If an Encryption Management Server Organization Key is renewed rather than replaced, clients running Drive Encryption or Email Encryption do not download the renewed Organization Key.

The keyring on the clients will show an expired Organization Key.

Encryption Management Server 3.3 and above.

When an Organization Key is renewed, the public Organization Key is not added to the orgKeyBlock section of the PGPprefs.xml policy file on the clients.

This issue is resolved in Encryption Management Server 3.3.2 MP12. Beginning with this release, if the Organization Key is renewed, it is added to the orgKeyBlock section of the policy preferences on the server and from there to the PGPprefs.xml policy file on the clients.

However, in some environments there is no orgKeyBlock setting in the server policy. To check, do the following:

1. From the administration console, click on the name of a Consumer Policy.
2. Click on the Edit button next to the General option.
3. Click on the Edit Preferences button.
4. Search for OrgKeyBlock in the list of policy preferences. It is usually easier to copy and paste the full list into Microsoft WordPad or similar and search from there.
5. If OrgKeyBlock does not exist, please contact Symantec Technical Support.