This article includes all the steps necessary to install the Symantec Encryption Desktop client which is Managed by Symantec Encryption Management Server. All points will be discussed, including where to download the software, as well as performing the actual installation.
NOTE: If you do not use a Symantec Encryption Management Server and need instructions for the Standalone client, or unmanaged client, please see article HOWTO101895.
Click the links in the Table of Contents below to skip directly to each topic discussed in this article.
Table of Contents
Encryption Desktop for Windows - System Requirements
For all information related to Symantec Encryption Desktop system requirements, including compatible Operating Systems, see KB TECH224415.
Compatible Virtual Servers
Considerations and Best Practices
Additional Requirements for Drive Encryption on UEFI Systems
The following requirements apply only if you are encrypting your disk. If you are installing Symantec Encryption Desktop for email or other Symantec Encryption Desktop functions, you can install on Windows 8/8.1 32-bit systems and boot using UEFI mode without having to meet these requirements. To encrypt systems booting in UEFI mode, the following additional requirements must be met:
Note: Symantec Drive Encryption is not compatible with other third-party software that could bypass the Symantec Drive Encryption protection on the Master Boot Record (MBR) and write to or modify the MBR. This includes such off-line defragmentation tools that bypass the Symantec Drive Encryption file system protection in the OS or system restore tools that replace the MBR.
For more information about requirements for UEFI systems, see article TECH203071, "Symantec Encryption Desktop 10.3.2 compatibility with Microsoft Windows 8/8.1".
Symantec Drive Encryption on Windows Servers
Symantec Drive Encryption is supported on all of the following Windows Server versions:
Note: Dynamic disks and software RAID are not supported.
For additional system requirements and best practices information for use on Windows Servers, see article TECH149613 "Drive Encryption on Windows Servers"
The following best practices prior to the installation of Symantec Encryption Desktop:
Finding your Serial number or License Number:
You should have received your Serial and License numbers in emails sent from Symantec. If you have not received your Serial or License numbers for your Symantec Encryption products, or if you have questions or concerns related to getting your Serial or License numbers, please contact Symantec Customer Care at 1-800-721-3934.
For a list of all Customer Care numbers in your region, click here.
Downloading the proper Symantec Encryption Products
Selecting the proper download:
TIP: Before being able to download the Managed or Customized Symantec Encryption Desktop client, a Symantec Encryption Management Server must be installed and properly configured. Review the Symantec Encryption Management Server 3.3.2 Installation Guide for more information. The next steps in this article go over how to download Symantec Encryption Management Server. After that, the rest of this article assumes the proper configuration of Symantec Encryption Management Server has been completed.
NOTE: If the serial number is entered, and different products are available, be sure to select "Symantec Drive Encryption with Encryption Management Server 10.3". This will ensure only the correct product is available for download.
For information on how to install Symantec Encryption Management Server see HOWTO103769
Once Symantec Encryption Management Server has been installed, and properly configured, creating the Managed, or Customized Installation package for Symantec Encryption Desktop is then possible. The only real difference with a customized installation package and a standalone package is the PGPStamp that is built in to the customized package, which tells the client which Symantec Encryption Management Server to enroll with, an communicate with going forward.
Downloading Client From Server
1. Login to Symantec Encryption Management Server by using a Web browser and type in the URL for your server port 9000. (ex. HTTPS://keys.yourdomain.com:9000)
2. From the System Overview page click on the Consumers tab.
3. Once you are on the Consumers page click Group tab from the overview, Then select Download Client... from bottom dialog box
4.Check the box "Customize" in order to create a Managed client, and select the proper Operating System in which to deploy the client.
The method of enrollment will dictate whether to use "Auto-Detect", or "Preset Policy". If Directory Synchronization is being used, which communicates with an LDAP server, and each end user will enroll with a username and password, choose "Auto-Detect". If Directory Synchronization is *not* being used, choose "Preset Policy".
The option "Embed Policy and license information" should be used only in environments where communication with Symantec Encryption Management Server will never happen. In most cases, communication is possible at least at time of enrollment and this setting is not recommended, however for more information on Embed Policy, please see article TECH148945.
5. In this example, the user is running Windows 64-bit, Directory Synchronization has been configured, the user will enroll with a username and password, so Auto-Detect will be chosen.
6. In the "Symantec Encryption Management Server" field, choose the FQDN the client will use to communicate back to the Symantec Encryption Management Server. If Load Balancing is being used, this may not be the actual hostname of Symantec Encryption Management Server, so use whatever hostname the client will be able to resolve to enroll, and communicate with going forward. In this example, the client will communicate with keys.manageddomain.dom. DNS Round Robin is not a supported configuration--see article TECH232699 for more information.
7. The "Mail Server Binding" field, typically "*" is used, which will use whatever mail server the mail client will be using. If a specific mail server binding is needed, enter the FQDN of the mail server in question.
8. After all the desired settings are used, click "Download" to download the Managed or Customized package. The resulting file will be similar to "PGPDesktop_en_US.msi".
Installing the Application
Before installing the application determine if the Operating System is 32-bit or 64-bit. For assistance in finding what version the machine is running please see the following article:
NOTE: if you do not accept the license agreement you will not be able to complete the installation
NOTE: The following message is caused by using 32-bit installer on 64 bit OS. Alternately if you attempt to use a 64-bit installer on 32 bit OS you will get a similar error. Please download the correct version for the system you are installing
NOTE: The following message may not be displayed depending on User Account Control settings inside the Windows Operating System.
After reboot of system once user logs into the machine they will be prompted for enrollment with the Symantec Encryption Managment Server.
Installation\Deployment Methods with the Managed client:
1. For information on including Symantec Encryption Desktop with a system image (also known as Golden Image, Master Image, Corporate Image, or Base Image), see TECH214364.
2. For information on installing Symantec Encryption Desktop without including specific components of the software, see HOWTO84112.
3. For information on installing Symantec Encryption Desktop using Invisible Silent Enrollment (Super Silent Enrollment), see HOWTO77014
4. Information on enrolling using Silent Enrollment see TECH149857