How do I set up and use Symantec Endpoint Protection Cloud (SEPC) to encrypt my devices and manage my key(s)?
With SEPC, there is no "installation package" to deploy. If you meet the conditions found in this article, one of your licenses will be consumed. We leverage the encryption capabilities of your device, and we retain the recovery key in the cloud.
Windows 10 Professional
Requirements for SEPC (Symantec Endpoint Protection Cloud) Managed Encryption:
REQUIREMENT: SEPC ENCRYPTION LICENSES AVAILABLE
You need to purchase encryption licenses in order to have Symantec manage your recovery key.
REQUIREMENT: POLICY WITH ENCRYPTION ENABLED
Create a new SEPC security policy (or edit an existing one) so that Device Encryption is in the "on" position.
In SEP Cloud, create a new security policy > Under Device Encryption, select Encrypt device > If required, adjust other security policy settings, and then press Create a policy or Save changes.
Before you encrypt macOS or Android devices, review the manual steps that are required to decrypt them.
(To encrypt iOS and Android devices, install SEPC Mobile and put the device into a group that contains an encryption policy; the device should then be encrypted.)
Verify that you are installing on a compatible device.
These operating systems are not supported:
Verify that the Windows device has a TPM 2.0 chip installed: in the Start menu or the Run command box, type tpm.msc
The TPM pictured is version 1.2, so SEPC won't be able to leverage BitLocker to encrypt the device or manage the encryption key. TPM 2.0 is required.
Alternate check: open Device Manager, find Security devices and expand that category. Trusted Platform Module should show the version and indicate whether it is enabled.
For more on TPM in general, see Microsoft's documentation.
Check Windows BitLocker: Control Panel\System and Security\BitLocker Drive Encryption
If BitLocker is off, your machine is in a security group with an encryption policy, and there are SEPC encryption licenses available on your account, the device encryption should begin.
If BitLocker shows a status of "waiting for activation", then the drive is likely already at least partially encrypted, as some devices come pre-encrypted from the manufacturer but need additional setup to complete the process. The following process will allow you to check the status and decrypt the device if it is found to be at least partially encrypted.
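The TPM and BitLocker checks above can also be read from an elevated PowerShell session. This is an added example, not Symantec code: the helper name Test-EncryptionReadiness is hypothetical, and treating an encrypted drive with no key protectors as "waiting for activation" is an assumption. It only reports; license and policy requirements still have to be confirmed in SEP Cloud.

```powershell
#Requires -RunAsAdministrator
# Added example, not Symantec code: read-only pre-flight for the checks above.

function Test-EncryptionReadiness {   # hypothetical helper name
    param(
        [string]$SpecVersion,          # Win32_Tpm.SpecVersion, e.g. "2.0, 0, 1.38"
        [bool]$TpmEnabled,
        [string]$VolumeStatus,         # from Get-BitLockerVolume
        [int]$KeyProtectorCount
    )
    $findings = @()
    # The first comma-separated field of SpecVersion is the TPM specification version.
    $tpmVersion = ($SpecVersion -split ',')[0].Trim()
    if (-not $tpmVersion)            { $findings += 'No TPM detected; TPM 2.0 is required.' }
    elseif ($tpmVersion -ne '2.0')   { $findings += "TPM version is $tpmVersion; TPM 2.0 is required." }
    elseif (-not $TpmEnabled)        { $findings += 'TPM 2.0 is present but not enabled.' }

    if ($VolumeStatus -ne 'FullyDecrypted') {
        if ($KeyProtectorCount -eq 0) {
            # Assumption: encrypted data with no key protectors is what the
            # Control Panel reports as "waiting for activation".
            $findings += "Drive is '$VolumeStatus' with no key protectors (likely 'waiting for activation')."
        } else {
            $findings += "BitLocker is already in use on this drive ('$VolumeStatus')."
        }
    }
    [pscustomobject]@{ Ready = ($findings.Count -eq 0); Findings = $findings }
}

# Collect live values from this device (system drive only).
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
    -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop

$result = Test-EncryptionReadiness `
    -SpecVersion ([string]$tpm.SpecVersion) `
    -TpmEnabled ([bool]$tpm.IsEnabled_InitialValue) `
    -VolumeStatus ([string]$vol.VolumeStatus) `
    -KeyProtectorCount (@($vol.KeyProtector).Count)

$result.Findings
if ($result.Ready) { 'TPM 2.0 is enabled and BitLocker is off on the system drive.' }
```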
Similarly, FileVault2 needs to already be OFF. On your Mac device, open System Preferences > Security and Privacy > click on the FileVault tab
Click on the lock to make changes on your mac and enter the Mac password
Now click to turn on FileVault
You will now be presented with options for storing the recovery key: choose "store your recovery key at the location above" (SEP Cloud or SEPC).
Once this is done, you will be prompted to restart the computer to begin the encryption process.
Encryption time will vary depending on the amount of data on the disk. Look for evidence of encryption once you have followed all the steps.
Once encryption has begun, there are ways you can verify it: the recovery key will be visible from the device page, as seen in the picture below.
You will also be able to see the encryption state of the device under events, and that the device is encrypting, as pictured below:
Finally, the device page will show this icon seen below, to signify the device is encrypted :
If your Windows computer is still not starting the encryption process after you've followed everything on this checklist, please follow this: