
PGP Desktop Enrollment is unusual

Created: 09 Sep 2013 • Updated: 24 Sep 2013 | 8 comments
chikarizee's picture
This issue has been solved. See solution.

Hi all, my situation is like this. When the PGP Desktop prompt comes up, we enter the password and click Next. After that, we select whether we are a new user or not. Then we click Next until we enter the next login for single sign-on. However, after I click Next on the new user prompt, it finishes straight away. Then I notice a file called PGP Shredder appears on the desktop, which it usually does not.


Alex_CST's picture

The PGP Shredder icon is usually an indicator that the user has enrolled with the Universal Server - I assume you have one?

It looks like you have silent enrollment enabled

Please mark posts as solutions if they solve your problem!

chikarizee's picture

I do not understand much on the server side as I only deploy for end users, meaning I manually push the software. From the log I see it stated that

"Certificate enrollment has failed with error : PGPError #-10970(-10970)

Requested policy does not match returned group policy

Mismatch group policy is usually caused by previous enrollment with different group policy"

Do you mind sharing if you have faced this kind of issue before? Thank you.

Alex_CST's picture

You need to select the "auto detect policy" when creating the installer :


chikarizee's picture

OK, noted. Right now I am on site to deploy the PGP WDE client, so how should I advise the PIC so that the ID will not face the problem, or do I need to generate a new installer? The situation is that we have 6 different installers, divided among 6 different regions. Central has no problem with the ID. It only occurred when we started deploying in the regions. One more thing: basically the ID that is having the problem is an ID that was just added to AD.

Alex_CST's picture

Using the "Preset" policy option is for implementations that are not going to be using LDAP to enroll.

If you are managing all 6 regions from 1 universal server, they should only ever need the same installer if you're doing LDAP enrollment.  You separate them out via the policy on the universal server, not the installer itself.


chikarizee's picture

I think I get what you mean now. However, the person who manages the server said that he already added the problem user ID into the same group policy. It usually happens to users who have just been added. At first, I thought maybe this problem was related to the installer, meaning that I need to generate a new installer for an ID that has just been added.

Alex_CST's picture

It looks like the server admin is taking the wrong approach to distributing the installers.  As I said, if all these "regions" are all controlled by the same Universal Server, there needs to be only 1 installer, with the auto-detect policy configured.

But if that isn't possible, can you post the PGPLog which is inside %appdata%\PGP Corporation\PGP?


chikarizee's picture

Hi. Somehow we already managed to find the solution.


When installing the client using each region's PGP-Client (e.g. Northern PGP-Client), some users will get the error where the group policy is different from the server. When viewing the logs, it shows that the client policy is different from the server. Thus, PGP is unable to start at all.


When logging in to the PGP Server, under consumer, and finding the particular username with the problem, notice that he/she was not added to the WDE-(Region) policy. By manually adding him/her into the group policy/group region and reinstalling the client, PGP is able to start.


This only occurs for certain users where the PGP-Server does not synchronize with the Domain Server. This might be an issue of the time delay between the two servers retrieving the information.

It looks like maybe there is a problem with synchronization, as it usually occurs for new users.