Video Screencast Help

No BootGuard please

Created: 18 Sep 2013 | 7 comments

I'm using PGP Universal  Server 3.2.1 and PGPDesktop 10.2.1_MP3

Is it possible to encrypt a drive without having a BootGuard/Passphrase screen???

We have about 200 machines that need the hard drive encrypted, but do not want the user to have to enter a passphrase at the BootGuard screen...

Is this possilbe, if so, how?


Operating Systems:

Comments 7 CommentsJump to latest comment

Arif.Khan's picture


Following Knowledge base will help you adding boot guard bypass. However if you have PGP-SSO (single sign on) enabled on drive encryption it will not be functional post adding boot guard bypass

Alex_CST's picture

That completely negates the point of having it encrypted in the first place.  If you put in place bypasses to go past the authentication, and the user gets their laptop stolen or left on a train, all the thief has to do is turn the machine on, it would bypass and they're into the system.

I would highly recommend not doing this.  If you want to make it easier, look at implementing smart cards to authenticate.

Also - they have to enter their domain credentials to log into the system anyway, why not just implement single sign on?  They only enter the details in once then.

Please mark posts as solutions if they solve your problem!

DannyPG's picture

To keep this simple I know the risk of no BootGuard... So no lectures please...

I need the computer to boot from OFF to the Windows login prompt - with no BootGuard/Passphrase inbetween... All the time, not just once...

Now - is there a way to encrypt the computer in such a manner. If so what 'switches and knobs' do I turn on the PGP server to allow this...

vaibhav_jain1's picture

Hi DannyPG,

Its mentioned above:

You can use Bypass option to bypass the BG. You would directly be taken to the Winlogon as you want.

Hope this helps. let me know if you face any issues.

DannyPG's picture

But doesn't the Bypass option only work for a single reboot?

I need it to work all of the time...


Alex_CST's picture

Hi Danny,

No there isn't.  You can implement smart cards and token authentications, but having a device encrypted then bypassing the very login that is the barrier to accessing the disk servces no purpose.

Please mark posts as solutions if they solve your problem!

DLFFB's picture


Not sure if you got your situation resolved, but we recently had the same needs and this is how we accomplished, in case it helps anyone else.
It is understood to be poor practice, but many of us have situations where it's needed. I'd rather have the machine encrypted and BootGuard bypass than no encryption at all.

These two articles helped us: (linked above) (look for PDF PGP_Whole_Disk_Encryption_Authenticated_Restart_Bypass )

The maximum number of bypasses (restarts of the machines) is 1,000,000. If you have machines that could ever reach that number of restarts, you can always re-run the bypass command to reset.

You have to set the preference in the Universal Server (first article). This is the upper limit that any client can ever be set to.
Then run the following command on your client (from my testing, you have to wait for the disk to finish encryption before this works).
"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe" --add-bypass --disk 0 --count 1000000 --admin-passphrase xxxxxx

or if using the WDE-ADMIN group
"C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpwde.exe" --add-bypass --disk 0 --count 1000000 --aa

Obviously change the --count xxx to reflect your needs

On power up/restart, you'll see a brief flash of the BootGuard screen and then push forward to the Windows login GINA.