Full Disk Encryption Maintenance Mode
Article ID: KB471

What is Maintenance Mode?

Maintenance Mode is a feature that allows a Full Disk Encrypted (FDE) workstation to restart without requiring the user to authenticate in the pre-boot environment. System administrators working remotely can use it to restart Windows when no one is physically present to enter credentials at the pre-boot screen.

This feature can be useful when performing software updates or configuration changes that require restarts of Windows to complete.

This feature is optional and disabled by default. Once the configured period or number of restarts without authentication has been reached, authentication is required once more.

IMPORTANT: While Maintenance Mode is enabled on a workstation, the system will boot with no authentication and thus is not secure from attack.

Requirements

  • DESlock+ client v4.9.2 or later
  • Workstation is encrypted and uses EFI boot mode to start; ESET Endpoint Encryption v5.0.0 or later supports Legacy mode
  • The user account enabling maintenance mode must have Windows system administrator rights
  • The password for the FDE admin user

Setup Guide

Step 1. Configure workstation to allow Maintenance Mode

Enable maintenance mode use on the PC by setting the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client]

"MaintenanceMode"=dword:00000001

Step 2. Enabling Maintenance Mode

To put the system in Maintenance Mode, invoke the ESET Endpoint Encryption (EEE) command line tool with the maintenance command switch. There are options to use a timed expiry, a number of reboots, or both types together. When both types are used, whichever occurs first removes the Maintenance Mode state from the workstation.

When enabling Maintenance Mode, the FDE admin password is required. This can be passed on the command line or, if the value is omitted, the command will prompt the user to enter the password interactively.

Example usage:

Allow workstation to restart 4 times without authentication:

DlpCmd64 maintenance -b:4 -p:Enter Your Password Here

Please note, you must first navigate to the same directory as DlpCmd64.exe before entering the command. This is in C:\Program Files\ESET Endpoint Encryption\

The command will confirm what has happened when processed successfully.

Allow workstation to restart 4 times without authentication prompting the user to enter the password interactively:

DlpCmd64 maintenance -b:4 -p:

Allow workstation to restart for the next 3 hours without authentication:

DlpCmd64 maintenance -h:3 -p:Enter Your Password Here

Allow workstation to restart without authentication until 8:30PM on March 11 2018 or until 6 reboots, whichever occurs first:

DlpCmd64 maintenance -b:6 -d:3/11/2018 -t:20:30 -p:Enter Your Password Here

Notes:

For additional help, run DlpCmd64 maintenance with no switches to display the help text.

For 32-bit systems the command is DlpCmd.

Specifying a time longer than 3 days or more than 10 restarts will require that you confirm the choice by pressing Y. This can be automated by passing the -n switch with the command to skip the warning.

Attempting to enable Maintenance Mode 3 times with an incorrect password will require a system restart (with authentication used to boot) before further attempts can be made.

When calling the command line tool from, for example, a batch file, the exit code for a successful command is 0.

Step 3. Leaving Maintenance Mode

Maintenance mode will be removed and normal startup behaviour will return automatically after the selected number of restarts or time passing. Alternatively, you can manually remove the maintenance mode state from the system with the -r switch.

Removing maintenance mode from a system does not require a password.

Example usage:

DlpCmd64 maintenance -r 
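
One way to script the three steps above as a bounded window, written in PowerShell as an added example (not ESET's own tooling). It uses only the switches and registry value shown in this article; the script name and the removal of the registry value on close are assumptions, and combining -b with -h relies on the article's statement that both expiry types can be used together.

```powershell
#Requires -RunAsAdministrator
# Added example (not ESET code). Hypothetical script name: Set-FdeMaintenanceWindow.ps1
#   .\Set-FdeMaintenanceWindow.ps1 -Action Open -Reboots 2 -Hours 3
#   .\Set-FdeMaintenanceWindow.ps1 -Action Close
param(
    [Parameter(Mandatory)][ValidateSet('Open', 'Close')][string]$Action,
    [ValidateRange(1, 10)][int]$Reboots = 2,  # 10 or fewer: no confirmation prompt, so -n is not needed
    [ValidateRange(1, 72)][int]$Hours = 3     # 3 days or less: same reason
)
$ErrorActionPreference = 'Stop'

$toolDir = 'C:\Program Files\ESET Endpoint Encryption'  # directory given in the article
$tool    = Join-Path $toolDir 'DlpCmd64.exe'             # use DlpCmd.exe on 32-bit systems
$regKey  = 'HKLM:\SOFTWARE\DESlock\Client'
$regName = 'MaintenanceMode'

Push-Location $toolDir   # the article says to run the tool from its own directory
try {
    if ($Action -eq 'Open') {
        # Step 1: allow Maintenance Mode on this workstation.
        Set-ItemProperty -Path $regKey -Name $regName -Value 1 -Type DWord

        # Step 2: bound the window by restarts AND hours; whichever is reached first ends it.
        # '-p:' with no value makes the tool prompt, keeping the FDE admin password out of
        # the process command line, shell history and command-line audit logs.
        & $tool maintenance "-b:$Reboots" "-h:$Hours" '-p:'

        # Exit code 0 is the only documented success value. No retry loop: a third wrong
        # password blocks further attempts until an authenticated restart.
        if ($LASTEXITCODE -ne 0) {
            # Assumption: removing the value returns the feature to its disabled default.
            Remove-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue
            throw "DlpCmd64 maintenance failed (exit code $LASTEXITCODE)."
        }
        Write-Host "Pre-boot authentication is skipped for up to $Reboots restarts or $Hours hours."
    }
    else {
        # Step 3: end the window explicitly instead of waiting for expiry (no password needed).
        & $tool maintenance '-r'
        $code = $LASTEXITCODE
        # Assumption: removing the value returns the feature to its disabled default.
        Remove-ItemProperty -Path $regKey -Name $regName -ErrorAction SilentlyContinue
        if ($code -ne 0) { throw "DlpCmd64 maintenance -r failed (exit code $code)." }
        Write-Host 'Maintenance Mode removed; pre-boot authentication is required again.'
    }
}
finally { Pop-Location }
```

Running the Close action as soon as the last restart completes keeps the unauthenticated-boot window as short as the work allows, rather than leaving it open until the counter or timer expires.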

 

Important 

Following a change in the system time/date settings (including timezone), ensure you fully reboot your Workstation before enabling Maintenance Mode. 

Related Articles

KB186 - Using the ESET Endpoint Encryption Command Line Tool

Keywords : windows update IPMI

