Symantec Endpoint Encryption can be included inside of a "Golden Image", "Corporate Image", or "System Image". However; including Symantec Endpoint Encryption into the image must be done carefully to avoid duplicating GUID values.
If the SEE Client is improperly deployed to endpoints, it will result in the "ComputerID" value being the same for all machines. When this happens, the machines will not show up on the server properly. Systems will typically appear to check in, but only the last-updated machine will be present.
It will still be possible to get a recovery key because Symantec Endpoint Encryption has "Connectionless Recovery" which can recover an encrypted machine even if it has not checked in. However, it is still a problem that would need to be manually fixed.
This article goes over all the steps to properly include the client into a corporate image.
There are two methods for "Provisioning" systems with Symantec Endpoint Encryption and this article cover these topics:
Symantec recommends deploying/installing the SEE Client to machines after the systems are imaged so that the software is not included in the image itself, but will be installed at the end of the imaging process. One very beneficial feature of the Symantec Endpoint Encryption software is it can be installed on a system and encryption can start automatically without any "Enrollment" or "Registration" process needed from the end user. As a result, this is the preferred method to use.
To have this happen, install Symantec Endpoint Encryption on the system and after installation is finished, reboot the system. The system can stay at the Windows login screen and will start encrypting.
If the machine is rebooted without any users logging in, the preboot screen will be skipped, even though all sectors are encrypted.
Once a user logs in for the first time, they will be automatically registered and this will engage the preboot upon rebooting the system.
For information on how to install the SEE Client, see the following article:
252118 - Installing the Symantec Endpoint Encryption Client
If this method is chosen, it's a good idea to reboot the system after all the imaging operations have completed so that any pending reboots may be cleared.
If you install the SEE client on a machine, it would be recommended to not login if at all possible, so the system can be delivered to the end user. Otherwise, the user may need to reach out to HelpDesk for assistance getting passed the preboot screen.
The Autologon functionality can be engaged until the user can register as well.
For more information on Autologon, see the following two handy articles:
A system image, or also known as a "Golden Image", is a template of a system configuration that can then be deployed to multiple systems. A system administrator prepackages the image with the operating system and applicable software which would then be used to deploy to endpoint computers so each computer shares the same setup and configuration. Larger Enterprise environments commonly use system images to configure computers to a pristine, working state.
In some cases, Symantec Endpoint Encryption can also be included as part of the system image as an installed application so that installation is not necessary later. You can provision Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption on system images, which are then managed by Symantec Endpoint Encryption Management Server.
Before you provision Drive Encryption and Removable Media Encryption on a system image, be aware of the following considerations:
Command line for preparing Symantec Endpoint Encryption agent in a mass deployable image:
When you install Symantec Endpoint Encryption products on a system image, you must use a specific command line parameter. This command line parameter instructs the installer to install into a system image environment and to use specific settings.
The command line parameter is:
For SEE 11.1 and above:
msiexec /i "SEE Client.msi" IMAGE=SYSTEM
To install Symantec Endpoint Encryption products on a system image:
It is highly recommended to test this deployment process on several systems with differing hostnames so that you can validate that all systems are checking in and no duplicate GUIDs are encountered.
If you do run into issues with systems going into the Deleted Computers container on the server, most likely this is due to duplicate GUIDs. Reach out to Symantec Encryption Support for further guidance to correct this situation where an "UpdateSEEGUID" script can be provided to help.
If you have included Symantec Endpoint Encryption into your corporate image improperly, this can be fixed, but will require Symantec Encryption support for guidance using a corrective script.
To check if the machine has the same value, open the registry on the affected machines that may not be showing up on the SEE Management Server, and go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Framework\Client Database
Make note of the UUID listed for "ComputerID".
If multiple systems have the same ComputerID value, then you will want to contact Symantec Support for further assistance.