PGP Desktop (Symantec Encryption Desktop) does not automatically decrypt messages in Outlook (Outlook PST Growth Disabled)

Article ID: 153934
Products: Desktop Email Encryption, Encryption Management Server, Drive Encryption, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Encryption Desktop (PGP Desktop) can encrypt and decrypt email automatically, without the user going through extra steps.  When a user sends a message, PGP Desktop looks for the recipient's key and, if one is available, encrypts to it.  In the other direction, when an encrypted message arrives, PGP Desktop can decrypt it automatically.  If messages arrive encrypted but the PGP Desktop client does not decrypt them automatically, security policies in the environment may be preventing it.

One symptom of a PGP message that is not decrypted in Outlook is that you see attachments instead of the body of the message.

For Emails encrypted with PGP/MIME encoding, you will have two attachments:

  1. Version.txt
  2. Message.pgp


For Emails encrypted with PGP-EML encoding, you will have one attachment:

  1. Message.pgp


For emails encrypted with PGP Partitioned encoding, each encrypted attachment keeps its .pgp extension, and the message body shows only a block of PGP ciphertext instead of readable text.

You may or may not receive an error message when you click on an encrypted message for decryption.  In some cases, when you click on a message, the PGP Tray notification states that the item is Not secured by sender - it is treated as an unencrypted message.

This article offers troubleshooting steps to help resolve this issue.

Environment

  • Symantec Encryption Desktop 10.5 and above.
  • Microsoft Outlook 2013 and above.

Cause

By default, Symantec Encryption Desktop creates a PST file which it uses as temporary storage while decrypting email.
This PST file is not added to the user's Outlook profile, but it is named after the Outlook profile name.

For example, if the profile is named Outlook, this PST file is created:

"%LOCALAPPDATA%\PGP Corporation\PGP\Outlook_U.pst"

Because of this, if your organization blocks PST creation or growth entirely through Group Policy (GPO), PGP Desktop cannot create or write to this file, and automatic decryption fails.

For further information on the Outlook PST policies and registry values described in Section 3 below, see the Microsoft article How to use Outlook policy to control PST use and creation in the Office 365 Import service.

Resolution

The following sections provide information on how to get decryption working, including changes to Outlook policies as well as to PGP policies.


Section 1 of 5: Security Exclusions for PGP Desktop

Symantec always recommends adding exclusions to your security applications to ensure our software and drivers will be able to launch properly. 
For information on which binaries to add, see the following article:
200696 - Symantec Encryption Services - Add Symantec Encryption programs to safe list or exclusions in security software

Section 2 of 5: Ensure you have the private key to decrypt

Also make sure that the keypair to which the message was encrypted is available on the client; without the matching private key, no policy change will make decryption work.  If automatic decryption is not working, use the Clipboard or Current Window features to decrypt manually and confirm that the message can be decrypted at all.  For more information on this, see the following article:
180267 - HOW TO: Encrypt/Decrypt Text Using the Current Window feature with Symantec Encryption Desktop (PGP Desktop) for Windows

If none of the above has allowed PGP to decrypt, and you are sure no other security policies or applications are at play, proceed to the next steps:

Section 3 of 5: Applicable Outlook Security Policies

If the following Group Policies for Outlook are changed from the defaults, PGP Desktop cannot create and/or use the PST file that it needs.

Item 1 of 5 -  Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs

This policy is set to Not Configured by default. It can be set to:

  • (default) PSTs can be added (disablepst in the registry has a value of 0)
  • No new PSTs can be added (disablepst has a value of 1)
  • Only Sharing-Exclusive PSTs can be added (disablepst has a value of 2)

It affects the following registry key. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook
  • Value name: disablepst
  • Value type: REG_DWORD
  • Valid values: 0, 1, 2

Recommendation: Set the "disablepst" value to "0" to allow PST files.  If this policy is enabled (value 1 or 2), automatic decryption may not be possible.

Item 2 of 5 - Prevent users from adding new content to existing PST files

This policy is set to Not Configured by default. It can be set to Disabled (pstdisablegrow in the registry has a value of 0) or Enabled (pstdisablegrow has a value of 1).

It affects the following registry key. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst
  • Value name: pstdisablegrow
  • Value type: REG_DWORD
  • Valid values: 0, 1

Recommendation: Set the "pstdisablegrow" value to "0" to allow users to add new content to existing PST files.

Item 3 of 5 - Do not change Windows Group Policies

The simplest solution is to leave the above Windows Group Policies at their default values. 

In environments where GPO may block this, you may need to get an exception to allow these PST policies.

Important Note: Even if you are able to change these values in the registry because you are a local administrator on the machine, a GPO that enforces different settings will overwrite the changes you make to the registry settings.
Work with your security team to get these policies allowed so that the PGP Desktop client can decrypt emails properly.


Item 4 of 5 - (Outlook setting)  Allow content to be added only to existing PSTs

This will prevent users from adding new PST files to their Outlook profile but allow existing PST files to be used:

  1. Set the Group Policy Prevent users from adding new content to existing PST files to Not Configured or Disabled.
  2. Set the Group Policy Prevent users from adding PSTs to Outlook profiles and/or prevent using Sharing-Exclusive PSTs to Enabled or Only Sharing-Exclusive PSTs can be added.

Item 5 of 5 - (PGP Setting) Register Encryption Desktop as Trusted

If your organization has enabled both Windows Group Policies, this option registers Encryption Desktop as a process that is trusted to create PST files and therefore the Windows Group Policies will not apply to Encryption Desktop.

First add the following key to the registry. Note that the Office version number will change according to the version of Office you are using:

  • Location: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst
  • Value name: PSTDisableGrowAllowAuthenticodeOverrides
  • Value type: REG_DWORD
  • Value: 1

Then add a policy preference to the user's Encryption Management Server policy. To add the policy preference, login to the administration console and then:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to edit.
  3. In the General section, click on the Edit button.
  4. Click on the Edit Preferences button.
  5. Set the following preference and then click the Save button:
  • Pref name: mailEnablePSTAuthentication
  • Type: Boolean
  • Value: true

Once the clients have downloaded the modified policy, the %LOCALAPPDATA%\PGP Corporation\PGP\Outlook_U.pst file will be created and users will be able to decrypt messages.
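The following PowerShell script is an added diagnostic, not part of this article or of Symantec's software. It reads the three registry values from Items 1, 2 and 5 for every Office version present under HKCU, flags the combinations that block PGP Desktop's cache PST, and checks whether the cache PST exists. The Office version list and the cache file pattern *_U.pst (derived from the Outlook_U.pst example in the Cause section) are assumptions.

```powershell
# Added diagnostic, not part of the Symantec article. Read-only: reports the
# Outlook PST policy values from Section 3 for each Office version present under
# HKCU, explains which ones would block PGP Desktop's cache PST, and checks
# whether the cache PST exists under %LOCALAPPDATA%\PGP Corporation\PGP.
# Run it in the affected user's session (the policies live under HKCU).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-Value($Value) {
    if ($null -eq $Value) { 'not set (policy Not Configured)' } else { "$Value" }
}

# Office versions checked (assumed list): 14.0 (2010), 15.0 (2013), 16.0 (2016 and later).
$officeVersions = '14.0', '15.0', '16.0'
$problems = @()

foreach ($v in $officeVersions) {
    $outlookKey = "HKCU:\SOFTWARE\Policies\Microsoft\Office\$v\Outlook"
    $pstKey     = "$outlookKey\PST"
    if (-not (Test-Path -Path $outlookKey)) { continue }

    $disablePst    = Get-PolicyValue -Path $outlookKey -Name 'DisablePST'
    $disableGrow   = Get-PolicyValue -Path $pstKey     -Name 'PSTDisableGrow'
    $allowOverride = Get-PolicyValue -Path $pstKey     -Name 'PSTDisableGrowAllowAuthenticodeOverrides'

    Write-Output "Office $v"
    Write-Output ("  DisablePST                               : {0}" -f (Format-Value $disablePst))
    Write-Output ("  PSTDisableGrow                           : {0}" -f (Format-Value $disableGrow))
    Write-Output ("  PSTDisableGrowAllowAuthenticodeOverrides : {0}" -f (Format-Value $allowOverride))

    # Item 1: 1 = no new PSTs can be added, 2 = only Sharing-Exclusive PSTs.
    if ($disablePst -in 1, 2) {
        $problems += "Office ${v}: DisablePST=$disablePst blocks creation of new PST files (Item 1)."
    }
    # Item 2: growth disabled, and no Authenticode override (Item 5) to exempt PGP Desktop.
    if ($disableGrow -eq 1 -and $allowOverride -ne 1) {
        $problems += "Office ${v}: PSTDisableGrow=1 without PSTDisableGrowAllowAuthenticodeOverrides=1 blocks adding content to the cache PST (Items 2 and 5)."
    }
}

# Cause section: the cache PST is named <profile>_U.pst and is not part of the Outlook profile.
$pgpDir   = Join-Path -Path $env:LOCALAPPDATA -ChildPath 'PGP Corporation\PGP'
$cachePst = Get-ChildItem -Path $pgpDir -Filter '*_U.pst' -File -ErrorAction SilentlyContinue
if ($cachePst) {
    $cachePst | ForEach-Object { Write-Output ("Cache PST present: {0} ({1:N0} bytes)" -f $_.FullName, $_.Length) }
} else {
    $problems += "No *_U.pst cache file found in $pgpDir; PGP Desktop has not been able to create it."
}

if ($problems.Count -eq 0) {
    Write-Output 'No blocking PST policy found; check Sections 1, 2 and 4 next.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If a value is reported as set, gpresult /r /scope:user lists the Group Policy Objects applied to the user, which tells you whether a manual registry change would simply be reverted at the next policy refresh (the Important Note under Item 3).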




Section 4 of 5. Use IStorage instead of PST files

If your organization has enabled both Windows Group Policies, you can add a policy preference to the user's Symantec Encryption Management Server (PGP Server) policy which will cause Outlook to use IStorage instead of PSTs. However, there are a number of disadvantages to using IStorage:

  • It is relatively slow, especially for large and complex messages or ones containing many recipients. It may not be able to handle mails with complex OLE objects.
  • It cannot handle more than several hundred recipients.
  • It does not support unicode natively and has issues with some character sets.
  • It does not have built in synchronization between plain text and rich text (HTML, RTF). Therefore some searching will not work.

To add the policy preference, login to the administration console and then:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to edit.
  3. In the General section, click on the Edit button.
  4. Click on the Edit Preferences button.
  5. Set the following preference and then click the Save button:
  • Pref name: mailDisablePSTCacheStore
  • Type: Boolean
  • Value: true

Once the clients have downloaded the modified policy they will be able to automatically decrypt PGP/MIME format messages in Outlook but note that they will still not be able to decrypt PGP-EML format messages.

Section 5 of 5. Information for Standalone PGP Desktop Clients

If you are using a PGP Desktop client that is not controlled by a PGP Server, then this section will apply, otherwise see the above sections for managed PGP Desktop clients.


We will be setting the values "mailEnablePSTAuthentication" and "mailDisablePSTCacheStore" to true in the PGPprefs.xml file with the following steps:

Step 1: Exit the PGP services before making these changes.  Click the PGP padlock icon in the notification area (next to the clock) and then click "Exit PGP Services".

Also close Outlook so it is no longer running.

Step 2: Set both entries to true in the PGPprefs.xml file.  To find this file, open Windows Explorer (Windows Key + E) and type the following in the address bar:

%appdata%

This opens a location similar to the following:

C:\Users\username-here\AppData\Roaming

Navigate to C:\Users\username-here\AppData\Roaming\PGP Corporation\PGP

Step 3: Right-click the "PGPprefs.xml" file and open it in Notepad++ or WordPad.  Do not use notepad.exe to edit this file.


Step 4: Search for mailDisablePSTCacheStore and set the value beneath it to true (instead of false), like this:

<key>mailDisablePSTCacheStore</key>
<true></true>

This key appears twice in the file, so make sure you change both occurrences.


Step 5: Next, search for mailEnablePSTAuthentication and set the value beneath it to true (instead of false), like this:

<key>mailEnablePSTAuthentication</key>
<true></true>

Again, change both occurrences.

After you have made these changes (four locations in total in the PGPprefs.xml file), save and close the file.


Step 6: Open the Windows Registry Editor.  Back up the registry before making the changes.

Navigate to the following location:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst\

On the right side, double-click pstdisablegrow and change the value to 0 (it may have been set to 1).

Step 7: In the same location (HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\outlook\pst\), double-click PSTDisableGrowAllowAuthenticodeOverrides and set the value data to 0 (it was set to 1).

Once you have made these changes, launch Outlook.  If Outlook was already running, close and re-launch it.

The emails should now be decrypting properly.  If not, there may be other GPO settings that control PSTs, and you may need to work with your security team to allow PST creation and growth.
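The following PowerShell script is an added example, not part of this article or of Symantec's software; it automates Steps 2 to 7 of the standalone-client procedure above. It assumes the plist-style layout of PGPprefs.xml (each <key>name</key> followed by a boolean element written as <false/> or <false></false>), Office version 16.0 as in the article's registry paths, and the process names PGPtray, PGPserv and OUTLOOK for the Step 1 check; those names are assumptions, not taken from the article.

```powershell
# Added example, not part of the Symantec article: applies Steps 2 to 7 of the
# standalone-client procedure (edit PGPprefs.xml, then the two registry values).
# Step 1 (Exit PGP Services, close Outlook) is still done by hand; the script
# refuses to run while those processes are alive.
# Assumptions: PGPprefs.xml is plist-style XML in which each <key>name</key> is
# followed by a boolean written as <false/> or <false></false>; the process
# names below are assumed; the Office version is 16.0 as in the article's paths.

$officeVersion = '16.0'
$prefsPath = Join-Path -Path $env:APPDATA -ChildPath 'PGP Corporation\PGP\PGPprefs.xml'
$pstKey    = "HKCU:\SOFTWARE\Policies\Microsoft\Office\$officeVersion\Outlook\PST"
$prefNames = 'mailDisablePSTCacheStore', 'mailEnablePSTAuthentication'

# Step 1 guard: PGP services and Outlook must not have the files open (process names assumed).
$running = Get-Process -Name 'PGPtray', 'PGPserv', 'OUTLOOK' -ErrorAction SilentlyContinue
if ($running) {
    throw ("Exit PGP Services and close Outlook first; still running: {0}" -f (($running.Name | Sort-Object -Unique) -join ', '))
}

if (-not (Test-Path -Path $prefsPath)) { throw "PGPprefs.xml not found at $prefsPath" }

# Steps 2 to 5: keep a backup, then flip each <false> that follows one of the two keys.
Copy-Item -Path $prefsPath -Destination "$prefsPath.bak" -Force
$xml = [System.IO.File]::ReadAllText($prefsPath)
$changed = 0
foreach ($name in $prefNames) {
    $pattern = "(?<key><key>$([regex]::Escape($name))</key>\s*)(<false\s*/>|<false>\s*</false>)"
    $hits = [regex]::Matches($xml, $pattern).Count
    # The article expects each preference twice; any other count deserves a manual look.
    if ($hits -ne 2) { Write-Warning "$name found $hits time(s) set to false (expected 2)." }
    $xml = [regex]::Replace($xml, $pattern, '${key}<true></true>')
    $changed += $hits
}
# Write back as UTF-8 without a byte-order mark (assumed encoding of the file).
[System.IO.File]::WriteAllText($prefsPath, $xml, (New-Object System.Text.UTF8Encoding($false)))
Write-Output "PGPprefs.xml: $changed value(s) changed to true (backup at $prefsPath.bak)."

# Steps 6 and 7: re-enable PST growth and clear the Authenticode override, as the article does.
# A GPO that enforces these values will overwrite them at the next policy refresh (Item 3).
if (Test-Path -Path $pstKey) {
    Set-ItemProperty -Path $pstKey -Name 'PSTDisableGrow' -Value 0 -Type DWord
    Set-ItemProperty -Path $pstKey -Name 'PSTDisableGrowAllowAuthenticodeOverrides' -Value 0 -Type DWord
    Write-Output "Registry: $pstKey PSTDisableGrow=0, PSTDisableGrowAllowAuthenticodeOverrides=0."
} else {
    Write-Output "Registry: $pstKey does not exist, so no PST growth policy is set for Office $officeVersion."
}
Write-Output 'Relaunch Outlook to confirm that messages decrypt.'
```

Run the script in the affected user's session, since both PGPprefs.xml and the policy key are per-user; compare the rewritten file against the .bak copy before relaunching Outlook if the warning about an unexpected match count appears.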

If you have tried all of the above, contact Symantec Encryption Support for further guidance. 

Additional Information

If you are unable to change the GPO to allow decryption of MAPI emails, the PGP Viewer and the Current Window/Clipboard features allow you to decrypt content manually.  For more information on these topics, see the following articles:


155681 - How to use Email Encryption with PGP Desktop and Outlook

180267 - HOW TO: Encrypt/Decrypt Text Using the Current Window feature with Symantec Encryption Desktop (PGP Desktop) for Windows

153463 - Using PGP Viewer to decrypt email messages encrypted with PGP content

191087 - How to configure Symantec Encryption Desktop to automatically encrypt Gmail in Outlook

153934 - Encryption Desktop does not automatically decrypt messages in Outlook