How To Install Symantec Encryption Desktop for Windows - Managed by Symantec Encryption Management Server


Article ID: 178367


Updated On:


Desktop Email Encryption Drive Encryption Encryption Management Server




This article includes all the steps necessary to install the Symantec Encryption Desktop client which is Managed by Symantec Encryption Management Server.  All points will be discussed, including where to download the software, as well as performing the actual installation.

NOTE: If you do not use a Symantec Encryption Management Server and need instructions for the Standalone client, or unmanaged client, please see article HOWTO101895.

Click the links in the Table of Contents below to skip directly to each topic discussed in this article.


Table of Contents

Encryption Desktop for Windows - System Requirements

Considerations and Best Practices

Downloading the proper Symantec Encryption Products

Finding Your Serial Number or License Number

Downloading the Proper Symantec Encryption Products

Downloading Client From Server

Installing Symantec Encryption Desktop



Encryption Desktop for Windows - System Requirements

 For all information related to Symantec Encryption Desktop system requirements, including compatible Operating Systems, see KB TECH224415.


Hardware Requirements

  • 512 MB of RAM
  • 300 MB of free disk space available


Compatible Virtual Servers

  • VMware ESXi 5.1 (64-bit version)


^Back to Top


Considerations and Best Practices

Additional Requirements for Drive Encryption on UEFI Systems


The following requirements apply only if you are encrypting your disk. If you are installing Symantec Encryption Desktop for email or other Symantec Encryption Desktop functions, you can install on Windows 8/8.1 32-bit systems and boot using UEFI mode without having to meet these requirements.  To encrypt systems booting in UEFI mode, the following additional requirements must be met:

  • System must be certified for Microsoft Windows 8/8.1 64-bit or Microsoft Windows 7 64-bit
  • UEFI firmware must allow other programs or UEFI applications to execute while booting
  • Boot drive must be partitioned in GPT with only one EFI system partition on the same physical disk
  • Boot drive must not be configured with RAID or Logical Volume Managers (LVM)
  • Tablets and any systems without a wired or OEM-supplied attachable keyboard are not supported For more information on the firmware and boot drive, contact your system administrator or hardware manufacturer.


Note: Symantec Drive Encryption is not compatible with other third-party software that could bypass the Symantec Drive Encryption protection on the Master Boot Record (MBR) and write to or modify the MBR. This includes such off-line defragmentation tools that bypass the Symantec Drive Encryption file system protection in the OS or system restore tools that replace the MBR.

For more information about requirements for UEFI systems, see article TECH203071, "Symantec Encryption Desktop 10.3.2 compatibility with Microsoft Windows 8/8.1".

Symantec Drive Encryption on Windows Servers

Symantec Drive Encryption is supported on all of the following Windows Server versions:

  • Windows Server 2012 R2 64-bit Edition with internal RAID 1 and RAID 5
  • Windows Server 2012 64-bit Edition with internal RAID 1 and RAID 5
  • Windows Server 2008 R2 64-bit Edition with internal RAID 1 and RAID 5
  • Windows Server 2008 64-bit Edition (Service Pack 1 and Service Pack 2) with internal RAID 1 and RAID 5

Note: Dynamic disks and software RAID are not supported.


For additional system requirements and best practices information for use on Windows Servers, see article TECH149613 "Drive Encryption on Windows Servers"


The following best practices prior to the installation of Symantec Encryption Desktop:


^Back to Top

Finding your Serial number or License Number:

You should have received your Serial and License numbers in emails sent from Symantec. If you have not received your Serial or License numbers for your Symantec Encryption products, or if you have questions or concerns related to getting your Serial or License numbers, please contact Symantec Customer Care at 1-800-721-3934.

For a list of all Customer Care numbers in your region, click here.

Downloading the proper Symantec Encryption Products

  Selecting the proper download:

TIP: Before being able to download the Managed or Customized Symantec Encryption Desktop client, a Symantec Encryption Management Server must be installed and properly configured.  Review the Symantec Encryption Management Server 3.3.2 Installation Guide for more information. The next steps in this article go over how to download Symantec Encryption Management Server.  After that, the rest of this article assumes the proper configuration of Symantec Encryption Management Server has been completed.



  • Click the Product version you want to download, which should be Symantec Encryption Management Server and choose the latest version available.  TIP:  For information on the latest version of Symantec Encryption Management Server, see article TECH187067.


