This article describes how to change an embedded policy PGP Desktop client to be managed by a PGP Universal Server without decrypting and uninstalling PGP Desktop.
For more information on the Embedded Policy client, and how to use it, see article TECH148945.
(This scenario assumes you are using LDAP Directory Synchronization for user enrollment.)
PGP Desktop clients with an embedded policy never receive any updated policy information from the PGP Universal management server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself. If a PGP Whole Disk Encryption deployment never connects to the PGP Universal Server, you cannot use Whole Disk Recovery Tokens or get policy changes/updates.
An embedded policy client can be changed to a managed client of the PGP Universal Server by editing the registry and re-enrolling the user, without decrypting and uninstalling PGP Desktop. During enrollment the PGP Desktop client will generate a Whole Disk Recovery Token (WDRT) for PGP Whole Disk Encrypted systems (if your client policy is set to do so).
You can find the PGP Universal Server registry PGPSTAMP setting in the following registry container:
Note: The mail server entry may also use the wildcard character *. This allows users to bind automatically to all mail servers.
Note that the important difference between the two examples is the "&group=xxxxxx" section. To convert to a managed client instead of an embedded policy client, this group section must be removed from the registry entry. (In the above example, to convert the preset policy client to a managed client reporting to the keys.example.com server, you would change 'ovid=keys.example.com&mail=*&group=b659cfb8-7f66-42d9-91a4-4c143b2cf72f&admin=1' to 'ovid=keys.example.com&mail=*&admin=1'.)
If needed, you can confirm the value of the desired PGP Universal Server registry PGPSTAMP setting on another managed client computer by looking at its PGPSTAMP registry entry. Then copy the text to use on the new managed client.
Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information on backing up the registry see the following article on the Microsoft support site:
Browse to the PGP folder in Application Data folder for the user account:
Windows XP: C:\Documents and Settings\%username%\Application Data\PGP Corporation\PGP
Windows Vista/7: C:\Users\%username%\AppData\Roaming\PGP Corporation\PGP
Delete the PGPpolicy.xml and PGPprefs.xml files.
Browse to the PGP folder in Application Data folder for All users:
Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
Windows Vista/7: C:\ProgramData\PGP Corporation\PGP
Delete the PGPadmin file, if it exists.
Click Start > All Programs > Startup > PGPtray.exe. The PGP Enroll Assistant is displayed.
Enroll with the PGP Universal Server to update the user as managed PGP Desktop client.
Note: If using a different version of PGP Desktop than the corresponding version of the server (e.g., 10.2/3.2), you should send an updated Whole Disk Recovery Token (WDRT) to the server using the PGP command line utility on the client instead.
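The registry edit and file cleanup described above, scripted in PowerShell as an added example (not part of the original article and not vendor tooling). The registry container is not hard-coded: -StampKeyPath is a placeholder parameter you must fill in for your deployment, and -ReferenceStamp is an optional value copied from an already managed client. It assumes the script runs in the affected user's session with rights to edit that key; run it with -WhatIf first to preview the changes.

```powershell
# Added example, not vendor code. File and value names are those given in the
# article; $StampKeyPath is a placeholder for the container holding PGPSTAMP.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $StampKeyPath,
    [string] $ReferenceStamp   # PGPSTAMP copied from an already managed client
)

function Convert-PgpStamp {
    param([Parameter(Mandatory = $true)] [string] $Stamp)
    # Keep the name=value pairs in their original order; drop only group=.
    $pairs = @($Stamp.Trim() -split '&' | Where-Object { $_ })
    if (-not ($pairs -match '^ovid=.+')) {
        throw "PGPSTAMP has no ovid= server entry: $Stamp"
    }
    ($pairs -notmatch '^group=') -join '&'
}

$current = (Get-ItemProperty -Path $StampKeyPath -Name PGPSTAMP -ErrorAction Stop).PGPSTAMP
$managed = Convert-PgpStamp -Stamp $current

if ($managed -eq $current) {
    # Nothing to convert: stop before deleting any policy files.
    Write-Output 'PGPSTAMP has no group= entry; nothing changed.'
    return
}
if ($ReferenceStamp -and $managed -ne $ReferenceStamp.Trim()) {
    Write-Warning "Result differs from the reference managed client: $managed"
}
Write-Output "Previous PGPSTAMP (keep for rollback): $current"
Set-ItemProperty -Path $StampKeyPath -Name PGPSTAMP -Value $managed

# Per-user and all-users PGP folders; GetFolderPath resolves the XP and
# Vista/7 locations listed in the article.
$userDir = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'PGP Corporation\PGP'
$allDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'PGP Corporation\PGP'
$targets = @(
    (Join-Path $userDir 'PGPpolicy.xml'),
    (Join-Path $userDir 'PGPprefs.xml'),
    (Join-Path $allDir  'PGPadmin')
)
foreach ($file in $targets) {
    # Remove-Item honors -WhatIf passed to the script.
    if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file }
}
Write-Output 'Start PGPtray.exe from the Startup folder and complete enrollment.'
```

The script does not launch the PGP Enroll Assistant or send a WDRT; those steps remain manual as described above.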
Imported Document ID: TECH149637