DESlock+ Support
Knowledgebase
DESlock+ Maintenance Mode
Article ID: KB471

What is Maintenance Mode?

The new Maintenance Mode feature allows a DESlock+ Full Disk Encrypted workstation to restart without requiring the user to authenticate with the DESlock+ pre-boot environment.  This may be used by system administrators who are working remotely and wish to restart Windows when no one is physically present to enter credentials at the pre-boot screen.

This feature can be useful when performing software updates or configuration changes that require restarts of Windows to complete.

This feature is optional and disabled by default.  Once the configured period or number of restarts without authentication has been reached, authentication is required once more.

IMPORTANT: While Maintenance Mode is enabled on a workstation, the system will boot with no authentication and thus is not secure from attack.

Requirements

  • DESlock+ client v4.9.2 or later
  • Workstation is encrypted and using EFI boot mode to start
  • The user account enabling maintenance mode must have Windows system administrator rights
  • The password for the Full Disk Encryption admin user

Setup Guide

Step 1. Configure workstation to allow Maintenance Mode

Enable maintenance mode use on the PC by setting the following registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\DESlock\Client]

"MaintenanceMode"=dword:00000001

A sample registry file can be downloaded here: enable_maintenance_mode.reg

Step 2. Enabling Maintenance Mode

To put the system in Maintenance Mode, the DESlock+ command line tool is invoked with the maintenance command switch.  There are options to use a timed expiry, a number of reboots or both types together.  When both types are used, whichever occurs first removes the Maintenance Mode state from the workstation.

When enabling Maintenance Mode, the Full Disk Encryption admin user login password is required.  This can be passed on the command line or, if the value is omitted, the command will prompt the user to enter the password interactively.

Example usage:

Allow workstation to restart 4 times without authentication:

DlpCmd64 maintenance -b:4 -p:Password

The command will confirm what has happened when processed successfully.

Allow workstation to restart 4 times without authentication, prompting the user to enter the password interactively:

DlpCmd64 maintenance -b:4 -p:

Allow workstation to restart for the next 3 hours without authentication:

DlpCmd64 maintenance -h:3 -p:Password

Allow workstation to restart without authentication until 8:30PM on March 11 2018 or until 6 reboots, whichever occurs first:

DlpCmd64 maintenance -b:6 -d:3/11/2018 -t:20:30 -p:Password

Notes:

For additional help, run DlpCmd64 maintenance with no switches to display the help.

For 32-bit systems the command is DlpCmd.

Specifying a time longer than 3 days or more than 10 restarts will require that you confirm the choice by pressing Y.  This can be automated by passing the -n switch with the command to skip the warning.

Attempting to enable Maintenance Mode 3 times in a row with incorrect passwords will require that the system is restarted (and authentication used to boot) before further attempts can be made.

When calling the command line tool from, for example, a batch file, the exit code for a successful command is 0.

Step 3. Leaving Maintenance Mode

Maintenance mode will be removed and normal startup behaviour will return automatically after the selected number of restarts or once the selected time has passed.  Alternatively, you can manually remove the maintenance mode state from the system with the -r switch.

Removing maintenance mode from a system does not require a password.

Example usage:

DlpCmd64 maintenance -r 
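
The three steps above can be wrapped in one PowerShell script so that the unauthenticated-boot window is always bounded and always removed afterwards. This is an added example, not DESlock+ code. It assumes DlpCmd64 is on PATH, that -b and -h can be combined in the same way as the -b/-d/-t example above, and that any non-zero exit code means failure; the parameter names are hypothetical.

```powershell
# Added example (not DESlock+ code). Run from an elevated PowerShell prompt.
# Assumptions: DlpCmd64 is on PATH; parameter names are hypothetical.
param(
    [ValidateRange(1, 10)][int]$Reboots = 2,  # more than 10 restarts triggers the Y confirmation
    [ValidateRange(1, 72)][int]$Hours = 3,    # longer than 3 days triggers the Y confirmation
    [switch]$Remove                           # run with -Remove when the maintenance work is done
)

$ErrorActionPreference = 'Stop'
$tool   = 'DlpCmd64'                          # DlpCmd on 32-bit systems
$regKey = 'HKLM:\SOFTWARE\DESlock\Client'

if ($Remove) {
    # Step 3: removal needs no password, so it is safe to automate.
    & $tool maintenance -r
    if ($LASTEXITCODE -ne 0) { throw "Removing Maintenance Mode failed (exit code $LASTEXITCODE)." }
    Write-Output 'Maintenance Mode removed; pre-boot authentication is required again.'
    return
}

# Step 1: refuse to continue unless the feature has been allowed on this workstation.
$value = (Get-ItemProperty -Path $regKey -Name MaintenanceMode -ErrorAction SilentlyContinue).MaintenanceMode
if ($value -ne 1) { throw "MaintenanceMode is not set to 1 under $regKey." }

# Step 2: bound the window by restarts AND hours; whichever is reached first ends it.
# "-p:" with no value makes the tool prompt, so the FDE admin password never appears
# in the command line, the script file or the shell history.
& $tool maintenance "-b:$Reboots" "-h:$Hours" '-p:'
if ($LASTEXITCODE -ne 0) {
    throw "Maintenance Mode was NOT enabled (exit code $LASTEXITCODE); do not restart unattended."
}
Write-Output "Maintenance Mode enabled for up to $Reboots restarts or $Hours hours."
```

Run the script once with the default limits before the restarts, then again with -Remove as soon as the work is finished rather than waiting for the limits to expire.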


Related Articles

KB186 - Using the DESlock+ Command Line Tool

 
