Working with Endpoint Maintenance

The Endpoint Maintenance feature generates an endpoint maintenance ticket that provides provisional permission to modify, repair, or remove the client, registry keys, or special directories. The endpoint maintenance ticket is then sent to a specific computer or user.

When the client starts, it generates a 15-byte random value called the Salt. The Salt is used to ensure that only authorized processes and users can perform endpoint maintenance, and it works in conjunction with the Client Hardening default option value. To create an endpoint maintenance ticket when the Client Hardening value is set to:

  • Basic, the Salt value is not required
  • Extended, the Salt value is required

Endpoint Maintenance Ticket Rules

The following rules apply to creating and using endpoint maintenance tickets:

  • You can only generate one endpoint maintenance ticket per client computer.
  • You can define a validity period for the ticket.
    • If the ticket has not been accepted at the end of this period, the ticket is no longer valid for the client computer.
    • If a ticket is accepted, there is no expiration time limit.
  • You must reboot a client computer to deactivate a valid ticket.
  • A user must be logged in to accept an endpoint maintenance ticket generated specifically for the user. Otherwise, the ticket is rejected.
  • If you reduce the client hardening value by creating and using a maintenance ticket for a computer without choosing a user, and another user then logs in to the same computer, the computer remains in the modified state until the next reboot.
  • If the client computer is not connected to the network, you can always get the Salt value and hardening status of the client computer by right-clicking the client icon, located in the system tray, and selecting Endpoint Maintenance from the shortcut menu.
  • When you create a relaxation ticket with a Salt value for a client computer that has a client hardening value set to Extended, and the client machine is running a different operating system than the administrator, the user specified must be Administrators, because file ownership changes when files are copied to the ticket directory under different operating systems.
