Our company uses Symantec Drive Encryption (managed by Symantec Encryption Management Server (SEMS) and integrated with AD authentication and single sign-on).
We always upgrade the Symantec Encryption Management Server (SEMS) to the latest version and it has almost always worked normally.
This time we upgraded the Symantec Encryption Management Server (SEMS) to version 3.3.2 MP10.
We found that if we install a new PC and use a user account (which already exists in SEMS) to enroll to the SEMS, the Encryption Desktop Setup Assistant wizard asks us to enter the passphrase.
But we cannot enter the current domain password (it displays “The passphrase did not match the key”).
We must enter the old domain password (the one in use when the user account enrolled to the SEMS for the first time).
If we don't enter the matching passphrase we cannot press the Next button.
We referred to the URL below. It says:
If using Silent Enrollment, we recommend using SKM mode only. Otherwise, a GKM key will be created, using their current Windows passphrase when they first enroll, but the passphrase on that key will not change, so after several Windows passphrase changes, the user will likely not remember the GKM key passphrase.
So we unchecked Guarded Key Mode (GKM) in the key mode setting under the LAB and the issue was solved.
http://www.symantec.com/connect/forums/single-user-issue-multiple-machines
The key mode changed to CKM.
We want to know why version 3.3.2 MP10 has this issue.
What is the difference between checking and unchecking Guarded Key Mode (GKM)?
Are there any effects if we uncheck Guarded Key Mode (GKM) in the production environment?
What is the correct setting for our environment?
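The quoted explanation describes a key whose guard passphrase is frozen at first enrollment, so every later Windows password change leaves it behind. The following is an added example, not Symantec's code and not the product's real key format: a toy model in Python (standard library only) of a passphrase-guarded key in the GKM style next to a server-held key in the SKM style, showing why silent enrollment plus password rotation produces exactly the "passphrase did not match" prompt above, and what a re-wrap at password change would have to do to avoid it. The wrap construction (PBKDF2-derived mask plus HMAC tag), the iteration count, the user name `alice`, the function names and the sample password history are all assumptions made for illustration.

```python
"""Toy model of a passphrase-guarded (GKM-style) key versus a server-held (SKM-style) key.

Assumptions: the wrap construction (PBKDF2-derived mask + HMAC tag), the user name, the
sample passwords and the iteration count are constructed for illustration only; none of
this is Symantec's code or the product's real key format.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

KDF_ITERATIONS = 100_000          # illustrative work factor, not the product's
USER = "alice"                    # constructed sample user
PASSWORD_HISTORY = ["Winter2023!", "Spring2024!", "Summer2024!"]   # constructed rotation


@dataclass
class WrappedKey:
    """A private key guarded by a passphrase: only the passphrase used at wrap time opens it."""
    salt: bytes
    wrapped: bytes
    tag: bytes


def _kek(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the key, the last 32 authenticate the wrap.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key(private_key: bytes, passphrase: str) -> WrappedKey:
    """GKM-style enrollment: whatever passphrase is in force right now becomes the key's guard."""
    salt = os.urandom(16)
    kek = _kek(passphrase, salt)
    wrapped = _xor(private_key, kek[:32])      # fresh salt per wrap, so the mask is never reused
    tag = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
    return WrappedKey(salt, wrapped, tag)


def unwrap_key(wk: WrappedKey, passphrase: str) -> bytes:
    """Returns the private key, or raises with the wizard's complaint if the passphrase is stale."""
    kek = _kek(passphrase, wk.salt)
    expected = hmac.new(kek[32:], wk.salt + wk.wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wk.tag):
        raise ValueError("The passphrase did not match the key")
    return _xor(wk.wrapped, kek[:32])


def unlocks(wk: WrappedKey, passphrase: str) -> bool:
    try:
        unwrap_key(wk, passphrase)
        return True
    except ValueError:
        return False


def rewrap_key(wk: WrappedKey, old_passphrase: str, new_passphrase: str) -> WrappedKey:
    """The step a password change must trigger for a guarded key to keep tracking the domain password."""
    return wrap_key(unwrap_key(wk, old_passphrase), new_passphrase)


def silent_enrollment_gkm() -> dict:
    """Silent enrollment with GKM: wrap once at first enrollment, then the AD password rotates
    twice and nothing ever re-wraps. This is the state a new PC finds when the same user enrolls."""
    private_key = os.urandom(32)                   # stands in for the user's PGP private key
    key = wrap_key(private_key, PASSWORD_HISTORY[0])
    return {
        "current_password_unlocks": unlocks(key, PASSWORD_HISTORY[-1]),
        "enrollment_password_unlocks": unlocks(key, PASSWORD_HISTORY[0]),
    }


def gkm_with_rewrap_on_change() -> dict:
    """Same key, but each password change re-wraps it: the current password opens it, the old one does not."""
    key = wrap_key(os.urandom(32), PASSWORD_HISTORY[0])
    for old, new in zip(PASSWORD_HISTORY, PASSWORD_HISTORY[1:]):
        key = rewrap_key(key, old, new)
    return {
        "current_password_unlocks": unlocks(key, PASSWORD_HISTORY[-1]),
        "enrollment_password_unlocks": unlocks(key, PASSWORD_HISTORY[0]),
    }


def server_managed_skm() -> dict:
    """SKM-style: the server stores the key itself and gates release on the directory's current
    credential. No passphrase is bound into the key material, so rotation cannot desynchronise it."""
    directory = {USER: PASSWORD_HISTORY[0]}        # stands in for AD
    key_store = {USER: os.urandom(32)}             # stands in for the SEMS-held key

    def release(user: str, password: str) -> bool:
        return user in key_store and hmac.compare_digest(directory[user].encode(), password.encode())

    for new in PASSWORD_HISTORY[1:]:
        directory[USER] = new                      # password changes touch only the directory
    return {
        "current_password_unlocks": release(USER, PASSWORD_HISTORY[-1]),
        "enrollment_password_unlocks": release(USER, PASSWORD_HISTORY[0]),
    }


if __name__ == "__main__":
    print("silent enrollment, GKM   :", silent_enrollment_gkm())
    print("GKM with rewrap on change:", gkm_with_rewrap_on_change())
    print("SKM                      :", server_managed_skm())
```

The first function reproduces the situation in the post: only the enrollment-time password opens the key. The second shows that a guarded key is only usable with the current domain password if something re-wraps it on every change, which is precisely what silent enrollment never gets a chance to do; the third shows why a server-managed key has no such dependency, which is the reasoning behind the quoted recommendation to use SKM with silent enrollment.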