Endpoint Encryption

  • 1.  Endpoint Encryption Removable Storage Workgroup Key Not Working

    Posted Jun 08, 2016 10:43 AM

    I have installed Symantec Endpoint Encryption 11.1.1 and have been trying unsuccessfully to get the Workgroup Keys feature working.  I have successfully created a GPO with a Workgroup key set; however, if I copy a file to a USB stick on one PC (encrypts automatically) and take it to another PC in the same group, I still get prompted to enter a password to decrypt.  I was under the impression that if both machines were assigned the same Workgroup Key they would not be prompted for a password.

    The event viewer on both machines is indicating that "the group key has been updated succesfully" at boot up, so it appears the workgroup keys are being applied correctly.  Any ideas?  Are there any special prerequisites for this to work correctly?  It appears as though the Workgroup Key may not be getting applied at the time the file is being encrypted in addition to the user-provided password.  I'm only able to decrypt the files by using the password provided by the user at the time of encryption.

    Thanks!

    Brian



  • 2.  RE: Endpoint Encryption Removable Storage Workgroup Key Not Working

    Posted Jun 08, 2016 01:04 PM

    A little more info.  I have read through http://www.symantec.com/docs/DOC9126 (Configuring Active Directory and LDAP to use the RME Workgroup key feature).  All of our computers are in the same domain as the management server.  Everything meets the requirements outlined in the document above.

    If I open the SEE database directly, under the Computers table, I can see that the column for GrpKeyEnabled is currently False and GrpKey is NULL for all of the machines, even though a GPO has been set up to enable and provide one.  So it looks like the WorkGroupKey may not be getting applied after all.

    Any suggestions?



  • 3.  RE: Endpoint Encryption Removable Storage Workgroup Key Not Working

    Posted Jun 09, 2016 06:57 PM

    Just to verify, in the SEEMS Configuration Manager, have you enabled Windows Authentication?  It is also required to distribute the keys.



  • 4.  RE: Endpoint Encryption Removable Storage Workgroup Key Not Working

    Posted Jun 09, 2016 10:11 PM

    Correct, Windows Authentication is enabled through the SEEMS Configuration Manager.

    I had no issues during the install; everything seemed to install correctly, it's syncing fine with Active Directory, the SQL database was created successfully by the installer (separate SQL server in the same domain) and it seems to be updating correctly as client machines check in and update the tables accordingly.  All of the other Symantec EE group policy settings get applied correctly.  It's just the Workgroup Key feature that is not working.  I'm puzzled.



  • 5.  RE: Endpoint Encryption Removable Storage Workgroup Key Not Working

    Posted Jun 30, 2016 10:06 AM

    Symantec support concluded that you MUST have LDAPS enabled to secure the communication between the Active Directory and Symantec Endpoint Encryption Management Server in order for the Workgroup Key feature to work even though the instructions and other documentation indicate that it is optional.  This means that you must have a public key infrastructure (PKI) in place which we do not.  Symantec recommended simply adding the AD Certificate Services role on the domain controllers, however, everything I have read says that is a bad idea to have your domain controller also be a root CA.

    Unfortunately, I will likely not be able to test this as we don't have the resources to set up a proper PKI.  So it looks like we will be looking for a different product.  We are a small organization with minimal resources, and properly setting up a PKI just to enable this functionality would involve additional Windows Server licenses and hardware (to host an offline root CA).  One would think that Symantec could leverage some of the Windows APIs and utilize Kerberos or NTLM instead of performing a simple bind, necessitating the need for LDAPS.
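The thread ends with support's finding that the management server performs a simple LDAP bind, which sends the bind password in cleartext unless the connection is wrapped in TLS, hence the LDAPS requirement. Before concluding that a domain controller does or does not offer LDAPS, an administrator can check it directly from the SEE Management Server. The script below is an added example written for this page, not code from the thread or from Symantec; it assumes a placeholder domain controller name (`dc01.example.local`) and that the machine running it has the `Test-NetConnection` cmdlet (Windows 8 / Server 2012 or later). It confirms that TCP 636 is listening, completes a TLS handshake, and reports whether the certificate the DC presents chains to a CA this machine trusts, which is what a bind from the management server would need.

```powershell
# Added example (not from the thread): check whether a domain controller offers LDAPS
# and whether the certificate it presents would be trusted by this machine.
# $DomainController is an assumed placeholder; replace it with your own DC.
param(
    [string]$DomainController = 'dc01.example.local',
    [int]$Port = 636
)

# 1. Is anything listening on the LDAPS port at all?
#    With no DC certificate installed (no AD CS or third-party cert), AD does not open 636.
$tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "No listener on ${DomainController}:${Port}; LDAPS is not enabled on this DC."
    return
}

# 2. Complete a TLS handshake and inspect the server certificate.
$client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
try {
    # The validation callback returns $true so the handshake completes and the
    # certificate can be inspected; chain trust is evaluated explicitly below.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    [pscustomobject]@{
        DomainController = $DomainController
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        DnsNames         = ($cert.DnsNameList.Unicode -join ', ')
        # Verify() builds the chain against this machine's trust store. The SEE
        # Management Server must trust the issuing CA, or its LDAPS bind will fail.
        ChainTrusted     = $cert.Verify()
        TlsProtocol      = $ssl.SslProtocol
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Run it on the management server itself, since that is the host whose certificate store matters. A listener on 636 with `ChainTrusted` equal to `False` means the DC has a certificate but the management server does not trust its issuer; importing the issuing CA certificate into the server's Trusted Root store fixes that without any change on the DC. No listener at all means the DC has no server-authentication certificate, which is the situation the thread describes.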