Symantec Endpoint Encryption Drive Encryption permits managed clients that are disconnected from the Symantec Endpoint Encryption Management Server to encrypt hard drives. This means that you can create a SEE Client from the SEE Management Server and even if you are not connected, or have never connected to the server, you can get a recovery key.
This article will cover how to use the "Challenge Keys" for Symantec Endpoint Encryption Clients that have not ever checked in to the SEE Management Server.
For more information on how to use Recovery Keys for SEE Clients that have checked in to the SEE Management Server at least once, see the following article:
258513 - Symantec Endpoint Encryption Help Desk Recovery (Connected Recovery - SEE Client connected to the SEE Management Server)
If the Symantec Endpoint Encryption Management Server is unreachable at the time that a drive is encrypted, the encryption will still take place and pre-boot authentication will be required.
If the user forgets their pre-boot passphrase and presses F4 to enter a recovery token, they will see the Advanced Help Desk Recovery screen.
The typical recovery screen for systems that have connected will display the Computer Name, and a Sequence Number that can be provided to the SEE Helpdesk Admin. The Helpdesk Admin will provide a Response Key that is entered on this screen.
Client Side Experience
If a client has **not** connected to the SEE Management Server or is "offline", this is okay--in this scenario a Challenge Key would then be used. This is the "Connectionless" recovery. To get to this screen, on the main Preboot Screen, Press F4, and then on this screen press "F5".
This screen displays the Computer name, a Sequence Number and a Challenge Key. The Challenge Key comprises 32 characters split into two parts each comprising 16 characters. Each 16 character part is followed by a two character checksum in square brackets. The user provides the Help Desk with the Computer name, Sequence Number and both parts of the Challenge Key:
As you can see in the screenshot above, checksum values are displayed so that Helpdesk knows they typed this in properly. In the example above, the first line is "TT" and the second line is "ZB".
The user provides the Help Desk Administrator the Challenge Key.
Help Desk Recovery Experience
The administrator will login to the SEE Management Server Web Console:
Note: If you do not have the proper Help Desk Role, this will not work. For more information on Server Roles, see the following article:
214027 - Symantec Endpoint Encryption Admin Server Roles and Server Roles Report
Next, clicks on the "Help Desk" icon on the left side:
The admin then enters the Challenge Key from the user to get a "Response Key" that they then give to the user.
There is a two character checksum associated with the Response Key (LL in this example):
The Help Desk administrator can confirm that they have entered both parts of the Challenge Key correctly by referring to the two character checksums which match what the user sees (TT and ZB in this example):
If this does not match the Challenge Key for the machine name, the following error will be displayed (You can see the checksum values on the server do not match that of the client):
The Help Desk Administrator then enters the proper Challenge Key and will then get back a valid Response Key (The response key also has a checksum value):
The end user then enters this "Response Key"
Now you can see the proper checksum values.
The Challenge Keys are longer than a normal response key, but these are needed only if the SEE Client has not ever communicated with the Symantec Endpoint Encryption Management Server.
This is not the typical process for recovery as most clients will be communicating with the SEE Management Server. For more information on the recovery process for "connected" machines, see the following article:
For further guidance, reach out to Symantec Encryption Support.