Endpoint Encryption does not support true wake-on-LAN requests because it may open up the pre-boot to repeated force attacks. This enhancement request is being reviewed by product management and is under consideration for a future release.
On the other hand, you can perform patch management on FDE protected machines by using Command Line Helper and DAAutoLogin.
Below are the recommended steps for performing patch management:
- Push your patches to the targeted machines.
- Follow up with a script using DAAutoLogin.
- Send a reboot command so the machine comes back up to the Windows GINA for confirmation of successful patching or to push another round of patches.
Command Line Helper
The Command Line Helper tool enables you to pass encrypted values via your script to the FDE pre-boot. This tool must be run on a machine where FDE is installed. Command Line Helper is available in the tools folder of your downloaded zip file.
- Copy CommandLineHelper.exe locally to your FDE installed machine.
- Open a command window.
- Enter C:\CommandLineHelper.exe EncryptedValue (where EncryptedValue is the UserID or Password you want to use).
- If you want an encrypted User Name and Password, you must run CommandLineHelper.exe two times and give it each value separately.
For example, if your User Name is SMSUser, your command line helper string should read:
- Press Return to display an encrypted value of =d8nDpqdTnmFK0JVUWnleJwI=. Perform the same test for your User Name.
DAAutoLogin grants a one-time bypass of the FDE pre-boot. DAAutoLogin can be used in various combinations to accomplish different needs. The most common use of this tool is to bypass the pre-boot after the initial installation, done during off-hours so the machine can begin encrypting in the background without disrupting the end-user.
The other recommended scenario for this tool is Patch Management. Patches can be pushed out, followed by a script using DAAutoLogin and then a reboot command, so the machine comes back up to the Windows GINA for confirmation of successful patching or to push another round of patches. DAAutoLogin is available in the tools folder of your downloaded zip file.
DAAutoLogin can accept the following switches:
DAAutoLogin <pre-boot Username> <pre-boot Password> [<Domain Name> <Domain Username> <Domain Password>]
Each required value can be passed and separated with a space. Adding in the domain switches allows you to log into Windows with the information provided.
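The follow-up script from the patch management steps could look like the sketch below. It is an added example, not a script shipped with the product. It keeps the DAAutoLogin values (for the pre-boot user name and password, the encrypted strings produced by CommandLineHelper) in a separate file instead of in the script body, and reboots only if the tool ran. The file paths, the one-value-per-line file layout and the assumption that DAAutoLogin returns a non-zero exit code on failure are all hypothetical.

```powershell
# Added example. Paths and parameter names are assumptions, not product defaults.
param(
    [string]$ToolPath   = 'C:\Tools\DAAutoLogin.exe',            # assumed copy location
    [string]$ValuesFile = 'C:\ProgramData\PatchJob\preboot.txt'  # assumed; one value per line
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $ToolPath -PathType Leaf)) {
    throw "DAAutoLogin not found at $ToolPath"
}

# The values file grants a pre-boot bypass, so refuse to use it if
# non-administrative principals are allowed to read it.
$acl = Get-Acl -LiteralPath $ValuesFile
$loose = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match '\\(Users|Authenticated Users)$|^Everyone$'
}
if ($loose) {
    throw "$ValuesFile is accessible to non-administrative principals"
}

# Documented order: pre-boot user, pre-boot password,
# then optionally domain name, domain user, domain password.
$values = @(Get-Content -LiteralPath $ValuesFile | Where-Object { $_.Trim() })
if ($values.Count -ne 2 -and $values.Count -ne 5) {
    throw "Expected 2 values (pre-boot only) or 5 (pre-boot plus domain), found $($values.Count)"
}

# Each value is passed as its own space-separated argument.
& $ToolPath @values
if ($LASTEXITCODE -ne 0) {   # assumption: non-zero exit code means failure
    throw "DAAutoLogin exited with code $LASTEXITCODE; not rebooting"
}

# The bypass is one-time, so reboot right away while it is still pending.
Restart-Computer -Force
```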