Troubleshooting: Symantec Endpoint Encryption Drive Encryption

Article ID: 161188


Products

Endpoint Encryption

Issue/Introduction

This article details some general troubleshooting steps to use with Symantec Endpoint Encryption Drive Encryption version 11.x.

General Troubleshooting
If you need help, press F1 or click the Help (?) icon to open the context-sensitive help of Symantec Endpoint Encryption.

Resolution

Unable to access a drive

  1. Use a customized Microsoft Windows PE (Win PE) recovery disc or USB flash drive that was created for Symantec Endpoint Encryption 11.0. To learn how to create and use a customized Windows PE for recovery, see Windows PE Recovery Tools for Symantec Endpoint Encryption 11.x.
  2. Ensure that the policies were pulled down from Symantec Endpoint Encryption Management Server. To verify, on the client computer, look for the “Current Policies” registry key at the following location:

    • HKLM\Software\Encryption Anywhere\Hard Disk\Client Database
    • Note: These are the effective policies that are applied to a client computer.
       
  3. Check the local client logs for errors.
  4. Enable the debug logs.

    • Edit the registry key
      HKLM\Software\Encryption Anywhere\Framework\LoggerConfig
       
    • Set LogLevel=DEBUG

  5. Review the debug logs.

    • On a 32-bit (X86) system, the logs are available at Program Files (x86)\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs
    • On a 64-bit (X64) system, the logs are available at Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs
       

To learn more about event logs and debug logging, see Enabling Logging and Debug Logging in Symantec Endpoint Encryption v11.x.
 

Recovery Troubleshooting

Drive Encryption Help Desk Recovery (previously One-Time Password or OTP) does not work

  1. Confirm that the registry entries are present.
    • Check that the Help Desk Recovery Server public key is present in:
      [HKLM\SOFTWARE\Encryption Anywhere\Framework\Client Database\]
    • PGPComm=”ec-pk/P-256/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX”

  2. Ensure that the Help Desk Recovery policy is enabled on the client.
    • [HKLM\SOFTWARE\Encryption Anywhere\Framework\Client Database\CurrentPolicies\{GUID.EN_US}\]
    • OTPEnable = dword:00000001

  3. Verify Administrator Command line support.
    • Check whether Help Desk Recovery is enabled through bootprops:
      eedAdmincli.exe --bootprop-set --name "OTPE" --au <user> --ap <password>
      If OTPE=1, then Help Desk Recovery is enabled. If OTPE=0, then Help Desk Recovery is disabled.
    • Check whether Help Desk Recovery is in Online or Offline mode through bootprops:
      eedAdmincli.exe --bootprop-set --name "OTPO" --au <Admin> --ap <password>
      If OTPO=1, then the Help Desk Recovery for the client is Online. If OTPO=0, then the Help Desk Recovery for the client is Offline.
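
The registry checks in the steps above (debug log level, Help Desk Recovery public key, and the OTPEnable policy value) can be gathered in one read-only pass on the client. The PowerShell below is an added example, not part of the original article or of Symantec tooling; the function name Get-SeeRecoveryRegistryState is hypothetical, and the key paths and value names are the ones listed in this article. It does not query the OTPE or OTPO bootprops, which require eedAdmincli.exe and administrator credentials.

```powershell
# Added example: read-only summary of the registry values this article checks.
# Key paths and value names come from the article; the function name is hypothetical.
function Get-SeeRecoveryRegistryState {
    $framework = 'HKLM:\SOFTWARE\Encryption Anywhere\Framework'
    $clientDb  = Join-Path $framework 'Client Database'

    # Debug logging: LogLevel under LoggerConfig (DEBUG when debug logs are enabled).
    $logger   = Get-ItemProperty -Path (Join-Path $framework 'LoggerConfig') -ErrorAction SilentlyContinue
    $logLevel = if ($logger) { $logger.LogLevel } else { $null }

    # Help Desk Recovery step 1: PGPComm holds the recovery server public key.
    $db         = Get-ItemProperty -Path $clientDb -ErrorAction SilentlyContinue
    $keyPresent = [bool]($db -and $db.PGPComm)
    # Report only the leading "ec-pk/P-256" descriptor, never the key material.
    $keyFormat  = if ($keyPresent) { (("$($db.PGPComm)" -split '/')[0..1]) -join '/' } else { $null }

    # Help Desk Recovery step 2: OTPEnable under each CurrentPolicies\{GUID} subkey.
    $policyState = @()
    $policyRoot  = Join-Path $clientDb 'CurrentPolicies'
    $policies    = Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue
    foreach ($policy in $policies) {
        $otp   = (Get-ItemProperty -Path $policy.PSPath -ErrorAction SilentlyContinue).OTPEnable
        $state = if ($null -eq $otp) { 'OTPEnable missing' } elseif ($otp -eq 1) { 'enabled' } else { "disabled (value $otp)" }
        $policyState += [pscustomobject]@{ Policy = $policy.PSChildName; HelpDeskRecovery = $state }
    }

    [pscustomobject]@{
        LogLevel         = $logLevel
        PublicKeyPresent = $keyPresent
        PublicKeyFormat  = $keyFormat
        PolicyKeysFound  = $policyState.Count
        Policies         = $policyState
    }
}

Get-SeeRecoveryRegistryState | Format-List
```

A result with PublicKeyPresent set to False or PolicyKeysFound equal to 0 points back to steps 1 and 2 of the Help Desk Recovery checks before the bootprops are examined.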