So this maybe a little long but here is the general jist of the article - SEP can install SEE - using a specialized group and the Host Integrity Policy - you can Install or Upgrade the Client using the steps below.
SEE ver 11 has no embedded way to native deploy or upgrade its own agents -
Keep in Mind - you need to know your network and your clients to use HIC to install or upgrade the clients -
1 - NEVER - NEVER - NEVER - try to install over another encryption product - if its a MAC OS - using the native encryption client - leave it alone - SEE ver 11 will eventually be able to manage those keys also - same with BitLocker - Do NOT do double work just for the sake of having everything on one platform - That goes for Symantec Whole Disk Encryption also - the road map is to merge PGP WDE and SEE at some point just let the WDE clients chill and phase them out as they go -
2 - NEVER - NEVER - NEVER - try to update an entire Windows Service Pack on an encrypted client - Bad Idea - do not do this -
-------------- Symantec Endpoint Encryption - Pre-Work -
1) You must be on 12.1 RU5 on the Management Server -
2) You must create a specialized group - call it SEE HIC INSTALL - with a Subgroup - SEE HIC Upgrade
2a) Open the Management Console - click on My Company - or Default Group - right click - chose Add group - name group
3) Go to the new group you just created - Uncheck inherit policies from XXXXXX -
4) Go to Policies -- Add Policy - add the Default HIC Policy - KEEP IN MIND there are no Computers in this Group currently
5) Right Click the HIC policy you just added and create a NON-SHARED from COPY
6) Rename this POLICY to something apporpriate - SEE TEST HIC INSTALL
7) CLick Requirements in the middle screen click ADD - Windows - Use Existing Template - Symantec Encryption Full Disk - click OK
8) on the requirements tab - Open the new entry when we are done it will look like this - remove the current information as the existing template is for SEE version 8.2 - not SEE ver 11.
9) IF not Line is the only change besides the Downloaded program file name that changes between these two policies
<- INSTALL
You could also look for the running Service for your current Encryption Product -
10) To use the Download File option - You need a Network accessible share that all users can access - and know the target Directory you want it downloaded to - %WINDIR%\Temp
11) Once Downloaded - RUN THE PROGRAM - set it too run in SYSTEM CONTEXT - not User -
12 - WAIT - this sets a time frame for the system to wait before moving to the next step - any time frame you are comfortable with - keep in mind the files this downloads to install on the System are an average of 20mb for MGMT and DE or 25 mb with MGMT / DE and Auto Logon.
13) Fail line - self explanatory -
--------------- UPGRADE ---- same steps as starting at 9 and continueing on to 13 -
9) - IF not Line is the only change besides the Downloaded program file name that changes between these two policies
Product Build Numbers by Version -
11.0 MP1 - 7726 / 11.0 MP2 - 8350 / 11.0 MP3 - 8723
<- Change the String Value to the Product Build Number above the corresponds with your currently installed client
--------------------- DO NOT USE THIS ON A CLIENT on IN PROGRESS CLIENTS - i.e ENCRYPTING / DECRYPTING