PGP Key Renewal - PGP Encryption Server user keys are valid for only two weeks by default
Article ID: 157933

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite, Endpoint Encryption, File Share Encryption

Issue/Introduction

This article will discuss Key Renewal and general guidelines for renewal parameters on PGP Encryption Server (Symantec Encryption Management Server).


Environment

PGP Encryption Server 10.5 and above.

Resolution

By default, keys managed by the PGP Encryption Server (Server Key Mode, or SKM, keys) are valid for two weeks.
On the day before they expire, the server renews them for another two weeks, provided the end user has interacted with ("checked in with") the PGP Encryption Server.

The two-week interval is usually sufficient as long as users interact with the server frequently. In Drive Encryption-only deployments, however, the PGP keys are not normally used, so these users may never check in with the server within the two-week window, and the key renewal settings can affect them.
When that happens, the key goes into a pending state and the user's account appears "grayed out" in the administrative console. Once the user checks in again, the account is no longer grayed out.
A grayed-out account does not mean the user's account is broken; it only reflects the key renewal status.

Users who use PGP Email encryption or PGP Zip file encryption may need to provide their public key to third parties. Handing a third party a key that is valid for at most two weeks is not practical, so in this case the default renewal settings should be changed. Longer validity periods also prevent users from being grayed out.


If the third party also uses a PGP Server, they can configure their server to look up your organization's keys on your PGP Server automatically. In that scenario the validity period of your keys is handled automatically, because each key search returns the most current version of the key.
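Before exporting a public key to a third party that cannot look it up automatically, it is worth checking how much validity the exported key actually has left. The following is an added example (not part of this article or of the product) that parses the machine-readable output of `gpg --list-keys --with-colons` and flags keys that are expired, that expire within a chosen number of days, or that never expire. The listing embedded below is constructed sample output with hypothetical key IDs and timestamps; the "short-lived" threshold of 30 days is an arbitrary choice for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output (hypothetical key IDs
# and timestamps; not taken from the article). In the colon format, field 0 is the
# record type, field 1 the validity ("e" = expired), field 4 the key ID, field 5 the
# creation time and field 6 the expiry time, both as seconds since the epoch
# (field 6 is empty when the key never expires).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:3072:1:0123456789ABCDEF:1700000000:1701209600::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
pub:e:3072:1:FEDCBA9876543210:1600000000:1601209600::e:::scESC::::::23::0:
uid:e::::1600000000::1111111111111111111111111111111111111111::Bob Example <bob@example.com>::::::::::0:
pub:u:3072:1:00000000DEADBEEF:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::2222222222222222222222222222222222222222::Carol Example <carol@example.com>::::::::::0:
"""


def parse_pub_records(listing: str) -> list:
    """Return one dict per primary key ("pub" record) with its ID, validity and dates."""
    records = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue
        created = datetime.fromtimestamp(int(fields[5]), tz=timezone.utc)
        expires = datetime.fromtimestamp(int(fields[6]), tz=timezone.utc) if fields[6] else None
        records.append({"keyid": fields[4], "validity": fields[1],
                        "created": created, "expires": expires})
    return records


def check_key(record: dict, now: datetime, min_days: int = 30) -> tuple:
    """Classify a key for hand-off to a third party.

    Returns (status, days_remaining). days_remaining is None for keys without an
    expiry date. An expired key still decrypts old data but cannot be used by the
    recipient to encrypt new data, which is the property that matters here.
    """
    if record["expires"] is None:
        return ("never-expires", None)
    remaining = (record["expires"] - now).days
    if record["validity"] == "e" or remaining < 0:
        return ("expired", remaining)
    if remaining < min_days:
        return ("short-lived", remaining)
    return ("ok", remaining)


def report(listing: str, now: datetime, min_days: int = 30) -> dict:
    """Map key ID -> (status, days_remaining) for every primary key in the listing."""
    return {rec["keyid"]: check_key(rec, now, min_days) for rec in parse_pub_records(listing)}


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives stable results.
    now = datetime(2023, 11, 20, tzinfo=timezone.utc)
    for keyid, (status, days) in report(SAMPLE_LISTING, now).items():
        print(f"{keyid}: {status} (days remaining: {days})")
```

Run against a real keyring with `gpg --list-keys --with-colons <keyid> | python3 check.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; a key that comes back "short-lived" with the default two-week policy is the case this article is warning about.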


To change the Key Renewal settings in the Consumer Policy that applies to the user, go to the Generation tab of the Keys section of each consumer policy. The default settings are:

  • Auto Renew Keys Every: 2 weeks
  • Stop Renewing After: 3 months of inactivity

If, for example, the Auto Renew value is set to 2 months, the keys for users in the policy will be valid for two months at a time.
Note that if the Auto Renew value is set to "Never renew", the keys are given an expiry date of "Never", and this does not change even if the policy is changed later.
There may be scenarios where "Never" is appropriate, but in most cases an expiration date is used.

The "Stop Renewing After" setting determines how long a user can remain inactive before the server stops renewing that user's key.

For example, if Stop Renewing After is set to 3 months and a user in the policy has not interacted with the PGP Server in the previous three months, then the user's key will not be renewed.
This also means that when the user next checks in with the server, a new PGP key is created for them, and the old key remains expired.

The expired key can still be used to decrypt content, it just cannot be used for encryption. 


Note that a setting of "Never stop renewing" means that keys are always renewed, even if the user is inactive. This setting is not recommended if you want key rotation to be tied to user activity.


Which settings to use depends on the policies of your organization, but if users may need to send their public keys to third parties manually, or if the deployment is Drive Encryption only, we recommend setting Auto Renew to 6 months.

Important Note 1: The Stop Renewing After value must be greater than the Auto Renew Keys Every value; otherwise the renewal window would close before the key has even expired. With Auto Renew set to 6 months, a suitable Stop Renewing After value is 1 year.

This means that keys remain active for 6 months and then expire. If the user checks in with the PGP Server within 1 year of the key expiring, the key is renewed automatically. Otherwise the key stays expired and a new key is generated once the user becomes active again.
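The interaction between the two settings is easier to see when it is simulated day by day. The following is an added example, not product code and not from this article: a simplified model of the renewal rules described above (renewal on the day before expiry when the user has checked in during the current validity period, renewal of a lapsed key when the user returns within the Stop Renewing After window, generation of a new key otherwise, unconditional renewal under "Never stop renewing", and a fixed "Never" expiry under "Never renew"). The exact order in which the real server evaluates these conditions is an assumption; the `RenewalPolicy`, `ManagedKey` and `simulate` names are hypothetical, and `validate()` enforces Important Note 1.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical model of the two Consumer Policy settings (Keys > Generation tab).
@dataclass(frozen=True)
class RenewalPolicy:
    auto_renew_every: Optional[timedelta]     # None models "Never renew"
    stop_renewing_after: Optional[timedelta]  # None models "Never stop renewing"

    def validate(self) -> None:
        # Important Note 1: the grace window must outlast the validity period.
        if (self.auto_renew_every is not None and self.stop_renewing_after is not None
                and self.stop_renewing_after <= self.auto_renew_every):
            raise ValueError("Stop Renewing After must be greater than Auto Renew Keys Every")


@dataclass
class ManagedKey:
    generation: int
    created: date
    expires: Optional[date]  # None == "Never"; once set to None it never changes

    def is_expired(self, today: date) -> bool:
        return self.expires is not None and today > self.expires

    def can_encrypt(self, today: date) -> bool:
        return not self.is_expired(today)

    def can_decrypt(self) -> bool:
        return True  # an expired keypair still decrypts as long as it exists


DEFAULT_POLICY = RenewalPolicy(timedelta(weeks=2), timedelta(days=90))       # 2 weeks / 3 months
RECOMMENDED_POLICY = RenewalPolicy(timedelta(days=182), timedelta(days=365))  # 6 months / 1 year


def simulate(policy: RenewalPolicy, start: date, end: date,
             checkins) -> Tuple[List[ManagedKey], List[Tuple[date, str]]]:
    """Walk day by day from start to end and return (keys, event log)."""
    policy.validate()
    checkins = set(checkins)
    first_expiry = None if policy.auto_renew_every is None else start + policy.auto_renew_every
    keys = [ManagedKey(1, start, first_expiry)]
    last_checkin = start  # key creation counts as an interaction
    log: List[Tuple[date, str]] = []
    day = start
    while day <= end:
        key = keys[-1]
        if day in checkins:
            last_checkin = day
            if key.is_expired(day):
                grace = policy.stop_renewing_after
                if grace is None or day - key.expires <= grace:
                    key.expires = day + policy.auto_renew_every
                    log.append((day, f"gen{key.generation} renewed after lapse"))
                else:
                    keys.append(ManagedKey(key.generation + 1, day, day + policy.auto_renew_every))
                    log.append((day, f"gen{key.generation + 1} generated; gen{key.generation} stays expired"))
        key = keys[-1]
        if key.expires is not None and day == key.expires - timedelta(days=1):
            # Day before expiry: renew if the user checked in during this validity period
            # (assumed rule), or unconditionally under "Never stop renewing".
            active = last_checkin >= key.expires - policy.auto_renew_every
            if active or policy.stop_renewing_after is None:
                key.expires += policy.auto_renew_every
                log.append((day, f"gen{key.generation} auto-renewed"))
            else:
                log.append((day, f"gen{key.generation} not renewed; user greyed out after {key.expires}"))
        day += timedelta(days=1)
    return keys, log


if __name__ == "__main__":
    # Constructed check-in dates for a Drive Encryption-only user under the default policy.
    keys, log = simulate(DEFAULT_POLICY, date(2024, 1, 1), date(2024, 8, 20),
                         [date(2024, 1, 10), date(2024, 3, 1), date(2024, 8, 1)])
    for day, event in log:
        print(day, event)
    for k in keys:
        print(f"gen{k.generation}: expires {k.expires}, encrypt={k.can_encrypt(date(2024, 8, 20))}")
```

With the default policy the user above ends up with two keys: the first one lapses twice and is finally left expired (still able to decrypt, no longer able to encrypt), and a second generation is created when the user returns after more than three months. Replacing `DEFAULT_POLICY` with `RECOMMENDED_POLICY` in the same run keeps a single key throughout.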

When deciding on appropriate settings, note that an expired key can be used to decrypt data but cannot be used to encrypt data.  Therefore if a user leaves the organization it is good housekeeping to allow their key to expire automatically after a period of time so that it cannot be used for data encryption.

Important Note 2: Even if a key has expired, it is still possible to decrypt content as long as the keypair is available. Only if the key is deleted or otherwise no longer available does it become impossible to decrypt that content. 

Additional Information

236768 - Unable to Sign with SMIME Certificate: Item Not Found

ISFR-2159/EPG-27234

EPG-26606

Increased PGP Key Management
ISFR-2335, ISFR-2336, ISFR-2334, ISFR-2333