copy the specified file or folder because its full path exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.
130 | Selected file or folder [path/]file/folder name could not be found. Please check the file or folder and try again. | The user has specified a file or folder to be burned to disc that could not be found by the CD/DVD Burner application.
131 | Selected file or folder file/folder name can not be copied at your temporary data location because path length is exceeding the limit (259 characters) imposed by Windows system. Please shorten the name of selected file/folder or sub folder(s) and try again. | The CD/DVD Burner application has calculated that the path to the file or folder that you specified to be burned exceeds the 259 character limit imposed by the Windows operating system. Relocate the file closer to the root or rename the file to shorten the total number of characters.
132 | Application found a fixed hard disk drive with enough free space for storage of temporary data, but you do not have write access on temporary folder temporary folder path, so application won't burn the disc. Please get the write access on this folder and try again. | The CD/DVD Burner application failed to complete the burning process because the user does not have write privileges to the temporary data directory. Log in as a different user or increase the user’s privileges.
133 | Path specified using the /P parameter can not have back slash character at the end of the path when quotes are used to enclose the path. | The CD/DVD Burner application failed to complete the burning process because the path enclosed in double quotes included a backslash at the end. Remove the backslash character and try again.
134 | Temporary folder temporary folder path could not be created at your temporary data location. Please make sure that no file or folder is being used/locked by any application in this temporary folder location and try again. | Another application or process may be preventing the CD/DVD Burner application from writing its temporary data to the temporary data directory. Ensure that all applications and processes that may be competing for access are shut down and try again.
501 | Disc could not be used for burning data. Please try again with another disc. | Either a media error, media incompatibility, or other problem has resulted in the application being unable to write data to the disc. Try the operation again using another disc and/or brand of media.
502 | File “SEERemovableStorageAccessUtility.exe” cannot be specified using the /P parameter. It is SEE-RS Access Utility application, which will be burned automatically on the root of the burnt disc. | The user has specified that the Symantec Endpoint Encryption Access Utility executable be burned at the root of the disc. However, Removable Storage is already burning the Removable Storage Access Utility automatically, according to policy. The Removable Storage Access Utility specified in the input file list will be ignored, and the Removable Storage Access Utility will be copied to the root of the disc as per policy.
504 | Disc could not be burned due to an error. | There was an unknown error with the disc recorder.
505 | The disc drive could not be used to burn the disc. | There was an error with the disc recorder. Try the operation again using a different disc recorder.
506 | Disc could not be burned with selected data because your temporary data location is EFS enabled. | The CD/DVD Burner application cannot use an EFS-encrypted temporary data directory. The user can either turn off EFS protection for the temporary data directory’s parent folder, or the user can manually relocate the temporary data directory by editing the TMP or TEMP environment variables.
508 | File “Autorun.inf” cannot be specified using the /P parameter. File “Autorun.inf” will be burned automatically on the root of the burnt disc to run SEE-RS Access Utility application. | The user has specified that the Autorun.inf file be burned at the root of the disc. However, Removable Storage is currently burning the Removable Storage Access Utility to disc automatically, as per policy and this file is one of the files that comprises the Removable Storage Access Utility. The Autorun.inf specified in the input file list will be ignored, and the Removable Storage Access Utility’s Autorun.inf will be copied to the root of the disc according to policy.
509 | File “Platform.ico” cannot be specified using the /P parameter. File “Platform.ico” will be burned automatically on the root of the burnt disc to run SEE-RS Access Utility application. | The user has specified that the Platform.ico file be burned at the root of the disc. However, Removable Storage is currently burning the Removable Storage Access Utility to disc automatically, as per policy and this file is one of the files that comprises the Removable Storage Access Utility. The Platform.ico specified in the input file list will be ignored, and the Removable Storage Access Utility’s Platform.ico will be copied to the root of the disc according to policy.
None | Processing the burn request | The application has started processing the disc burning request.
None | EFS-encrypted file(s) will be decrypted by EFS before being burned. | EFS-encrypted files have been selected for burning. The CD/DVD Burner application will attempt to decrypt them prior to burning. If an encryption policy is in effect, the CD/DVD Burner application will encrypt the files prior to burning.
None | The disc is not blank, disc data will be erased during disc burning process. | The CD/DVD Burner application has detected a rewritable disc that contains existing data. The CD/DVD Burner application will attempt to erase the disc prior to burning the new data.
None | The estimated size of data which will be burned on disc exceeds disc capacity. If this estimation is correct, the data will not be burned to disc successfully. | The estimated size of the data to be burned exceeds the capacity of the target disc, but the CD/DVD Burner application will attempt to burn the selected data anyway.
None | Preparing data for burning to disc. Percentage: percent of data prepared% | The CD/DVD Burner application is copying the data to be burned to the temporary data directory prior to burning the disc.
None | Encrypting data to be burned to disc. Percentage: percent of data encrypted% | The CD/DVD Burner application is encrypting the data to be burned in the temporary data directory prior to burning the disc.
None | Erasing disc... | The CD/DVD Burner application is erasing rewritable media containing previously recorded data prior to burning.
None | Preparing to write data to the disc... | The CD/DVD Burner application is preparing to burn the disc.
None | Writing sector current sector of total sectors. Percentage: percent of data written% | The CD/DVD Burner application is currently writing data to disc.
None | Finalizing the disc. Percentage: percent of finalized data% | The CD/DVD Burner application is nearing the end of the burn process and is writing the table of contents to disc.
None | You have selected one or more files with names that exceed 102 characters or path length in temporary data location is exceeding the 259 characters limit imposed by Windows system. Files’ names will be shortened in temporary data location. | One or more of the files specified to be burned had a file name of more than 102 characters, or else the full path to the temporary data directory, including this file, exceeded 259 characters. When this file or these files are written to the temporary location, their names will be shortened so that the maximum character restrictions are not exceeded.
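A pre-flight check that a backup script could run before calling RSCDDVD.exe, applying the temporary-space formula from Prerequisites and the argument rules behind error codes 1, 2, 109, 112, 128, 131, 133, 502, 508 and 509 in Table B-3. This is an added example, not Symantec code; the function names, the ASCII reading of "alphanumeric", the case-insensitive file-name match and the split between warnings and blocking findings are assumptions.

```python
import ntpath
import re

MAX_PATH_CHARS = 259        # limit quoted in errors 129 and 131
MAX_NAME_ENCRYPTING = 102   # file-name limit when the encryption policy is on (error 128)
MAX_NAME_PLAIN = 106        # file-name limit otherwise (error 128)
# Assumption: "alphanumeric" is read as ASCII letters and digits.
LABEL_RE = re.compile(r"[A-Za-z0-9_\- ]{1,32}")
# Files the burner adds itself when the Access Utility is copied by policy.
RESERVED = {"seeremovablestorageaccessutility.exe": 502,
            "autorun.inf": 508, "platform.ico": 509}
# Assumption: treated as warnings, because the guide says the file is ignored
# (502/508/509) or the name is normally shortened in the temp location (128).
WARN_ONLY = {128, 502, 508, 509}


def required_temp_bytes(file_sizes):
    """(1.1 x total) + (2 x (1.1 x largest file)), rounded up, in integer math."""
    sizes = list(file_sizes)
    tenths = 11 * sum(sizes) + 22 * max(sizes, default=0)
    return -(-tenths // 10)


def check_request(sources, drive, label=None, encrypting=True):
    """Return (error_code, detail) pairs for problems visible in the arguments.

    Only the paths passed to /P are inspected; files inside a folder are not
    walked, so long names deeper in a tree are not caught here.
    """
    findings = []
    if not sources:
        findings.append((109, "no files or folders given for /P"))
    if not drive:
        findings.append((2, "/D needs the recorder drive"))
    if label is not None:
        if label == "":
            findings.append((1, "/L given without a volume label"))
        elif not LABEL_RE.fullmatch(label):
            findings.append((112, "label must be 1-32 letters, digits, "
                                  "hyphens, underscores or spaces"))
    name_limit = MAX_NAME_ENCRYPTING if encrypting else MAX_NAME_PLAIN
    for src in sources:
        # Paths with spaces must be quoted, and a quoted path may not end in "\".
        if " " in src and src.endswith("\\"):
            findings.append((133, src))
        if len(src) > MAX_PATH_CHARS:
            findings.append((131, src))
        name = ntpath.basename(src.rstrip("\\"))
        if len(name) > name_limit:
            findings.append((128, src))
        reserved_code = RESERVED.get(name.lower())
        if reserved_code:
            findings.append((reserved_code, src))
    return findings


def build_argv(sources, drive, label=None, encrypting=True, exe="RSCDDVD.exe"):
    """Argument list for subprocess.run (no shell); raises on blocking findings."""
    blocking = [f for f in check_request(sources, drive, label, encrypting)
                if f[0] not in WARN_ONLY]
    if blocking:
        raise ValueError(blocking)
    argv = [exe, "/P", *sources, "/D", drive]
    if label is not None:
        argv += ["/L", label]
    return argv


if __name__ == "__main__":
    # Constructed sample values, taken from the guide's own example command line.
    print(required_temp_bytes([1000, 400, 600]))
    print(build_argv([r"c:\files\spreadsheet.xls", r"c:\files\presentation.doc"],
                     "E:", "Encrypted_Files_1"))
```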
Appendix C
Authentication Method Changes
This chapter includes the following topics:

■ Overview

■ User Experience

Overview
Each client will effect a single method of authentication for all of its users. This method of authentication is
established in three different Manager Console locations:
■ The selection made in the Token Authentication page of the Manager Console InstallShield wizard,
■ The selection made in the Authentication Method area of the Registered Users panel (Symantec
Endpoint Encryption Software Setup, Symantec Endpoint Encryption Native Policy Manager, or Active
Directory policy).
Either an upgrade of the client or a policy update can be used to cause a change to the user’s method of
authentication. Since policy settings will always take precedence, the use of a policy is more certain to
achieve your desired ends.

User Experience
The following table details the effects of a change to the user’s authentication method mandated using the
Authentication Method area of the Registered Users panel.
Table C-1 Effect of a Change in Authentication Method on Existing User Accounts

Previous Authentication Method | New Authentication Method | Authentication Method(s) User Has Registered | User Must Re-register? | Details
a password | a token | Password | Yes |
a password | password or token | Password | No | The user will have the option to add a token in the User Client Console.
a password, a token, or password or token | Automatic | Password, Token, Password and Token | No |
a token | a password | Token | Yes |
a token | password or token | Token | No | The user will have the option to add a password in the User Client Console.
Automatic | a password, a token, or password or token | Automatic | Yes |
password or token | a password | Password and Token | No | The token is deleted.
password or token | a password | Token | Yes |
password or token | a token | Password and Token | No | The password is deleted.
password or token | a token | Password | Yes |

Glossary

Active Directory Policies
One of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. They feature seamless integration with well-known Active Directory toolsets and include user as well as computer policies.

Authentication Method
Specifies how registered users and Client Administrators authenticate to Symantec Endpoint Encryption. Methods include password, token, password and token, or automatic. If Single Sign-On is enabled, the authentication method used for Symantec Endpoint Encryption and Windows must be the same method. If the Policy Administrator changes the authentication method, registered users may be forced to re-register.

Authenti-Check
Allows users on Windows endpoints to recover from forgotten credentials without help desk assistance. The user authenticates with a set of up to three question-answer pairs. Authenti-Check is not available to Client Administrators.

Automatic Authentication
If a Client Computer is set for automatic authentication, Full Disk will not require a user to provide Symantec Endpoint Encryption credentials before allowing Windows to load. This option relies on Windows to authenticate users.
In addition, users will be registered automatically unless a registration password is required. Requiring a registration password serves to avoid reaching the maximum registered user limit and to limit the number of users that can gain access to the User Client Console.
The automatic authentication feature is not available for Mac endpoints.

Client Administrator
Provides local support to Symantec Endpoint Encryption users. Client Administrators are always able to log on to the Administrator Client Console, but may or may not be able to unregister users. The ability to unregister users is a privilege that Client Administrators may or may not have.
The Client Administrator is also responsible for recovering Removable Storage–encrypted files. This responsibility is not controlled by privilege level.
Client Administrators cannot change their own passwords or use any password-recovery methods.
Client Administrators must register as a user to make use of removable storage devices at the Removable Storage–protected workstation.

Default Password/Certificate
Registered users and Client Administrators have the option of setting a Default Password and/or Default Certificate(s) in the User Client Console. Removable Storage will use Default Passwords and/or Default Certificates for encrypting files. In addition, if the Default Password and/or Default Certificate(s) set in the User Client Console match the password or certificate(s) that a file was encrypted under, Removable Storage will decrypt the file without a prompt.

Device Session Default Password
A password used to encrypt and decrypt files on a removable device, as long as the device is connected and the user is logged on to Windows. This password is intended for kiosk environments, where users share a Windows account yet require the convenience of a Default Password. Password aging does not apply. This password does not apply to CDs or DVDs.

Management Password
The Management Password is not relevant to Removable Storage.

Management Password Snap-in
The Management Password snap-in allows you to change the Management Password.

Native Policies
One of two types of policies that can be created and deployed from the Symantec Endpoint Encryption Manager. Native policies do not rely on any existing directory service and apply to computers only.

One-Time Password (OTP) Program
The One-Time Password (OTP) Program allows users on Windows endpoints to recover from a forgotten password, PIN, or token with help desk assistance. Users can also use the OTP program to regain access to their Windows computer after it has been locked for a failure to communicate with the Symantec Endpoint Encryption Management Server. To complete the OTP process the user must contact the help desk.

OTP Key
A critical value used to ensure the identity of Client Computers during communication with the Symantec Endpoint Encryption Management Server and for the One-Time Password password recovery feature. When the Symantec Endpoint Encryption Manager is installed for the first time, it populates the Symantec Endpoint Encryption database with the OTP key.

Policy Administrator
Performs centralized administration of Symantec Endpoint Encryption. Using the Manager Console and the Manager Computer, the Policy Administrator:
- Updates and sets client policies.
- Runs reports.
- Changes the Management Password.
Domain or higher-level administrators can restrict access to Symantec Endpoint Encryption snap-ins when assigning specific Policy Administrator duties.

Re-Registration
Symantec Endpoint Encryption users may be required to re-register if a Policy Administrator issues a computer policy or installs an upgrade package that requires them to change their authentication method.

Recovery Certificate
Used to decrypt encrypted files when the user-provided credentials are not available, allowing organizations to recover from forgotten passwords and lost certificates.
You will need two copies of the same Recovery Certificate, one with the private key and one without.
Without Private Key—the Recovery Certificate without the private key is deployed to clients using an installation package or a policy. Upon receipt, clients will encrypt files using the Recovery Certificate in addition to the credentials provided by the user.
With Private Key—the Recovery Certificate with the private key is exported using the P7B format. It should be stored in a safe, physically secure location. Symantec recommends exporting it to a token or smart card and then securing the token or smart card in a fire-proof vault.

Self-Extracting Executables
Allows registered users to create encrypted self-extracting files for secure transport. Self-extracting files can be decrypted from any computer, without any need for Removable Storage or the Removable Storage Access Utility.

Silent Client
A silent client is a Client Computer installed from a Framework Client package created from a Symantec Endpoint Encryption Manager Console whose installation mode does not require connection to Symantec Endpoint Encryption Management Server. Silent clients do not communicate with the Symantec Endpoint Encryption Management Server. If the computer has never checked in, the online method of the One-Time Password recovery method and the Recover /B, /O, or /S hard disk recovery options—which require computer-specific data stored in the database during check-in—are not available.

Single Sign-On (SSO)
If SSO is enabled, the user logs on once in pre-Windows and is then authenticated to Windows.

Symantec Endpoint Encryption Framework
Provides Symantec Endpoint Encryption–wide features, such as authentication methods and settings, as well as registered user and Client Administrator accounts and information.

Symantec Endpoint Encryption Software Setup Snap-in
Allows Symantec Endpoint Encryption client software to be customized before deployment.

Temporary Data Directory
The CD/DVD Burner application will first attempt to store its temporary data directory on the drive of the operating system. It checks the TMP, the TEMP, and then the USERPROFILE environment variables in succession. It will use the first environment variable it finds. If none of these environment variables has been set, the CD/DVD Burner Application will use the Windows directory.

User
At least one user must register with Symantec Endpoint Encryption on each Windows Client Computer. A wizard guides the user through the registration process, which involves a maximum of five screens. The registration process can also be configured to occur without user intervention. Users cannot access their removable storage devices until they have registered.

Workgroup Key
Facilitates sharing encrypted files among users within a group: if the workgroup key on the Removable Storage–protected computer matches the workgroup key that a file was encrypted under, the user will not be prompted to provide credentials to decrypt the file.