Disabling PGP Desktop functionality using msiexec switches (Symantec Encryption Desktop)
Article ID: 171110
Updated On:
Products
Issue/Introduction
The only way you can disable licensed functionality in an unmanaged Encryption Desktop client is to install it or upgrade it using appropriate msiexec switches.
Encryption Desktop clients that are managed by Encryption Management Server will be members of a particular consumer policy. You can enable or disable nearly all functionality by modifying the relevant consumer policy.
There are reasons, however, why you should consider using msiexec switches to disable functionality for managed Encryption Desktop clients:
- You will never use drive encryption and wish to ensure that the encryption driver is not installed. Only drive encryption uses single sign on so it is logical to disable single sign on too.
- You will never need to integrate mail encryption with SMTP, POP3 or IMAP.
- You will never use File Share Encryption and wish to ensure the file sharing driver is not installed.
If you disable a component using a msiexec switch, the only way of enabling it is to upgrade every client machine to a newer release and enable the component using the same msiexec switch. This is obviously a time consuming task and if the clients are already on the latest release you will need to completely uninstall Encryption Desktop and install it again. To uninstall, you will first need to decrypt the drives which is really not a good use of time.
Environment
Symantec Encryption Desktop 10.4.2 and above.
Resolution
The following Scenarios are available for the installation process:
Table of Contents
- Scenario 1: Disable only the Drive Encryption and single sign-on components
- Scenario 2: Disable only the Virtual Disk Component
- Scenario 3: Disable Drive Encryption including SSO functionality, Virtual Disk and POP/IMAP Email Encryption
- Scenario 4: Disable File Share Encryption
- Scenario 5: Disable All Email Encryption
- Scenario 6: Disable all components except for File Share Encryption
- Scenario 7: Disable all components except for Email Encryption
- Scenario 8: Disable All components except for Drive Encryption (Leave Drive Encryption enabled)
- Scenario 9: Disable ALL components
- Scenario 10: Enable Invisible Silent Enrollment
- Scenario 11: Enabling components after they have been disabled
- Scenario 12: How the Symantec Encryption Desktop installer file can be used
- Scenario 13: Install all components, but leave the Outlook Plug-ins Disabled
- Scenario 14: Install all components, but for Drive Encryption, disable Single Sign-On functionality
Scenario 1: Disable only the Drive Encryption and single sign-on components
Still Enabled: File Share Encryption, Email Encryption, File Encryption, Virtual Disk, and Plugins.
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0
The above parameters will do the following:
- Disable drive encryption.
- Ensure that the PGPwded.sys drive encryption driver is not loaded by Windows. This is a low level driver and if it is not required then it is advisable not to load it into Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
- Prevent the client computer name being registered with Encryption Management Server. Please see article 171276 for further information.
- Ensure that the PGPwdefs.sys file system filter driver is not loaded by Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
- Disable single sign-on. Note that single sign-on is only applicable when drive encryption is used.
- Ensure that the password filter DLL PGPpwflt is not added to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\HwOrder registry keys.
The LSP parameter determines whether changes to the Layered Service Provider are made. This needs to be enabled only for SMTP, POP3 and IMAP email. This feature cannot be disabled using Consumer Policy yet very few organizations will need it. The command to disable it is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_LSP=0
Note: In some releases of Encryption Desktop, the above switch will not disable LSP. See article 191174 for details.
Scenario 2: Disable only the Virtual Disk Component
Still Enabled: Drive Encryption with all functionality, File Share Encryption, Email Encryption, File Encryption, and Plugins.
Virtual Disks are rarely used. An unmanaged client will have virtual disks enabled even if it is not licensed for drive encryption which may confuse users.
To disable this functionality with msiexec the command is as follows. This will also ensure that the PGPdisk.sys driver is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_VDISK=0
Scenario 3: Disable Drive Encryption including SSO functionality, Virtual Disk and POP/IMAP Email Encryption
Still Enabled: File Share Encryption, Email Encryption, File Encryption, and Plugins.
Combining the above switches this, therefore, would be appropriate for installing clients that are never expected to use drive encryption, single-sign on, virtual disks or SMTP/POP3 email:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_VDISK=0 PGP_INSTALL_LSP=0
Scenario 4: Disable File Share Encryption
Still Enabled: Drive Encryption with all functionality, Email Encryption, File Encryption, and Plugins.
Another feature that some customers wish to disable is File Share encryption. The command to do this is as follows. This will also ensure that the file sharing driver PGPfsd.sys is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_NETSHARE=0
Scenario 5: Disable All Email Encryption
Still Enabled: All other components.
