Including PGP Drive Encryption and Deploying into Machine Images (Symantec Encryption Desktop Drive Encryption)

Article ID: 156854

Products

Symantec Products

Issue/Introduction

Baking software into a corporate image can save time when done properly, but including PGP Encryption Desktop in an image that a deployment solution then clones carries a specific risk for Drive Encryption: every clone can end up with the same machine identity. This article explains how that identity is set, how to detect duplicates on already-encrypted machines, and how to build the image so that the client deployment succeeds.

 

Cause

When the Drive Encryption component of PGP Encryption Desktop (Symantec Encryption Desktop) is installed, a unique value known as MACHINEGUID is configured. This value is in turn used to set the Device ID in the Drive Encryption BootGuard File System (BGFS), the preboot environment.

Once a system has been encrypted, the Device ID in the BGFS cannot be changed; from that point it is a hard-coded entry, so installing the software correctly before the image is captured is important.

NOTE: As of Symantec Drive Encryption 10.3.2 the MACHINEGUID entry is no longer used and will not be visible in this location, because a different mechanism sets the Disk UUID (Device ID) value. PGP Drive Encryption 10.5.1 or later (or whichever release is current) is recommended.

The MACHINEGUID registry entry holds a unique UUID that is linked to the Disk UUID (Device ID) used by Symantec Drive Encryption.

Its value data follows the standard braced GUID format, for example:

{A25F4A63-338B-4B6C-AD44-C7D7E0C59662}

 

When the Drive Encryption process is started on a machine, the MACHINEGUID value is linked to the Disk UUID and Group UUID of the system. For fixed primary disks these two values are identical, and they are linked to a value sent to the PGP Encryption Server (Symantec Encryption Management Server), where it is associated with the machine's Whole Disk Recovery Token.

A Whole Disk Recovery Token can unlock only the specific device it was linked to at encryption time. All versions of PGP Drive Encryption behave this way, although 10.3.2 obtains the Disk UUID value differently from earlier versions. Since 10.3.2 and older are no longer supported, upgrading to a current release of the software is recommended; Symantec Endpoint Encryption could also be considered. When in doubt, contact Symantec Encryption Support for further guidance.


If every machine deployed from the image carries the same MACHINEGUID and each is handed to a user and allowed to encrypt, that single MACHINEGUID becomes associated with multiple users and machines, and the PGP Encryption Server holds only one Whole Disk Recovery Token for that Device ID.

Recovering a system whose user has forgotten their passphrase then becomes unlikely, because the Whole Disk Recovery Token held on the server will not match the correct device for that user.

Concretely, when a second user is deployed from the same image with the same MACHINEGUID, encryption produces the same Disk UUID, and the second user's Recovery Token replaces the first user's on the server. The token may work for the second user, but not for the first.

To find out which Disk UUID and Group UUID are associated with a user, run the following command on an already encrypted machine:

C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --list-user --disk 0

Compare the values it reports with the MACHINEGUID that was baked into the affected image. It is also worth running the same command on several suspect systems to establish which machines share the same MACHINEGUID or Disk UUID values and are therefore affected.
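The comparison described above, done across a sample of hosts at once, as an added example that is not part of the original article or of the PGP product. It runs the article's pgpwde command on each host over PowerShell Remoting, pulls every UUID-shaped token out of the output, and reports any Disk or Group UUID that appears on more than one machine. Assumptions: Remoting is enabled to the targets, pgpwde lives in the path the article shows, and UUIDs appear in its output as standard 8-4-4-4-12 hex tokens (the surrounding labels are not relied on). The hostnames are placeholders, and the "known image GUID" defaults to the sample value the article uses to illustrate the MACHINEGUID format.

```powershell
# Added example, not from the original article: find Disk/Group UUIDs that
# are shared between hosts, the signature of a cloned MACHINEGUID.
param(
    [string[]]$Computers = @('WKS-001', 'WKS-002', 'WKS-003'),          # placeholder hostnames (assumption)
    [string]$KnownImageGuid = '{A25F4A63-338B-4B6C-AD44-C7D7E0C59662}'  # GUID baked into the suspect image (sample value)
)

# Path taken from the article's pgpwde command line.
$pgpwde = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe'
# Standard GUID shape; we do not depend on the exact labels pgpwde prints (assumption).
$guidPattern = '[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}'

function Get-PgpDiskUuids {
    param([string[]]$ComputerName, [string]$Exe, [string]$Pattern)
    # Run the article's command on each host and keep every line carrying a UUID,
    # tagged with the host name and whatever label text surrounds the UUID.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($exe, $pattern)
        if (-not (Test-Path -LiteralPath $exe)) { return }
        & $exe --list-user --disk 0 2>&1 | ForEach-Object {
            $line = [string]$_
            foreach ($m in [regex]::Matches($line, $pattern)) {
                [pscustomobject]@{
                    Host  = $env:COMPUTERNAME
                    Label = ($line -replace $pattern, '').Trim(' :')
                    Uuid  = $m.Value.ToUpperInvariant()
                }
            }
        }
    } -ArgumentList $Exe, $Pattern
}

$rows = Get-PgpDiskUuids -ComputerName $Computers -Exe $pgpwde -Pattern $guidPattern

# A UUID reported by more than one host is a collision: those machines share a
# Device ID, so their Whole Disk Recovery Tokens overwrite each other on the server.
$collisions = $rows | Group-Object Uuid |
    Where-Object { ($_.Group.Host | Sort-Object -Unique).Count -gt 1 }

foreach ($c in $collisions) {
    $hosts = ($c.Group.Host | Sort-Object -Unique) -join ', '
    $flag  = if ($KnownImageGuid.Trim('{}').ToUpperInvariant() -eq $c.Name) {
        ' (matches the GUID baked into the image)'
    } else { '' }
    Write-Warning "UUID $($c.Name) is shared by: $hosts$flag"
}

if (-not $collisions) {
    Write-Host 'No shared Disk/Group UUIDs found across the sampled hosts.'
}
```

Run it from an administrative workstation against a handful of machines built from the suspect image. Hosts listed under a shared UUID are the ones whose recovery tokens cannot be trusted and that need the remediation described under Resolution; the image GUID match only tells you which duplicate came from the image itself.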

 

Resolution

To properly include PGP Encryption Desktop in a corporate image:

1. Install PGP Encryption Desktop on the system
2. Immediately shut down the system and create the image.

 

Do not log in to any user profile after the PGP Encryption Desktop client has been installed: the MACHINEGUID is set at that first login, and an image captured afterwards carries it to every clone. If anyone has logged in to the system post install, rebuild the image and try again.

It is best not to include PGP Encryption Desktop in the image at all if you can avoid it. If it is required, configure everything else first, reboot the system a few times to confirm it is working, then install the client and shut the system down immediately.
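A pre-capture check for the procedure above, as an added example that is not part of the original article or of the PGP product. It refuses to shut down for capture if any interactive logon has happened since the client was installed, which is when the MACHINEGUID would have been set. Assumptions: the client is installed under the path the article's pgpwde command shows, and that directory's creation time stands in for the install time; logon activity is inferred from Win32_LogonSession start times (sessions still open) and from NTUSER.DAT write times (users who have logged off again). The profile running the script is exempt from the hive check, because a hive in use is flushed periodically, so only a new session would reveal a re-login by that account.

```powershell
# Added pre-capture check, not from the original article: run as the last
# step before shutting down to capture the image.
$PgpDir = 'C:\Program Files (x86)\PGP Corporation\PGP Desktop'   # path from the article

if (-not (Test-Path -LiteralPath $PgpDir)) {
    throw "PGP Desktop not found at '$PgpDir'; install the client before capturing."
}
# Assumption: the install directory's creation time is the install time.
$installTime = (Get-Item -LiteralPath $PgpDir).CreationTime
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Interactive sessions (console 2, RDP 10, cached 11) that began after the install.
$interactive = Get-CimInstance -ClassName Win32_LogonSession |
    Where-Object { ($_.LogonType -in @(2, 10, 11)) -and ($_.StartTime -gt $installTime) }
foreach ($s in $interactive) {
    $findings.Add("interactive logon session $($s.LogonId) started $($s.StartTime)")
}

# 2. Users who logged in and out again: logoff rewrites NTUSER.DAT. Special
#    (SYSTEM/service) profiles belong to the deployment tool, not users, and
#    the profile running this script is skipped for the reason given above.
$self = $env:USERPROFILE
Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -ne $self } |
    ForEach-Object {
        $hive = Join-Path $_.LocalPath 'NTUSER.DAT'
        if (Test-Path -LiteralPath $hive) {
            # -Force is needed because NTUSER.DAT is a hidden system file.
            $written = (Get-Item -LiteralPath $hive -Force).LastWriteTime
            if ($written -gt $installTime) {
                $findings.Add("profile $($_.LocalPath) hive written $written")
            }
        }
    }

if ($findings.Count -gt 0) {
    Write-Warning "User activity after the PGP Desktop install at $installTime; do not capture this image:"
    $findings | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

Write-Host "No logon since install at $installTime; shutting down for capture."
Stop-Computer -Force
```

If the install itself is performed by the deployment tool under the SYSTEM account, run this check from the same tool so that the check does not require a logon of its own. A false positive only costs a rebuild of the image; a missed logon costs the recovery tokens of every clone, so the check errs on the side of refusing to capture.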

If affected users are identified, Symantec Support has a tool, PGPwdeupdatemachineUUID.exe, that can be provided to resolve duplicate MACHINEGUID values on versions 10.1.x, 10.2.x, 10.3.0, 10.3.1 and 10.3.2. If you encounter duplicate MACHINEGUID values on a version not listed here, contact Symantec Encryption Support for further guidance.

Additional Information