03-31-2022 02:26 AM
Is there a Windows Event log message, or reg key, or AnyConnect log file which shows categorically that a user has used SBL?
Thanks
03-31-2022 02:38 AM
You mean "Start Before Logon"?
If yes, we need to know your environment - are you looking at posture, or just checking SBL?
Some information may help you:
03-31-2022 03:16 AM
Hi, thanks for the quick reply. So, a little more information...
SBL is in place and is being used by the majority of users. We simply want to find the users who do not use SBL, so we can remind these users that they SHOULD be using it. We cannot force SBL to be used...only advise the users who continue to VPN after logging on.
We have tried to use the Windows Security logs and can detect a Windows Security Event ID Type 11 from Logonui.exe (this is a cached logon whilst off the network) or a type 2 (this is a Network login) but this could mean the user used SBL, or is in the office. So we need to find the actual successful SBL connection from the log files.
Is this possible?
03-31-2022 05:56 AM
Take a known client that has SBL installed. Open up reg edit and search for 'gina'; there are several reg key options you could target to determine if it is installed or not. On my test machine here is what I see for options:
HKLM\Software\Classes\Installer\Products\D783879C2B2312A47A3C946B3D16674F
There are several possibilities located there
HKLM\Software\Classes\Installer\Products\D783879C2B2312A47A3C946B3D16674F\SourceList
PackageName = actual msi
HTH!
03-31-2022 09:15 AM
Hi Mike, thanks for the reply. We know PLAP/SBL is installed. We want to confirm whether a user has used it prior to logging on to Windows, or if they are logging on to Windows and THEN connecting to VPN. The way we are doing this via the Windows Security Event Log is cumbersome and overly complex. If there was an Event, or log file entry, which stated "PLAP connection successful" or similar, this would be more useful.
Thanks
03-31-2022 09:59 AM
The AnyConnect event viewer will have a few logs that might help you determine this.
This is when a connection is started using SBL. The connection could still fail, but would at least tell you if they tried.
Description : Tunnel initiated by Start Before Logon Component.
This message is logged only during an SBL connection attempt
SCEP Certificate Enrollment not checked due to SBL detection.
This might be the best one. This indicates that a VPN connection was established and the user can now log in to the OS.
VPN established. Continuing with login.
03-31-2022 10:34 AM
This might be a better solution.
If you do not use OnConnect scripting today, you can use this option to perhaps create a file and put a timestamp in the file for each SBL connection made. With the setting below, the file would only be updated when SBL connections are made.
Look into OnConnect scripts in the Admin guide on how to configure them.
-- Enable Post SBL On Connect Script—Launches the OnConnect script if present, and SBL establishes the VPN session. (Only supported if VPN endpoint is running Microsoft Windows.)
If you already use scripting today then this will not work, because the script you already have would be executed for Desktop VPN connections also.
Hope this helps
Steve S.
04-01-2022 08:19 AM
Hi Steve, thank you for your reply. Looking through the logs I can see the:
"SCEP Certificate Enrollment not checked due to SBL detection"
message. It is after a few "established" messages so indicates the connection via SBL.
So I think we will use that as the confirmation that the user has used SBL to login.
Many thanks !
Sven
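The three AnyConnect event descriptions quoted in this thread can be turned into a per-host check that lists machines with no established SBL session. This is an added example, not part of any post above or Cisco's own tooling; the `time,host,message` export layout, the 5-minute pairing window, the host names and the PC-C message text are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Event descriptions quoted in the thread.
SBL_ATTEMPT = "Tunnel initiated by Start Before Logon Component."
SBL_CONFIRM = (
    "SCEP Certificate Enrollment not checked due to SBL detection.",
    "VPN established. Continuing with login.",
)
RANK = {"no-sbl": 0, "sbl-attempt-only": 1, "sbl-established": 2}

# Constructed sample export. The time,host,message layout is an assumption,
# and the PC-C message is placeholder text, not a real AnyConnect string.
SAMPLE = """time,host,message
2022-04-01T08:00:05,PC-A,Tunnel initiated by Start Before Logon Component.
2022-04-01T08:00:19,PC-A,VPN established. Continuing with login.
2022-04-01T08:00:20,PC-A,SCEP Certificate Enrollment not checked due to SBL detection.
2022-04-01T08:10:00,PC-B,Tunnel initiated by Start Before Logon Component.
2022-04-01T09:30:00,PC-B,VPN established. Continuing with login.
2022-04-01T08:45:00,PC-C,(placeholder) connection started after Windows logon
"""

def classify(export_text, window=timedelta(minutes=5)):
    """Map each host to the strongest SBL evidence found in the export."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["time"])
    status, last_attempt = {}, {}
    for row in rows:
        host, msg = row["host"], row["message"].strip()
        when = datetime.fromisoformat(row["time"])
        found = "no-sbl"
        if msg == SBL_ATTEMPT:
            last_attempt[host] = when
            found = "sbl-attempt-only"
        elif msg in SBL_CONFIRM:
            started = last_attempt.get(host)
            # Count a confirmation only if it closely follows an SBL attempt,
            # so a stale or failed attempt is not credited as a success.
            if started is not None and when - started <= window:
                found = "sbl-established"
        if host not in status or RANK[found] > RANK[status[host]]:
            status[host] = found
    return status

def hosts_to_remind(export_text):
    """Hosts with no established SBL session anywhere in the export."""
    return sorted(h for h, s in classify(export_text).items() if s != "sbl-established")

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(hosts_to_remind(SAMPLE))
```

PC-B shows why the attempt and the confirmation are paired by time: an SBL attempt followed much later by an "established" message is reported as attempt-only rather than as a successful SBL logon.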