Symantec Endpoint Encryption Drive Encryption permits managed clients connected to the Symantec Endpoint Encryption Management Server (SEE Management Server) to encrypt hard drives. This means that you can create a SEE Client from the SEE Management Server, and once the machine checks in with the server, a Recovery Key can be used. This is the scenario where the SEE Client was able to communicate with the SEE Management Server at least once.
This article covers the general flow of the Help Desk Recovery process as it is typically seen.
For "disconnected" or "Connectionless" recovery, see the following article:
If the user forgets their pre-boot passphrase and presses F4 to enter a recovery token, they will see the Help Desk Recovery screen.
The typical recovery screen for systems that have connected displays the Computer Name and a Sequence Number that can be provided to the SEE Helpdesk Admin.
The Helpdesk Admin will provide a Recovery Key that is entered on this screen to allow the system to boot up.
Client Side Experience
If a client has connected to the SEE Management Server at least one time, a Computer Name and Sequence Number are all that is needed to obtain the Recovery Key from the SEE Management Server Help Desk Recovery portal.
To get to this screen, press F4 on the main Preboot screen, and then read this information to the Help Desk Administrator.
Help Desk Recovery Experience
The administrator logs in to the SEE Management Server Web Console:
Note: If you do not have the proper Help Desk Role, this will not work. For more information on Server Roles, see the following article:
214027 - Symantec Endpoint Encryption Admin Server Roles and Server Roles Report
Next, the administrator clicks the "Help Desk" icon on the left side:
The Help Desk Administrator then enters the information provided by the end user:
If the information provided does not match the records, the following error may be displayed:
Enter the proper information on the screen and try again to display the Recovery Key:
The administrator provides this information to the end user. The checksum values "AX" are used so the end user knows the proper Recovery Key was entered.
If the end user receives different checksum values, they should check the entry and enter the proper values.
The end user will then be able to boot up the system.
If you have machines that have been encrypted, but have not yet connected to the SEE Management Server, recovery is still possible.
For more information on "Connectionless Recovery", see the following article:
For additional guidance, reach out to Symantec Encryption Support.