When a system image (also known as golden image, master image or base image) of an operating environment is created after the MACHINEGUID registry entry is populated, machines built using that system image will send the same MACHINEGUID to Encryption Management Server.
The MACHINEGUID is the unique identifier for each client machine. Therefore, if there are duplicate MACHINEGUID entries, machine entries in the Encryption Management Server database will be constantly overwritten. This includes the Whole Disk Recovery Token (WDRT).
This document is intended for local administrators who create system images and deploy them on client computers. This document helps the administrator understand how to change the MACHINEGUID on a client computer with the PGPwdeupdatemachineUUID.exe utility if multiple computers in the environment have the same MACHINEGUID. The utility gives each machine a unique MACHINEGUID.
With Encryption Desktop 10.3.1 or earlier, the MACHINEGUID is generated during installation of the software. Therefore, when an administrator deploys a system image of an operating environment with Encryption Desktop 10.3.1 or earlier to a large number of computers in a managed environment, the same MACHINEGUID is copied to multiple computers. A duplicate MACHINEGUID value can also occur when a .msi transform file (.mst file) is created improperly and includes the MACHINEGUID registry value. See article TECH194265 for more details on the MACHINEGUID value.
When you run the PGPwdeupdatemachineUUID.exe command-line utility, it generates a new MACHINEGUID on a client computer. The new MACHINEGUID is then sent to Encryption Management Server to create a unique entry for the computer.
There are four versions of the PGPwdeupdatemachineUUID utility. It is essential that the correct version is used:
PGP Desktop 10.1.x clients.
Encryption Desktop 10.2.x - 10.3.1 MP1.
Encryption Desktop 10.3.2 - 10.3.2 MP11.
Encryption Desktop 10.3.2 MP13 and above.
To run the utility locally via the command line
Right-click the PGP Tray icon and select Exit PGP Services.
Open a Windows command prompt.
To set a specific MACHINEGUID on the client system, run the command with the following parameter: PGPwdeupdatemachineUUID.exe -v (the -v option will provide verbose output)
Note: The following command can be used to get help: PGPwdeupdatemachineUUID.exe –help
After running the utility, open Encryption Desktop to enable PGP Tray. Enabling PGP Tray sends the new MACHINEGUID to Encryption Management Server.
You can also run the utility remotely by using tools such as PsExec, or other third-party utilities. When using the tool in this way, ensure the user running this command has administrative privileges. Before deploying this utility to affected systems, Symantec recommends testing a sample of affected systems to ensure the MACHINEGUID and Disk UUID are updated. See TECH194265 for more details on the duplicate MACHINEGUID issue.
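The sample test recommended above can be checked mechanically once MACHINEGUID values have been collected from the test machines before and after the utility runs. The following PowerShell is an added example, not Symantec's code: the CSV layout, host names, GUID values and function names are constructed for illustration, and it goes slightly beyond the text by also reporting machines whose value did not change.

```powershell
# Added example. Inventory rows are constructed; collecting the real values
# (registry location per TECH194265, remote tooling) is outside this sketch.
$before = @'
ComputerName,MachineGuid
WS-001,11111111-AAAA-4AAA-8AAA-000000000001
WS-002,11111111-aaaa-4aaa-8aaa-000000000001
WS-003,11111111-aaaa-4aaa-8aaa-000000000001
WS-004,22222222-bbbb-4bbb-8bbb-000000000002
'@ | ConvertFrom-Csv

$after = @'
ComputerName,MachineGuid
WS-001,33333333-cccc-4ccc-8ccc-000000000003
WS-002,11111111-aaaa-4aaa-8aaa-000000000001
WS-003,44444444-dddd-4ddd-8ddd-000000000004
WS-004,22222222-bbbb-4bbb-8bbb-000000000002
WS-005,55555555-eeee-4eee-8eee-000000000005
WS-006,55555555-EEEE-4EEE-8EEE-000000000005
'@ | ConvertFrom-Csv

function Get-DuplicateMachineGuid {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $Inventory |
        Group-Object -Property { $_.MachineGuid.Trim().ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ MachineGuid = $_.Name; Computers = ($_.Group.ComputerName | Sort-Object) -join ', ' }
        }
}

function Test-MachineGuidRemediation {
    param([Parameter(Mandatory)][object[]]$Before, [Parameter(Mandatory)][object[]]$After)
    $old = @{}      # ComputerName -> normalized MACHINEGUID before the run
    foreach ($row in $Before) { $old[$row.ComputerName] = $row.MachineGuid.Trim().ToLowerInvariant() }
    $dupes = @{}    # values still shared by more than one machine after the run
    foreach ($d in (Get-DuplicateMachineGuid -Inventory $After)) { $dupes[$d.MachineGuid] = $true }
    foreach ($row in $After) {
        $guid   = $row.MachineGuid.Trim().ToLowerInvariant()
        $status = 'Updated'
        if ($old[$row.ComputerName] -eq $guid)        { $status = 'Unchanged' }       # unique now, but never regenerated
        if ($dupes.ContainsKey($guid))                { $status = 'StillDuplicate' }  # would keep overwriting one server entry
        if (-not $old.ContainsKey($row.ComputerName)) { $status = 'NoBaseline' }      # not in the "before" collection
        [pscustomobject]@{ ComputerName = $row.ComputerName; MachineGuid = $guid; Status = $status }
    }
}

Get-DuplicateMachineGuid -Inventory $before | Format-Table -AutoSize
Test-MachineGuidRemediation -Before $before -After $after | Format-Table -AutoSize
```

Comparison is case-insensitive because the same GUID can be exported in different letter case. In the constructed data, WS-002 ends up unique only because its siblings changed, which a duplicates-only check would miss.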
On the client computer, ensure that the registry location has the same MACHINEGUID that is available on Encryption Management Server. See TECH149261 for more information on how to create system images for client computers with Symantec Drive Encryption.
To obtain the PGPwdeupdatemachineUUID.exe utility for the applicable versions, as well as a full consultation in resolving this issue, including cleaning up data on the Symantec Encryption Management Server, contact Symantec Support. Running this tool by itself is not enough to completely resolve this issue.
Note that with Encryption Desktop 10.3.2 and above, the following error may occur when running the utility from a folder other than C:\Program Files\PGP Corporation\PGP Desktop or C:\Program Files (x86)\PGP Corporation\PGP Desktop: