Create System Images with Symantec Encryption Desktop 10.3.2

Article ID: 158883

Products: Desktop Email Encryption, Drive Encryption

Issue/Introduction

When a local administrator creates a system image (also known as a golden image, master image, or base image) of an operating environment with Symantec Encryption Desktop 10.3.1 or earlier installed, and deploys that image to a large number of computers in a managed environment, Symantec Encryption Management Server (SEMS) identifies every computer that received the image by the same MACHINEGUID.

As a result, SEMS creates a single entry for all of those computers, and each computer that checks in overwrites that entry's Whole Disk Recovery Token (WDRT), hostname, and IP address. Because the WDRT is overwritten, the recovery token of any computer other than the last one to report is no longer available from SEMS. This document is intended for local administrators who create system images and deploy them to client computers. Because creating a system image that includes Symantec Encryption Desktop differs from creating an ordinary image, this document explains how to create and deploy such images correctly.

Enterprise environments commonly use system images to bring computers to a pristine, working state. In some cases, Symantec Encryption Desktop is included in the image as an installed application so that it does not have to be installed separately on each computer later.

SEMS uniquely identifies each computer running Symantec Encryption Desktop in the managed environment so that it can attribute the events reported by that computer.

For this purpose, SEMS uses the MACHINEGUID, a unique identifier that Symantec Encryption Desktop generates randomly on each computer on which it is installed. The client sends this identifier to SEMS, which creates an entry for the computer. Whenever Symantec Encryption Desktop reports an event to SEMS, it includes its MACHINEGUID so that SEMS can determine the source of the event.

Cause

If the system image is captured after the MACHINEGUID has been generated and is then deployed to multiple computers in a managed environment, every computer sends that same MACHINEGUID to SEMS when it requests an entry. SEMS therefore treats all of the computers as a single machine.

Resolution

Starting with version 10.3.2, the Symantec Encryption Desktop installer creates a new, editable registry key under HKEY_LOCAL_MACHINE (HKLM). This key is used to store the MACHINEGUID once it is generated. The MACHINEGUID itself is not generated at install time: Symantec Encryption Desktop generates it during the enrollment of the first user on the computer and stores it in that HKLM key.

The local administrator should therefore capture the system image before the first user enrolls in Symantec Encryption Desktop, that is, while Symantec Encryption Desktop is installed but the MACHINEGUID has not yet been generated. When such an image is deployed to multiple computers, Symantec Encryption Desktop generates a distinct MACHINEGUID on each computer when its first user enrolls.

In some cases, the SEMS administrator preconfigures the policy for a client computer to trigger super silent enrollment. Enrollment then begins automatically when the first user logs on to the computer, and the MACHINEGUID is generated without any user intervention or visible notification. In that configuration, the system image must be captured before any user logs on to the computer; otherwise the same MACHINEGUID is duplicated across every deployed computer. See TECH214370 for more information on how to change the MACHINEGUID of a client computer.
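A pre-capture check the local administrator can run on the reference computer before taking the image, written here as an added PowerShell example; it is not part of this article or of Symantec's software. The registry key and value name that hold the MACHINEGUID are not stated on this page, so the script takes them as parameters (hypothetical placeholders to be filled in from TECH214370 or from the installed client). It reports whether the MACHINEGUID value is still empty and lists any interactive user profiles that already exist on the machine, since with super silent enrollment an earlier logon may already have triggered enrollment.

```powershell
<#
  Pre-capture check for a Symantec Encryption Desktop 10.3.2+ reference computer.
  Added example, not Symantec's code. The registry location of the MACHINEGUID
  is an assumption supplied by the caller; it is not documented on this page.
  Exit code 0 means the image is safe to capture, 1 means it is not.
#>
param(
    # Registry key that Symantec Encryption Desktop 10.3.2+ creates under HKLM
    # to hold the MACHINEGUID (assumed; supply the key your installation uses).
    [Parameter(Mandatory = $true)] [string]$GuidKeyPath,
    # Name of the value that holds the MACHINEGUID (assumed).
    [string]$GuidValueName = 'MACHINEGUID'
)

function Test-MachineGuidAbsent {
    param([string]$KeyPath, [string]$ValueName)

    if (-not (Test-Path -Path $KeyPath)) {
        # 10.3.2+ creates the key at install time; its absence means the
        # client is missing, too old, or the supplied path is wrong.
        Write-Warning "Key '$KeyPath' not found. Confirm Symantec Encryption Desktop 10.3.2 or later is installed and the path is correct."
        return $false
    }

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $prop  = if ($null -ne $props) { $props.PSObject.Properties[$ValueName] } else { $null }

    if ($null -eq $prop -or [string]::IsNullOrWhiteSpace([string]$prop.Value)) {
        # No MACHINEGUID yet: no user has enrolled, so each deployed copy of
        # the image will generate its own GUID at first enrollment.
        return $true
    }

    Write-Warning "$ValueName is already set to '$($prop.Value)'. A user has enrolled; capturing now would deploy this GUID to every computer."
    return $false
}

function Get-InteractiveProfiles {
    # Profiles of local or domain user accounts have SIDs beginning S-1-5-21-;
    # built-in service profiles (SYSTEM, LOCAL SERVICE, ...) do not.
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $list |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath }
}

$guidAbsent = Test-MachineGuidAbsent -KeyPath $GuidKeyPath -ValueName $GuidValueName
$profiles   = @(Get-InteractiveProfiles)

if ($profiles.Count -gt 0) {
    # The account used to build the image will normally appear here. Anything
    # else indicates a logon that, under super silent enrollment, may already
    # have enrolled and generated the GUID.
    Write-Output 'Interactive user profiles present on this machine:'
    $profiles | ForEach-Object { Write-Output "  $_" }
}

if ($guidAbsent) {
    Write-Output 'MACHINEGUID not yet generated: OK to capture the image.'
    exit 0
}
Write-Output 'Do not capture this image.'
exit 1
```

Run it elevated on the reference computer as the last step before Sysprep or the imaging tool captures the disk. If the script reports a populated MACHINEGUID, the image must not be used as is: either rebuild the reference computer without enrolling a user, or, for computers already deployed from such an image, change their MACHINEGUID as described in TECH214370.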