When Symantec Endpoint Encryption (SEE) client machines are 'migrated' from one SEE environment to another, typically by running an over-the-top upgrade with client installers from the new SEE environment, this interferes with a Help Desk assisted recovery procedure on the endpoint when it is performed together with the server-side Help Desk console of the new SEE environment.
Definition: An SEE environment is one in which all SEE Management Servers (SEEMS servers) connect to the same backend SQL database. Two separate SEE environments have two completely different backend SQL databases that are not synchronized in any way. Because each environment has its own SEE database, its SEE Clients are also unique and tied to their specific Management Servers.
This KB will discuss how to ensure the SEE Clients can be moved from one SEE database to another, and still perform recovery.
"Incorrect Authentication. Try Again"
Symantec Endpoint Encryption Clients are unique and tied to a specific SEE Management Server because unique encryption keys are configured for each environment. When moving from one SEE Database to another, a new SEE Client that has these unique encryption keys built in must be created. SEE can perform Connectionless Recovery, and this process reinstates the keys properly.
This guide will have two sections as listed in the Table of Contents to go through this entire process:
This process will go over creating a new SEE Client and how to deploy it in the scenario where a completely new SQL Database has been created and the new Symantec Endpoint Encryption Management Server has been installed and configured.
Migration of Symantec Endpoint Encryption Clients may be done while the drive is still encrypted.
Symantec Endpoint Encryption Windows Clients
1. From the new Symantec Endpoint Encryption Manager, create a new Management Agent Client with updated communication settings.
2. From the client machine, open Command Prompt as Administrator and run the following command to upgrade the Management Agent Client (replace <path to .msi> with the full path to the install file):
If you are upgrading from an older version of Symantec Endpoint Encryption to a newer version, such as SEE Client 11.3.1 to SEE Client 11.4, run the following command to deploy:
msiexec /i SEEClientinstall.msi
3. When prompted, reboot the client machine.
The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.
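As an added example (not part of this KB and not Symantec's own tooling), the following PowerShell wraps step 2 so that the over-the-top upgrade can be pushed through a software-deployment tool instead of typed by hand: it runs msiexec silently, writes a verbose installer log, and distinguishes "upgrade succeeded but a reboot is pending" from an actual failure so the reboot in step 3 can be scheduled. The MSI path and log path are assumed parameters; only standard Windows Installer switches and exit codes are used.

```powershell
# Added example, not from the Symantec KB: silent over-the-top upgrade of the
# SEE Management Agent client with exit-code handling.
# Assumptions: $MsiPath points at the client MSI generated from the NEW SEE
# Management Server, and the script runs from an elevated PowerShell session.
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath,                                   # e.g. C:\Deploy\SEEClientinstall.msi (assumed location)
    [string]$LogPath = "$env:TEMP\SEE-client-upgrade.log"
)

if (-not (Test-Path -LiteralPath $MsiPath)) {
    throw "Client MSI not found: $MsiPath"
}

# Standard Windows Installer switches: /i install, /qn no UI, /norestart defer
# the reboot to us, /l*v verbose log for troubleshooting a failed upgrade.
$arguments = @(
    '/i', ('"{0}"' -f $MsiPath),
    '/qn',
    '/norestart',
    '/l*v', ('"{0}"' -f $LogPath)
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

switch ($proc.ExitCode) {
    0 {
        Write-Host "SEE client upgraded; no reboot requested."
    }
    3010 {
        # ERROR_SUCCESS_REBOOT_REQUIRED: the install is complete but the machine
        # must restart (KB step 3) before it checks in with the new SEEMS.
        Write-Host "SEE client upgraded; reboot required. Schedule the restart, then confirm check-in on the new server."
    }
    1641 {
        # ERROR_SUCCESS_REBOOT_INITIATED: the installer itself started the restart.
        Write-Host "SEE client upgraded; installer initiated a restart."
    }
    default {
        Write-Error "msiexec exited with code $($proc.ExitCode); review $LogPath"
        exit $proc.ExitCode
    }
}
```

Run it as `.\Upgrade-SeeClient.ps1 -MsiPath 'C:\Deploy\SEEClientinstall.msi'` (file and path names are assumed). After the reboot, confirm the endpoint appears in the new server's Computer Status Report before moving on to the Help Desk Recovery policy steps below.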
Symantec Endpoint Encryption for FileVault Clients:
1. From the new Symantec Endpoint Encryption Management Server, create a new Mac FileVault Client with the new communication settings.
2. Double-click the newly created Mac FileVault Client and follow the prompts to update the client machine. A reboot is not necessary.
The client machine should now be checking in with the new Symantec Endpoint Encryption Management Server.
The solution is to disable and re-enable the following settings through policy (either through SEE Native Policies or through GPO):
Policy setting 1: Enable Help Desk Recovery
Policy setting 2: Help Desk Recovery Communication Unlock (if this feature is in use)
Once the new SEE Client from the new SEE Database has been installed over the top of the old SEE Client from the old SEE Database, the clients start checking in with the new SEE Management Server. In whichever policy those clients check in to, disable the two policy settings above. This clears the old recovery key set from the old SEE Database.
Once all the new SEE Clients have done this and are checking in successfully, enable the two settings above; the next time the clients check in, the new recovery keys are reinstated.
Steps to accomplish the above
Step 1: Once you've installed the SEE Client from the new database/environment, uncheck the two settings on the new server and save the policy:
Step 2: Once the policy above has been unchecked, have all your SEE Clients Check in to the new SEE Management Server:
SEE Clients can check in manually via the SEE Management Agent, or they will check in automatically as per the check-in interval (Default value is every 60 minutes).
Step 3: Check the Computer Status Report to validate all the clients have checked in *after* this new policy update has gone into effect.
Step 4: Once you have validated all the SEE Clients have checked in after this policy update, re-enable the two settings on the SEE Management Server by checking the two boxes (make sure to save these settings):
Step 5: Check in with the SEE Client again.
Step 6: Once you validate that all the SEE Clients have checked in, the recovery keys will have been recalculated for the new SEE Clients and everything should be working again.
The above steps will reset Help Desk settings properly on the endpoint so that it can successfully complete a Help Desk recovery procedure in conjunction with the server-side Help Desk console through the new SEE Environment.
Scenario 1: Moving SEE Client from Old SEE Management Server to New SEE Management Server
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)
Scenario 2: Moving from PGP client/server to SEE client/server
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)
Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server
Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another
Scenario 5: Update which hostname the SEE Clients use for communications (Keeping same database)
249333 - Changing Web Access for SEE Clients on Symantec Encryption Management Server
Scenario 6: Moving the SEE Database from one domain (original.example.com) to a completely new domain (new.example.net)
266993 - Migrating from one Domain to a New Domain with Symantec Endpoint Encryption Management Server (From Old Domain to a new Domain)