1. Publish Certificate
Note: When a client enrolls, it prompts the user to allow the Symantec server certificate. To avoid any user input, publish the Symantec server certificate to all domain clients before creating and deploying the package. Applying it through the Default Domain Policy distributes the certificate to all clients. The clients then already know the Symantec server certificate, which eliminates the prompt asking the user to allow it. Below is the screen that clients receive when they detect the Symantec encryption certificate.
2. Create customized Symantec encryption desktop package
On the server, make sure that the user's policy has the following setting checked:
Automatically encrypt BootDisk at installation
The setting is located under:
Consumer Policy, users policy name, Desktop, Encryption Desktop, Drive encryption
This encrypts the disk after successful enrollment.
Download the 64-bit or 32-bit package with auto-detect policy to your deployment server.
3. Deploy the package
Deploy the MSI package from your server with the following switches:
Note: You can use Orca (part of the Windows development kit) to edit the MSI package and create a custom package with the needed switches. You can also refer to the article TECH190946.
msiexec /i C:\pgpd.msi PGP_INSTALL_DISABLESSOENROLL=0 /norestart /q
Now when users log in to their PCs, the installation runs without them noticing. The PC does not restart automatically, because the “/norestart” switch suppresses the PGP automatic restart. Once the user restarts the PC and logs in again, the second phase of the installation (enrollment) continues, and within a minute or so the user sees a notification in the system tray that the drive is being encrypted.
PGP Desktop Client 10.x
Symantec Encryption Server 3.x