The only way you can disable licensed functionality in an unmanaged Encryption Desktop client is to install it or upgrade it using appropriate msiexec switches.
Encryption Desktop clients that are managed by Encryption Management Server will be members of a particular consumer policy. You can enable or disable nearly all functionality by modifying the relevant consumer policy.
There are reasons, however, why you should consider using msiexec switches to disable functionality for managed Encryption Desktop clients. Before doing so, be aware of the following:
If you disable a component using an msiexec switch, the only way of enabling it again is to upgrade every client machine to a newer release and enable the component using the same msiexec switch. This is obviously a time-consuming task, and if the clients are already on the latest release you will need to completely uninstall Encryption Desktop and install it again. To uninstall, you will first need to decrypt the drives, which is really not a good use of time.
Symantec Encryption Desktop 10.3.2 MP13 and above.
The command to disable drive encryption and single sign-on is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0
The above parameters will do the following:
The LSP parameter determines whether changes to the Layered Service Provider are made. This needs to be enabled only for SMTP, POP3 and IMAP email. This feature cannot be disabled using Consumer Policy (please see article 153275 for how to disable it) yet very few organizations will need it. Please note that with some releases of Encryption Desktop, the PGPlsp.dll file is still installed. See article 191174 for details. The command to disable it is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_LSP=0
Important note: Symantec Encryption Desktop versions 10.4.2 MP3 through 10.5 have an issue where installing with the LSP component disabled (PGP_INSTALL_LSP=0) does not actually disable it. This issue is currently being reviewed and will be addressed in the next release. See article 191174 for more details. SED 10.4.2 MP2 does not encounter this issue.
Virtual Disks are rarely used. An unmanaged client will have virtual disks enabled even if it is not licensed for drive encryption which may confuse users. To disable this functionality with msiexec the command is as follows. This will also ensure that the PGPdisk.sys driver is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_VDISK=0
Combining the above switches, the following command would therefore be appropriate for installing clients that are never expected to use drive encryption, single sign-on, virtual disks or SMTP/POP3 email:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_VDISK=0 PGP_INSTALL_LSP=0
Another feature that some customers wish to disable is File Share encryption. The command to do this is as follows. This will also ensure that the file sharing driver PGPfsd.sys is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_NETSHARE=0
To use invisible silent enrollment, you must use the following msiexec switch. However, never combine it with the PGP_SILENT_FORCE_LDAP=1 switch, as the two conflict with each other:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_DISABLESSOENROL=0
To enable a feature that was previously disabled with an msiexec switch, you need to install a newer release with the opposite switch. For example, to enable drive encryption and single sign-on:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=1 PGP_INSTALL_SSO=1
To disable ALL components except for Drive Encryption, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0
Encryption Desktop standalone is presented as an executable *.exe file. Article 154873 explains how to extract the *.msi file from the *.exe file.
Standard msiexec switches can also be used. While the /norestart switch can be used to prevent an automatic reboot following the installation, Encryption Desktop will not function properly until that reboot has taken place, so use it with caution.
Note that once an msiexec switch has been used, there is no need to use it again on subsequent upgrades. The upgrade will retain the existing settings.
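As an added example (not part of this article and not Symantec's own tooling), the following PowerShell script builds the msiexec command line from the component switches described above, refuses the documented PGP_INSTALL_DISABLESSOENROL=0 / PGP_SILENT_FORCE_LDAP=1 combination, runs the install with a verbose log, and then checks that the drivers and LSP of the disabled components are not loaded. The MSI path, the log path, and the use of the standard /qn and /l*v msiexec options are assumptions.

```powershell
# Added example: deploy Encryption Desktop with selected components disabled
# and verify the result. MSI and log paths are assumed; adjust as needed.
param(
    [string]$Msi = 'C:\Deploy\PGPDesktop64_en-US.msi',   # assumed location of the extracted MSI
    [string]$Log = "$env:TEMP\PGPDesktop-install.log"    # assumed log location
)

# Desired component states (property name => value), as used in the article.
$Props = @{
    'PGP_INSTALL_WDE'      = 0   # no drive encryption
    'PGP_INSTALL_SSO'      = 0   # no single sign-on
    'PGP_INSTALL_VDISK'    = 0   # also keeps PGPdisk.sys from loading
    'PGP_INSTALL_LSP'      = 0   # no SMTP/POP3/IMAP proxying
    'PGP_INSTALL_NETSHARE' = 0   # also keeps PGPfsd.sys from loading
}

# The article says these two switches must never be combined; refuse to proceed if they are.
if ($Props['PGP_INSTALL_DISABLESSOENROL'] -eq 0 -and $Props['PGP_SILENT_FORCE_LDAP'] -eq 1) {
    throw 'PGP_INSTALL_DISABLESSOENROL=0 conflicts with PGP_SILENT_FORCE_LDAP=1'
}

# Build the argument list: quiet install with a verbose log for later auditing.
$MsiArgs = @('/i', "`"$Msi`"", '/qn', "/l*v `"$Log`"") +
           ($Props.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" })
$Proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
# 0 = success, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (the reboot is needed, per the article).
if ($Proc.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($Proc.ExitCode)" }

# Post-install check: drivers belonging to disabled components should not be running.
foreach ($DrvFile in 'PGPdisk.sys', 'PGPfsd.sys') {
    $Drv = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*\$DrvFile" }
    if ($Drv -and $Drv.State -eq 'Running') { Write-Warning "$DrvFile is loaded although its component was disabled" }
    else { Write-Host "$DrvFile is not running (as expected)" }
}

# Some releases ignore PGP_INSTALL_LSP=0 (see the note above); the Winsock catalog
# shows whether a PGP Layered Service Provider is still registered.
$Catalog = netsh winsock show catalog
if ($Catalog -match 'PGP') { Write-Warning 'A PGP Layered Service Provider is still registered in Winsock' }
else { Write-Host 'No PGP LSP registered in Winsock' }
```

Run it from an elevated PowerShell session; the warnings it prints are the cases where a disabled component's driver or LSP is still present and the release notes above apply.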
The complete list of switches is as follows:

Component | Description | Default Value | Default State
MAPI | MAPI messaging proxy used in Outlook. | 1 | Enabled
NOTES | Lotus Notes message proxying. | 1 | Enabled
LSP | POP, SMTP and IMAP proxying. Cannot be controlled by Consumer Policy. | 1 | Enabled
SSO | Drive encryption Single Sign-On. | 1 | Enabled
WDE | Drive encryption. | 1 | Enabled
NETSHARE | File Share encryption. | 1 | Enabled
GROUPWISE | Novell GroupWise messaging proxy. | 0 | Disabled
MEMLOCK | The memory locking feature (which keeps sensitive data from leaving volatile memory). Disabling the memory lock means you can disable all kernel-level items, if desired. Do not disable this unless you have a very specific reason. | 1 | Enabled
VDISK | Virtual Disk feature. Controlled by Consumer Policy. | 1 | Enabled
MAPI_PLUGIN | Encrypt and Sign buttons in Outlook. Controlled by Consumer Policy. | 1 | Enabled
DISABLESSOENROLL | Disable invisible silent enrollment. Set this to 0 to enable invisible silent enrollment. | 1 | Disabled
SET_HWORDER | When enabled, puts PGPpwflt at the top of the network provider order. Do not enable this unless you have a very specific reason. | 0 | Disabled
SILENT_FORCE_LDAP | Allows the disk to be encrypted to a local Windows password but enrollment to occur using LDAP credentials which are different from the local Windows ones. | 0 | Disabled