How to include Symantec Endpoint Encryption 11.X in a System Image


Article ID: 178589


Updated On:


Endpoint Encryption




A system image, or also known as a "golden image", is a template of a system configuration that can then be deployed to multiple systems.  A system administrator prepackages the image with the operating system and applicable software, which would then be used to deploy to endpoint computers so each computer shares the same setup and configuration.  Larger Enterprise environments commonly use system images to configure computers to a pristine, working state.

In some cases, Symantec Endpoint Encryption can also be included as part of the system image as an installed application so that installation is not necessary later. You can provision Symantec Endpoint Encryption Drive Encryption and Removable Media Encryption on system images, which are then managed by Symantec Endpoint Encryption Management Server. Starting in version 11.0.0 MP2, Endpoint Encryption has the ability to be included into a system image, or Global Image when installed properly.

Before you provision Drive Encryption and Removable Media Encryption on a system image, be aware of the following considerations:

  • Symantec Endpoint Encryption 11.3.1 
  • When you install on system images, the installation must be run via the command line with msiexec used with a specific switch (instead of with a double-click to install).
  • This functionality is not supported as VDI master images.
  • The install time on cloned images is not unique. Each cloned image shares the same install time. Your reports in Symantec Endpoint Encryption Management Server display the same install time for each cloned computer. If you need to access the specific time when a cloned image first started running Symantec Endpoint Encryption, the event logs can be used. The logs include an event called "cloned."
  • You cannot use Drive Encryption and Removable Media Encryption functionality on your system image. However, when you create a cloned image, Symantec Endpoint Encryption applies the install-time policies and can run as normal
  • Drive Encryption and Removable Media Encryption do not work until the image is deployed to the system.  On the cloned image, the install-time policies execute normally.
  • Creating an image from another system that already has Symantec Endpoint Encryption installed is not supported.  In other words, create your image with all the applications installed that are needed, and at the very end, install Symantec Endpoint Encryption using the supported msiexec command.

Installing Symantec Endpoint Encryption products on a system image

When you install Symantec Endpoint Encryption products on a system image, you must use a specific command line parameter. This command line parameter instructs the installer to install into a system image environment and to use specific settings.

The command line parameter is: IMAGE=SYSTEM

For SEE 11.0.x:
msiexec /i "SEE Management Agent Client_x64.msi" IMAGE=SYSTEM

Note: Symantec Endpoint Encryption 11.0.0 included the use of multiple MSI files, so the command above used the Management Agent.

Symantec Endpoint Encryption 11.1 and above use a single MSI installer which includes the Management Agent, Drive Encryption and Removable Media Encryption clients. Symantec no longer recommends using the Symantec Endpoint Encryption 11.0 branch, and instead recommends using the latest version available, which takes advantage of the single-installer functionality.

For SEE 11.1 and above:
msiexec /i "SEE Client.msi" IMAGE=SYSTEM


To install Symantec Endpoint Encryption products on a system image:

  1. On the Symantec Endpoint Encryption Management Server, create the client installer packages (MSIs) by running the Installation Wizards (For SEE 11.0, the server will create a single MSI installer for the Management Agent, the Drive Encryption client, and the Removable Media Encryption client).  Symantec Endpoint Encryption 11.1 and above would create a single installer for all (32-bit and 64-bit installers is still applicable).
  2. On your system image, prepare the system image by running the command line above for the applicable version of Symantec Endpoint Encryption.
  3. Deploy the system image.
  4. When the computer is imaged the install-time policies are instantiated.
  5. Update the clone as you would any client computer, using GPOs or SEE Native policies, as desired.
  6. Over time, the cloned clients check in with the server. Run reports to track the state of your cloned clients.