Silent enrollment and AD passwords
We are currently running the Universal server version 3.2.1 (Build 4869). I do have the Silent enrollment for PGP desktop clients enabled and everything works fine with it. The users get the PGP desktop client installed; they reboot the computer and sign in. Once they sign into AD they are presented with the PGP enrollment screen where they type in their Windows user name and AD password. Once this is done a Guarded Key pair (GKM) is created.
My concern now is that we have a password policy in place where the users need to change their AD passwords every 60 days. My question is, if we are using the GKM managed keys, will the new AD passwords be automatically synchronized with the client's local key pair and the copy on the Universal server as well? If not, is there a way to configure this so that minimal manual key management is required by the user? Our goal is to have the passwords with AD and PGP synchronized at all times so that people don't have to manage multiple passwords. Can someone give me details about this?
I also recently read that you can place an MSI switch for the client installs: "msiexec /i C:\pgpdesktop.msi PGP_INSTALL_DISABLESSOENROLL=0". This allows for a totally silent install, meaning the users will not even receive the PGP enrollment screen, I'm assuming. Is the key pair created based on the AD logon data then? Anyone have more details regarding this switch?