
Unmanaged WDE to Managed WDE (without decryption)

Created: 06 Mar 2013 • Updated: 15 Apr 2013 | 2 comments
VRSM
This issue has been solved. See solution.
Hi all. 
 
I'd appreciate any ideas on the following scenario.
 
I'm dealing with some unmanaged encrypted disks, however now we're moving to a managed environment. The thing is that it'd be really good (in terms of time) to find a way to turn those unmanaged encrypted disks into managed encrypted disks without decryption.
 
I've done some tests and deployed the policies created in the Encryption server onto the unmanaged disks; we didn't decrypt the disks (to save a lot of time). The policy establishes deployment of SKM + ADK + disk admin passphrase + SSO integration. The unmanaged disks have their own admin and user. Therefore, after installing the agent generated from the EncServer (without uninstalling the previous one) we can see in the Encryption Desktop all of these users, "old" and "new". BUT the problem is that I cannot manually delete the old users, we cannot manually add new users, and worst of all we cannot decrypt the disk with any user, old or new.
 
I'm thinking as well that the policy from the Encryption server says to encrypt the Windows partition while the unmanaged deployment said to encrypt the whole disk; this might cause some "conflicts".
 
Any thoughts?
 
Any help would be very appreciated.
 
Cheers.
2 Comments

vaibhav_jain1

Try changing the PGP stamp: in the registry, set PGPSTAMP to ovid=<IP Add of PGP UN>

This should make the clients managed.

WDE Admin passphrase will be updated; you should be able to add and delete users.

Let us know what happens
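As an added example (not code from the thread or from Symantec) of the stamp change the comment above describes, the PowerShell script below rewrites only the ovid field of PGPSTAMP and keeps a copy of the original value. The registry key path, the '&'-separated key=value layout of the stamp and the server address are assumptions; run it with -DryRun first to see the change without writing it.

```powershell
# Added example, not from the thread. Assumes the client keeps its stamp in the
# string value PGPSTAMP under HKLM:\SOFTWARE\PGP Corporation\PGP (key path is an
# assumption; PGPSTAMP is the value named in the comment above). Run elevated.
param(
    [Parameter(Mandatory)][string]$ServerAddress,            # placeholder, e.g. keys.example.local
    [string]$KeyPath = 'HKLM:\SOFTWARE\PGP Corporation\PGP', # assumed location of the stamp
    [switch]$DryRun                                          # show the new value, write nothing
)

$current = (Get-ItemProperty -Path $KeyPath -Name PGPSTAMP -ErrorAction Stop).PGPSTAMP
Write-Host "Current PGPSTAMP: $current"

# The stamp is assumed to be '&'-separated key=value pairs (e.g. ovid=host&mail=...).
# Replace or add ovid only and keep every other field the installer wrote.
$pairs = [ordered]@{}
foreach ($p in ($current -split '&' | Where-Object { $_ })) {
    $k, $v = $p -split '=', 2
    $pairs[$k] = $v
}
$pairs['ovid'] = $ServerAddress
$new = ($pairs.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '&'
Write-Host "New PGPSTAMP:     $new"

if ($DryRun) { return }

# Keep the original stamp beside the new one so the change can be reversed.
Set-ItemProperty -Path $KeyPath -Name PGPSTAMP_BACKUP -Value $current
Set-ItemProperty -Path $KeyPath -Name PGPSTAMP -Value $new
Write-Host "PGPSTAMP updated; original saved as PGPSTAMP_BACKUP. Reboot and check the client enrolls with the server."
```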

Mehmood

You can move unmanaged clients to managed clients without decryption

Please refer to this article: http://www.symantec.com/docs/HOWTO79579

The users that can be added must be members of your AD.

When you attempt to delete a user in PGP Desktop, you'll be prompted for a password. Enter the enrolled user's PW; it should work.

ADK can be used to decrypt the disks or files that were encrypted after the ADK was created.

Disk admin or WDE admin passphrase is only used to decrypt the whole disk, not files, and can be used to log on at the BootGuard screen.

In your case, in order to serve the purpose of ADK & disk admin passphrase you must decrypt all the disks & encrypt again once they become managed devices.

SOLUTION