Unable to upload a whole disk recovery token to Symantec Encryption Management server
|Article:TECH149228|||||Created: 2008-11-13|||||Updated: 2013-12-05|||||Article URL http://www.symantec.com/docs/TECH149228|
During enrollment of a Symantec Encryption Desktop client (previously PGP Desktop) with Symantec Encryption Management Server (previously PGP Universal Server), when entering a passphrase to encrypt the disk, an error occurs and the Whole Disk Recovery Token (WDRT) is not uploaded to the server.
One of the following errors may be displayed in the Symantec Encryption Desktop/PGP Desktop client:
- The administrative server is not available for storing the administrative recovery token. Disk encryption cannot continue
- You do not have privilege to upload a Whole Disk Recovery Token to the server
Microsoft Windows XP
Microsoft Windows 7
Symantec Encryption Desktop (formerly PGP Desktop)
Symantec Encryption Management Server (formerly PGP Universal Server)
This is caused by an invalid or duplicate MACHINEGUID or Disk ID value stored in the Windows registry for the client. This issue can also be caused by having a matching existing entry of a WDRT on the server from a prior enrollment due to deleted missing machine/device information.
A duplicate MACHINEGUID can occur when using a computer image with Encryption Desktop\PGP Desktop pre-installed and enrolled on the image.
It is highly recommended to determine which problem is occurring to find the proper solution as this condition could lead to problems with Whole Disk Recovery Tokens not being sent to the server.
Before proceeding with any of these steps, it's important to do root-cause analysis and find which scenario is being experienced.
Verify the MACHINEGUID or Disk ID that exists in the registry is not a duplicate:
WARNING: Please do not modify PGP registry entries manually. Doing so can cause invalid data to be sent to the Symantec Encryption Management Server causing database inconsistencies that could lead to loss of WDRT integrity. The information included here is for reference only:
1. Open The Windows Registry Editor and browse to the PGP folder.
Windows 32-bit operating systems:
Windows 64-bit operating systems:
2. Check the MACHINEGUID value and compare it to other computers in the environment to see if they all have the same matching MACHINEGUID value.
3. Verify the Disk ID is not a duplicate by running the following commands at a Windows Command Prompt (Start > Run > CMD)
4. Change to the Program Files directory for Symantec Encryption Desktop:
cd c:\Program Files\PGP Corporation\PGP Desktop (32-bit)
cd c:\Program Files (x86)\PGP Corporation\PGP Desktop (64-bit)
5. Type pgpwde --list-users --disk 0 (replace disk 0 with the corresponding disk number if verifying a disk drive that is not the primary bootable disk)
6. Compare the output of that Disk ID with the one from the other computers having problems to see if there are duplicate values. It is also important that the Disk ID value for the --list-user output, matches the value for MACHINEGUID in the registry of the host machine for disk 0 (boot disk). If these two values do not match for the primary machine being reviewed, please see steps in Solution 1 to resolve the issue.
NOTE: If external hard disks are being used, it is possible for these external drives to have different Disk ID values than the MACHINEGUID value--this is normal. The condition only applies if the boot disk (Disk 0) does not match that of the MACHINEGUID value.
WARNING: PGP Desktop and/or Symantec Encryption Desktop does not currently support having two computers with the same MACHINEGUID value. Having the encryption client installed on corporate images can causes this condition.
See the following articles for more information:
If more than one computer has the same MACHINEGUID value (from the registry), Disk ID value, or if the MACHINEGUID value and Disk ID values do not match, remediation should be done for all systems affected by using following these steps:
- Decrypt the drive (if already encrypted).
- Uninstall Symantec Encryption Desktop (or PGP Desktop).
- Reboot the computer.
- Reinstall Symantec Encryption Desktop.
- Make sure that you reboot the computer when prompted.
- After the reinstalling, exit PGP Services by right-clicking on the PGP Tray icon and selecting Exit PGP Services.
- Browse to the users %appdata%\PGP Corporation folder and delete the PGPprefs.xml and PGPpolicy.xml files.
- Re-start PGP Services by clicking Start > All Programs > Startup > PGP Tray. The Enrollment Assistant begins to enroll the user.
- When attempting to re-encrypt the drive, you should no longer see the error.
A WDRT already exists for that client because the user and/or computer was possibly deleted from the server and you have already checked the MACHINEGUID value in the Windows registry. The computer has a unique MACHINEGUID identifier that does not match any other devices in your environment.
This issue was fixed in PGP Universal Server 3.2 which allows more than one Whole Disk Recovery Token to be stored on the server. Verify that you don't have a duplicate MACHINEGUID as described in scenario 1 and then upgrade your environment to the latest version of Symantec Encryption Management Server and Symantec Encryption Desktop.
To see the most recent version of Symantec Encryption Desktop, please see article TECH187067.
Article URL http://www.symantec.com/docs/TECH149228