Starting with Endpoint Encryption 11.3.1, when upgrading, it is no longer necessary to connect to the Endpoint Encryption database (SEEMSDb by default) using SQL Server Authentication and an account that has the sysadmin role.
Instead, you can upgrade by connecting to the database using an account that has the db_owner role. Note that a sysadmin account is still needed in order to do a fresh install because the installer needs to create the database.
Using an account with db_owner membership is far more convenient because in most organizations, obtaining even temporary access to a sysadmin account can prove difficult.
The db_owner role can be assigned to a Windows account. You can then connect to the database using Windows Authentication during the upgrade.
You may see this error when trying to upgrade:
The account does not have db_owner membership.
Symantec Endpoint Encryption 11.3.1 and above.
In order to grant the account db_owner membership, please do the following:
Note that the account with db_owner membership will not necessarily be able to manage the SEEMSDb database using SQL Server Management Studio. This is by design. However, that account can still be used to upgrade Endpoint Encryption Management Server.
The Endpoint Encryption database access account is used by the Endpoint Encryption web service to interact with the database. It is specified in SEEMS Configuration Manager. At a minimum, it requires db_datareader and db_datawriter membership. You can add db_owner membership to this account and use it to upgrade Endpoint Encryption. However, please bear in mind the principle of least privilege and consider removing db_owner membership from this account once you have upgraded Endpoint Encryption Management Server.