A new WDRT (Whole Disk Recovery Token) is only created for an Encryption Desktop client if the client can connect to Encryption Management Server over https and authenticate.

If the client cannot connect over https to the server then the existing WDRT remains active.

A new WDRT is created after a WDRT is used to authenticate at bootguard and the user logs into Windows.

If a client cannot connect to the server, an entry like this appears in the Encryption Desktop log:

Scheduled sync with keys.example.com failed; server is unreachable

If a client can connect and authenticate, an entry like this appears in the Encryption Desktop log:

Completed synchronization with configuration server keys.example.com

In addition, in the administration console of Encryption Management Server under Reporting / Logs / Client log, an entry like this will be seen when a client authenticates:

authenticated internal Encryption Desktop 10.5.0.1721 user first.last from [192.168.1.198]

• Symantec Encryption Desktop 10.5 and above.
• Symantec Encryption Management Server 10.5 and above.

Please ensure that Encryption Desktop clients are authenticating to Encryption Management Server if you want new WDRTs to be generated.