Symantec Endpoint Encryption Management Server has a feature that allows you to clean up machines and client events that are older than 1, 2, or 3 years.
This article will go over the steps on how to do this.
TIP: For additional reporting help, see the following articles:
195890 - Building Custom Reports with Symantec Encryption Management Server
200820 - Aging systems report for Symantec Endpoint Encryption (non-reporting computers)
There are times when machines are retired, or otherwise repurposed, and in these scenarios, it is useful to remove them from the reporting as they are no longer officially managed by the SEE Management Server. Symantec Endpoint Encryption 11.4 and above include Archive and Delete capability of individual machines.
Definitions for Symantec Endpoint Encryption Web Portal:
Archived/Inactive Computers - This means the machine is moved to a hidden container (Deleted Computers) where the machines still exist in the database, but are not going to be included in the regular reports.
The reports will, therefore, contain only the those active systems that are still checking in to the SEE Management Server on a regular basis.
Archived/Inactive Computers will **not** show up in the regular reporting under two conditions:
1. The machine was archived manually by the SEE Management Server Administrator (This event is logged).
2. The machine has not checked in within the last three years (This is not an event, but rather a natural movement from Active to Inactive).
3. The machine was reimaged with the same hostname (This is an automatic event that happens during re-imaging).
If the system was checking in to the server, and was re-imaged, but kept the same hostname, the previous entry will be moved automatically to the hidden container and the last checked in system will appear.
Important Note: If you are comparing the Web portal items to the MMC items in reporting, these numbers will not match because the MMC will show All machines, even if they haven't checked in for 3 years.
The web portal will show only systems that have reported to the SEE Management Server within the last three years.
Once you find a machine in the Web Portal, you can check the box next to the system that you would like to archive and then click the "Archive" option. Once you do this, you will get a prompt stating the system will go into the Deleted Computers container and will no longer appear in the reports. This functionality can be done for multiple systems at once or individually:
If you would like to delete the computer so that it no longer appears even in the Deleted Computers table, you can click the option to "Delete".
TIP: Once machines are archived the machine is still in the database in the container mentioned above and can be restored from there. Although these systems can be restored, it is a good idea to have frequent backups of the SEE Database prior to perform these maintenance tasks.
If you would like to have the machine removed permanently, this can be done by first finding the machine, and then clicking the "Delete" option at the top:
Once a machine is deleted, it skips the "Deleted Computers" container and will be gone forever, so use this feature with caution. For this reason, it is not possible to delete more than one machine at a time.
Note: If you delete a machine in the encryption environment, and the system comes online and checks in with the SEE Management Server, it may appear in the reports again.
If you would like to perform a mass removal of machines that have not checked in with the SEE Management Server for 1, 2, or 3 years, you can follow the rest of this article:
First, Open SEE Management Server:
Next, Click File, Then "Add/Remove Snap-in...":
This will pull up the available snap-ins. Look for SEE Database Maintenance
Add this to the Selected snap-ins list to the right:
Now that it has been added, you'll see the SEEMS Database Maintenance available from the list:
As you can see, you have the ability to clean up machine and events that are older than One Year, Two Years, or Three Years.
Important: Before performing this cleanup routine, it is recommended to first backup the SEEMS SQL database itself in case you may need these records.
Symantec Enterprise Division always recommends making regular backups of the servers.
In this example, we will delete some client events. Once you select the option to delete, a message appears.
Depending on the amount of data it needs to purge, this could take some time, and may have an effect on the system performance of the server.
The safest time to do this would be after hours.
If this is a good time to purge these client events, say "Yes".
Similar messages pop up when cleaning up machines that are older than 1, 2, or 3 years.
These events are logged as can be seen in the Admin Log of SEEMS:
Important TIP: After you click the "X" to close the MMC snap-in, be sure to say "Yes" to save the SEE Database Maintenance" snap-in, otherwise, the next time you open this, you'll have to re-add this component. This will need to be done for each user logging in and using this snap-in.
For more information on the SEE 11.4 Dashboard, and Reports, see the following article:
240649 - Symantec Endpoint Encryption 11.4 Dashboard and Reports
Scenario 1: Computers going into the "Deleted Computers" container or Archived status automatically.
Potential Cause 1: If you have a scenario where systems have gone into this status, or automatically placed into Deleted computers, you may have included SEE into your Global Image improperly.
There is a specific way for this to be done.
Ideally, we recommend installing SEE fresh on each system post imaging and not include, but if you need to include SEE, follow the steps in the following article:
178589 - How to include Symantec Endpoint Encryption 11 in a System Image - Provisioning the SEE Client for new Machines
Potential Cause 2: If you have Active Directory enabled in the SEEMS Configuration Manager, this may be causing systems to go into Archived status automatically.
Once systems check in, they appear proper, but after a synchronization, the systems may go back to archived status.
If you are seeing this behavior, reach out to Symantec Encryption Support for further guidance and troubleshooting and reference ID EPG-34688 for further review.
For more details on this feature, please review the SEEMS Help file.
For further assistance cleaning up these systems, contact Symantec Enterprise Division Support.
ISFR-2025
EPG-22856
ISFR-1674/EPG-24116
ISFR-1675/EPG-24117
ISFR-1574/EPG-22610
ISFR-2025
ISFR-2051
ISFR-2050
195890 - Building Custom Reports with Symantec Endpoint Encryption Management Server
227761 - Create a Symantec Endpoint Encryption Client Report based on build number
200820 - Aging systems report for Symantec Endpoint Encryption (non-reporting computers)