Symantec Endpoint Encryption - Generating and Deploying a Recovery Certificate

Assumptions:

Symantec Endpoint Encryption 11.1.2
Server 2012 R2 standard
Microsoft Active Directory Certificate Services is installed and configured on the domain

Creating the MMC

Creating the Certificate

Open or create an MMC with the Snap-in called Certificate – Current User.
Expand Certificates – Current User.
Right click on Personal and choose All tasks, Request New Certificate...
When the Certificate Enrollment wizard starts, click Next.
On the Select Certificate Enrollment Policy page, click Next.
On the Request Certificates page, select Basic EFS and click details and click Properties.
On the General tab, enter a Friendly Name: SEEM Server Recovery Certificate <Date>.
Click on the Subject tab.
Under Subject name, choose Common name and set the SEEM server FQDN as the Value and click Add.
Click on the Extensions tab and click on Key usage.
Click on Data encipherment and click Add >.
Click OK.
Click Enroll.
Click Finish.

Exporting PKCS #12 (Certificate and Private Key)

Open or create an MMC with the Snap-in called Certificate – Current User.
Expand Certificates – Current User, Personal, Certificate.
Double click the certificate that you just created.
Click on the Details tab.
Click on Copy to File…
On the Certificate Export Wizard click Next.
On the Export Private Key page, choose Yes, export the private key and click Next.
On the Export File Format page ensure Personal Information Exchange – PKCS #12 (.PFX) is selected and click Next.
On the Security page, select Password and type in a password and click Next.
Click Browse and select where to save the file and choose a descriptive file name and click Save.
Click on Finish.
Click OK.

Exporting PKCS #7 (Certificate)

Open or create an MMC with the Snap-in called Certificate – Current User.
Expand Certificates – Current User, Personal, Certificate.
Double click the certificate that you just created.
Click on the Details tab.
Click on Copy to File…
On the Certificate Export Wizard click Next.
On the Export Private Key page, choose No, do not export the private key and click Next.
On the Export File Format page ensure Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) is selected, choose Include all certificates in the certification path if possible and click Next.
Click Browse and select where to save the file and choose a descriptive file name and click Save.
Click on Finish.
Click OK.

Deploying the Recovery Certificate to a SEE Client

Log onto the server that hosts the SEE Management Console.
Open the SEE Management Console.
Expand the Symantec Endpoint Encryption Software Setup node and click on Windows Client.
Work your way through the wizard and when you reach the Removable Media Encryption Installation Settings – Recovery Certificate page, choose Encrypt files with a recovery certificate.
Browse to the PKCS #7 certificate and choose Open.
Review the Confirm Certificate window and click OK.
Complete the wizard.

Deploying the Recovery Certificate to GPO Based Policies

Log onto the server that hosts the SEE Management Console as a user who has rights to deploy GPO based policies.
Open the SEE Management Console.
Click on the Group Policy Management node.
Drill down, Forest, Domains, Domain, Group Policy Objects.
Right click on the desired GPO based policy and choose Edit…
Expand Computer configuration, Policies, Software Settings, Symantec Endpoint Encryption, Removable Media Encryption and choose Recovery Certificate.
Choose Change this setting, choose Encrypt files with a recovery certificate and click Change certificate…
Browse to the PKCS #7 certificate and choose Open.
Review the Confirm Certificate window and click OK.
Click Save.
Click OK.
Click File, Exit.