3 Replies Latest reply: May 16, 2009 12:52 AM by mrgui RSS

    Bypass Preboot Authentication Recovery Code with SbAdmCl

    Christopher-Boston
      I notice that through the webHelpDesk I can generate a recovery code for bypassing preboot authentication, but I cannot do this through the GetRecoveryGet command using SbAdmCl (don't see it in the docs anyway) - is it perhaps a yet to be documented parameter for the action variable, or is it truly not available?
        • 1. RE: Bypass Preboot Authentication Recovery Code with SbAdmCl
          SafeBoot

          C:\Program Files\SBAdmin5500>sbadmcl -command:getrecoveryresponsecode -help
          McAfee Endpoint Encryption Scripting Tool
          Copyright ® 1991-2008 McAfee, Inc. All Rights Reserved.
          Executable version : 5.1.7.0
          DLL version : 5.1.7.0
          Get a response code for a recovery challenge
          -Challenge:<challenge> Challenge string from client machine
          -Action:<action> Action to perform. Must be one of:
          ResetPassword
          UnlockUser
          ChangeToken
          CreateToken
          BootOnce
          CancelScreenSaver
          -Token:<token> Optional new token type (for ChangeToken)

          Command result:
          Command = getrecoveryresponsecode
          ResultCode = 0x00000000
          ResultDescription = The operation completed successfully.

          C:\Program Files\SBAdmin5500>


          you need boot once I think?
          • 2. RE: Bypass Preboot Authentication Recovery Code with SbAdmCl
            Christopher-Boston
            BootOnce is my 2nd choice if there's no BypassPreboot. BootOnce, I believe, generates a recovery code for the machine, so I can't pass it a user name and have it reject the user name if the user isn't assigned to the machine. I'll be able to work around this by seeing who's assigned to the machine first, but was just checking first.
            • 3. RE: Bypass Preboot Authentication Recovery Code with SbAdmCl
              The only way to bypass pre-boot is sbadmcl.exe -command:disablesecurity, prior to reboot. This will create an autoboot user account, that will be removed the next time the machine syncs. If you try using this option, be sure that the machine allows autoboot to be locally managed and uncheck the "do not check for autoboot user" (or whatever the verbage is).