Disabling Encryption Desktop functionality using msiexec switches

Article ID: 171110

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server

Issue/Introduction

The only way you can disable licensed functionality in an unmanaged Encryption Desktop client is to install it or upgrade it using appropriate msiexec switches.

Encryption Desktop clients that are managed by Encryption Management Server will be members of a particular consumer policy. You can enable or disable nearly all functionality by modifying the relevant consumer policy.

There are reasons, however, why you should consider using msiexec switches to disable functionality for managed Encryption Desktop clients:

  • You will never use drive encryption and wish to ensure that the encryption driver is not installed. Only drive encryption uses single sign-on, so it is logical to disable single sign-on too.
  • You will never need to integrate mail encryption with SMTP, POP3 or IMAP.
  • You will never use File Share Encryption and wish to ensure the file sharing driver is not installed.


If you disable a component using an msiexec switch, the only way of enabling it again is to upgrade every client machine to a newer release, passing the same msiexec switch with a value of 1. This is obviously a time consuming task, and if the clients are already on the latest release you will need to completely uninstall Encryption Desktop and install it again. Uninstalling first requires decrypting the drives, which is really not a good use of time.

Environment

Symantec Encryption Desktop 10.4.2 and above.

Resolution

The following scenarios are available for the installation process:

Scenario 1: Disable only the Drive Encryption and single sign-on components 

Still Enabled: File Share Encryption, Email Encryption, File Encryption, Virtual Disk, and Plugins.

msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0

The above parameters will do the following:

  • Disable drive encryption.
  • Ensure that the PGPwded.sys drive encryption driver is not loaded by Windows. This is a low level driver and if it is not required then it is advisable not to load it into Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
  • Prevent the client computer name being registered with Encryption Management Server. Please see article 171276 for further information.
  • Ensure that the PGPwdefs.sys file system filter driver is not loaded by Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
  • Disable single sign-on. Note that single sign-on is only applicable when drive encryption is used.
  • Ensure that the password filter DLL PGPpwflt is not added to the ProviderOrder value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder registry keys.
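
As an added example (not part of the Symantec article), the following PowerShell function checks a Scenario 1 client for the footprint those switches are meant to remove: the PGPwded.sys and PGPwdefs.sys driver files and driver services, and PGPpwflt in the network provider order. The driver and registry names are the ones listed above; the function and parameter names are this example's own. Run it in an elevated session after the post-install reboot.

```powershell
# Added example (not from the Symantec article): verify on a client installed
# with PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 that the drive encryption drivers
# and the PGPpwflt network provider are absent. Driver file and registry
# names come from the article; the function and parameter names are assumptions.

function Test-EncryptionDesktopFootprint {
    [CmdletBinding()]
    param(
        # Drivers that must NOT be present for the components that were disabled.
        # Defaults cover Scenario 1 (WDE + SSO); add PGPdisk.sys / PGPfsd.sys
        # when checking Scenarios 2 and 4.
        [string[]]$DisabledDrivers = @('PGPwded.sys', 'PGPwdefs.sys'),
        # Set when PGP_INSTALL_SSO=0 was used: PGPpwflt must not be a network provider.
        [switch]$SsoDisabled
    )

    $findings  = New-Object System.Collections.Generic.List[string]
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    # 1. Driver files on disk. A file that is present but not loaded still
    #    means the installer shipped the component.
    foreach ($drv in $DisabledDrivers) {
        $path = Join-Path $driverDir $drv
        if (Test-Path -LiteralPath $path) {
            $findings.Add("driver file present: $path")
        }
    }

    # 2. Kernel driver services. Win32_SystemDriver lists every registered
    #    kernel driver with its image path and current state.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        Where-Object {
            $leaf = [System.IO.Path]::GetFileName($_.PathName.Trim('"'))
            $DisabledDrivers -contains $leaf
        }
    foreach ($svc in $registered) {
        $findings.Add("driver service '$($svc.Name)' registered (State=$($svc.State), Path=$($svc.PathName))")
    }

    # 3. Network provider order. With SSO installed, PGPpwflt is added to the
    #    comma-separated ProviderOrder value under both NetworkProvider\Order
    #    and NetworkProvider\HwOrder.
    if ($SsoDisabled) {
        foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
                         'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder') {
            $order = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
            if ($order -and (($order -split ',' | ForEach-Object { $_.Trim() }) -contains 'PGPpwflt')) {
                $findings.Add("PGPpwflt present in ${key}\ProviderOrder: $order")
            }
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage for a Scenario 1 client:
$result = Test-EncryptionDesktopFootprint -SsoDisabled
if ($result.Compliant) { 'OK: no drive encryption or SSO footprint found' }
else { $result.Findings | ForEach-Object { "FAIL: $_" } }
```

A non-compliant result after an upgrade usually means the client was originally installed without the switches and the upgrade kept the earlier component selection, which is the retention behaviour described in Scenario 12.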

The LSP parameter determines whether the Layered Service Provider is installed. It is needed only for SMTP, POP3 and IMAP email proxying. This feature cannot be disabled using Consumer Policy, even though very few organizations will need it. The command to disable it is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_LSP=0

Note: In some releases of Encryption Desktop, the above switch will not disable LSP. See article 191174 for details.


Scenario 2: Disable only the Virtual Disk Component

Still Enabled: Drive Encryption with all functionality, File Share Encryption, Email Encryption, File Encryption, and Plugins.
Virtual Disks are rarely used. An unmanaged client will have virtual disks enabled even if it is not licensed for drive encryption, which may confuse users.

To disable this functionality with msiexec the command is as follows. This will also ensure that the PGPdisk.sys driver is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_VDISK=0



Scenario 3: Disable Drive Encryption including SSO functionality, Virtual Disk and SMTP/POP3/IMAP Email Encryption

Still Enabled: File Share Encryption, Email Encryption (other than the SMTP/POP3/IMAP proxy), File Encryption, and Plugins.

Combining the above switches gives a command appropriate for clients that are never expected to use drive encryption, single sign-on, virtual disks or SMTP/POP3/IMAP email:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_VDISK=0 PGP_INSTALL_LSP=0



Scenario 4: Disable File Share Encryption

Still Enabled: Drive Encryption with all functionality, Email Encryption, File Encryption, and Plugins.
Another feature that some customers wish to disable is File Share encryption. The command to do this is as follows. This will also ensure that the file sharing driver PGPfsd.sys is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_NETSHARE=0


Scenario 5: Disable All Email Encryption

Still Enabled: All other components.

msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_GROUPWISE=0 


Scenario 6: Disable all components except for File Share Encryption

Still Enabled: File Share Encryption
To disable all components of Symantec Encryption Desktop but leave File Share Encryption enabled, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0



Scenario 7: Disable all components except for Email Encryption

Still Enabled: Email Encryption, File Encryption, Virtual Disk, and Plugins. Note that PGP_INSTALL_NETSHARE=0 disables File Share Encryption; add PGP_INSTALL_VDISK=0 if Virtual Disk should be disabled as well.
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_NETSHARE=0


Scenario 8: Disable All components except for Drive Encryption (Leave Drive Encryption enabled)

Still Enabled: Drive Encryption with all functionality
To disable ALL components except for Drive Encryption, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0




Scenario 9: Disable ALL components

Still Enabled: General Symantec Encryption Desktop program, like PGP Zip and PGP Keys.
To disable ALL components of Symantec Encryption Desktop, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0


Scenario 10: Enable Invisible Silent Enrollment

Still Enabled: All components
To use invisible silent enrollment, you must use this msiexec switch. Never combine it with the SILENT_FORCE_LDAP switch (PGP_SILENT_FORCE_LDAP=1), as the two conflict with each other:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_DISABLESSOENROLL=0

See also the following article for more information:
181069 - HOWTO: Configure Invisible Silent Enrollment for Symantec Encryption Desktop Clients


Scenario 11: Enabling components after they have been disabled

To enable a feature that was previously disabled with an msiexec switch, you need to install a newer release with the same switch set to 1. For example, to enable drive encryption and single sign-on:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=1 PGP_INSTALL_SSO=1



Scenario 12: How the Symantec Encryption Desktop installer file can be used

Encryption Desktop standalone is presented as an executable *.exe file. Article 154873 explains how to extract the *.msi file from the *.exe file.

These msiexec switches can also be used:

  • /quiet - Quiet mode, do not display progress.
  • /passive - Unattended mode, display progress without user interaction.

While the /norestart switch can be used to prevent an automatic reboot following the installation, Encryption Desktop will not function properly without this reboot so use it with caution.

Note that once an msiexec switch has been used, there is no need to use it again on subsequent upgrades. The upgrade will retain the existing settings.

The complete list of switches is as follows. Each component is passed to msiexec as PGP_INSTALL_<Component>=0 or PGP_INSTALL_<Component>=1; the default value and default state are shown for each.

  • MAPI (default 1, enabled): MAPI messaging proxy used in Outlook.
  • NOTES (default 1, enabled): Lotus Notes message proxying.
  • LSP (default 1, enabled): POP, SMTP and IMAP proxying. Cannot be controlled by Consumer Policy.
  • SSO (default 1, enabled): Drive encryption single sign-on.
  • WDE (default 1, enabled): Drive encryption.
  • NETSHARE (default 1, enabled): File Share Encryption.
  • GROUPWISE (default 0, disabled): Novell GroupWise messaging proxy.
  • MEMLOCK (default 1, enabled): The memory locking feature, which keeps sensitive data from leaving volatile memory. Disabling the memory lock means you can disable all kernel-level items, if desired. Do not disable this unless you have a very specific reason.
  • VDISK (default 1, enabled): Virtual Disk feature. Controlled by Consumer Policy.
  • MAPI_PLUGIN (default 1, enabled): Encrypt and Sign buttons in Outlook. Controlled by Consumer Policy.
  • DISABLESSOENROLL (default 1, invisible silent enrollment disabled): Disables invisible silent enrollment. Set this to 0 to enable invisible silent enrollment.
  • SET_HWORDER (default 0, disabled): When enabled, puts PGPpwflt at the top of the network provider order. Do not enable this unless you have a very specific reason.
  • SILENT_FORCE_LDAP (default 0, disabled): Allows the disk to be encrypted to a local Windows password while enrollment occurs using LDAP credentials that differ from the local Windows ones.
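
As an added example (not part of the Symantec article), the following PowerShell wrapper assembles the msiexec command line from a table of components, validates the component names against the list above, refuses the DISABLESSOENROLL/SILENT_FORCE_LDAP conflict described in Scenario 10, writes a verbose installer log and interprets the Windows Installer exit code. The PGP_INSTALL_* property names follow the list above; the function and parameter names, the log location and the result messages are this example's assumptions.

```powershell
# Added example (not from the Symantec article): build and run the msiexec
# command line for a chosen set of components. Component names are the ones
# listed in the article, passed as PGP_INSTALL_<Component>=0|1; function and
# parameter names, log path and messages are this example's own choices.

$KnownComponents = @(
    'MAPI', 'NOTES', 'LSP', 'SSO', 'WDE', 'NETSHARE', 'GROUPWISE', 'MEMLOCK',
    'VDISK', 'MAPI_PLUGIN', 'DISABLESSOENROLL', 'SET_HWORDER', 'SILENT_FORCE_LDAP'
)

function New-EncryptionDesktopInstallArgs {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        # Component name -> 0 or 1, e.g. @{ WDE = 0; SSO = 0; VDISK = 0 }
        [hashtable]$Components = @{},
        [switch]$Quiet,
        [switch]$NoRestart,
        [string]$LogPath
    )

    # Reject unknown or malformed properties up front: msiexec accepts any
    # PROPERTY=value on the command line, so a misspelled switch is silently ignored.
    $props = @()
    foreach ($name in ($Components.Keys | Sort-Object)) {
        if ($KnownComponents -notcontains $name) {
            throw "Unknown component '$name'. Known: $($KnownComponents -join ', ')"
        }
        if ($Components[$name] -notin 0, 1) { throw "Component '$name' must be 0 or 1" }
        $props += "PGP_INSTALL_$name=$($Components[$name])"
    }

    # Documented conflict (Scenario 10): invisible silent enrollment must not be
    # combined with SILENT_FORCE_LDAP.
    if ($Components['DISABLESSOENROLL'] -eq 0 -and $Components['SILENT_FORCE_LDAP'] -eq 1) {
        throw 'PGP_INSTALL_DISABLESSOENROLL=0 cannot be combined with PGP_INSTALL_SILENT_FORCE_LDAP=1'
    }
    # SSO only applies to drive encryption (Scenario 1), so disabling WDE alone is inconsistent.
    if ($Components['WDE'] -eq 0 -and $Components['SSO'] -ne 0) {
        Write-Warning 'WDE is disabled but SSO is not; consider adding SSO=0 as in Scenario 1.'
    }

    $msiArgs = @('/i', "`"$MsiPath`"") + $props
    if ($Quiet)     { $msiArgs += '/quiet' }
    if ($NoRestart) { $msiArgs += '/norestart' }   # client will not work until rebooted
    if ($LogPath)   { $msiArgs += @('/l*v', "`"$LogPath`"") }
    return ,$msiArgs   # leading comma returns the array as one object
}

function Install-EncryptionDesktop {
    param(
        [Parameter(Mandatory)] [string]$MsiPath,
        [hashtable]$Components = @{},
        [switch]$NoRestart,
        [string]$LogPath = (Join-Path $env:TEMP 'PGPDesktop-install.log')
    )
    $msiArgs = New-EncryptionDesktopInstallArgs -MsiPath $MsiPath -Components $Components `
        -Quiet -NoRestart:$NoRestart -LogPath $LogPath
    Write-Verbose "msiexec $($msiArgs -join ' ')"
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes.
    switch ($proc.ExitCode) {
        0       { 'Installed (exit code 0)' }
        3010    { 'Installed; a reboot is required before Encryption Desktop is functional (ERROR_SUCCESS_REBOOT_REQUIRED)' }
        1641    { 'Installed; Windows Installer has initiated a reboot (ERROR_SUCCESS_REBOOT_INITIATED)' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Scenario 3 (no drive encryption, SSO, virtual disks or SMTP/POP3/IMAP proxying).
# Path is a placeholder; obtain the .msi as described in Scenario 12.
# Install-EncryptionDesktop -MsiPath 'C:\Deploy\PGPDesktop64_en-US.msi' `
#     -Components @{ WDE = 0; SSO = 0; VDISK = 0; LSP = 0 } -Verbose
```

Because the wrapper always runs in quiet mode, omit -NoRestart in unattended deployments unless the reboot is scheduled separately; as noted in Scenario 12, Encryption Desktop does not function until that reboot has happened.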