Full Disk Encryption Maintenance Mode
What is Maintenance Mode?
Maintenance Mode is a feature that allows a Full Disk Encrypted (FDE) Workstation to restart without requiring the user to authenticate in the pre-boot environment. This may be used by system administrators that are working remotely and wish to restart Windows but there is no one physically present to enter credentials at the pre-boot screen.
This feature can be useful when performing software updates or configuration changes that require restarts of Windows to complete.
This feature is optional and disabled by default. Once the configured period or number of restarts without authentication has been reached authentication is required once more.
IMPORTANT: While Maintenance Mode is enabled on a workstation, the system will boot with no authentication and thus is not secure from attack.
Step 1. Configure workstation to allow Maintenance Mode
Enable maintenance mode use on the PC by setting the following registry key:
Step 2. Enabling Maintenance Mode
To put the system in Maintenance Mode, the ESET Endpoint Encryption (EEE) Command line tool is invoked with the maintenance command switch. There are options to use a timed expiry, a number of reboots or both types together. When both types are used whichever occurs first removes the Maintenance Mode state from the workstation.
When enabling Maintenance Mode the FDE admin password is required. This can be passed on the command line or if the value is omitted the command will prompt the user to enter the password interactively.
Allow workstation to restart 4 times without authentication:
DlpCmd64 maintenance -b:4 -p:Enter Your Password Here
Please note, you must first navigate to the same directory as DlpCmd64.exe before entering the command. This is in C:\Program Files\ESET Endpoint Encryption\
The command will confirm what has happened when processed successfully:
Allow workstation to restart 4 times without authentication prompting the user to enter the password interactively:
DlpCmd64 maintenance -b:4 -p:
Allow workstation to restart for the next 3 hours without authentication:
DlpCmd64 maintenance -h:3 -p:Enter Your Password Here
Allow workstation to restart without authentication until 8:30PM on March 11 2018 or until 6 reboots whichever occurs first.
DlpCmd64 maintenance -b:6 -d:3/11/2018 -t:20:30 -p:Enter Your Password Here
For additional help run DlpCmd64 maintenance with no switches for help display.
For 32bit systems the command is DlpCmd.
Specifying a time longer than 3 days time or more than 10 restarts will require that you confirm the choice by pressing Y. This can be automated by passing the -n switch with the command to skip the warning.
Attempting to enable Maintenance Mode 3 times with an incorrect password, will require a system restart (and authentication used to boot) before further attempts can be made.
When calling the command line tool from for example a batch file, the exit code for a successfull command is 0.
Step 3. Leaving Maintenance Mode
Maintenance mode will be removed and normal startup behaviour will return automatically after the selected number of restarts or time passing. Alternatively, you can manually remove the maintenance mode state from the system with the -r switch.
Removing maintenance mode from a system does not require a password.
DlpCmd64 maintenance -r
Following a change in the system time/date settings (including timezone), ensure you fully reboot your Workstation before enabling Maintenance Mode.
Keywords : windows update IPMI