HOW TO: Update PGP Encryption Desktop for Windows in a managed environment (Symantec Encryption Desktop)
search cancel

HOW TO: Update PGP Encryption Desktop for Windows in a managed environment (Symantec Encryption Desktop)


Article ID: 153363


Updated On:


Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


This article details how to update PGP Encryption Desktop (Symantec Encryption Desktop) in a managed environment (PGP Desktop policy is managed by a PGP Server) as well as "Standalone" environments where the PGP Desktop client does not talk to a PGP Encryption Server.




There are several methods for updating the PGP Desktop client to systems.  This will discuss several scenarios for doing so:


Scenario 1: Managed PGP Desktop Clients - Deploy client updates via Deployment Software, such as IT Management Suite (Recommended)

The PGP Desktop client is a typical MSI file so you can deploy it using all the supported msiexec installation options.  The only requirement is to ensure the systems are rebooted after update fairly soon after the installation is finished.  
It is okay to delay the reboots, and you can do a silent install where the users do not see the installation happening, but it's recommended to reboot the system as soon as possible after the new version is installed. 

TIP: It is recommended to deploy PGP Desktop clients via deployment software, such as IT Management Suite (Altiris) as this deployment solution can install with the proper administrative permissions.  For information on how to create a PGP client, see the following article:

180244 - HOW TO: Download Encryption Desktop Client Installers in Symantec Encryption Management Server



Scenario 2: Manually install the new version (Managed or Standalone)

In order to install the PGP Encryption Desktop Client on a system manually, you can download the MSI file from either the download portal, or the PGP Server. 

The download portal will download only the "Standalone" clients, and are ideal for standalone setups where the PGP Desktop client is not talking to a server for policy and licensing.

To install the update over a standalone client, simply download the MSI and install it over the top of the system.  Reboot when finished.


If you are downloading the PGP Desktop client update from the PGP Server, see the following article for how to properly download the client:

180244 - HOW TO: Download Encryption Desktop Client Installers in Symantec Encryption Management Server

Once the client is downloaded, deploy these MSI files to each system in the environment and reach out to Symantec Encryption Support if further guidance is needed.


Scenario 3: Managed PGP Desktop Clients - PGP Desktop talks to a PGP Server for Updates and Policy for automatic updates

If a new version of PGP Desktop is available, PGP Desktop can be updated manually or configured to automatically check for updates (Managed Client Only). 

If you are using PGP Whole Disk Encryption please note that the drive has to be either fully encrypted or fully decrypted. It is not possible update PGP Desktop if the drive is only partially encrypted. The installation will be interrupted.

You must have an administrative account on the PC to be able to download and install updates. If you don't have an administrative account the newer version will not be downloaded and will not be installed. 

To use this functionally, the PGP Server must have the "Notify users of software updates..." setting enabled in the consumer policies:


Automatic updates for PGP Desktop is enabled by default in the Consumer Policy of the PGP Server. If the PGP Server has a newer version of the PGP Desktop client, it'll make it available.  The Client will be prompted for the update and can then be installed.  This works only if the user has admin permissions. 

Caution: If you have previously installed PGP Encryption Desktop using any special msiexec installation options, we highly recommend not using this option as it will install the software with all components enabled.  For example, if you installed with Email Encryption disabled, and use the auto update, email encryption will be installed. 
We generally don't recommend this option because it requires end users to be administrators on their machines.  Additionally, when end users are prompted for the update, they can easily dismiss the install, which means they can stay on older versions indefinitely.  This option was designed for very small environments where end users have full control over their systems. For guidance, reach out to Symantec Encryption support.