HOW TO: Converting an Embedded Policy Client to a PGP Universal Server 3.0 Managed Client

Article: HOWTO42113  |  Created: 2009-12-03  |  Updated: 2011-02-09
Article Type: How To

This article details how to change an embedded policy PGP Desktop client to be managed by a PGP Universal Server without decrypting and uninstalling PGP Desktop.

PGP Desktop clients with an embedded policy never receive any updated policy information from the PGP Universal management server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself. If a PGP Whole Disk Encryption deployment never connects to the PGP Universal Server, you cannot use Whole Disk Recovery Tokens.

An embedded policy client can be changed to a managed client of the PGP Universal Server by editing the registry and re-enrolling the user, without decrypting and uninstalling PGP Desktop. During enrollment, the PGP Desktop client will generate a Whole Disk Recovery Token (WDRT) for PGP Whole Disk Encrypted systems.

When using LDAP Directory Synchronization for enrollment, you can confirm the PGP Universal Server registry PGPSTAMP setting on another client computer in the following folder:




Note: The mail server entry may also use the wildcard character *. This allows users to bind automatically to all mail servers.

If you are not using LDAP Directory Synchronization for enrollment, you must use the Preset Policy setting for PGP Desktop clients. To check for the correct registry entry, confirm the PGPSTAMP on a computer using a Preset Policy for its client installation or enroll another client to determine the registry entry. Then copy the text to use on the new managed client.



Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information on backing up the registry see the following article on the Microsoft support site:

How to back up and restore the registry

To update an embedded client to a managed client


  1. Click the PGP Tray icon in the Windows System tray, then click Exit PGP Services.
  2. Browse to the following folder in the registry: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
  3. Browse to the PGP folder in the Application Data folder for the user account:

    Windows XP: C:\Documents and Settings\%username%\Application Data\PGP Corporation\PGP

    Windows Vista/7: C:\Users\%username%\AppData\Roaming\PGP Corporation\PGP

  4. Delete the PGPpolicy.xml and PGPprefs.xml files.
  5. Browse to the PGP folder in the Application Data folder for All Users:

    Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP

    Windows Vista/7: C:\ProgramData\PGP Corporation\PGP

  6. Delete the PGPadmin file.
  7. Click Start > All Programs > Startup > PGPtray.exe. The PGP Enroll Assistant is displayed.
  8. Enroll with the PGP Universal Server to update the user as a managed PGP Desktop client.
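
The file and registry steps above can be scripted so that nothing is lost if enrollment fails. The following PowerShell sketch is an added example, not code from the original article or from PGP/Symantec: it exports the registry key before any edit and moves the policy files to a backup folder instead of deleting them. It assumes it runs under the affected user's account with rights to the All Users folder; the backup location, the PGPSTAMP value sitting directly under the key, and the `PGPadmin*` file match are assumptions.

```powershell
# Added example (not PGP/Symantec code). Run after exiting PGP Services,
# under the account whose PGP Desktop profile is being converted.
$ErrorActionPreference = 'Stop'

$regKeyNative = 'HKLM\Software\PGP Corporation\PGP'    # key from the registry step, reg.exe syntax
$regKeyPs     = 'HKLM:\Software\PGP Corporation\PGP'   # same key, PowerShell provider syntax

# Hypothetical backup location; choose one that suits your environment.
$backup = Join-Path $env:TEMP ('pgp-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backup | Out-Null

# Export the key before any registry edit, per the warning above.
& reg.exe export $regKeyNative (Join-Path $backup 'pgp-key.reg') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regKeyNative" }

# Show the current PGPSTAMP (assumed here to be a value directly under that key).
$stamp = (Get-ItemProperty -Path $regKeyPs -Name PGPSTAMP -ErrorAction SilentlyContinue).PGPSTAMP
Write-Host "Current PGPSTAMP: $stamp"

# GetFolderPath resolves to the XP or Vista/7 locations listed in the steps,
# for the account running the script.
$userDir = Join-Path ([Environment]::GetFolderPath('ApplicationData'))       'PGP Corporation\PGP'
$allDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'PGP Corporation\PGP'

$targets  = @(Get-ChildItem -Path $userDir -Force -ErrorAction SilentlyContinue |
              Where-Object { 'PGPpolicy.xml', 'PGPprefs.xml' -contains $_.Name })
# The article names the all-users file only as "PGPadmin"; matching any
# extension is an assumption. Matches are moved, not deleted, so it is reversible.
$targets += @(Get-ChildItem -Path $allDir -Filter 'PGPadmin*' -Force -ErrorAction SilentlyContinue |
              Where-Object { -not $_.PSIsContainer })

foreach ($file in $targets) {
    Move-Item -LiteralPath $file.FullName -Destination $backup
    Write-Host "Moved $($file.FullName)"
}
Write-Host "Backup folder: $backup. Start PGPtray.exe to begin enrollment."
```

Once enrollment succeeds and the client shows as managed on the server, remove the backup folder, since the exported key and the old policy files describe the previous configuration.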


Note: If using a different version of PGP Desktop than the version of the server, you should send an updated Whole Disk Recovery Token (WDRT) to the server using the PGP command line utility on the client.



