With Symantec Drive Encryption before version 10.3.2, it was very easy to deploy an image incorrectly when Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) was included on the image. Although making this mistake was easy, the problems that result are very difficult to fix.
This article details the specific guidelines and requirements that should be followed when deploying Symantec Drive Encryption to a large number of systems using a system image or Golden Image.
Because of the serious nature of the issues that arise from including Symantec Encryption Desktop 10.3.1 or earlier in a system image, special care must be taken.
Starting with Symantec Drive Encryption 10.3.2, it is now possible to include the client as an installed application in a system image (Golden Image, Corporate Image, Base Image, etc.) to be deployed to systems. NOTE: Any version before Symantec Drive Encryption 10.3.2 should never be included as an installed application on the system image to avoid issues.
If Symantec Encryption Desktop 10.3.1 or earlier was included in a corporate image that has already been rolled out, the MACHINEGUID registry value that sets the encrypted Device ID is duplicated, so every machine built from that image has the same MACHINEGUID. This renders the Whole Disk Recovery Tokens for individual users useless, because all users share the same Device ID value.
Including Symantec Encryption Desktop 10.3.1 or earlier in the system image as an installed application is highly discouraged and not supported. Instead, install Symantec Encryption Desktop 10.3.1 or earlier after the system image has been deployed to a machine. This ensures that a unique Disk UUID is assigned to the encrypted drive and that a usable Whole Disk Recovery Token can be uploaded to the Symantec Encryption Management Server (formerly known as PGP Universal Server).
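The duplicated MACHINEGUID described above can be audited across a fleet of imaged Windows hosts before it is discovered the hard way through an unusable recovery token. The following PowerShell script is an added example, not Symantec's own tooling; the registry path it reads is a placeholder that must be replaced with the actual location of the MACHINEGUID value for your client version, the host names are constructed samples, and WinRM access to the targets is assumed.

```powershell
# Added example (not Symantec's code): report any MACHINEGUID value shared by
# more than one host, which is the symptom of an image that shipped with
# Symantec Encryption Desktop 10.3.1 or earlier pre-installed.
# ASSUMPTIONS: $RegistryPath is a PLACEHOLDER, not the real product key path;
# look up where your client version stores MACHINEGUID before running this.
param(
    [string[]]$ComputerName = @('IMAGED-PC-01', 'IMAGED-PC-02', 'IMAGED-PC-03'), # constructed sample names
    [string]$RegistryPath   = 'HKLM:\SOFTWARE\PLACEHOLDER-PGP-KEY-PATH',        # placeholder, see above
    [string]$ValueName      = 'MACHINEGUID'
)

# Collect the value from every host; a missing value is recorded, not treated as an error,
# because the client may simply not be installed there.
$results = Invoke-Command -ComputerName $ComputerName -ArgumentList $RegistryPath, $ValueName `
    -ErrorAction SilentlyContinue -ScriptBlock {
    param($Path, $Name)
    try {
        $guid = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $guid = '<missing>'
    }
    [pscustomobject]@{ Host = $env:COMPUTERNAME; MachineGuid = $guid }
}

# Group by MACHINEGUID; any group with more than one host is an image-cloned Device ID,
# and those hosts need remediation because their Whole Disk Recovery Tokens are not unique.
$duplicates = $results |
    Where-Object { $_.MachineGuid -ne '<missing>' } |
    Group-Object -Property MachineGuid |
    Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        $hosts = ($group.Group | Select-Object -ExpandProperty Host) -join ', '
        Write-Output ("Duplicate MACHINEGUID {0} on {1} hosts: {2}" -f $group.Name, $group.Count, $hosts)
    }
} else {
    Write-Output 'No duplicate MACHINEGUID values found.'
}
```

Hosts that report the same value should be treated as candidates for the remediation described in the referenced KB rather than having the registry value removed by hand.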
If Symantec Encryption Desktop 10.3.1 was included as an installed application in the system image, see the following KB for more detailed information on how to remedy incorrectly deployed images of Symantec Drive Encryption 10.3.1 or earlier:
- If using PGP Remote Disable & Destroy, it is critical to follow these strict requirements and not include PGP Desktop on the system image deployed to systems. Improper Device IDs on a system encrypted with PGP RDD enabled will cause rendezvous errors with PGP Universal Server and can lock the user out of the computer.
- Do not remove the MACHINEGUID in the registry. This can cause logging errors and unexpected behavior in the software. Please see TECH203267 for more information.
Support for "Creating System Images with Symantec Encryption Desktop" was added in version 10.3.2 of Symantec Encryption Desktop. Please see Symantec Encryption Management Server 3.3.2 Release Notes - DOC7056.