Encryption Desktop (formerly PGP Desktop) installation MSI switches to disable components at installation

Article:HOWTO84112  |  Created: 2013-05-09  |  Updated: 2014-01-03  |  Article URL http://www.symantec.com/docs/HOWTO84112
Article Type
How To



This article lists the Symantec Encryption Desktop (previously PGP Desktop) component installation switches and the correct syntax to use with the msi switches.
 
By using the msi switches, administrators can control what features are available to Symantec Encryption Desktop client users by disabling specific components. This is accomplished by using the msiexec.exe command line utility when installing the client.
 
By disabling a Symantec Encryption Desktop component via the msi, it will not appear in the user interface and it ensures that there are no compatibility issues with the operating system or third-party products.
 
Note: Upgrades, including automatic upgrades, honor the disabling of components and do not re-enable disabled components unless the MSI file has been specifically edited to re enable the disabled component.

 

 
Warning: Editing these registry options after the installation is not supported and must be done at the time of installation and/or upgrade of the client. 

 

 

The syntax to disable Encryption Desktop components is:

  
msiexec /i pgpdesktop.msi PGP_INSTALL_[component]=0 Where [component] is the Symantec Encryption Desktop component you want to disable. 
 
Example :  Install without WDE or SSO :  msiexec /i pgpdesktop.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0
 
Generally, since this is a binary value in the registry 0 means off and 1 means on (unless otherwise noted)
 
The following switches are available to disable Encryption Desktop components:
 
Component
Description
Default Value
Default State
MAPI
MAPI messaging proxy used in Outlook
1
Enabled
NOTES
Lotus Notes message proxying
1
Enabled
LSP
IM encryption feature and POP, SMTP, and IMAP proxy
1
Enabled
SSO
Drive Encryption Single Sign-On
1
Enabled
WDE
Symantec Drive Encryption (formerly PGP Whole Disk Encryption)
1
Enabled
NETSHARE
Symantec File Share Encryption (formerly PGP NetShare)
1
Enabled
GROUPWISE
Novell Groupwise messaging proxy
0
Disabled
MEMLOCK
The memory locking feature (which keeps sensitive data from leaving volatile memory) is disabled. Disabling the memory lock means you can disable all kernel-level items, if desired. It should generally not be disabled unless you have a specific reason to do so
1
Enabled
VDISK
Virtual Disk feature
1
Enabled
RDD
The PGP Remote Disable & Destroy with Intel® Anti-Theft Technology (End of Life see here for more information)
1
Enabled
MAPI_PLUGIN
Encrypt and Sign buttons in Outlook
1
Enabled
DISABLESSOENROLL
Invisible silent enrollment
1
Disabled
PGP_SET_HWORDER
Symantec Encryption Desktop will check to ensure it is at the top of the network provider order
0
Disabled
PGP_SILENT_FORCE_LDAP
This setting allows the disk to be encrypted to a local Windows password but enrollment to occur using LDAP credentials which are different than the local Windows ones
0
Disabled
 
NOTE: As of May 2013 - If Drive Encryption\PGPWhole Disk Encryption is being used, DO NOT install with RDD disabled (RDD=0) as this will disable the capability to decrypt the disk.  There is an issue where Drive Encryption is dependent on this component until we release a compatible version.  See TECH191844 for more information.
 
If using the Invisible Silent Enrollment feature, enable this feature by setting it to 0. Please note that by setting PGP_SILENT_FORCE_LDAP to 1 the two settings will conflict with each other and the user will be prompted with an LDAP enrollment screen every time enrollment occurs.  If you are using Invisible Silent Enrollment, make sure that PGP_SILENT_FORCE_LDAP is set to 0 (Default).
 
Note: To re-enable a Symantec Encryption Desktop component that was disabled requires a reinstalling the software with the disabled component specifically re-enabled.  This may not work unless the version you are installing is a newer build of the product like changing PGP_INSTALL_NETSHARE=0 from PGP_INSTALL_NETSHARE=1. You can uninstall the current version of the product and then reinstall with the correct MSI switches which may require decryption of the boot volume.
 
For example: 
msiexec /i pgpdesktop.msi PGP_INSTALL_MAPI=1 (to enable MAPI components that were disabled prior on the machine as part of reinstalling)
 




Article URL http://www.symantec.com/docs/HOWTO84112


Terms of use for this information are found in Legal Notices