Ensuring WDRT integrity when executing forced re-enrollment - PGP Desktop 9.x

Article:TECH149402  |  Created: 2009-04-29  |  Updated: 2012-02-03  |  Article URL http://www.symantec.com/docs/TECH149402
Article Type
Technical Solution


Issue



When executing a forced re-enrollment of PGP Desktop 9.x, there are specific scenarios in which the Whole Disk Recovery Tokens (WDRTs) are not properly synchronized to the PGP Universal Server. This can leave the server holding an invalid WDRT.



Solution




The conditions under which this may occur are:

  1. You are using non-matching client / server versions.

     For example, a PGP Whole Disk Encryption 9.7.2 client managed by PGP Universal Server v2.10, or a PGP Whole Disk Encryption 9.8 client managed by PGP Universal Server v2.9. This does not occur when the PGP WDE and PGP Universal Server versions match, e.g. 9.10/2.10.

  2. An administrator has deleted the user's account from the PGP Universal Server.

If re-enrollment has occurred under either of these conditions, you must regenerate the WDRTs.

How to regenerate a WDRT

Run the following pgpwde command on the client system to regenerate the WDRT.

Windows XP

  1. Click Start > All Programs > Run.
  2. Type cmd and click OK.
  3. At the command prompt, change to the PGP Desktop directory:

     cd\
     cd program files\pgp corporation\pgp desktop

  4. Type:

     pgpwde --new-wdrt --disk 0 --aa

     Note: Using the --aa option requires that the command be run by a member of the WDE-ADMIN group in Active Directory.

     If you do not use a WDE-ADMIN group in your environment, you can instead run the command with the user's credentials:

     pgpwde --new-wdrt --disk 0 --user "UserName" --passphrase "UserPassphrase"

  5. Close the command prompt.

Windows Vista & Windows 7

  1. Click Start.
  2. In the Start Search field, type cmd and press Enter.
  3. Click cmd in the displayed Programs list.
  4. At the command prompt, change to the PGP Desktop directory:

     cd\
     cd program files\pgp corporation\pgp desktop

  5. Type:

     pgpwde --new-wdrt --disk 0 --aa

     Note: Using the --aa option requires that the command be run by a member of the WDE-ADMIN group in Active Directory.

     If you do not use a WDE-ADMIN group in your environment, you can instead run the command with the user's credentials:

     pgpwde --new-wdrt --disk 0 --user "UserName" --passphrase "UserPassphrase"

  6. Close the command prompt.

Tip: When forcing re-enrollment of clients, do not delete user accounts on the PGP Universal Server.
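The same regeneration step as a script for Windows Vista / 7 clients, added here as an example and not part of the original article or of the PGP product: it checks whether the current account is a member of the WDE-ADMIN group, uses the --aa form when it is, and otherwise prompts for the user's credentials instead of leaving the passphrase in the command history. It assumes the group is literally named WDE-ADMIN, that pgpwde.exe lives in the directory the article gives, and that pgpwde returns exit code 0 on success.

```powershell
# Added example (not from the article): regenerate the WDRT on disk 0 with pgpwde.
# Assumptions: group name is exactly "WDE-ADMIN", install path as in the article,
# and a non-zero exit code from pgpwde means the token was not regenerated.

$PgpDir    = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop'
$PgpWde    = Join-Path $PgpDir 'pgpwde.exe'
$GroupName = 'WDE-ADMIN'   # Active Directory group named in the article

if (-not (Test-Path $PgpWde)) { throw "pgpwde.exe not found at $PgpWde" }

# Does the current token carry the WDE-ADMIN group (DOMAIN\WDE-ADMIN, any domain)?
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$isWdeAdmin = $identity.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
} | Where-Object { $_ -and (($_ -split '\\')[-1] -ieq $GroupName) } | Select-Object -First 1

if ($isWdeAdmin) {
    Write-Host "Running as $($identity.Name), member of $GroupName; using --aa"
    & $PgpWde --new-wdrt --disk 0 --aa
} else {
    Write-Host "Not a $GroupName member; falling back to --user/--passphrase"
    $user   = Read-Host 'WDE user name'
    $secure = Read-Host 'WDE passphrase' -AsSecureString
    # pgpwde takes the passphrase only as a plain argument, so decode it just before use
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        & $PgpWde --new-wdrt --disk 0 --user $user --passphrase $plain
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable plain -ErrorAction SilentlyContinue
    }
}

if ($LASTEXITCODE -ne 0) {
    throw "pgpwde --new-wdrt failed with exit code $LASTEXITCODE; the WDRT on the server may still be invalid"
}
Write-Host 'New WDRT generated; confirm it now appears for this user on the PGP Universal Server.'
```

After the script reports success, check the user's record on the PGP Universal Server to confirm the new token was synchronized, since a stale token there is exactly the failure this article describes.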

Legacy ID



1369




Terms of use for this information are found in Legal Notices