How to remotely decrypt a Symantec Endpoint Encryption - Full Disk (SEE-FD) client

Article:TECH104209  |  Created: 2008-01-21  |  Updated: 2008-01-26  |  Article URL
Article Type
Technical Solution


Remotely decrypting an SEE-FD client.


Remote decryption can be done in five ways:
  1. If the User was given the ability to decrypt the machine open the Client Console and use the option to decrypt manually
  2. When logging into the encrypted machine using the Symantec Endpoint Encryption Client Admin and opening the Client Console the option to decrypt the machine can be done manually.
  3. Create a Group Policy Objects (GPO) (see steps 1-10 below), and run the .msi file manually on the machine
  4. Create a GPO policy (see steps 1-14 below), and apply it to all the machines which are in the location in the Symantec Endpoint Encryption Manager. The remote decryption policy is used by policy administrators to decrypt all encrypted disk partitions on computers protected by Symantec Endpoint Encryption-Full Disk without having to physically send a client administrator to the location(s) of the computers.

Creating a Remote Decryption Policy. To create a remote decryption policy, perform the following steps:
  1. Right-click Group Policy Objects on the navigation tree.
  2. Click New. The New GPO (Group Policy Object Editor) window displays.
  3. Type the name of the Group Policy Object you wish to create.
  4. Click OK. The new Group Policy Object you created is displayed in the navigation tree.
  5. Right-click the new Group Policy Object on the navigation tree.
  6. Click Edit. The Group Policy Object Editor (GPOE) displays.
  7. Click Software Settings > Symantec Endpoint Encryption > Symantec Endpoint Encryption-Full Disk> Remote Decryption.
  8. Select the Change this Setting option.
  9. Select Decrypt all disk partitions.
  10. Click Save.
  11. Close the GPOE window.
  12. Drag and drop to link the policy to the target location containing the computers you wish to decrypt.
  13. Restart the computers receiving this computer policy to cause it to take effect.
  14. Monitor decryption progress using the Client Monitor.

    Note: When recover.exe /D or /B is successfully run on a client computer, a new workstation encryption key (WEK) is created, causing the computer’s data stored in Active Directory Application Mode (ADAM) to become out of date. After successfully executing recover.exe /D or /B on a client computer, always make sure that the client computer checks in at least once so that the new data can be stored in ADAM.

    Warning: Although decryption of all disk partitions begins immediately after the remote decryption policy has been processed on the client computer, remote decryption is a computer policy which is only processed at boot time.

  15. When necessary the machine may be decrypted using the Recover utility option /d. This should be done only when other methods can not be utilized.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices