Endpoint Encryption

  • 1.  Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 09:01 AM

    Hi there

    I've installed Symantec Endpoint Encryption (Trialware) on a 2012 R2 Std server, and am aiming to encrypt a test laptop with it via a deployed GPO. The purpose being that I can demonstrate this and make a business case to purchase the software for one of our offices.

    I have successfully installed the Management Server, Disk Encryption software on the 2012 server, configured IIS etc.

    I have used group policy to deploy the two MSI files I have created (SEE Management Agent - Test x64.msi and  SEE Disk Encryption Client - Test x64.msi) to a laptop, using a computer GPO policy. All works well, the two things install in the correct order and take about 30 minutes to install. When it's installed, I can successfully check-in.

     

    Now, here are the problem(s)...

    1) Encryption does not automatically take place. The user does not see any registration page etc.

    2) If I open the SEE client application, I see a message saying self-recovery enrollment cannot be done as the user has not been registered yet.

    3) If I look at the files in C:\Program files\Endpoint Encryption Clients\Management Agent\TechLogs - I am seeing messages like 'hard disk not innumerated yet' and 'registeruserprocess() failed'.

     

    Any ideas?

     

    Many thanks

    Rob



  • 2.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 09:48 AM

    This might be a silly question, but have you rebooted the machine yet?  SEE does require a reboot to complete installation.



  • 3.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 10:13 AM

    Hi there, no worries, any suggestion is welcome thank you.

    Yes, I have rebooted the test laptop several times. Also, I have uninstalled both the Agent & Encryption Disk package via the GPO, and created a new set up Agent/Encryption MSI's and GPO's to redeploy it. Same thing unfortunately. Product installs but doesn't get very far.

     



  • 4.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 10:50 AM

    In that case, have you tested a manual install to verify it's not something in the deployment method that's messing things up for you?

    Also, you might want to take a quick flick through the below article to see if there's some sort of compatibility conflict going on:

    http://www.symantec.com/docs/TECH229139



  • 5.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 11:43 AM

    Thanks. Checked the list, can't see any compatibility issues.

    I think you're on to something though. I installed the MSI's I generated manually - the agent then the encryption client, and hooray, the recovery enrollment box does pop up on restart - and started encrypting 5 mins later.

    I also noticed that installing the Agent manually took seconds, whilst when I deploy via the GPO, the 'Installing Managed Software Symantec Endpoint Management Agent' takes about 20-30 minutes.

    My guess at this point is that when deploying via GPO it's timing out a half-baked installation.

    Just now, I am going to clear all event logs, re-deploy, and see if there are any obvious signs in the event log after a GPO deployment. I'll update you shortly.

    Also please let me know if you want to throw in any other ideas.

    Thanks very much for your time today!

    Many thanks

     

     



  • 6.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 03, 2015 01:58 PM

    Hi there

    So, after re-deploying with GPO, I can see the same issue persists:

    * It takes *ages* to deploy (~20 mins)

    * I don't get an enrollment dialog even when restarted a few times. If I load SEE Management Agent on the laptop - as seen below - there is no self-enrollment recovery option.

     

    [Attached screenshot: Untitled.png]

    I have adjusted the GPO policy to say that the computer should be able to run software with elevated privileges as the Policy Guide states (I have even completely disabled UAC)

     

    I get these messages in the event log after the deployment:

    MsiInstaller 1013 Error: failed to call ImportInitialHardDiskSettings

    WinLogon 6006 The winlogon notification subscriber <GPClient> took 274 second(s) to handle the notification event (CreateSession).

    WinLogon 6005 The winlogon notification subscriber <GPClient> is taking long time to handle the notification event (CreateSession).

    WinLogon 6006 The winlogon notification subscriber <GPClient> took 614 second(s) to handle the notification event (CreateSession).

     

    I have attached the log files as well in case they are useful.

    If SMLatCST or anyone has any ideas I'd be really grateful - I'll be so happy when this nightmare comes to an end.

     

    Many thanks!

    Rob

    Attachment: LOGS.zip (4 KB)


  • 7.  RE: Symantec Endpoint Encryption, won't encrypt/register user.
    Best Answer

    Posted Jul 06, 2015 03:52 AM

    What do you have configured as far as your GPO install?  Have you tried separating them out so that you install only the SEE Management Agent first?

    Also, more detailed logging on the MSI side might help:

    http://www.symantec.com/docs/TECH104165



  • 8.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 06, 2015 10:39 AM

    Hi SMLatCST

    If I roll out the Management Agent, restart, then roll out the Encryption Disk client and restart, it appears to work fine. Odd.

    I guess we will have to roll this out to the office in two phases then. Many thanks for your help.

     



  • 9.  RE: Symantec Endpoint Encryption, won't encrypt/register user.

    Posted Jul 06, 2015 02:00 PM

    Update:

    In case anyone finds it useful, here is how I am deploying:

    * Computer GPO policy, runs this batch script:

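    REM Phase 1: install the Management Agent if its folder is missing.
    IF NOT EXIST "C:\Program Files\Symantec\Endpoint Encryption Clients\Management Agent\" GOTO MANAGENT
    REM Phase 2: agent is present, so install Drive Encryption if it is missing.
    IF NOT EXIST "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\" GOTO ENCAGENT
    REM Both components are present: nothing to do.
    exit
    :MANAGENT
    REM pushd maps the UNC share to a temporary drive letter; popd releases it.
    pushd \\SERVERNAME\NETLOGON\ENCRYPTIONCLIENTS\
    msiexec /i SEE-MAN-LNKGT-64.msi
    popd
    exit
    :ENCAGENT
    pushd \\SERVERNAME\NETLOGON\ENCRYPTIONCLIENTS\
    msiexec /i SEE-ENC-LNKGT-64.msi
    popd
    exit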

     

    End result should be that the user has the software within a couple of days in most cases (eg. two restarts).
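
The two-phase rollout from post 9 combined with the verbose MSI logging suggested in post 7, as an added example that is not part of the original thread and not Symantec's own tooling. The share path, MSI names and install folders are the ones quoted in the thread; the log directory and status file are assumptions.

```powershell
# Added example, not the poster's script. Share path, MSI names and install
# folders come from the thread; $LogDir is an assumed location.
$Share  = '\\SERVERNAME\NETLOGON\ENCRYPTIONCLIENTS'
$Base   = 'C:\Program Files\Symantec\Endpoint Encryption Clients'
$LogDir = 'C:\Windows\Temp\SEE-Deploy'   # assumption

# Ordered phases: Management Agent first, Drive Encryption on a later boot.
$Phases = @(
    @{ Name = 'ManagementAgent'; Folder = 'Management Agent'; Msi = 'SEE-MAN-LNKGT-64.msi' },
    @{ Name = 'DriveEncryption'; Folder = 'Drive Encryption'; Msi = 'SEE-ENC-LNKGT-64.msi' }
)

function Install-Phase {
    param([hashtable]$Phase)
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log     = Join-Path $LogDir ("{0}-{1}.log" -f $Phase.Name, $stamp)
    $msi     = Join-Path $Share $Phase.Msi
    # /qn = no UI, /norestart = leave the reboot to the admin, /l*v = verbose log
    $msiArgs = "/i `"$msi`" /qn /norestart /l*v `"$log`""
    $proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$status = Join-Path $LogDir 'status.txt'

foreach ($phase in $Phases) {
    # Same presence check as the batch script in the thread.
    if (Test-Path (Join-Path $Base $phase.Folder)) { continue }

    $code = Install-Phase -Phase $phase
    Add-Content -Path $status -Value ("{0} {1} exit={2}" -f (Get-Date -Format s), $phase.Name, $code)

    # 0 = success, 3010 = success with reboot pending; anything else is a failure.
    if ((0, 3010) -notcontains $code) { exit $code }

    # One phase per boot: stop here so the next phase runs after a restart.
    break
}
```

A failed phase exits with the msiexec return code and leaves its verbose log in the log directory, which gives more to go on than the MsiInstaller 1013 event alone.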