Symantec Endpoint Encryption Database Maintenance - Cleanup old machines and client data

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption Management Server has a feature that allows you to clean up machines and client events that are older than 1, 2, or 3 years.

This article will go over the steps on how to do this.

TIP: For additional reporting help, see the following articles:

195890 - Building Custom Reports with Symantec Encryption Management Server

200820 - Aging systems report for Symantec Endpoint Encryption (non-reporting computers)

Resolution

There are times when machines are retired, or otherwise repurposed, and in these scenarios it is useful to remove them from the reporting as they are no longer officially managed by the SEE Management Server. Symantec Endpoint Encryption 11.4 and above include Archive and Delete capability of individual machines.

Definitions for Symantec Endpoint Encryption Web Portal:

Archived/Inactive Computers - This means the machine is moved to a hidden container (Deleted Computers) where the machines still exist in the database, but are not going to be included in the regular reports.
The reports will, therefore, contain only the those active systems that are still checking in to the SEE Management Server on a regular basis.

Archived/Inactive Computers will **not** show up in the regular reporting under two conditions:

1. The machine was archived manually by the SEE Management Server Administrator (This event is logged).
2. The machine has not checked in within the last three years (This is not an event, but rather a natural movement from Active to Inactive).
3. The machine was reimaged with the same hostname (This is an automatic event that happens during re-imaging).
If the system was checking in to the server, and was re-imaged, but kept the same hostname, the previous entry will be moved automatically to the hidden container and the last checked in system will appear.

Important Note: If you are comparing the Web portal items to the MMC items in reporting, these numbers will not match because the MMC will show All machines, even if they haven't checked in for 3 years.
The web portal will show only systems that have reported to the SEE Management Server within the last three years.

Once you find a machine in the Web Portal, you can check the box next to the system that you would like to archive and then click the "Archive" option. Once you do this, you will get a prompt stating the system will go into the Deleted Computers container and will no longer appear in the reports. This functionality can be done for multiple systems at once or individually:

If you would like to delete the computer so that it no longer appears even in the Deleted Computers table, you can click the option to "Delete".

TIP: Once machines are archived the machine is still in the database in the container mentioned above and can be restored from there. Although these systems can be restored, it is a good idea to have frequent backups of the SEE Database prior to perform these maintenance tasks.

If you would like to have the machine removed permanently, this can be done by first finding the machine, and then clicking the "Delete" option at the top:

Once a machine is deleted, it skips the "Deleted Computers" container and will be gone forever, so use this feature with caution. For this reason, it is not possible to delete more than one machine at a time.

Note: If you delete a machine in the encryption environment, and the system comes online and checks in with the SEE Management Server, it may appear in the reports again.

If you would like to perform a mass removal of machines that have not checked in with the SEE Management Server for 1, 2, or 3 years, you can follow the rest of this article:

First, Open SEE Management Server:

Next, Click File, Then "Add/Remove Snap-in...":

This will pull up the available snap-ins. Look for SEE Database Maintenance:

Add this to the Selected snap-ins list to the right:

Now that it has been added, you'll see the SEEMS Database Maintenance available from the list:

As you can see, you have the ability to clean up machine and events that are older than One Year, Two Years, or Three Years.

Important: Before performing this cleanup routine, it is recommended to first backup the SEEMS SQL database itself in case you may need these records.

Symantec Enterprise Division always recommends making regular backups of the servers.

In this example, we will delete some client events. Once you select the option to delete, a message appears.

Depending on the amount of data it needs to purge, this could take some time, and may have an effect on the system performance of the server.

The safest time to do this would be after hours.

If this is a good time to purge these client events, say "Yes":

Once the cleanup has completed, the following message appears:

Similar messages pop up when cleaning up machines that are older than 1, 2, or 3 years.

These events are logged as can be seen in the Admin Log of SEEMS:

Important TIP: After you click the "X" to close the MMC snap-in, be sure to say "Yes" to save the SEE Database Maintenance" snap-in, otherwise, the next time you open this, you'll have to re-add this component. This will need to be done for each user logging in and using this snap-in.