What is the Embed Policy Option for PGP Desktop Configured Installations?

Article:TECH148945  |  Created: 2006-09-01  |  Updated: 2012-09-11  |  Article URL http://www.symantec.com/docs/TECH148945
Article Type
Technical Solution


PGP Whole Disk configured Installs with the Embed policy option

Special consideration should be given when using the Embed Policy option, as the following functionality is not available with this feature:

  • PGP Whole Disk Recovery Tokens are not supported because the PGP Whole Disk client does not communicate with the PGP Universal Server.
  • PGP Reconstruction data is also not available, as this data needs to be synchronized to the PGP Universal Server.
  • Server-managed keys such as Guarded Key Mode (GKM), Server-Client Key Mode (SCKM), and Server Key Mode (SKM) are not supported, as these key modes require communication with the PGP Universal Server. Because no PGP Universal Server-managed keys can be used, key recovery is difficult or impossible. (It is possible to export the private portion of a key after it has been created and upload it to the PGP Universal Server, but this is a manual process.)
  • Additional Decryption Keys (ADKs) are not included and are not supported when using the Embed policy option.
  • Email encryption is also unsupported when using the Embed policy option.
  • If a license number that enables PGP email encryption is used with the Embed policy option, problems will occur when attempting to send email, because the Embed policy is for Whole Disk only.


Note: The Embed Policy option is for Windows only. This feature is not intended to be used for Linux or Mac OS X. The Embed option is grayed out when attempting to download the client from the PGP Universal Server for Linux or Mac operating systems.


Creating a Configured PGP Whole Disk Installation with Embedded Policy

  1. Log in to the PGP Universal Server.
  2. Click Policy, then Internal User Policy.
  3. Create the custom policy for the PGP Whole Disk-Only client.
  4. Make sure no Key Reconstruction, PGP Whole Disk Recovery Tokens, Server-Managed Keys, or PGP license numbers that have email encryption enabled are used in the PGP policy being created.
  5. WDE Admin Passphrase and WDE Admin Keys are supported with the Embed Policy option and can be enabled in the policy.
  6. After the custom policy for PGP Whole Disk Only has been created, save the changes to the policy.
  7. On the Policy/Internal User Policy page, click the Download Client button.
  8. Check the Customize box, select Preset Policy, select the custom policy just created, then check the box Embed policy...for offline use.
  9. When downloading the client with Embed policy, if the PGP Universal Server hostname field is filled in and that server is reachable, the Embed policy will not work properly. Either enter a hostname that does not exist, so the PGP Whole Disk client cannot contact the PGP Universal Server, or ensure the client has no network path to the existing PGP Universal Server.
  10. Leave the Mail Server Binding empty, as a binding will also cause the Embed policy to fail.
  11. Click Download. When installing, there should be a prompt confirming that a locally embedded administrator preference will be used. If this prompt does not appear, the configured install should be re-created following the steps outlined above.


Caution: Make sure when creating the PGP Configured Install with the Embed policy option that a Whole Disk-Only license number is being used, that is, the license number only enables Whole Disk Encryption.  License numbers that enable email encryption will cause problems when attempting to send email.


Changing PGP Desktop Configured Client Policies


Note: If there is a requirement to install a new PGP Desktop configured client with the Embed option, or a Standard PGP Desktop configured client that must contact a PGP Universal Server, be sure to delete the PGP preferences (both Embedded and Standard preference files) that are left behind as these files will interfere with the new installation and will use old settings.

PGP preference files for Windows 2000/XP:

Embedded preference file: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP\PGPadmin.xml
Standard preference files: C:\Documents and Settings\<User Account>\Application Data\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml

PGP preference files for Windows Vista:

Embedded preference file: C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml
Standard preference files: C:\Users\<User Account>\AppData\Roaming\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml

Delete the PGP preference files only after PGP has been uninstalled: PGP re-creates these files the next time it runs, so make sure they are removed once the uninstall has completed.



Errors caused by the Embed policy option 

If the Embed policy option has been used during the creation of a Standard configured PGP Desktop installation that must contact a PGP Universal Server, the enrollment process will not work properly and the error "Unable to connect to configuration server" can occur.

If using a Standard configured PGP Desktop installation and sending Whole Disk Recovery Tokens to the PGP Universal Server is enforced, the error "The administrative server is not available for storing the Whole Disk Recovery Token" will be displayed.

In addition to the errors displayed above, enrolling with LDAP will also be problematic. The Embedded preference policy was not designed to connect to any PGP Universal Servers. Because this connection cannot be established with the PGP Universal Server, an email address prompt will be displayed instead of LDAP credentials during LDAP enrollment.  Enrollment will fail at this point and will display one or more of the errors displayed above.

The solution to the above errors when using a Standard PGP Desktop configured install that must contact a PGP Universal Server is to uninstall the PGP Desktop software, delete the above-mentioned preference files (PGPprefs.xml and PGPadmin.xml), and create a new configured installation without the Embed policy option. To obtain a completely fresh installation, delete the PGP Corporation folders located in Application Data (AppData for Windows Vista).

If the intention was to use a configured policy with the Embed option and the PGP Whole Disk client is unable to contact the PGP Universal Server, most likely a valid hostname for the PGP Universal server was used.  This should be changed to an invalid hostname so the PGP Whole Disk client does not attempt to contact the PGP Universal Server. Also, a Mail Server Binding may have been entered. In both cases, a new PGP Desktop configured install should be created with the Embed option.
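The following PowerShell script is an added example, not part of the Symantec article. It checks the preference-file locations listed above (both the Windows 2000/XP and Vista layouts) to show whether a machine still carries an embedded policy (PGPadmin.xml) or standard preferences (PGPprefs.xml, PGPpolicy.xml), which is the first thing to look at when diagnosing the "Unable to connect to configuration server" and Recovery Token errors, and with -Remove deletes them after an uninstall so a new configured install starts clean. The profile enumeration and the -Remove switch are this script's own assumptions.

```powershell
# Added example (not from the article): report and optionally remove the
# PGP Desktop preference files that interfere with a new configured install.
param([switch]$Remove)

# Per-machine (embedded) and per-user (standard) locations for each layout,
# exactly as listed in the article.
$layouts = @(
    @{ Name     = 'Windows 2000/XP'
       Embedded = 'C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP\PGPadmin.xml'
       Profiles = 'C:\Documents and Settings'
       UserSub  = 'Application Data\PGP Corporation\PGP' },
    @{ Name     = 'Windows Vista'
       Embedded = 'C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml'
       Profiles = 'C:\Users'
       UserSub  = 'AppData\Roaming\PGP Corporation\PGP' }
)

$found = @()
foreach ($l in $layouts) {
    # An embedded policy file means the install was built with the Embed option.
    if (Test-Path -LiteralPath $l.Embedded) {
        Write-Host "[$($l.Name)] embedded policy present: $($l.Embedded)"
        $found += $l.Embedded
    }
    # Standard preferences live under every user profile, so walk all of them
    # (Where-Object keeps this working on PowerShell 2.0, which lacks -Directory).
    if (Test-Path -LiteralPath $l.Profiles) {
        $profiles = Get-ChildItem -LiteralPath $l.Profiles | Where-Object { $_.PSIsContainer }
        foreach ($profile in $profiles) {
            foreach ($name in 'PGPprefs.xml', 'PGPpolicy.xml') {
                $p = Join-Path (Join-Path $profile.FullName $l.UserSub) $name
                if (Test-Path -LiteralPath $p) {
                    Write-Host "[$($l.Name)] standard preference for $($profile.Name): $p"
                    $found += $p
                }
            }
        }
    }
}

if ($found.Count -eq 0) {
    Write-Host 'No PGP preference files found; a new configured install will start clean.'
} elseif ($Remove) {
    # Only meaningful after PGP Desktop has been uninstalled: PGP re-creates
    # these files the next time it runs.
    foreach ($f in $found) { Remove-Item -LiteralPath $f -Force; Write-Host "Removed $f" }
} else {
    Write-Host 'Re-run with -Remove after uninstalling PGP Desktop to delete these files.'
}
```

Run it without -Remove first to see which mode the leftover files indicate; an embedded PGPadmin.xml on a machine meant for a Standard install explains the enrollment errors above.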


Note: PGP Universal Server 3.2 has a current issue where the Embed Policy option prevents encrypting a machine.  Please see the following article for more details:

