You wish to change the key mode of an Encryption Management Server internal user from SKM to GKM (or CKM). This may be required if, for example, a user is using Encryption Management Server as a mail encryption gateway but now requires Encryption Desktop for end-to-end email encryption.
Symantec recommends that Encryption Desktop clients use SKM key mode unless there is a very specific reason not to. However, if your organization standardized on GKM mode some years ago, you may decide to continue using it. Please see article TECH149029 for more information about key modes.
After you move the user to an Encryption Management Server group that uses only GKM key mode, Encryption Desktop notifies the user that their key mode has changed and prompts them to create a passphrase. After the user enters a passphrase, Encryption Desktop notifies them that their key mode could not be changed.
Encryption Desktop displays the following message to the user:
Unable to change Key Mode. Contact your security administrator.
The Encryption Desktop log contains the following entry:
09:23:24 PGP Error Key Mode change has failed with an error: insufficient privileges (-11972)
This is by design. SKM mode keys are managed by Encryption Management Server.
One solution is to provide the user with a new GKM mode key:
%appdata%\PGP Corporation"
and starting PGP Tray.
Alternatively, you can give the user's new group permission to convert their SKM mode key to GKM mode: