If an Encryption Management Server Organization Key is renewed rather than replaced, clients running Drive Encryption or Email Encryption do not download the renewed Organization Key.
The keyring on the clients will show an expired Organization Key.
When an Organization Key is renewed, the public Organization Key is not added to the orgKeyBlock section of the PGPprefs.xml policy file on the clients.
Encryption Management Server 3.3 and above.
This issue is resolved in Encryption Management Server 3.3.2 MP12. Beginning with this release, if the Organization Key is renewed, it is added to the orgKeyBlock section of the policy preferences on the server and from there to the PGPprefs.xml policy file on the clients.
However, in some environments there is no orgKeyBlock setting in the server policy. To check, do the following: