DESlock+ Maintenance Mode
What is Maintenance Mode?
The new Maintenance Mode feature allows a DESlock+ Full Disk Encrypted workstation to restart without requiring the user to authenticate with the DESlock+ pre-boot environment. This may be used by system administrators who are working remotely and wish to restart Windows when no one is physically present to enter credentials at the pre-boot screen.
This feature can be useful when performing software updates or configuration changes that require restarts of Windows to complete.
This feature is optional and disabled by default. Once the configured period or number of restarts without authentication has been reached, authentication is required once more.
IMPORTANT: While Maintenance Mode is enabled on a workstation, the system will boot with no authentication and thus is not secure from attack.
Step 1. Configure workstation to allow Maintenance Mode
Enable maintenance mode use on the PC by setting the following registry key:
A sample registry file can be downloaded here: enable_maintenance_mode.reg
Step 2. Enabling Maintenance Mode
To put the system in Maintenance Mode, the DESlock+ command line tool is invoked with the maintenance command switch. There are options to use a timed expiry, a number of reboots, or both types together. When both types are used, whichever occurs first removes the Maintenance Mode state from the workstation.
When enabling Maintenance Mode, the Full Disk Encryption admin user login password is required. This can be passed on the command line or, if the value is omitted, the command will prompt the user to enter the password interactively.
Allow workstation to restart 4 times without authentication:
DlpCmd64 maintenance -b:4 -p:Password
The command will confirm what has happened when processed successfully:
Allow workstation to restart 4 times without authentication, prompting the user to enter the password interactively:
DlpCmd64 maintenance -b:4 -p:
Allow workstation to restart for the next 3 hours without authentication:
DlpCmd64 maintenance -h:3 -p:Password
Allow workstation to restart without authentication until 8:30PM on March 11 2018 or until 6 reboots, whichever occurs first:
DlpCmd64 maintenance -b:6 -d:3/11/2018 -t:20:30 -p:Password
For additional help, run DlpCmd64 maintenance with no switches to display the help text.
For 32-bit systems the command is DlpCmd.
Specifying a time longer than 3 days or more than 10 restarts will require that you confirm the choice by pressing Y. This can be automated by passing the -n switch with the command to skip the warning.
Attempting to enable Maintenance Mode 3 times in a row with incorrect passwords will require that the system is restarted (and authentication used to boot) before further attempts can be made.
When calling the command line tool from, for example, a batch file, the exit code for a successful command is 0.
Step 3. Leaving Maintenance Mode
Maintenance Mode will be removed and normal startup behaviour will return automatically after the selected number of restarts or once the selected time has passed. Alternatively, you can manually remove the Maintenance Mode state from the system with the -r switch.
Removing maintenance mode from a system does not require a password.
DlpCmd64 maintenance -r
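Steps 2 and 3 combined into one batch file, as an added example that is not DESlock+ code: it keeps the unauthenticated window small, checks the exit code before any remote restart, and removes the state explicitly afterwards. The file name maint.cmd, the restart count of 2 and DlpCmd64 being on PATH are assumptions.

```batch
@echo off
rem Added example, not DESlock+ code. Assumes DlpCmd64 is on PATH and the
rem Step 1 registry setting is already in place.
rem Usage: maint.cmd enable    before the remote restarts
rem        maint.cmd disable   as soon as the work is finished
setlocal

if /i "%~1"=="enable"  goto :enable
if /i "%~1"=="disable" goto :disable
echo Usage: %~nx0 enable ^| disable
exit /b 2

:enable
rem Keep the window small: 2 restarts, then pre-boot login returns.
rem "-p:" with no value makes DlpCmd64 prompt, so the FDE admin password is
rem not stored in this file and does not appear in the process command line.
DlpCmd64 maintenance -b:2 -p:
set "rc=%errorlevel%"
if not "%rc%"=="0" (
    rem No retry loop: three wrong passwords block further attempts until
    rem the machine is restarted with pre-boot authentication.
    echo Maintenance Mode was NOT enabled, exit code %rc%. Do not restart remotely.
    exit /b 1
)
echo Maintenance Mode enabled for 2 restarts. Run "%~nx0 disable" when done.
exit /b 0

:disable
rem -r needs no password.
DlpCmd64 maintenance -r
set "rc=%errorlevel%"
if not "%rc%"=="0" (
    echo Could not confirm Maintenance Mode was removed, exit code %rc%.
    exit /b 1
)
echo Maintenance Mode removed. The next boot requires pre-boot authentication.
exit /b 0
```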