NOTE: If the serial number is entered, and different products are available, be sure to select "Symantec Drive Encryption with Encryption Management Server 10.3".  This will ensure only the correct product is available for download.

  • The Symantec Encryption Management Server ISO will be zipped within a single package such as "". (This package will include the Client install packages in exe format as well as the ISO file for install of the Symantec Encryption Management Server)
  • Click the plus sign on the left hand side next to the package you want to download
  • Click the link on the right hand side next to HTTPS Download

  • Save the file to your local computer:

 For information on how to install Symantec Encryption Management Server see HOWTO103769

 Once Symantec Encryption Management Server has been installed, and properly configured, creating the Managed, or Customized Installation package for Symantec Encryption Desktop is then possible.  The only real difference with a customized installation package and a standalone package is the PGPStamp that is built in to the customized package, which tells the client which Symantec Encryption Management Server to enroll with, an communicate with going forward.


^Back to Top


Downloading Client From Server


1. Login to Symantec Encryption Management Server by using a Web browser and type in the URL for your server port 9000. (ex. HTTPS://

2. From the System Overview page click on the Consumers tab.

3. Once you are on the Consumers page click Group tab from the overview, Then select Download Client... from bottom dialog box

4.Check the box "Customize" in order to create a Managed client, and select the proper Operating System in which to deploy the client.

The method of enrollment will dictate whether to use "Auto-Detect", or "Preset Policy".  If Directory Synchronization is being used, which communicates with an LDAP server, and each end user will enroll with a username and password, choose "Auto-Detect".  If Directory Synchronization is *not* being used, choose "Preset Policy".

The option "Embed Policy and license information" should be used only in environments where communication with Symantec Encryption Management Server will never happen.  In most cases, communication is possible at least at time of enrollment and this setting is not recommended, however for more information on Embed Policy, please see article TECH148945.

5. In this example, the user is running Windows 64-bit, Directory Synchronization has been configured, the user will enroll with a username and password, so Auto-Detect will be chosen.

6. In the "Symantec Encryption Management Server" field, choose the FQDN the client will use to communicate back to the Symantec Encryption Management Server.  If Load Balancing is being used, this may not be the actual hostname of Symantec Encryption Management Server, so use whatever hostname the client will be able to resolve to enroll, and communicate with going forward.  In this example, the client will communicate with keys.manageddomain.dom.  DNS Round Robin is not a supported configuration--see article TECH232699 for more information.

7. The "Mail Server Binding" field, typically "*" is used, which will use whatever mail server the mail client will be using.  If a specific mail server binding is needed, enter the FQDN of the mail server in question.

8. After all the desired settings are used, click "Download" to download the Managed or Customized package.  The resulting file will be similar to "PGPDesktop_en_US.msi".



Installing the Application

Before installing the application determine if the Operating System is 32-bit or 64-bit. For assistance in finding what version the machine is running please see the following article:

  • Browse to location where you downloaded the installation package and double-click to launch the installer.


  • Installation will start and you must select your language and hit the OK button.


  • Review the end user license agreement.
  • Once you have read and agree to the terms, select  accept license agreement and hit the next button.

NOTE: if you do not accept the license agreement you will not be able to complete the installation 


  • Next option is to choose if you want to view the Release notes after install
  • Select the option you wish and hit the next button to continue


NOTE: The following message is caused by using 32-bit installer on 64 bit OS. Alternately if you attempt to use a 64-bit installer on 32 bit OS you will get a similar error. Please download the correct version for the system you are installing 


 NOTE: The following message may not be displayed depending on User Account Control settings inside the Windows Operating System. 

  • Click yes to allow the application to install


  • Reboot of the system is required. Select the Yes button to initiate reboot, or select No and reboot at a later time (installation is not complete until you reboot the system)

After reboot of system once user logs into the machine they will be prompted for enrollment with the Symantec Encryption Managment Server.

Installation\Deployment Methods with the Managed client:

1. For information on including Symantec Encryption Desktop with a system image (also known as Golden Image, Master Image, Corporate Image, or Base Image), see TECH214364.

2. For information on installing Symantec Encryption Desktop without including specific components of the software, see HOWTO84112.

3. For information on installing Symantec Encryption Desktop using Invisible Silent Enrollment (Super Silent Enrollment), see HOWTO77014

4. Information on enrolling using Silent Enrollment see TECH149857


^Back to Top