This article describes how to change an embedded policy PGP Desktop client to be managed by a PGP Universal Server without decrypting and uninstalling PGP Desktop.

For more information on the Embedded Policy client, and how to use it, see article TECH148945.

(This scenario assumes you are using LDAP Directory Synchronization for user enrollment.)

PGP Desktop clients with an embedded policy never receive any updated policy information from the PGP Universal management server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself. If a PGP Whole Disk Encryption deployment never connects to the PGP Universal Server, you cannot use Whole Disk Recovery Tokens or get policy changes/updates.

An embedded policy client can be changed to a managed client of the PGP Universal Server by editing the registry and re-enrolling the user without decrypting and uninstalling PGP Desktop. During enrollment the PGP Desktop client will generate a Whole Disk Recovery Token (WDRT) for a PGP Whole Disk Encrypted systems (if your client policy is set to do so).

You can find the PGP Universal Server registry PGPSTAMP setting in the following registry container:

32-bit systems: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\PGP Corporation\PGP

Example of PGPSTAMP value for a client with a preset policy:

ovid=keys.example.com&mail=*&group=b659cfb8-7f66-42d9-91a4-4c143b2cf72f&admin=1
 

Example of PGPSTAMP value for a managed client entry:

ovid=keys.example.com&mail=notesmail.example.01&admin=1.

 

Note: The mail server entry may also use a wildcard character * for the mail server entry. This allows users to bind automatically to all mail servers.

Note that the important difference between the two examples is the "&group=xxxxxx" section.   To convert to a managed client intead of an embedded policy, this group section must be removed from the registry entry.  (In the above example, to convert the preset policy client to a managed client reporting to the keys.example.com server, you would change 'ovid=keys.example.com&mail=*&group=b659cfb8-7f66-42d9-91a4-4c143b2cf72f&admin=1' to 'ovid=keys.example.com&mail=*&admin=1' .)

If needed, you can confirm the value of the desired PGP Universal Server registry PGPSTAMP setting on another managed client computer by looking at it's PGPSTAMP registry entry. Then copy the text to use on the new managed client. 

Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information on backing up the registry see the following article on the Microsoft support site:

How to back up and restore the registry

Sequence of steps to update an embedded client to a managed client and force re-enrollment:
 

1. Click the PGP Tray icon in the Windows System tray then click Exit PGP Services.
2. Browse to the following container in the registry and adjust the PGPSTAMP as needed to remove the "group" information (see above for details):
   
   32-bit systems: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
   64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\PGP Corporation\PGP

3. Browse to the PGP folder in Application Data folder for the user account:
   
   Windows XP: C:\Documents and Settings\%username%\Application Data\PGP Corporation\PGP
   Windows Vista/7: C:\Users\%username%\AppData\Roaming\PGP Corporation\PGP
    
4. Delete the PGPpolicy.xml and PGPprefs.xml files.
5. Browse to the PGP folder in Application Data folder for All users:
   
   Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
   Windows Vista/7: C:\ProgramData\PGP Corporation\PGP
    
6. Delete the PGPadmin file, if it exists.
7. Click Start > All Programs > Startup > PGPtray.exe. The PGP Enroll Assistant is displayed.
8. Enroll with the PGP Universal Server to update the user as managed PGP Desktop client.

Note: If using an different version of PGP Desktop than the corresponding version of the server e.g 10.2/3.2, you should send an updated Whole Disk Recovery Token (WDRT) to the server using the PGP command line utility on the client instead.