When Symantec Encryption Desktop is used in virtual environments, such as VDI environments, Dell Wyse vWorkspace, etc., where Roaming Profiles Persona Management is used instead of Windows Roaming, Symantec Encryption Desktop prompts for enrollment and asks for LDAP credentials at each login.
Windows Roaming always loads the complete AppData\Roaming folder. Persona Management optimizes the login process by only loading specific parts.
Symantec Encryption Desktop uses a folder in %appdata%\Microsoft\Protect, which is unique to each user who logs in. Upon login, a unique folder is generated based on the user's profile, and inside this folder are files that are used to protect encryption data, if used. Upon initial enrollment, Symantec Encryption Desktop uses this folder to establish authentication to the Symantec Encryption Management Server with an enrollment cookie. Each time the user logs in to the user profile, the enrollment cookie is authenticated, and communication with the Symantec Encryption Management Server is successful. If this folder is re-created at each login, the enrollment cookie is no longer linked, and the enrollment prompt forces the user to enroll again before the client can communicate with the server.
To prevent this re-enrollment behavior, the %appdata%\Microsoft\Protect folder must persist across user logins.
If the modified timestamp of the folder matches the time at which the user logged in to Windows, the folder is most likely not persistent.
Alternatively, modify the Persona Management Group Policy so that the Microsoft\Protect folder from the user profile, in addition to the PGP appdata folder, is loaded during login.
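The timestamp check described above can be scripted. The following is an added example, not Symantec's own tooling; it assumes the start time of explorer.exe in the current session approximates the Windows logon time, and the `-LogonTime` and `-ToleranceMinutes` parameters are hypothetical names chosen for this sketch.

```powershell
# Added example: flags a Microsoft\Protect folder that looks re-created at logon.
# Assumption: the start time of explorer.exe in the current session approximates
# the Windows logon time; pass -LogonTime explicitly if a better source exists.
param(
    [datetime]$LogonTime,
    [int]$ToleranceMinutes = 5   # hypothetical threshold, tune per environment
)

$protect = Join-Path $env:APPDATA 'Microsoft\Protect'
if (-not (Test-Path -LiteralPath $protect -PathType Container)) {
    Write-Warning "$protect does not exist in this profile."
    return
}

if (-not $PSBoundParameters.ContainsKey('LogonTime')) {
    # Find the oldest explorer.exe that belongs to this interactive session.
    $sessionId = (Get-Process -Id $PID).SessionId
    $shell = Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $sessionId } |
        Sort-Object StartTime | Select-Object -First 1
    if (-not $shell) { throw 'No explorer.exe in this session; supply -LogonTime.' }
    $LogonTime = $shell.StartTime
}

# Check the folder itself and the per-user subfolder(s) beneath it.
# -Force includes hidden and system items.
$items = @(Get-Item -LiteralPath $protect -Force) +
         @(Get-ChildItem -LiteralPath $protect -Directory -Force)

$items | ForEach-Object {
    $delta = [math]::Abs(($_.LastWriteTime - $LogonTime).TotalMinutes)
    [pscustomobject]@{
        Path          = $_.FullName
        Created       = $_.CreationTime
        Modified      = $_.LastWriteTime
        LogonTime     = $LogonTime
        MinutesApart  = [math]::Round($delta, 1)
        LikelyRebuilt = $delta -le $ToleranceMinutes   # modified at about logon time
    }
} | Format-Table -AutoSize
```

Run it as the affected user on a second or later login; on the very first login to a new profile the folder is legitimately new.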
For more information, review the Microsoft documentation.
Imported Document ID: TECH203415