How do I set up and use Symantec Endpoint Protection Cloud (SEPC) to encrypt my devices and manage my recovery key(s)?
Windows 10 Professional
With SEPC there is no encryption "installation package" to deploy. If a device meets the conditions described in this article, one of your encryption licenses is consumed. SEPC leverages the encryption capability already built into the device (BitLocker on Windows, FileVault 2 on macOS) and retains the recovery key in the cloud.
Requirements for SEPC (Symantec Endpoint Protection Cloud) Managed Encryption:
REQUIREMENT: SEPC ENCRYPTION LICENSES AVAILABLE
You must purchase encryption licenses in order for Symantec to manage your recovery key. Without an available license the device will not be encrypted, even if the policy has Device Encryption turned on.
REQUIREMENT: POLICY WITH ENCRYPTION ENABLED
Create a new SEPC security policy, or edit an existing one, so that Device Encryption is in the "on" position:
In SEP Cloud, create a new security policy > under Device Encryption, select Encrypt device > if required, adjust the other security policy settings, and then press Create a policy or Save changes.
Before you encrypt macOS or Android devices, review the manual steps that are required to decrypt them.
(To encrypt iOS and Android devices, install SEPC Mobile and put the device into a group that contains an encryption policy; the device should then encrypt.)
Verify that you are installing on a compatible device.
These operating systems are not supported:
Windows 10 (Home)
Windows 7 (Home and Pro)
Windows Vista (Home and Pro)
Windows XP (All Versions)
These operating systems are supported:
Windows 10 Professional
REQUIREMENT: TPM CHIP FOR WINDOWS DEVICE(S)
Verify that the Windows device has a TPM 2.0 chip installed: in the Start menu or the Run box, type tpm.msc. The TPM Management console reports the specification version of the chip.
The TPM pictured is version 1.2, so SEPC will not be able to leverage BitLocker to encrypt the device or manage the encryption key. TPM 2.0 is required.
Alternate check: open Device Manager, find the Security devices category and expand it. Trusted Platform Module should show its version and indicate whether it is enabled.
For more on the TPM in general, see Microsoft's TPM documentation.
REQUIREMENT: BITLOCKER FOR WINDOWS SHOULD BE OFF
Note: if BitLocker is already on, or a third-party disk encryption tool is in use, SEPC cannot acquire the existing decryption key from BitLocker or from that tool. SEPC can only manage the BitLocker key (or the macOS FileVault 2 key) if these resources are turned off before the encryption license is deployed to the device.
Check Windows BitLocker: Control Panel\System and Security\BitLocker Drive Encryption
If BitLocker is off, the machine is in a security group with an encryption policy, and SEPC encryption licenses are available on your account, device encryption should begin.
If BitLocker shows a status of "Waiting for activation", the drive is already at least partially encrypted but no key protector has been added yet (the volume key is held in the clear). Some devices come pre-encrypted this way from the manufacturer and need additional setup to complete the process. The following steps let you check the status and decrypt the device if it is found to be at least partially encrypted.
Open a command prompt using Run as Administrator and run the following command: "manage-bde -status"
BitLocker will then report its status for each volume. If "Percentage Encrypted" is anything more than 0.0%, the drive is at least partially encrypted and SEPC will not be able to start the encryption or store the key until every drive is fully decrypted.
To decrypt a drive, run the following command for each drive that showed some level of encryption: "manage-bde -off C:"
Run the above command, replacing C: with the proper drive letter, for each encrypted drive. Decryption runs in the background and can take a while on a large disk.
After that has completed, run the status command again to confirm the drives are 0.0% encrypted: "manage-bde -status"
Once no drives show any encryption, give SEPC some time to start the encryption again. If it does not start automatically after a short period, toggle the encryption slider in the policy to off, press Save, and then toggle it back on a couple of minutes later to trigger a policy update and have it try again.
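The TPM and BitLocker checks above can be run together from an elevated PowerShell prompt. The script below is an added example and is not part of the Symantec article or of the SEPC product; the function names are my own. It assumes Windows 10 Professional with the built-in TrustedPlatformModule and BitLocker modules (Get-Tpm, Get-BitLockerVolume, Disable-BitLocker), reads the TPM specification version from the Win32_Tpm WMI class, lists every volume with its encryption percentage and key protectors, and, only when you pass -Decrypt, turns BitLocker off on each partially or fully encrypted volume and polls until all of them report FullyDecrypted. Without -Decrypt it only reports, so it is safe to run first as a readiness check.

```powershell
#Requires -RunAsAdministrator
# Added example (not from Symantec's KB or the SEPC agent): SEPC readiness check for
# BitLocker-managed encryption on Windows 10 Pro. Function names are hypothetical.

function Test-SepcTpm {
    # Get-Tpm reports presence/readiness; Win32_Tpm.SpecVersion holds the spec version
    # as a string like "2.0, 0, 1.16" (first field is what SEPC requires to be 2.0).
    $tpm = Get-Tpm
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $spec = if ($cim) { ($cim.SpecVersion -split ',')[0].Trim() } else { $null }
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady
        SpecVersion = $spec
        SepcOk      = [bool]($tpm.TpmPresent -and $tpm.TpmReady -and $spec -eq '2.0')
    }
}

function Get-SepcBitLockerState {
    # One row per volume. "Waiting for activation" in the Control Panel corresponds to
    # data already encrypted but no key protector (volume key in the clear), which is
    # why EncryptionPercentage, not ProtectionStatus, decides whether SEPC is blocked.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus          # FullyDecrypted, FullyEncrypted, ...
            ProtectionStatus = $_.ProtectionStatus      # On / Off
            PercentEncrypted = $_.EncryptionPercentage
            Protectors       = (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
            BlocksSepc       = [bool]($_.EncryptionPercentage -gt 0)
        }
    }
}

function Clear-SepcBitLocker {
    # Equivalent of "manage-bde -off <drive>" for every volume with any encryption,
    # followed by polling until every volume is back at 0% (FullyDecrypted).
    param([switch]$Decrypt, [int]$PollSeconds = 30)

    $blocked = Get-BitLockerVolume | Where-Object { $_.EncryptionPercentage -gt 0 }
    if (-not $blocked) { Write-Host 'No volume is encrypted; SEPC can start BitLocker.'; return }

    foreach ($v in $blocked) {
        Write-Host ("{0} is {1}% encrypted ({2})" -f $v.MountPoint, $v.EncryptionPercentage, $v.VolumeStatus)
        if ($Decrypt) { Disable-BitLocker -MountPoint $v.MountPoint | Out-Null }
    }
    if (-not $Decrypt) { Write-Warning 'Re-run with -Decrypt to turn BitLocker off on these volumes.'; return }

    while (Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage |
            Format-Table -AutoSize | Out-String | Write-Host
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Host 'All volumes fully decrypted. Wait for SEPC to start encryption, or toggle the policy slider.'
}

# --- Readiness report ---
$tpmState = Test-SepcTpm
$tpmState | Format-List
if (-not $tpmState.SepcOk) {
    Write-Warning 'TPM 2.0 not present or not ready: SEPC cannot manage BitLocker on this device.'
}
Get-SepcBitLockerState | Format-Table -AutoSize
Clear-SepcBitLocker            # report only; add -Decrypt to actually run the decryption
```

Disable-BitLocker only starts the decryption; like manage-bde -off it returns immediately while the volume decrypts in the background, which is why the loop re-reads Get-BitLockerVolume rather than trusting the first result. Decrypting a volume that was "Waiting for activation" is quick to start but still has to rewrite the whole disk, so expect the percentage to fall gradually on large drives.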
REQUIREMENT: FILEVAULT FOR MAC SHOULD BE OFF
Similarly, FileVault 2 must already be OFF when the encryption policy reaches the Mac; if it is already on, SEPC cannot obtain the existing recovery key. To check, and then to start encryption under SEPC: on your Mac, open System Preferences > Security & Privacy > click the FileVault tab.
Click the lock to make changes and enter the Mac password.
With FileVault currently off, click Turn On FileVault.
You will be presented with options for storing the recovery key. Choose "Store your recovery key at the location above" (SEP Cloud or SEPC), so that the key is escrowed to SEPC rather than to iCloud or only shown to the user.
Once this is done you will be prompted to restart the computer to begin the encryption process.
ONCE YOUR DEVICE IS ENCRYPTED, THE SEPC PORTAL WILL REFLECT THIS PROTECTION STATUS
Encryption time varies with the amount of data on the disk. Look for the evidence of encryption once you have followed all the steps.
Once encryption has begun, there are several ways to verify it: the recovery key is visible from the device page, as seen in the picture below.
You will also be able to see the encryption state of the device under Events, showing that the device is encrypting, as pictured below:
Finally, the device page will show the icon seen below to signify that the device is encrypted:
If your Windows computer is still not starting the encryption process after you have followed everything on this checklist, please follow this: