Migrating / moving a SEE client from one SEE environment to another (Symantec Endpoint Encryption)


Article ID: 163292


Updated On:


Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


If Symantec Endpoint Encryption (SEE) client machines are 'migrated' from one SEE environment to another, typically by running an over-top upgrade using client installers from the new SEE environment, this will hinder a Help Desk assisted recovery procedure on the endpoint when performed in conjunction with the server-side Help Desk console through the new SEE Environment.

Definition:  An SEE environment is one where all SEE Management Servers (SEEMS servers) are connected to the same backend SQL database. Two separate SEE environments would have two completely different SQL databases on the backend, that are not synchronized in any fashion.

"Incorrect Authentication. Try Again"


The solution is to disable and re-enable the following settings through policy (either through SEE Native Policies or through GPO)

Policy setting 1: Enable Help Desk Recovery

Policy setting 2: Help Desk Recovery Communication Unlock  (if this feature is in use)

Once the SEE Clients check in with the server after toggling these two settings and the clients check in for each, then the communications can continue with the new server and recovery will then be reinstated.

Scenario: If your SEE clients pointing to one SEE database are being migrated to a completely new SEE database.

Step 1: Once you've installed the SEE Client from the new database/environment, then uncheck the above two settings from the new server and save the policy:

Step 2: Once the policy above has been unchecked, have all your SEE Clients Check in to the new SEE Management Server:

Step 3: Check the Computer Status Report to validate all the clients have checked in *after* this new policy update has gone into effect. 


Step 4: Once you have validated all the SEE Clients have checked in after this policy update, re-enable the two settings on the SEE Management Server by checking the two boxes (make sure to save these settings):

Step 5: Check in with the SEE Client again.

Step 6: Once you validate all the SEE Clients have checked in, the recovery keys will have been recalculated to the new SEE Clients and all should be working again. 

The above steps will reset Help Desk settings properly on the endpoint so that it can successfully complete a Help Desk recovery procedure in conjunction with the server-side Help Desk console through the new SEE Environment.



Additional Information

Scenario 1:
163292 - Migrating from one SEE Management Server to another (Completely new SEE Database)

Scenario 2: (PGP to SEE)
227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)

Scenario 3: Moving SEE Clients from the same database to another SEE Management Server with the same Database
154122 - How to Migrate Symantec Endpoint Encryption Management Console and all the clients from one Server to another Server, without moving the existing SQL Server

Scenario 4: Moving same SEE database from one DB instance to another
152340 - How to move the SEE-MS SQL database from one server/instance to another

Scenario 5: Moving from one SEE database to a completely different SEE database.
178631 - How to migrate Symantec Endpoint Encryption version 11 Clients from one Management Server to another