How to include Symantec Endpoint Encryption 11 in a System Image - Provisioning the SEE Client for new Machines
Article ID: 178589


Products

Endpoint Encryption Drive Encryption Desktop Email Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Encryption Suite PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

Symantec Endpoint Encryption can be included inside a "Golden Image", "Corporate Image", or "System Image". However, including Symantec Endpoint Encryption in the image must be done carefully to avoid duplicating GUID values.

If the SEE Client is improperly deployed to endpoints, the "ComputerID" value will be the same for all machines. When this happens, the machines will not show up on the server properly. Systems will typically appear to check in, but only the last-updated machine will be present.

It will still be possible to get a recovery key because Symantec Endpoint Encryption has "Connectionless Recovery" which can recover an encrypted machine even if it has not checked in. However, it is still a problem that would need to be manually fixed.

This article goes over all the steps to properly include the client into a corporate image.

 

Resolution

There are two methods for "Provisioning" systems with Symantec Endpoint Encryption, and this article covers both:

 

 

Method 1:  Install Symantec Endpoint Encryption at the end of the Imaging process (SEE Client not included in the Golden Image)

Symantec recommends deploying/installing the SEE Client to machines after the systems are imaged so that the software is not included in the image itself, but will be installed at the end of the imaging process.  One very beneficial feature of the Symantec Endpoint Encryption software is it can be installed on a system and encryption can start automatically without any "Enrollment" or "Registration" process needed from the end user.  As a result, this is the preferred method to use.

To do this, install Symantec Endpoint Encryption on the system and, after installation is finished, reboot the system. The system can stay at the Windows login screen and will start encrypting.

If the machine is rebooted without any users logging in, the preboot screen will be skipped, even though all sectors are encrypted.

Once a user logs in for the first time, they will be automatically registered and this will engage the preboot upon rebooting the system.

 

For information on how to install the SEE Client, see the following article:
252118 - Installing the Symantec Endpoint Encryption Client

If this method is chosen, it's a good idea to reboot the system after all the imaging operations have completed so that any pending reboots may be cleared.

If you install the SEE client on a machine, it is recommended not to log in if at all possible, so the system can be delivered to the end user. Otherwise, the user may need to reach out to the HelpDesk for assistance getting past the preboot screen.

The Autologon functionality can also be enabled until the user is able to register.

For more information on Autologon, see the following two handy articles:

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings

 

 

Method 2:  Including the SEE Client into the Golden Image

A system image, also known as a "Golden Image", is a template of a system configuration that can then be deployed to multiple systems. A system administrator prepackages the image with the operating system and applicable software, which is then used to deploy to endpoint computers so each computer shares the same setup and configuration. Larger Enterprise environments commonly use system images to configure computers to a pristine, working state.

In some cases, Symantec Endpoint Encryption can also be included as part of the system image as an installed application so that installation is not necessary later. You can provision Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption on system images, which are then managed by Symantec Endpoint Encryption Management Server. 

Before you provision Drive Encryption and Removable Media Encryption on a system image, be aware of the following considerations:

  • When you install on system images, the installation will be run via the command line with Msiexec used with a specific switch (instead of with a double-click to install).
  • This functionality is not supported for VDI master images.
  • The install time on cloned images is not unique. Each cloned image shares the same install time. Your reports in Symantec Endpoint Encryption Management Server display the same install time for each cloned computer. If you need to access the specific time when a cloned image first started running Symantec Endpoint Encryption, the event logs can be used. The logs include an event called "cloned."
  • You cannot use Drive Encryption and Removable Media Encryption functionality on your system image. However, when you create a cloned image, Symantec Endpoint Encryption applies the install-time or client-embedded policies and can run as normal.
  • Drive Encryption and Removable Media Encryption do not work until the image is deployed to the system.  On the cloned image, the install-time policies execute normally.
  • Creating an image from another system that already has Symantec Endpoint Encryption installed is not supported.  In other words, create your image with all the applications installed that are needed, and at the very end, install Symantec Endpoint Encryption using the supported Msiexec command.

 

Command line for preparing Symantec Endpoint Encryption agent in a mass deployable image:

When you install Symantec Endpoint Encryption products on a system image, you must use a specific command line parameter. This command line parameter instructs the installer to install into a system image environment and to use specific settings.

The command line parameter is: IMAGE=SYSTEM

 

For SEE 11.1 and above:

msiexec /i "SEE Client.msi" IMAGE=SYSTEM

 

To install Symantec Endpoint Encryption products on a system image:

  1. On the Symantec Endpoint Encryption Management Server, create the client installer packages (MSIs) by running the Installation Wizards (for SEE 11.0, the server creates a single MSI installer for the Management Agent, the Drive Encryption client, and the Removable Media Encryption client). Symantec Endpoint Encryption 11.1 and above creates a single installer for all components (separate 32-bit and 64-bit installers are still applicable).
     
  2. On your system image, prepare the system image by running the command line above for the applicable version of Symantec Endpoint Encryption.
     
  3. Deploy the system image.
     
  4. When the computer is imaged, the install-time policies are instantiated.
     
  5. Update the clone as you would any client computer, using GPOs or SEE Native policies, as desired.
     
  6. Over time, the cloned clients check in with the server. Run reports to track the state of your cloned clients.
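The following PowerShell script is an added example, not a script from the article or from Symantec; it wraps the IMAGE=SYSTEM command above as the final step of image preparation, refusing to run if a SEE client is already present (cloning an installed system is unsupported) and checking the msiexec exit code. The installer and log paths, and the /qn and /L*v switches (standard msiexec options, not mentioned in the article), are assumptions; adjust them for your environment.

```powershell
# Added example: prepare a golden image by installing the SEE Client in image mode.
# Run elevated, as the last step before capturing the image.
$msi = 'C:\Install\SEE Client.msi'          # assumed path to the server-generated MSI
$log = 'C:\Install\SEEClient-image.log'     # assumed path for the verbose MSI log

if (-not (Test-Path -LiteralPath $msi)) {
    throw "Installer not found: $msi"
}

# Sanity check: the article states that imaging a system that already has SEE
# installed is not supported, so stop if the client registry key already exists.
$clientKey = 'HKLM:\SOFTWARE\Encryption Anywhere\Framework\Client Database'
if (Test-Path -LiteralPath $clientKey) {
    throw 'SEE client is already installed on this image; prepare a clean image instead.'
}

# IMAGE=SYSTEM is the article's required parameter; /qn and /L*v are assumed extras.
$msiArgs = @('/i', "`"$msi`"", 'IMAGE=SYSTEM', '/qn', '/L*v', "`"$log`"")
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0       { Write-Output 'SEE Client installed in image mode; capture the image now.' }
    3010    { Write-Output 'SEE Client installed; Windows reports a reboot is required (3010).' }
    default { throw "msiexec exited with code $($proc.ExitCode); review $log" }
}
```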

 

It is highly recommended to test this deployment process on several systems with differing hostnames so that you can validate that all systems are checking in and no duplicate GUIDs are encountered.
If you do run into issues with systems going into the Deleted Computers container on the server, most likely this is due to duplicate GUIDs.  Reach out to Symantec Encryption Support for further guidance to correct this situation where an "UpdateSEEGUID" script can be provided to help.

Intune Considerations:  Managing systems encrypted with Symantec Endpoint Encryption

Using Microsoft's Intune to manage Symantec Endpoint Encryption is known to work, and no special steps are required to deploy using this solution.
The SEE Client uses a standard .MSI installation file and can be deployed easily and quickly using any deployment utility, such as Symantec IT Management Suite (Altiris), or other deployment solutions such as SCCM, Intune, etc.

If you are using Intune to "Reset" machines, depending on how the system is being managed, and related to one-click "Wipe/Reset" functionality for the system, Intune may require additional configuration.  For more details on this, reach out to Symantec Encryption Support for further guidance and mention this article.
IMSFR-899

Troubleshooting and Validation:
If you have included Symantec Endpoint Encryption in your corporate image improperly, this can be fixed, but it will require guidance from Symantec Encryption Support using a corrective script.

 

To check whether machines share the same value, open the registry on the affected machines that may not be showing up on the SEE Management Server, and go to the following registry key:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Framework\Client Database

Make note of the UUID listed for "ComputerID".

If multiple systems have the same ComputerID value, contact Symantec Support for further assistance.
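The following PowerShell script is an added example, not from the article or from Symantec; it automates the validation recommended earlier (checking several freshly imaged systems for duplicate GUIDs) and the registry check just described, by collecting the ComputerID value from a list of hosts and reporting any value that appears more than once. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller has administrative rights on them; the registry path is the one given in the article.

```powershell
# Added example: detect duplicate SEE ComputerID values across imaged machines.
# Usage: .\Find-DuplicateSeeComputerId.ps1 -ComputerName PC01,PC02,PC03
param(
    [Parameter(Mandatory)] [string[]] $ComputerName
)

# Registry key from the article; ComputerID is the per-machine UUID to compare.
$keyPath = 'HKLM:\SOFTWARE\Encryption Anywhere\Framework\Client Database'

# Read the value on every reachable host (assumes WinRM is enabled).
$results = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
    $key = Get-ItemProperty -Path $using:keyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        ComputerID = if ($key) { $key.ComputerID } else { $null }
    }
}

# Hosts that never answered are not proof of a problem, but they still need a manual look.
$unreachable = $ComputerName | Where-Object { $_ -notin $results.PSComputerName }
foreach ($h in $unreachable) { Write-Warning "$h`: unreachable, check it manually" }

# Hosts where the SEE client key is missing (client not installed or install failed).
$results | Where-Object { -not $_.ComputerID } |
    ForEach-Object { Write-Warning "$($_.Host): SEE client key not found" }

# Group by ComputerID; any group with more than one host is a duplicate GUID.
$dupes = $results | Where-Object { $_.ComputerID } |
    Group-Object -Property ComputerID | Where-Object { $_.Count -gt 1 }

if ($dupes) {
    foreach ($g in $dupes) {
        Write-Output "DUPLICATE ComputerID $($g.Name) on: $($g.Group.Host -join ', ')"
    }
    Write-Output 'Duplicate ComputerID values found; contact Symantec Support for the corrective script.'
    exit 1
}
Write-Output "No duplicate ComputerID values across $($results.Count) host(s)."
```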

Additional Information