Video Screencast Help

Managed PGP Desktop Update

Created: 20 Mar 2012 | 6 comments

Hello! I have an updated PGP Universal Server 3.2.0.  I need to update managed PGP Desktops 10.1 to 10.2. But none of our AD users has local Administrator permissions on their computers. How can I update them without giving users any additional permissions. Thank you!

Comments 6 CommentsJump to latest comment

Daichi Terada's picture

Hi Magda,

Installation of PGP Desktop requires administrative privilege.

Thus, you need to install it using a management tool such as Symantec Altiris, Microsoft System Management Server, Microsoft Active Directory Group Policy if you don't want to give end users additional privilege.

The Installer package used by PGP Desktop is a Microsoft Windows Installer (MSI) package so it should be easy if you already have a management tool.


Daichi Terada, CISSP

Magda's picture

Hi Daichi,

I thought so and tried it.

But if I download MSI package from the updated PGP Universal Server 3.2.0 and install it on the computers with PGP Desktops 10.1, after the computer is restarted, PGP Wizard starts. It asks about the user's e-mail address and so on. (enrollment wizard). We have a lot of users and it's impossible to tune every computer manually after this installation. May I somehow prevent starting this wizard?

Thanks for your help!

Julian_M's picture

When Universal is updated, its also updated clients on it. If you policy allows this, users will be prompted to update to new PGP Desktop version, they click ok and installation is transparent, they should not need admin privileges and should not be asked to enroll again.

Go to server policy, look for "Notify users of software updates and automatically download" , in the General section.

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

Magda's picture

Hi, Julian,

As it's announced in Symantec's Knowledge base "Note: Installing the update requires users to have local Administrator permissions on the computer", "The user must have administrator rights on the computer, otherwise no prompts will appear indicating a new version is available"

I tried it myself and it's true. :)

As you wrote, in this case the installation is transparent and users are not asked to enroll again, but all this is impossible and even no prompts will appear indicating a new version is available, if users don't have admin privileges on their computers. 

How can I update managed PGP Desktops, when Universal is updated, without giving our AD users admin privileges, because it's impossible according to our security policy?


Julian_M's picture

You can deploy msi installation file using GPO, but installing this way requires uninstalling older version and decrypting drives...

I suggest this:
Enroll domain admin account to Universal, on each computer.

After server upgrade , you should be prompted to update PGP. Do it overnight since users are not logged.

PGP will be updated for every user in that computer.

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

Magda's picture

Thanks, Julian,

but I'd like to clarify your suggestion... I have 400 computers in 3 different buildings. Do I have to enroll domain admin account to Universal on each computer manually? If I understood correctly, it's almost impossible and takes a lot of time.

Perhaps, some other ideas... more centralized, please