8/8/2019 Guardian Edge Client Administrator Guide
1/49
Hard Disk Encryption
Client Administrator Guide
Version 8.5
Information in this document is subject to change without notice. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written
permission of GuardianEdge Technologies Inc.
2006 GuardianEdge Technologies Inc. All rights reserved.
475 Brannan St., Suite 400
San Francisco, CA 94107
415.683.2200
GuardianEdge, Encryption Anywhere, and Authenti-Check are either trademarks or registered trademarks of
GuardianEdge Technologies Inc. Microsoft, Active Directory, Windows, and Windows XP are either registered
trademarks or trademarks of Microsoft Corporation. Any other trademarks used herein are the property of their
respective owners and are hereby acknowledged. Other product and company names mentioned herein may be the
trademarks of their respective owners.
Printed in the United States of America.
Contents
1. Introduction
  Overview
  GuardianEdge Roles
    Policy Administrator
    Client Administrator
    Registered User
    Client Administrator/Registered User Comparison
  Best Practices
    Partition Changes
    Boot-Time Defragmenters
    System Restore Tools
    Trusted Software
    Restricted Users
    Computer Shutdown
    Password Security
    Frequent Information Backup
2. Pre-Windows Authentication
  Overview
    Basics
    Password/Token Authentication
    Automatic Authentication
  The Startup Screen
  Password Logons
    Keyboard Selection
    Credential Entry and Verification
  Token Logons
    Keyboard Selection
    Token Preparation
    First Logon
    Subsequent Logons
    PIN Verification
  Computer Lockout
    About Lockouts
    Lockout Prevention
    Lockout Recovery
3. The Client Console
  Overview
  Logon
    Password Logons
    Token Logons
  Welcome
  Navigation
    User Interface Elements
    Mouse Navigation
    Keyboard Navigation
  Hard Disk Tasks
    Encryption
    Decryption
    Check-In
  Account Settings Tasks
    Users
    Password
    Authenti-Check
  About
4. Hard Disk Access & Recovery
  Overview
    Utilities and the Recover Program
    The Recover Floppy or CD
  Recovery Steps
    Basics
    Recover /A
    Access Utility
    Hard Disk Consistency Check
    Recover /D
    Recover /B
Appendix A. Keyboards
  Overview
  Keyboard List
  Keyboard Use
    Active Keyboard Layout Identification
    Keyboard Toggling
    Advantages
  Keyboard Layouts: Default View
  Keyboard Definition
    Initial Steps
    Windows XP
    Windows 2000
Appendix B. Token Error Messages
  Overview
  Pre-Windows Logon
  Client Console Logon
Glossary
Index
Figures
Figure 2.1 Pre-Windows Startup, Default
Figure 2.2 Pre-Windows Password Logon
Figure 2.3 Pre-Windows Logon, One-Minute Delay for Incorrect Logon
Figure 2.4 Pre-Windows Token Logon, Initial Logon
Figure 2.5 Pre-Windows Token Logon, Subsequent Logons
Figure 2.6 Pre-Windows Logon, Lockout Warning
Figure 2.7 Computer Lockout
Figure 2.8 Pre-Windows Logon, Client Administrator Logon to Unlock Computer
Figure 3.1 Client Console Logon, Password
Figure 3.2 Client Console Logon, Token
Figure 3.3 Select Certificate
Figure 3.4 Client Console Welcome
Figure 3.5 Client Console User Interface Elements
Figure 3.6 Client Console User Interface, Focus on Password Link
Figure 3.7 Client Console Encryption Panel
Figure 3.8 Client Console Decryption Panel
Figure 3.9 Client Console Check-In Panel, Check-In With No Enforcement
Figure 3.10 Client Console Users Panel
Figure 3.11 Client Console Password Panel
Figure 3.12 Client Console Authenti-Check Panel
Figure 3.13 Client Console About Panel
Figure A.1 Canadian French Keyboard
Figure A.2 French Keyboard
Figure A.3 German Keyboard
Figure A.4 Spanish Keyboard
Figure A.5 United Kingdom Keyboard
Figure A.6 US English Keyboard
Figure A.7 Regional and Language Options
Figure A.8 Languages Tab
Figure A.9 Text Services and Input Languages, Before New Keyboard Added
Figure A.10 Add Input Language
Figure A.11 Text Services and Input Languages, After Keyboard Added
Figure A.12 Regional and Language Options Advanced Tab
Figure A.13 Change Default User Settings Warning
1. Introduction
Overview
GuardianEdge Hard Disk Encryption ensures that only authorized users can access data stored on hard disks. This
safeguards enterprises from the accidental loss or theft of a laptop or PC and eliminates the legal need for public
disclosure. As a key component of the GuardianEdge Data Protection Platform, GuardianEdge Hard Disk offers
seamless deployment and operation across increasingly diverse IT infrastructures and environments.
This Guide explains how to authenticate to GuardianEdge Hard Disk; use the Client console to support users and
computers; provide support to users who have forgotten their password or PIN; and recover a hard disk's data, if
necessary.
This chapter defines the GuardianEdge roles and discusses best practices. The sections are as follows:
GuardianEdge Roles on page 1
Best Practices on page 2
GuardianEdge Roles
Policy Administrator
An organization's centralized point of control for the GuardianEdge Platform is one or more Policy Administrators. A
Policy Administrator defines installation settings and policy updates that are pushed out to Client Computers through
Active Directory. Policy Administrators create Client Administrator accounts. Installation settings and policy updates
may differ from computer to computer, and from user to user. Once policies are pushed out, they affect computer
behavior and user interface displays. Policy Administrators also assist registered users who have the One-Time
Password (OTP) recovery method available. The Policy Administrator runs the help-desk side of the OTP utility,
which requires the availability of the GuardianEdge Manager console.
Client Administrator
While the GuardianEdge Policy Administrator sets policies from a centralized location, Client Administrators
support the distributed Client Computers and their users.
As a Client Administrator, you may have one or more of the following rights and responsibilities:
To unregister user accounts;
To extend the next date by which a Client Computer is required to check in with the GuardianEdge Server to
prevent a lockout condition;
To unlock a Client Computer;
To encrypt partitions;
To run the GuardianEdge Hard Disk Recover Program if an unexpected error prevents a Client Computer from
booting;
To decrypt partitions.
A Policy Administrator uses the GuardianEdge Manager console to create and manage passwords for Client
Administrators not using tokens, by pushing out installation settings and policy updates from a centralized server.
This single-source password management allows Client Administrators to remember only one password as they
move among many Client Computers. If password(s) were local to each computer, then remembering multiple
passwords would become unwieldy.
Registered User
GuardianEdge Hard Disk protects the data stored on a user's hard disk by requiring users to authenticate before it
allows Windows to load. This could have been configured in one of three ways:
Single Sign-On (SSO) enabled: If Single Sign-On is enabled, registered users will be prompted to authenticate
once, each time they restart their computer.
Single Sign-On not enabled: If the user is an authenticating user and Single Sign-On is not enabled, the user will
need to log on in pre-Windows to GuardianEdge Hard Disk and then separately to Windows.
Automatic authentication: Users are not prompted to provide credentials to GuardianEdge Hard Disk and the
process is completely transparent to them.
Client Administrator/Registered User Comparison
Table 1.1 shows a comparison between registered users and Client Administrators.
Best Practices
Partition Changes
Once partitions have been encrypted, they must not be repartitioned, reformatted, or resized with any third-party
utility that is not a part of Windows. In addition, the drive letters of encrypted partitions must not be changed.
Table 1.1 Client Account Comparison

| Client Features | Registered User | Client Administrator |
|---|---|---|
| Account Creation | Created when user registers interactively or is registered silently. | Created by installation settings and/or policy updates. |
| Account Deletion | Deleted by Client Administrator through unregister function, if allowed. Also may be deleted automatically when account is unused for a specified period. | Deleted by Policy Administrator through policy updates. |
| Password Changes | Can change their password. | Changed by Policy Administrator. |
| Single Sign-On (SSO) | Enabled by installation settings and/or policy updates. | Not available. |
| Logon Assistance | Authenti-Check and One-Time Password (OTP) may be enabled by installation settings and/or policy updates. Client Administrators can always provide logon assistance. | Not available. |
| Encryption | Encryption rights assigned by installation settings and policy updates. | Always available. |
| Decryption | Decryption rights assigned by installation settings and policies. | Decryption rights assigned by installation settings and policy updates. |
| Lockout | Can become locked out of Client Computer if computer is required to check in with the GuardianEdge Server at a required interval but does not, and lockout is used for enforcement. | Cannot become locked out. Removes and prevents lockout conditions. |
Boot-Time Defragmenters
GuardianEdge Hard Disk relies on its client database files. Boot-time defragmenters can scramble the client database
files. If used, they will cause the Client Computer to fail to boot.
System Restore Tools
GuardianEdge Hard Disk encryption relies on the Client Computer's master boot record (MBR). System restore tools
that replace the MBR, such as IBM's Rescue and Recovery, can cause the Client Computer to fail to boot.
Trusted Software
Firewalls and anti-virus software should be installed on Client Computers to protect against viruses and secure
computers against invasive software that arrives over the network, such as a Trojan horse. File sharing, peer-to-peer
networks, and FTP servers are not recommended. Network logon scripts must be approved scripts. If remote access to
stored data is allowed, users with remote access must be required to authenticate.
Restricted Users
Only administrators should have software installation privileges. Users should not have the ability to edit the
GuardianEdge Registry settings or the system date and time.
Computer Shutdown
It is best not to leave a computer unattended, particularly in an insecure location, such as a cafe. If you must step
away, you should invoke the Windows screensaver that requires Windows credentials before it allows you to get back
into Windows.
Password Security
Both Client Administrators and registered users should not share passwords and should avoid writing them down.
Client Administrators and registered users should be aware of others watching over his/her shoulder as s/he types. If
this has happened, the password should be changed.
Frequent Information Backup
User data as well as log files should be backed up on a regular basis. This will allow users to recover from theft or
hard disk failure. The user data backups should be physically protected or encrypted.
2. Pre-Windows Authentication
Overview
Basics
Pre-boot authentication prevents unauthorized users from accessing encrypted data. This important feature takes full
effect after the first user registers in Windows to GuardianEdge Hard Disk. The first user is forced to register after
any grace restarts expire.
Once the first user has registered, a Client Computer's behavior upon restart is based on the GuardianEdge policy.
Password/Token Authentication
If a policy is enabled that requires all users on a Client Computer to authenticate, upon restart the computer will first
display the GuardianEdge Startup screen. This screen begins the GuardianEdge Hard Disk pre-Windows logon
process.
As a Client Administrator, you gain access to the computer by authenticating to GuardianEdge Hard Disk at the
pre-Windows logon prompt using your GuardianEdge password or PIN. You then log on at the Windows prompt
using your Windows credentials.
The exception to the pre-Windows logon process is when an Autologon policy is in place. This process bypasses
pre-Windows authentication so that administrators can run software installations and upgrades that require system
reboots. Should an Autologon policy be in effect, you and other users authenticate only at the Windows prompt.
Automatic Authentication
If a policy is enabled that allows all GuardianEdge users on a Client Computer to be automatically authenticated, no
pre-Windows authentication is required. You and all other users authenticate only at the Windows prompt. If
automatic authentication is enabled, you can skip to Computer Lockout on page 8.
The Startup Screen
Once the first user registers, the GuardianEdge Startup screen is displayed each time the computer is turned on,
unless users are automatically authenticated.
The Policy Administrator may have configured the Startup screen to contain:
The default image and text, or
The default image with changed logon instructions, or
The default image with a changed legal notice, or
The default image with both changed instructions and changed legal notice, or
A custom image.
Figure 2.1 shows the default Startup screen.
Figure 2.1 Pre-Windows Startup, Default
If you are authenticating with a token and the token is already inserted, you may not see this Startup screen, or you
may see it flash briefly. Go directly to Token Logons on page 7. If you authenticate with a token and have not yet
inserted it, insert it now, then go to Token Logons on page 7.
If you authenticate with a password, press CTRL+ALT+DEL and proceed to the next section.
Password Logons
Once you have pressed CTRL+ALT+DEL, the pre-Windows password Logon screen appears.
Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
computer screen, similar to this: [keyboard layout bar]. If your administrator defined multiple
keyboards and you need a keyboard layout different than the one identified in the bar, you can press Left
ALT+SHIFT or CTRL+SHIFT (the key sequence depends on which sequence was defined to Windows) to toggle
to another keyboard.
Figure 2.2 Pre-Windows Password Logon
Credential Entry and Verification
To log on to GuardianEdge Hard Disk, type your user name or UPN into the User name field. The UPN syntax [email protected]; for example, [email protected]. Select your domain from the Domain
drop-down menu. If you used UPN syntax, no domain selection is necessary.
Type your password into the Password field. Click OK.
If your password is correct, you advance to the Windows logon prompt. If your password is not correct, the logon
fails. Check your password and re-enter the logon information.
Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect password
attempts are made. This delay helps protect the computer against unwanted password-guessing attacks. If such a
setting or policy is in place and you trigger that restriction, a message appears informing you that the number of
allowed logon attempts has been exceeded and that you can try again in 60 seconds. Figure 2.3 shows an example.
Figure 2.3 Pre-Windows Logon, One-Minute Delay for Incorrect Logon
Token Logons
Keyboard Selection
GuardianEdge Hard Disk shows the active keyboard layout in a bar displayed in the lower right-hand corner of your
computer screen. If your administrator defined multiple keyboards and you need a keyboard layout different than the
one identified in the bar, you can press Left ALT+SHIFT or CTRL+SHIFT (the key sequence depends on which sequence
was defined to Windows) to toggle to another keyboard.
Token Preparation
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer.
If you are using a smart card, when you insert it, hold the card so that the side containing the gold chip is on top and
the card end containing the chip is closest to the reader.
If your token or the reader has a light, the light blinks when information from your token is being read. Wait until the
blinking stops before taking the next action, such as clicking OK from the Logon screen. Do not remove your token
until authentication is complete.
First Logon
Figure 2.4 shows an example of the token Logon screen that displays the first time you log on to the Client Computer.
Figure 2.4 Pre-Windows Token Logon, Initial Logon
To authenticate, type your PIN into the PIN field then click OK. Do not remove your token until processing
completes.
The first time this Logon screen appears, it displays only the PIN field. Once you enter your PIN and
click OK, this message appears: "Unrecognized token. Please wait. This will take a few moments." This
short delay occurs because the system is recording the token ID and certificate information.
Subsequent Logons
Once you log on the first time, the next time you reboot, the screen will display User name and Domain fields in
addition to the PIN field (Figure 2.5), and the unrecognized token message will not appear.
Figure 2.5 Pre-Windows Token Logon, Subsequent Logons
Type your PIN into the PIN field and click OK. Do not remove your token until processing completes.
PIN Verification
If your PIN is correct, you advance to the Windows logon prompt once the credentials are verified.
If your PIN is not correct, the logon fails. Check your PIN and re-enter the information, then click OK to resubmit. If
it fails again, contact the appropriate administrator.
Tip: If you are using an RSA SID800 token and your authentication fails, remove the token, then re-insert
it and re-enter your credentials. Click OK.
You can also reference Appendix B Token Error Messages and check the section Pre-Windows Logon on
page 33.
Computer Lockout
About Lockouts
If lockouts are used to force a Client Computer to check in with the GuardianEdge Server according to a prescribed
schedule, when a computer fails to check in, users will not be able to boot to Windows.
Lockout Prevention
If a Client Computer is about to be locked, a Server Communication Required warning message appears before the
Startup screen loads (Figure 2.6).
Figure 2.6 Pre-Windows Logon, Lockout Warning
The message identifies the number of days left before the lockout and advises the user to contact a Client
Administrator. After the user clicks OK, the Startup screen will be displayed.
If a user contacts you about this warning, prevent the lockout in one or more of the following ways:
• Resolve the problem that is preventing the Client Computer from connecting to the GuardianEdge Server.
• Log on to the Client Computer at the pre-Windows logon prompt, which automatically extends the next
communication due date.
• Use the Client console Check-In panel to extend the due date further.
Lockout Recovery
If the Client Computer is already locked, an Access Denied error message appears immediately upon reboot as shown
in Figure 2.7.
Figure 2.7 Computer Lockout
Click OK. The Client Administrator Logon screen for lockouts appears (Figure 2.8).
Figure 2.8 Pre-Windows Logon, Client Administrator Logon to Unlock Computer
Only you can log on to the computer; users cannot proceed to Windows. Your action will unlock the computer and
extend the next communication due date.
If Autologon is activated while a computer is in a lockout state, the Autologon policy preempts the
lockout condition for as long as the Autologon policy is in effect. This functionality ensures that a
communication lockout condition does not disrupt the completion of the Autologon process, which is
used to allow software installations and upgrades to run without users authenticating in pre-Windows.
3. The Client Console
Overview
The Client console allows you to perform the following tasks:
• Encrypt one or more partitions on the hard disk, if they are not already encrypted or have been decrypted.
• Decrypt one or more partitions on the hard disk, if decryption is necessary and allowed by policy.
• Unregister user accounts, if unregistering is allowed by policy.
• View the encryption status of the hard disk partitions.
• View and extend the date the computer must next check in with the GuardianEdge Server, if check-in is required.
• View the GuardianEdge user accounts on the computer.
This chapter begins with instructions on how to log on to the Client console, and then describes how to perform
GuardianEdge Hard Disk tasks and GuardianEdge Account Settings tasks.
Once you are in Windows, launch the GuardianEdge Client console by selecting GuardianEdge Client from the Start menu.
Logon
When the Client console launches, it prompts you for your credentials. If you log on with a token, see Token
Logons on page 11. If you log on with a password, see the next section.
Password Logons
If your account uses a password to authenticate, the Logon screen prompts you for your password (Figure 3.1).
Figure 3.1 Client Console Logon, Password
To log on to the Client console with a password, in the Password field type your GuardianEdge Client Administrator
password, then click Log On.
If your password is not correct, the logon will fail. Check your password and re-enter the information.
Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect logon attempts
are made. This delay helps protect the computer against unwanted password-guessing attacks. If such a setting or
policy is in place and you trigger that restriction, a message appears informing you that the number of allowed logon
attempts has been exceeded and that you can try again in 60 seconds.
If your authentication succeeds, you will be given access to the Client console. Skip to the section Welcome on
page 13.
Token Logons
Token Insertion
The Logon panel prompts you to insert your token.
Figure 3.2Client Console Logon, Token
If your token is already inserted, skip to the next section; otherwise, insert your token.
If you are using an RSA token, connect the USB-connector end of your token to a USB port or into a USB extension
cable attached to your computer. Make sure that the RSA token software recognizes your token: wait until the RSA
icon in your system tray changes to include a plus sign.
If you are using a smart card, when you insert your token, hold the card so that the side containing the gold chip is on
top and the card end containing the chip is closest to the reader.
If your token or the reader has a light, it blinks when information from your token is being read. If you are using an
Axalto smart card, the icon's computer screen changes from black to blue while the icon's golden token blinks, then
returns to black when the blinking stops. Wait until all blinking stops before taking the next action, such as
clicking Next. Do not remove the token until authentication is complete.
PIN Entry
In the PIN field, type your PIN, then click Log On. Do not remove the token until authentication completes.
If your authentication succeeds, you are given access to the Client console. Skip to the section Welcome on
page 13.
If your authentication fails or if you encounter token, certificate, or PIN errors during logon, please refer to Appendix
B Token Error Messages and check the section Client Console Logon on page 56 for possible causes and
resolution.
Your Policy Administrator may have implemented a logon delay to occur when one or more incorrect logon attempts
are made. This delay helps protect the computer against unwanted attacks. If such a setting or policy is in place and
you trigger that restriction, a message appears informing you that the number of allowed logon attempts has been
exceeded and that you can try again in 60 seconds.
Certificate Selection
If the Select Certificate dialog (Figure 3.3) appears, continue reading; otherwise, skip to the next section Welcome
on page 13.
Figure 3.3 Select Certificate
Your administrator may have set up your GuardianEdge certificate with the values listed immediately below. These
are the values that the GuardianEdge software uses to identify your certificate automatically for authentication.
For RSA SID800:
• DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)
• EMAIL_PROTECTION (Enhanced Key Usage)
For Smart Card:
• DATA_ENCIPHERMENT and KEY_ENCIPHERMENT (Key Usage)
• EMAIL_PROTECTION (Enhanced Key Usage)
For Common Access Card (CAC):
• KEY_ENCIPHERMENT (Key Usage)
However, if more than one certificate (or no certificate) exists with these values, the Select Certificate dialog
(Figure 3.3) opens and you must manually identify your GuardianEdge certificate.
Select your GuardianEdge certificate by clicking on the appropriate row, then clicking OK. In the Figure 3.3
example, the administrator created two certificates with the expected Key Usage settings, so this user identifies their
certificate based on Expiration Date.
If you select a certificate that is not valid, you will receive an error message. If you don't know which certificate to
choose, contact your administrator.
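The selection rule above can be modelled to see when the Select Certificate dialog appears and which expected value a certificate lacks. This is an added example, not GuardianEdge code: the `Cert` record, the function names and the sample certificates are constructed, and it assumes a certificate matches when it carries at least the listed usages.

```python
from dataclasses import dataclass
from datetime import date

# Expected values per token type, as listed in the guide:
# (Key Usage values, Enhanced Key Usage values).
EXPECTED = {
    "RSA SID800": ({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}, {"EMAIL_PROTECTION"}),
    "Smart Card": ({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"}, {"EMAIL_PROTECTION"}),
    "CAC": ({"KEY_ENCIPHERMENT"}, set()),
}


@dataclass(frozen=True)
class Cert:
    """Hypothetical record of one certificate found on a token."""
    subject: str
    expires: date
    key_usage: frozenset
    enhanced_key_usage: frozenset


def missing_values(cert, token_type):
    """Return the expected usages this certificate lacks (empty set = match)."""
    key_usage, enhanced = EXPECTED[token_type]
    return (key_usage - cert.key_usage) | (enhanced - cert.enhanced_key_usage)


def identify_certificate(certs, token_type):
    """Return (certificate, reason).

    The certificate is the single automatic match, or None when the user
    would have to pick one in the Select Certificate dialog.
    """
    matches = [c for c in certs if not missing_values(c, token_type)]
    if len(matches) == 1:
        return matches[0], "automatic"
    if not matches:
        return None, "manual: no certificate has the expected values"
    return None, f"manual: {len(matches)} certificates have the expected values"


def diagnose(certs, token_type):
    """Map each certificate subject to the sorted list of values it lacks."""
    return {c.subject: sorted(missing_values(c, token_type)) for c in certs}


# Constructed sample: two encryption certificates that differ only in
# expiration date (the Figure 3.3 situation) plus a signing-only certificate.
ENCRYPTION_USAGE = frozenset({"DATA_ENCIPHERMENT", "KEY_ENCIPHERMENT"})
SAMPLE_TOKEN = [
    Cert("CN=J. Doe (old)", date(2009, 6, 30), ENCRYPTION_USAGE,
         frozenset({"EMAIL_PROTECTION"})),
    Cert("CN=J. Doe (new)", date(2010, 6, 30), ENCRYPTION_USAGE,
         frozenset({"EMAIL_PROTECTION"})),
    Cert("CN=J. Doe (signing)", date(2010, 6, 30),
         frozenset({"DIGITAL_SIGNATURE"}), frozenset({"CLIENT_AUTH"})),
]
SAMPLE_CAC = [
    Cert("CN=DOE.J (encryption)", date(2010, 1, 31),
         frozenset({"KEY_ENCIPHERMENT"}), frozenset()),
    SAMPLE_TOKEN[2],
]

if __name__ == "__main__":
    for label, certs, token in [("two matches", SAMPLE_TOKEN, "Smart Card"),
                                ("one match", SAMPLE_TOKEN[1:], "Smart Card"),
                                ("CAC", SAMPLE_CAC, "CAC")]:
        cert, reason = identify_certificate(certs, token)
        print(label, "->", cert.subject if cert else None, "|", reason)
    print(diagnose(SAMPLE_TOKEN, "Smart Card"))
```

When the dialog keeps appearing, the `diagnose` output shows whether the cause is a duplicate certificate or a missing Key Usage or Enhanced Key Usage value.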
Welcome
The Client console opens to the Welcome panel, which appears with an enabled navigation pane (Figure 3.4).
Figure 3.4 Client Console Welcome
Navigation
User Interface Elements
The Client console is divided into several sections.
Figure 3.5 Client Console User Interface Elements
The elements are as follows:
• The banner displays the product logo, the name of the currently logged on user, and the user's domain or local
computer name.
• The navigation pane contains hyperlinks to all tasks. Each task has its own panel.
• The main pane displays a task panel.
• The Quick Help pane provides context-sensitive help based on the location of your mouse. See the next section
for how to display Quick Help.
Mouse Navigation
You may navigate the Client console using a mouse or using the keyboard.
If you are using a mouse:
• To load a panel, click the desired hyperlink in the navigation pane; the panel loads into the main pane.
• To display Quick Help, click the help icon. The Quick Help pane appears. To close the Quick Help pane, click
the help icon again.
Keyboard Navigation
If you are using the keyboard:
• Press the TAB key to move among the screen elements. A dotted line surrounds the link, input field, button, or
icon, indicating which element has the focus.
• To load a panel, press the TAB key to the desired link in the navigation pane, then press ENTER. The panel loads
into the main pane (Figure 3.6).
Figure 3.6 Client Console User Interface, Focus on Password Link
• To display Quick Help, press the TAB key until the focus is on the help icon, then press ENTER or the
SPACEBAR. To close the Quick Help pane, press ENTER or the SPACEBAR again. Note that Quick Help
applies at the panel level; context-sensitive Quick Help is available only when using a mouse.
• To select a check box, press the TAB key to place focus on the box, then press the SPACEBAR. To toggle off the
selection, press the SPACEBAR again.
• To activate a button, press the TAB key to place focus on the button, then press ENTER or the SPACEBAR.
The TAB key follows standard user-interface behavior:
• Tabbing order within each panel is top to bottom, left to right.
• To move down, press the TAB key; to move up, press Shift-TAB.
• To scroll, use the UP ARROW key and the DOWN ARROW key.
When you use the TAB key to navigate, you may need to press the key more than once to place the focus
on the next desired link, input field, button, or icon, depending on the location of the current focus.
Hard Disk Tasks
Encryption
The full encryption of the Client Computer is usually set up to begin immediately after installation. It is unlikely that
you will need to use the Client console to start this process manually.
Use the Encryption panel to view the encryption status of the hard disk partitions or manually begin the encryption of
a hard disk partition. To open the Encryption panel, click Encryption. The Encryption panel appears. Figure 3.7
shows an example.
Figure 3.7 Client Console Encryption Panel
The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
If partitions are listed with a status of Decrypted, Decrypting, or Decryption Pending, you can check the check box
beside them to select them for encryption. A check box beside a partition will not be available if the partition has a
status of Encrypted, Encrypting, or Encryption Pending. This unavailability could also occur if a remote
decryption policy prevents encryption.
Should you need to encrypt the disk, you should first connect to an uninterruptible power source, since an
interruption of power could cause data corruption. For example, if you are encrypting a laptop, fully charge the
battery or plug in the laptop before you start.
Once you select one or more partitions, the Encrypt Selected Partitions button becomes available. Click Encrypt
Selected Partitions. A partition's status changes to Encryption Pending, then to Encrypting.
While encryption is running, the panel shows the percentage (0-99) of partition encryption, such as Encrypting
(80 %). When encryption completes, no percentage is shown; a lock icon accompanies the Encrypted state for
easy visual confirmation that this partition is fully encrypted.
Users can continue to work while partitions are encrypting.
Decryption
Use the Decryption panel to view the decryption status of the hard disk partitions or manually begin the decryption of
a hard disk partition. To open the Decryption panel, click Decryption. The Decryption panel appears. Figure 3.8
shows an example.
Figure 3.8 Client Console Decryption Panel
The Status field next to each partition shows which state a partition is in. The states are: Encryption Pending,
Encrypting, Encrypted, Decryption Pending, Decrypting, and Decrypted.
While decryption is running, the panel shows the percentage (0-99) of partition decryption, such as Decrypting
(20 %). When decryption completes, no percentage is shown; an unlock icon accompanies the Decrypted state for
easy visual confirmation that this partition is fully decrypted.
The Encryption panel also shows encryption and decryption status information.
If you have decryption rights, you may need to use them for the following reasons:
• The operating system is about to be upgraded.
• A major physical change in the core hardware is about to occur. For example, an upgraded processor or
motherboard is going to be installed. Changes to the partition table are not possible on an encrypted computer and
the hard disk must be decrypted prior to the repartitioning.
• You are uninstalling GuardianEdge Hard Disk.
Should you need to decrypt the disk, first connect to an uninterruptible power source, since an interruption of power
could cause data corruption. For example, if you are decrypting a laptop, plug in the laptop before you start.
If partitions are listed with a status of Encrypted, Encrypting, or Encryption Pending, you can check the check box
beside them to select them for decryption. Once you select one or more partitions, the Decrypt Selected Partitions
button becomes available. Click Decrypt Selected Partitions. A decrypted partition's state changes to Decryption
Pending, then to Decrypting.
A check box beside a partition will not be available if the partition has a status of Decrypted, Decrypting, or
Decryption Pending, if you do not have the right to decrypt, or if a remote decryption policy is active.
Users can continue to work while partitions are decrypting.
Check-In
Client Computers may be configured to connect with the GuardianEdge Server. At designated intervals, they attempt
to send important recovery, status, and account information, including:
• The date and time of the connection;
• The encryption state of the hard disk;
• Data used by the One-Time Password recovery method; and
• Information used by the Recover Program.
The Policy Administrator optionally can add a policy to enforce check-in by locking out users when a computer is
required to check in but does not. If lockout occurs, the Client Computer remains in a pre-Windows state after restart
so that no user can log on and a Client Administrator must log on to allow the user to boot into Windows.
Use the Check-In panel:
• To find out what check-in policy is in place;
• To obtain the time and date of the last communication attempt;
• To see the next communication date information, if check-in is enforced by lockout;
• To extend the next communication date, if check-in is enforced by lockout and a network problem or a user's or
computer's known circumstance is preventing communication.
To access the panel, from the navigation pane click Check-In. The Check-In panel appears.
Figure 3.9 Client Console Check-In Panel, Check-In With No Enforcement
Figure 3.9 shows an example of a computer that has checked in and is not subject to a lockout enforcement policy.
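The Check-In panel rules this section describes (the field values of Table 3.1 and the conditions for the Extend Due Date button) can be modelled as follows. This is an added example, not GuardianEdge code: the `CheckInState` record, the function names, the 30-day interval and the dates are constructed, and the order in which the two "not applicable" cases are tested is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CheckInState:
    """Hypothetical model of what the Check-In panel reads."""
    server_configured: bool      # client is configured to communicate with the server
    lockout_policy: bool         # a lockout enforcement policy is in effect
    registered_users: int        # number of registered user accounts
    interval: timedelta          # required communication interval
    last_contact: Optional[datetime] = None   # None = never connected
    due_by: Optional[datetime] = None         # set once policy applies and a user exists


def panel_fields(state, now):
    """Values of the two Check-In panel fields, following Table 3.1."""
    if state.last_contact is None:
        last = "never connected"
    else:
        last = state.last_contact.isoformat(" ")

    # Assumption: "no policy" is tested before "no registered user".
    overdue = False
    if not state.lockout_policy:
        due = "not applicable"
    elif state.registered_users == 0:
        due = "not applicable until the first user registers"
    else:
        due = state.due_by.isoformat(" ")
        overdue = now > state.due_by   # contact is required "no later than" due_by

    return {
        "last_communication": last,
        "next_communication_due_by": due,
        "overdue": overdue,   # shown in red with the overdue tooltip
        # Per Table 3.1, OTP recovery and recover /B need a prior server contact.
        "server_recovery_available": state.last_contact is not None,
    }


def can_extend(state, is_client_admin):
    """The four conditions under which Extend Due Date is available."""
    return bool(is_client_admin
                and state.registered_users >= 1
                and state.lockout_policy
                and state.server_configured)


def extend_due_date(state, now, is_client_admin):
    """Set the due date to now plus the interval, as the guide describes.

    The new date is counted from today, not from the old due date, so
    extending twice at the same moment does not add two intervals.
    """
    if not can_extend(state, is_client_admin):
        raise PermissionError("Extend Due Date is not available")
    state.due_by = now + state.interval
    return state.due_by


if __name__ == "__main__":
    # Constructed sample: a laptop that missed its check-in by five days.
    now = datetime(2008, 1, 15, 9, 0)
    laptop = CheckInState(True, True, 1, timedelta(days=30),
                          last_contact=datetime(2007, 12, 11, 8, 0),
                          due_by=datetime(2008, 1, 10, 8, 0))
    print(panel_fields(laptop, now))
    print("new due date:", extend_due_date(laptop, now, is_client_admin=True))
    print(panel_fields(laptop, now))
```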
The information displayed in the Check-In panel varies as described in the following table.
Table 3.1 Check-In Panel Information

| Field Label | Value | Meaning |
|---|---|---|
| Last communication with the GuardianEdge Server | Date and time | Communication with the GuardianEdge Server occurred on the specified date at the specified time. |
| Last communication with the GuardianEdge Server | never connected | This Client Computer has never connected to the GuardianEdge Server. The user will not have access to the OTP recovery method. The recover /B option is not available. |
| Next communication due by | Future date and time | A lockout enforcement policy is in effect and this Client Computer must make contact with the GuardianEdge Server no later than the specified date and time. |
| Next communication due by | Past date and time in red with a warning icon. Tooltip message, "Communication is overdue", appears. | A lockout enforcement policy is in effect and this Client Computer has failed to connect within the mandatory interval. A lockout is imminent. |
| Next communication due by | not applicable until the first user registers | The first user has not yet registered. |
| Next communication due by | not applicable | A lockout enforcement policy is not in effect. |

The Extend Due Date button is only available under the following circumstances:
• If you are logged in as a Client Administrator,
• If at least one user has registered,
• If a lockout enforcement policy is in effect, and
• If the Client Computer is configured to communicate with the GuardianEdge Server.
If lockouts are used for enforcement of check-in and the computer fails to check in, then users will not be able to boot
to Windows. If the Check-In panel indicates that a lockout is imminent, click Extend Due Date. The Next
communication due by field will be incremented from today's date and time by the required communication
interval.
Separately, you should ensure that the issue preventing the Client Computer from connecting to the GuardianEdge
Server is resolved. The lockout experience is discussed further in Computer Lockout on page 8.
Account Settings Tasks
Users
Use the Users panel to view GuardianEdge accounts on a computer and to unregister users. To open the Users panel,
click Users in the navigation pane. The Users panel appears, populated with the registered user and Client
Administrator accounts on that computer. Figure 3.10 shows an example.
Password
Your password is set by installation setting or policy. Therefore, your password panel will display as follows:
Figure 3.11 Client Console Password Panel
Authenti-Check
You do not have Logon Assistance methods available. Therefore, your Authenti-Check panel will display as follows:
Figure 3.12 Client Console Authenti-Check Panel
About
Use the About panel to find out which version of GuardianEdge Framework and GuardianEdge Hard Disk the Client
Computer is running. To open the About panel, click About.
Figure 3.13 Client Console About Panel
The build number is accessible as a Tool Tip when you hover your mouse over the version number. The build number
can be used to see whether patches have been applied.
4. Hard Disk Access & Recovery
Overview
GuardianEdge provides utilities and a Recover Program to assist you in the event that a GuardianEdge Hard Disk
Client Computer fails to boot. While the Recover Program can be run by a qualified Client Administrator, we
recommend that you contact GuardianEdge Technical Support for assistance with the process.
Utilities and the Recover Program
The following utilities and Recover Program can be used to attempt data recovery on a user's computer:
• GuardianEdge Hard Disk Access Utility (32-bit): GuardianEdge provides the 32-bit Access Utility separately. It
enables a Client Administrator to boot from a CD-ROM and access the hard disk by using the Microsoft Windows
Preinstallation Environment (Windows PE). Accessing the computer through Windows PE allows administrators
to back up data to servers or external disks for hard disk replacement, perform file system and Windows system
repair, and complete other system administration tasks.
• GuardianEdge Hard Disk Access Utility (16-bit): The 16-bit Access Utility ships with GuardianEdge Hard Disk
as access.exe and is installed by default in the following directory on the server: C:\Program Files\EncryptionAnywhere\Encryption Anywhere Hard Disk\DOS. This version can be handy if you are off site; its smaller size is
useful for email distribution. However, this version requires extra hardware and software to run, such as a New
Technology File System (NTFS) reader and shareware to view the data. Therefore, the 32-bit Access Utility is
recommended.
• Recover Program: This program can be used in the event that the problem is related to GuardianEdge Hard Disk.
The program attempts to regain access to data on your hard disk by repairing the GuardianEdge client database
files or by performing an emergency decryption of the entire hard disk.
Contact GuardianEdge Technical Support at your earliest convenience when dealing with a technical issue that
involves critical data. Document all events that preceded the problem, list any actions taken, and identify any error
messages encountered. Depending on your situation, Technical Support personnel may walk you through one or more
of the following steps as you attempt recovery.
The Recover Floppy or CD
Your Policy Administrator will provide you with a bootable medium that includes the files listed below:
• access.exe (16-bit version)
• ephdxlat.bin
• ephdxlat.ovl
• RECOVER.EXE
• Readme.txt
These files can be used on any Client Computer, as long as the Client Computer and the Manager Computer are
running the same version of GuardianEdge Hard Disk.
Recovery Steps
Basics
The following steps should be performed in sequence:
1. Recover /A
2. Access Utility
3. Hard Disk Consistency Check
4. Recover /D
5. Recover /B
Recover /A
If your computer has encountered a serious error and you cannot load Windows, first run the Recover Program with
the /A option. The /A option attempts to repair damaged client database files.
After Recover /A runs, the Audit Trail is reset and all events logged in pre-Windows that have not been moved to the
Windows Event Log are lost.
To run Recover with the /A option, you will need the bootable Recover floppy or CD that the Policy Administrator
created.
To run Recover with the /A option:
1. Remove any bootable media.
2. Insert the Recover floppy or CD (see The Recover Floppy or CD on page 23) into the appropriate drive.
3. Restart the computer, booting from the Recover floppy or CD. You may need to modify the BIOS to boot from
CD.
4. At the A:> prompt, type Recover.exe /A.
5. You will be asked to authenticate with a Client Administrator name and password, after which you follow the
program prompts.
If the /A option succeeds in repairing the client database files and you are able to boot, you once again have access to
the computer. If the /A option does not succeed, proceed to the next step: Access Utility.
Access Utility
Two versions of the Access Utility are available: 32-bit and 16-bit. Both versions contain text-based instructions in an
accompanying Readme file. The 32-bit version is preferred and is delivered separately from GuardianEdge; the 16-bit
version is included with GuardianEdge Hard Disk. If you do not have the 32-bit version, request it from your Policy
Administrator.
Both versions of the Access Utility address possible Windows problems. If you succeed in booting with the Access
Utility, it indicates that the problem is with your Windows installation. The Access Utility will allow you to pull off
the critical files before you attempt to work on the Windows operating system.
The 32-bit Access Utility contains an NTFS reader and brings up a plug-and-play environment, allowing you to boot
from a CD using a Windows Preinstallation Environment (Windows PE). This allows you to map to a network drive
and copy your data to a safe location.
The 16-bit Access Utility ships with GuardianEdge Hard Disk. The Policy Administrator provides you with a copy.
This version runs in DOS and can be handy if you are off site and do not have disk access. Its smaller size is more
suited to being distributed by email. If you use the 16-bit Access Utility, you also need:
• The Recover floppy or CD (see The Recover Floppy or CD on page 23).
• An NTFS reader. This reader is a freeware tool that provides read access to NTFS partitions within the MS-DOS
environment. You can preview files on NTFS and copy files from NTFS to File Allocation Table (FAT) volumes
or network drives. The reader can be run from a DOS bootable floppy. Many sources provide the reader. The
http://www.sysinternals.com/Utilities/NtfsDosProfessional.html site is recommended.
• A shareware program to view the data.
If either version of the Access Utility does not succeed, proceed to the next step: Hard Disk Consistency Check.
Hard Disk Consistency Check
If running Recover /A fails and if the Access Utility is not able to see the hard disk or to authenticate the person
running the utility, then the possibility exists that the drive has physically failed. One frequent cause of failure is a
read/write arm failure.
Locate the bootable repair CD provided by the manufacturer and run a consistency check.
If the consistency check fails, physical problems exist.
The next step depends on the specifics of your situation. One step may be for you to send the disk to a data recovery
house for repair. Or GuardianEdge Technical Support may try a sector-by-sector image copy to back up your data
onto another disk.
Recover /D
If your disk passed the consistency check, run the Recover Program with the /D option once, to attempt to regain
access to the data on your hard disk. The /D option attempts to repair the GuardianEdge Hard Disk client database
files, then tries to decrypt the hard disk. After Recover /D runs, the Audit Trail is reset and all events logged in
pre-Windows that have not been moved to the Windows Event Log are lost.
To run Recover /D:
1. Connect the computer to an uninterruptible power supply.
2. Remove any bootable media.
3. Insert the Recover floppy or CD (see The Recover Floppy or CD on page 23) into the appropriate drive.
4. Restart the computer.
5. At the prompt, type Recover.exe /D.
6. Authenticate with your Client Administrator user name and password.
7. When prompted, follow the program prompts.
Once the program starts running, do not stop it or shut down the computer. The process must run to completion. A
typical problem disk can take weeks to decrypt.
If the process runs into a series of bad sectors (perhaps hundreds of thousands of them), it will try multiple times to
read them and the process may appear to have stopped. You will see a percentage of disk decryption displayed on the
screen; that percentage may remain at the same number for quite some time. If the process cannot successfully read a
sector after multiple attempts, the process moves to the next sector. Readable sectors are read in, decrypted, and then
written back to the disk.
Never run this option more than once, whether it succeeds or fails. Running Recover /D twice will cause
double decryption and permanent loss of data.
When the program ends, if you see a success message, you will have a fully or partially decrypted disk, depending on
the extent of damage.
Until you see a final message indicating success or failure, let the program run.
If you see a failure message, proceed to the next step.
Recover /B
Recover /B should be performed only with the assistance of GuardianEdge Technical Support.
If all previous steps failed, it may mean that a very important cryptographic key cannot be found. The Recover
Program using the /B option reads from a computer-specific recovery file that contains that key, allowing you to
decrypt your data.
While you already should have a Recover floppy or CD that can be used to perform Recover /A and /D, to perform
Recover /B you will need computer-specific data and a special Recover floppy or CD from your Policy
Administrator. The Administrator creates the DAT file by exporting a Client Computer's data from the GuardianEdge
Server. For this reason, Recover /B is not available for silent clients. The administrator stores the data and other
recovery files on the Recover floppy or CD that is formatted as a boot disk (see The Recover Floppy or CD on
page 23).
When the Policy Administrator creates the medium, the Administrator defines a Recovery Password to protect the DAT file. When the Administrator gives you the Recover floppy or CD, they tell you the password. Typically the
Administrator gives the DAT file a meaningful name, perhaps containing a computer-specific identifier and date,
such as Laptop4849_112907.dat.
Boot from the Recover floppy or CD and enter Recover.exe /B. You will be prompted for the Recovery Password
associated with this file. Enter the password. The Recover Program will generate several information and warning
messages and/or prompts, depending on what the program encounters. The most severe warning message occurs if something goes wrong when the Recover Program attempts to compare values in the DAT file with the client
database files, as described below.
If the Recover Program detects a mismatch between the DAT file and the client database files, the program halts and
issues a warning that the data on the hard disk will be destroyed if you continue the recovery process. Cancel the
process.
If the Recover Program is unable to compare the backup file and the client database files due to file corruption of
client database files, the program halts and issues the same warning message as stated in the previous paragraph.
Only if you are absolutely certain that the DAT file is the correct file should you continue the process; otherwise,
cancel the process.
If the Recover Program detects that the DAT file is corrupted, the Recover Program halts.
Make sure that you execute the Recover /B option on the intended computer by checking the filename on
the medium. Since the data in the DAT file is computer-specific, running /B using a recovery data file
intended for another computer will corrupt your hard disk files.
Also make sure that the computer is connected to an uninterruptible power supply; otherwise, data loss
can occur if the process stops.
Appendix A. Keyboards
Overview
For computers that require pre-boot authentication, GuardianEdge offers a means of selecting different keyboard layouts in pre-Windows.
Keyboard List
The keyboards that GuardianEdge Hard Disk supports are:
Canadian French,
French,
German,
Spanish,
United Kingdom, and
US English.
Keyboard Use
Active Keyboard Layout Identification
After a computer reboot, when you press CTRL-ALT-DEL or insert a token at the Startup screen, the GuardianEdge
pre-Windows Logon screen appears. The active keyboard layout is identified in a bar displayed in the lower right-hand
corner of that computer screen.
Keyboard Toggling
If the keyboard you require is not displayed in the bar and your administrator has defined multiple keyboards, you can toggle to another keyboard in pre-Windows. The default key sequence for switching among keyboard layouts is
pressing either Left ALT+SHIFT or CTRL+SHIFT, depending on how the key sequence was defined in Windows.
Advantages
Having an alternate keyboard layout to toggle to may be useful to you if you find yourself in a situation where you are
supporting a registered user whose physical keyboard is unfamiliar to you. For example, you may be assisting a user
who is in France and your user name and password are US English. If you are logging on in pre-Windows and you are
about to enter your Client Administrator password, you can toggle to your familiar keyboard layout. The section
Keyboard Layouts: Default View on page 27 shows the default-state view of each of the six supported keyboards.
Even though you actually will be typing on an unfamiliar physical keyboard, the computer will interpret the incoming
characters as if they were entered from the keyboard that you have selected to be the active keyboard.
Keyboard Layouts: Default View
This section shows the default-state layout of each supported keyboard. To see a keyboard layout view when the
SHIFT, CAPS, or ALTGR keys are pressed, go to Microsoft's web site http://www.microsoft.com/globaldev/reference/keyboards.mspx,
which shows the complete set of keyboard layout states.
Canadian French
Figure A.1 Canadian French Keyboard
French
Figure A.2 French Keyboard
German
Figure A.3 German Keyboard
Spanish
Figure A.4 Spanish Keyboard
United Kingdom
Figure A.5 United Kingdom Keyboard
US English
Figure A.6 US English Keyboard
Keyboard Definition
Multiple keyboard layouts may already be defined in your organization. However, if you need to add a keyboard
layout, use the Windows standard method, as described in the steps in the following sections.
Initial Steps
This section describes the first steps to take to configure the additional keyboard, on both Windows XP and Windows
2000.
1. From the Start menu click Control Panel, then double-click Regional and Language Options. The window
opens.
Figure A.7 Regional and Language Options
2. Click the Languages tab.
Figure A.8 Languages Tab
3. From the Languages window, click Details. The Text Services and Input Languages window appears.
Figure A.9 Text Services and Input Languages, Before New Keyboard Added
4. Click Add. The Add Input Language window appears.
Figure A.10 Add Input Language
5. For each keyboard layout you wish to add, select an Input language from the drop-down menu and click OK.
The new keyboard appears in the Text Services and Input Languages dialog (Figure A.11).
Figure A.11 Text Services and Input Languages, After Keyboard Added
6. Click Apply.
Windows XP
If you are running Windows 2000, skip to the section Windows 2000 on page 32 to complete the process. If you are
running Windows XP, follow the steps in this section.
1. From the Regional and Language Options window (Figure A.7), click the Advanced tab. A new window
appears (Figure A.12).
Figure A.12 Regional and Language Options Advanced Tab
2. Select the check box for Default user account settings. The following warning appears:
Figure A.13 Change Default User Settings Warning
3. Click OK to dismiss the warning.
4. Click Apply on the Regional and Language Options Advanced tab window.
5. Reboot the computer. The Registry settings, including the setting for the Default User Profile, are copied to the
pre-Windows environment, making them available during the pre-Windows logon process. Note that the Default
User Profile settings will affect all users of this computer.
Windows 2000
In Windows 2000, once you complete Initial Steps on page 29, use the Registry editor, RegEdit, to update the
Default User Profile as follows:
1. Copy the values from HKEY_CURRENT_USER\Keyboard Layout\Preload to
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload.
2. Copy the values from HKEY_CURRENT_USER\Keyboard Layout\Substitutes to
HKEY_USERS\.DEFAULT\Keyboard Layout\Substitutes.
3. Reboot.
Appendix B. Token Error Messages
Overview
This appendix lists the error messages that you may encounter while using your token to:
Authenticate in pre-Windows, or
Authenticate to the Client console.
The tables in this appendix include an Action column, specifying actions that you can take in response to each error
message.
Pre-Windows Logon
Table B.1 lists the error messages that may be generated when you attempt to log on to GuardianEdge Hard Disk in
pre-Windows.
In some cases, the message itself contains the default instruction: Please call the help desk for assistance.
This instruction appears in the Message column in italics. The instruction can be customized by your
Policy Administrator, so your instruction may differ from the default shown.
Table B.1 Pre-Windows Logon Messages
Token Type | Severity | Message | Meaning | Action

Token Type: CAC / Smart Card
Message: GuardianEdge Hard Disk has discovered that the inserted token can not be recognized. You will need to use a token that can be recognized by the system.
Meaning: The type of token you are attempting to log on with does not match the type of token your administrator configured for your use.
Action: Click OK to dismiss the message, remove the incorrect token, then insert the correct one. If you do not know which token or card type is correct, or you have not been issued the correct card, contact the appropriate administrator. You cannot log on until this situation is resolved.

Token Type: CAC / Smart Card
Message: A matching certificate could not be located on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning: The certificate on this token is not the correct certificate for your GuardianEdge account.
Action: Click OK to dismiss the message, then click Cancel to exit the Logon screen. Contact your Policy Administrator to verify that this token contains the certificate that the administrator used to establish your account.
Meaning: Your certificate was issued today, but is not yet valid because the Certificate Authority issues certificates using Greenwich Mean Time (GMT). Therefore, your local system date has not yet caught up with the GMT activation date.
Action: Click OK to dismiss the message. If there is another Client Administrator assigned to this computer, ask them to log on in pre-Windows, so that you can access Windows. Tomorrow your certificate should work, or you could set your local system date ahead, to activate the certificate now.

Token Type: Smart Card
Message: No certificate could be found on this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning: Your token does not contain any certificates.
Action: Click OK to dismiss the message. Is this the token that your Policy Administrator issued to you? If it isn't, please insert that token now and try again. If it is, contact your Policy Administrator and let them know that your token is missing the required certificate.

Token Type: RSA
Message: An error occurred during communication with the token. To try logging on with a token again, click Restart Computer. Your computer will restart automatically.
Meaning: Your token's certificate is not intended for your GuardianEdge account.
Action: Click Restart Computer from the message box. Insert the token that contains the certificate that the Policy Administrator set up for you. On the Logon screen, type your PIN then click OK.
Meaning: Your token does not contain any certificates.
Action: If you do not know which token or certificate to use, contact the Policy Administrator or appropriate token administrator and ask for help.

Token Type: All
Message: Incorrect PIN.
Meaning: You inserted your token for the Startup screen but did not enter your PIN on the Logon screen before clicking OK.
Action: Click OK to dismiss the message. On the Logon screen, type your PIN then click OK.

Token Type: All
Message: GuardianEdge Hard Disk has detected that the token has been removed. Please reinsert the token and click OK.
Meaning: You removed your token before your logon process was complete.
Action: Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
Meaning: Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
Action: Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

Token Type: All
Message: GuardianEdge Hard Disk could not detect a token. To resume the authentication process with a token, please insert a token and then click OK.
Meaning: You removed your token before your logon process was complete.
Action: Click OK to dismiss the message. Re-insert your token. On the Logon screen, type your PIN then click OK.
Meaning: Your token reader was unplugged after GuardianEdge Hard Disk detected your token.
Action: Click OK to dismiss the message. Plug the reader back in, then reboot. Insert your token at the Startup screen to bring up the Logon screen. Type your PIN then click OK.

Token Type: All
Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator. [Please call the help desk for assistance.]
Meaning: Your PIN has been blocked by your token software for exceeding the maximum number of incorrect retries to enter your PIN.
Action: Click OK to dismiss the message and contact the Policy Administrator or appropriate token administrator.

Token Type: All
Message: Incorrect (PIN).
Meaning: The PIN you entered is not correct. Type your PIN again then click OK.
Action: Click OK to dismiss the message. If you think that you know your correct PIN, re-type your PIN then click OK. If you do not know your PIN, please contact your Policy Administrator.
Client Console Logon
Table B.2 lists the error messages that may occur when you are trying to log on to the Client console.
Table B.2 Client Console Logon Messages
Token Type | Severity | Message | Meaning | Action

Token Type: CAC
Message: A token error has occurred.
Meaning: Your token may be using older software (ActivClient Gold 3.0). When this is the case, this generic message is displayed for any of the following conditions: incorrect PIN, blocked PIN, or expired certificate.
Action: Click OK to dismiss the message, then click to close the Client console. Contact your Policy Administrator or appropriate token administrator to determine the exact issue with your token.

Token Type: RSA
Message: A token error has occurred.
Meaning: It is possible that your certificate cannot be found or is not being recognized.
Action: Click OK to dismiss the message, then click to shut down the Client console. Log off Windows and restart your computer. Log on and launch the Client console. When you are prompted to log on, insert your token. If you are using an RSA token, make sure that the RSA token software recognizes your token. Wait until the RSA icon in your system tray changes to include a plus sign. If you are using an Axalto smart card, wait for the icon's gold token to stop blinking and for the icon computer screen to return from blue to black. Wait for any token light to stop blinking before clicking Log On from the Logon panel. This wait time ensures that your token is recognized by the system. If you receive this message when you try again, contact the appropriate administrator.

Token Type: All
Message: The program could not log you on. The token was removed.
Meaning: There is no token in your reader.
Action: Click OK to dismiss the message. Insert your token. In the Logon panel, type your PIN, then click Log On.

Token Type: All
Message: Incorrect PIN.
Meaning: You did not enter the correct PIN.
Action: Click OK to dismiss the message. In the Logon panel, type the correct PIN, then click Log On.

Token Type: All
Message: The PIN is blocked for this token. The current token needs to be replaced or modified by an administrator.
Meaning: Your token's certificate contains a blocked PIN.
Action: Call the appropriate administrator. You cannot use this token and certificate for GuardianEdge Hard Disk until this issue is resolved.

Token Type: All
Message: The program could not log you on. Your credentials could not be verified.
Meaning: The inserted token may not be for the user who is logged in to Windows. It is also possible that your token does not contain any certificates or that it contains certificates that were not issued to you.
Action: Make sure that you are the user who is logged on to the Windows session. If you are not, log on to Windows now. Make sure that the inserted token is the one that was issued for your GuardianEdge account. If it is not, remove the invalid token and insert the valid token. Try to log on again. If the console still cannot verify your credentials, call the appropriate administrator. You cannot use this token for GuardianEdge Hard Disk until the issue is resolved.