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_GROUPWISE=0
Scenario 6: Disable all components except for File Share Encryption
To disable all components with Symantec Encryption Desktop, but leave File Share Encryption run the following command:
Still Enabled: File Share Encryption
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0
Scenario 7: Disable all components except for Email Encryption
Still Enabled: Email Encryption, File Share Encryption, Virtual Disk
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_NETSHARE=0
Scenario 8: Disable All components except for Drive Encryption (Leave Drive Encryption enabled)
Still Enabled: Drive Encryption with all functionality
To disable ALL components except for Drive Encryption, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0
Scenario 9: Disable ALL components
To disable ALL components with Symantec Encryption Desktop, run the following command:
Still Enabled: General Symantec Encryption Desktop program, like PGP Zip and PGP Keys.
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0
Scenario 10: Enable Invisible Silent Enrollment
Still Enabled: All components
To use invisible silent enrollment, you must use this msiexec switch. However, never combine this with the PGP_SILENT_FORCE_LDAP=1 swtich or they will conflict with each other:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_DISABLESSOENROL=0
See also the following article for more information:
181069 - HOWTO: Configure Invisible Silent Enrollment for Symantec Encryption Desktop Clients
Scenario 11: Enabling components after they have been disabled
To enable a feature that was previously disabled with an msiexec switch, you need to install a newer release with the opposite switch. For example, to enable drive encryption and single sign-on:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=1 PGP_INSTALL_SSO=1
Scenario 12: How the Symantec Encryption Desktop installer file can be used
Encryption Desktop standalone is presented as an executable *.exe file. Article 154873 explains how to extract the *.msi file from the *.exe file.
These msiexec switches can also be used:
- /quiet - Quiet mode, do not display progress.
- /passive - Unattended mode, display progress without user interaction.
While the /norestart switch can be used to prevent an automatic reboot following the installation, Encryption Desktop will not function properly without this reboot so use it with caution.
Note that once an msiexec switch has been used, there is no need to use it again on subsequent upgrades. The upgrade will retain the existing settings.
The complete list of switches is as follows:
|
Component
|
Description
|
Default Value
|
Default State
|
|
MAPI
|
MAPI messaging proxy used in Outlook.
|
1
|
Enabled
|
|
NOTES
|
Lotus Notes message proxying.
|
1
|
Enabled
|
|
LSP
|
POP, SMTP and IMAP proxying. Cannot be controlled by Consumer Policy.
|
1
|
Enabled
|
|
SSO
|
Drive encryption Single Sign-On.
|
1
|
Enabled
|
|
WDE
|
Drive encryption.
|
1
|
Enabled
|
|
NETSHARE
|
File Share encryption.
|
1
|
Enabled
|
|
GROUPWISE
|
Novell Groupwise messaging proxy.
|
0
|
Disabled
|
|
MEMLOCK
|
The memory locking feature (which keeps sensitive data from leaving volatile memory). Disabling the memory lock means you can disable all kernel-level items, if desired. Do not disable this unless you have a very specific reason.
|
1
|
Enabled
|
|
VDISK
|
Virtual Disk feature. Controlled by Consumer Policy.
|
1
|
Enabled
|
|
MAPI_PLUGIN
|
Encrypt and Sign buttons in Outlook. Controlled by Consumer Policy.
|
1
|
Enabled
|
|
DISABLESSOENROLL
|
Disable invisible silent enrollment. Set this to 0 to enable invisible silent enrollment.
|
1
|
Disabled
|
|
SET_HWORDER
|
When enabled, puts PGPpwflt at the top of the network provider order. Do not enable this unless you have a very specific reason.
|
0
|
Disabled
|
|
SILENT_FORCE_LDAP
|
Allows the disk to be encrypted to a local Windows password but enrollment to occur using LDAP credentials which are different to the local Windows ones.
|
0
|
Disabled
|
Scenario 13: Install all components, but leave the Outlook Plug-ins Disabled
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI_PLUGIN=0
Scenario 14: Install all components, but for Drive Encryption, disable Single Sign-On functionality
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_SSO=0
This will allow Drive Encryption to be enabled, but once it is, the Single Sign-On functionality will be disabled. For more information on PGP Drive Encryption SSO Functionality, see the following articles:
262549 - PGP Desktop Drive Encryption and Single Sign-On (Symantec Encryption Desktop)
Feedback
