Video Screencast Help

Best practices for PGP WDE process?

Created: 08 Mar 2011 | 4 comments

Hey guys, I was just trying to get some user community feedback on how best to setup new users in PGP WDE.  We have the latest version of PGP Desktop and are only really taking advantage of the WDE piece of our Universal Server (we don't use the email stuff and aren't doing anything crazy with encrypting/blocking external drives).

It's really our process of setting up new users that I'm kind of uncertain about.  Right now, we install PGP Desktop 10 on a new machine prior to deployment, then send the end-user instructions on how to create a passphrase and private key.  This works for the most part, but we have to do constant checks against the Universal Server to see if the user actually did it.  Does anyone else who uses WDE have a more efficient setup?

We've turned off the automated password recovery option, so if someone forgets their passphrase we send them a recovery token and then have them create a new passphrase at login.  We were thinking maybe we could encrypt the drives beforehand - from the new user's login - then when deploying it send them the recovery token and just tell them a new passphrase would need to be created.  My problem with that is that if the user canceled the "new passphrase" screen that pops up, we'd have to send them a token again.

Any ideas?  Thanks!

Comments 4 CommentsJump to latest comment

Battou's picture

You're missing out a lot of cool PGP US features:

  • Use Active Directory synchronization with auto-enrollement. This way, you can sort users by, say, AD user groups into PGP groups/policies.
  • Use the Customized PGP Desktop setup from your PGP US to automatically connect your users to your server
  • Use Consumer Policies to create the user's keys (I'd suggest GKM, but that ofc depends) and set your desired and enforced PGP Desktop settings

Our environment looks like this:
We install the customized setup on a computer. The user logs on and is immediatly prompted by the autoenrollement windows of PGP Desktop. There he must provide his windows password and... that's that, no more user interaction.
In the background, the PGP US creates key pairs according to consumer policy, for example 2048bit RSA in GKM and never expire. PGP Desktop then downloads the consumer policy and enforces it, that would include WDE options like automatically encrypt boot drive, prevent from decrypting, add WDE administrator passphrase. This way, the boot drive is encrypted according to your settings and the next time the user boots his machine he's greeted by your custom BootGuard skin ;-)

You might want to think about having the users set up the security questions, althoug that's somewhat... American and most of our users find it, for some reason, a huge pain in the uknowwhat.

seansean's picture

Hey Battou, thanks for the response!  We are doing some of that, but the third bullet point we're only half-doing it seems.  If an end-user logs into an unencrypted machine right now, they'll be prompted with a domain credentials PGP screen and then that'll auto-enroll them on the US.  They just have to run through the passphrase setup.  We do push a custom MSI install of PGP Desktop that has our specific settings in it.

When you're referring to the WDE Administrator Passphrase, is that something we can use an initial time, and then once the user enrolls and creates their own passphrase, they can get past BootGuard with their new phrase?  It sounds like your environment users single-sign on (maybe?) so that once they login and provide a Windows password, the encryption process starts afterward.  I think we researched that piece a little bit and it ended up not meshing well with some of our remote employees and their VPN access.  It seems like we could encrypt the drive using the WDE admin passphrase, deploy it to the end-user during a new hire orientation meeting, login for them, then have them walk through the steps to create their own WDE passphrase that'll allow them to login at the BootGuard screen.  Am I understanding that right or no? 

 

Catanzaro121's picture

Do I need to decrypt my entire hard drive, uninstall the PGP Program before I restore my computer to its original settings? Also what happended to the Chat Support for Bronze Maintenance for Windows. It has dissappeared.

Once I uninstall the program and restore my computer, where do I go to reinstall the PGP Whole Disk encryption. I own a license from January 4, 2011 until January 3, 2012.

 

Which version do I install? Can I have the short cut for the website? Thank you.

 

Dominic Todarello

908 581 9647

dtodarello@sopherfinancial.com

Tom Mc's picture

You would likely get better help by using the Create Content link to have this in your own thread.

I believe that Bronze Support no longer has Chat Support. 

This link should help you with seeing what software download is available for your license:

https://customercare.symantec.com/app/answers/deta...

You will probably want to use the latest version that your license includes eligibility for.

I don't know how you plan to restore your Dell original settings, but you will want to decrypt first if this is something major such as a from a recovery partition or recovery disks.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &