PGP Enrollment Prompt appears over and over in Virtual Environments

Article ID: 157763


Products

Encryption Management Server, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Encryption Suite, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

When PGP Encryption Desktop is used in virtual environments, such as VI / VDI environments, Dell Wyse vWorkspace, etc., where Roaming Profiles Persona Management is used instead of Windows Roaming, each login causes PGP Encryption Desktop to prompt for enrollment and ask for LDAP credentials.


 

Environment

- VI / VMware View Persona Management / Dell Wyse vWorkspace and PGP Encryption Desktop

*Potentially other virtualized environments that store user profiles on a network share.

Cause

Windows Roaming always loads the complete AppData\Roaming folder. Persona Management optimizes the login process by only loading specific parts.
 

Resolution

PGP Encryption Desktop uses a folder in %appdata%\Microsoft\Protect, which is unique to each user who logs in. Upon login, a unique folder is generated based on the user's profile, and inside this folder are the files used to protect encryption data. Upon initial enrollment, PGP Encryption Desktop uses this folder to establish authentication to the PGP Encryption Management server with an enrollment cookie. Each time the user logs in to the user profile, the enrollment cookie is authenticated, and communication with the Symantec Encryption Management Server is successful. If this folder is re-created at each login, the enrollment cookie is no longer linked to it, and the enrollment prompt forces the user to enroll again before the client can communicate with the server.

To prevent this re-enrollment behavior, the %appdata%\Microsoft\Protect folder must persist across user logins.

If the modified timestamp of the folder matches the time at which the user logged in to Windows, the folder is most likely not persistent.
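One way to run that timestamp check from inside the affected user's session, as an added example that is not vendor-supplied tooling. The `-ToleranceMinutes` window and the logon-time estimate (start time of the oldest readable process in the session) are assumptions of this sketch; pass `-LogonTime` if the real value is known.

```powershell
# Added example: flag a Protect folder whose modified time tracks the logon time.
param(
    # Assumption: how close to logon a timestamp must be to count as "matching".
    [int]$ToleranceMinutes = 5,
    # Optional: the real logon time, if known from another source.
    [datetime]$LogonTime
)

if (-not $PSBoundParameters.ContainsKey('LogonTime')) {
    # Approximation: start time of the oldest readable process in this session.
    $sessionId = (Get-Process -Id $PID).SessionId
    $LogonTime = Get-Process |
        Where-Object { $_.SessionId -eq $sessionId -and $_.StartTime } |
        Sort-Object StartTime |
        Select-Object -First 1 -ExpandProperty StartTime
}

$protect = Join-Path $env:APPDATA 'Microsoft\Protect'
if (-not (Test-Path -LiteralPath $protect)) {
    Write-Warning "$protect does not exist in this profile."
    return
}

# The Protect folder itself plus the per-user subfolder(s) inside it.
# -Force is needed because these folders carry hidden/system attributes.
$folders = @(Get-Item -LiteralPath $protect -Force) +
           @(Get-ChildItem -LiteralPath $protect -Directory -Force)

$folders | ForEach-Object {
    $delta = [math]::Abs(($_.LastWriteTime - $LogonTime).TotalMinutes)
    [pscustomobject]@{
        Folder              = $_.FullName
        LastWriteTime       = $_.LastWriteTime
        LogonTime           = $LogonTime
        MinutesFromLogon    = [math]::Round($delta, 1)
        LikelyNonPersistent = ($delta -le $ToleranceMinutes)
    }
} | Format-Table -AutoSize -Wrap
```

Run it on two consecutive logins of the same user: a folder that reports `LikelyNonPersistent = True` both times is being rebuilt at logon rather than restored from the profile share.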

Alternatively, modify the Persona Management Group Policy to include the Microsoft\Protect folder from the user profile in addition to the PGP appdata folder to be loaded during login.

For more information, review the Microsoft documentation.
 

Also, if SED is taking a while to load in some Dell vWorkspace environments, see article 162217 for more details.
