Disabling Encryption Desktop functionality using msiexec switches

Article ID: 171110

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server

Issue/Introduction

The only way you can disable licensed functionality in an unmanaged Encryption Desktop client is to install it or upgrade it using appropriate msiexec switches.

Encryption Desktop clients that are managed by Encryption Management Server will be members of a particular consumer policy. You can enable or disable nearly all functionality by modifying the relevant consumer policy.

There are reasons, however, why you should consider using msiexec switches to disable functionality for managed Encryption Desktop clients:

  • You will never use drive encryption and wish to ensure that the encryption driver is not installed. Only drive encryption uses single sign-on, so it is logical to disable single sign-on too.
  • You will never need to integrate mail encryption with SMTP, POP3 or IMAP.
  • You will never use File Share Encryption and wish to ensure the file sharing driver is not installed.

If you disable a component using an msiexec switch, the only way of enabling it again is to upgrade every client machine to a newer release and enable the component using the same msiexec switch. This is obviously a time-consuming task, and if the clients are already on the latest release you will need to completely uninstall Encryption Desktop and install it again. To uninstall, you will first need to decrypt the drives, which is really not a good use of time.

Environment

Symantec Encryption Desktop 10.3.2 MP13 and above.

Resolution

The command to disable drive encryption and single sign-on is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0

The above parameters will do the following:

  • Disable drive encryption.
  • Ensure that the PGPwded.sys drive encryption driver is not loaded by Windows. This is a low level driver and if it is not required then it is advisable not to load it into Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
  • Prevent the client computer name being registered with Encryption Management Server. Please see article 171276 for further information.
  • Ensure that the PGPwdefs.sys file system filter driver is not loaded by Windows. Note that Encryption Desktop prior to 10.3.2 MP2 will still load the driver.
  • Disable single sign-on. Note that single sign-on is only applicable when drive encryption is used.
  • Ensure that the password filter DLL PGPpwflt is not added to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\HwOrder registry keys.
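The following PowerShell check is an added example, not part of the original article, for confirming after an install with PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 that the two drive-encryption drivers are not registered or running and that PGPpwflt is absent from both network provider order values. The driver file names and registry paths come from the article; the queries are standard Windows cmdlets.

```powershell
# Added example (not from the article): verify the WDE/SSO switches took effect.
# Assumes it runs after the install and reboot described in the article.
$driverFiles = @('PGPwded.sys', 'PGPwdefs.sys')            # WDE kernel drivers named in the article
$orderKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$orderValues = @('ProviderOrder', 'HwOrder')               # values where PGPpwflt would be listed
$findings    = @()

# 1. Is either drive-encryption driver registered as a system driver (loaded or not)?
$drivers = Get-CimInstance -ClassName Win32_SystemDriver
foreach ($file in $driverFiles) {
    foreach ($d in ($drivers | Where-Object { $_.PathName -like "*\$file" })) {
        $findings += "$file is registered as driver service '$($d.Name)' (state: $($d.State))"
    }
    # A file left on disk without a service entry is informational, not a failure.
    if (Test-Path "$env:SystemRoot\System32\drivers\$file") {
        Write-Verbose "$file is present on disk (not necessarily loaded)"
    }
}

# 2. Is the PGPpwflt password filter DLL listed in either provider order value?
foreach ($name in $orderValues) {
    $value = (Get-ItemProperty -Path $orderKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($value -and (($value -split ',') -contains 'PGPpwflt')) {
        $findings += "PGPpwflt is present in $orderKey\$name"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: no drive-encryption driver service and no PGPpwflt provider entry found.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it elevated so the driver and registry queries are complete; a non-zero exit code means at least one of the components the switches should have suppressed is still present.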

The LSP parameter determines whether changes to the Layered Service Provider are made. This needs to be enabled only for SMTP, POP3 and IMAP email. This feature cannot be disabled using Consumer Policy (please see article 153275 for how to disable it) yet very few organizations will need it. Please note that with some releases of Encryption Desktop, the PGPlsp.dll file is still installed. See article 191174 for details. The command to disable it is:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_LSP=0

Important note: Symantec Encryption Desktop versions 10.4.2 MP3 through 10.5 have an issue where installing with PGP_INSTALL_LSP=0 does not actually disable the LSP component. This issue is currently being reviewed and will be addressed in the next release. See article 191174 for more details. SED 10.4.2 MP2 does not encounter this issue.

Virtual Disks are rarely used. An unmanaged client will have virtual disks enabled even if it is not licensed for drive encryption which may confuse users. To disable this functionality with msiexec the command is as follows. This will also ensure that the PGPdisk.sys driver is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_VDISK=0

Combining the above switches, the following command would therefore be appropriate for installing clients that are never expected to use drive encryption, single sign-on, virtual disks or SMTP/POP3 email:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=0 PGP_INSTALL_SSO=0 PGP_INSTALL_VDISK=0 PGP_INSTALL_LSP=0

Another feature that some customers wish to disable is File Share encryption. The command to do this is as follows. This will also ensure that the file sharing driver PGPfsd.sys is not loaded by Windows:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_NETSHARE=0

To use invisible silent enrollment, you must use this msiexec switch. However, never combine this with the PGP_SILENT_FORCE_LDAP=1 switch or they will conflict with each other:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_DISABLESSOENROLL=0

To enable a feature that was previously disabled with an msiexec switch, you need to install a newer release with the opposite switch. For example, to enable drive encryption and single sign-on:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_WDE=1 PGP_INSTALL_SSO=1

To disable ALL components except for Drive Encryption, run the following command:
msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_NETSHARE=0 PGP_INSTALL_GROUPWISE=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_VDISK=0

Encryption Desktop standalone is presented as an executable *.exe file. Article 154873 explains how to extract the *.msi file from the *.exe file.

These msiexec switches can also be used:

  • /quiet - Quiet mode, do not display progress.
  • /passive - Unattended mode, display progress without user interaction.

While the /norestart switch can be used to prevent an automatic reboot following the installation, Encryption Desktop will not function properly without this reboot so use it with caution.

Note that once an msiexec switch has been used, there is no need to use it again on subsequent upgrades. The upgrade will retain the existing settings.
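As an added example (not from the article), the PowerShell script below records the chosen component switches in one table, rejects the DISABLESSOENROLL/SILENT_FORCE_LDAP combination the article warns against, and runs msiexec quietly with a verbose log. The MSI path and log path are assumptions; msiexec exit code 3010 is the standard "success, reboot required" code.

```powershell
# Added example (not from the article): run the install from a single table of switches.
param(
    [string]$Msi = 'C:\Install\PGPDesktop64_en-US.msi',   # assumption: MSI extracted per article 154873
    [string]$Log = "$env:TEMP\PGPDesktop-install.log"     # assumption: where the verbose MSI log goes
)

# Properties discussed in the article; 0 disables, 1 enables. Omit a key to keep its default.
# Once used, the article notes the setting is retained on later upgrades.
$properties = @{
    'PGP_INSTALL_WDE'      = 0   # drive encryption and the PGPwded.sys / PGPwdefs.sys drivers
    'PGP_INSTALL_SSO'      = 0   # single sign-on is only meaningful with drive encryption
    'PGP_INSTALL_VDISK'    = 0   # virtual disks and the PGPdisk.sys driver
    'PGP_INSTALL_LSP'      = 0   # SMTP/POP3/IMAP proxying (see the 10.4.2 MP3 - 10.5 note above)
    'PGP_INSTALL_NETSHARE' = 0   # File Share Encryption and the PGPfsd.sys driver
}

# The article says these two switches must never be combined.
if ($properties['PGP_INSTALL_DISABLESSOENROLL'] -eq 0 -and $properties['PGP_SILENT_FORCE_LDAP'] -eq 1) {
    throw 'PGP_INSTALL_DISABLESSOENROLL=0 conflicts with PGP_SILENT_FORCE_LDAP=1; choose one.'
}
if (-not (Test-Path $Msi)) { throw "MSI not found: $Msi" }

# Build the argument list: /quiet for no UI, /norestart so the reboot can be scheduled
# deliberately (the article notes the client does not work until that reboot happens).
$propArgs = $properties.GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }
$msiArgs  = @('/i', "`"$Msi`"", '/quiet', '/norestart', '/l*v', "`"$Log`"") + $propArgs
Write-Output "Running: msiexec $($msiArgs -join ' ')"

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { Write-Output "Installed. Log: $Log" }
    3010 { Write-Output "Installed; a reboot is required before Encryption Desktop will work. Log: $Log" }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $Log" }
}
```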

The complete list of switches is as follows. Each entry gives the component, its description, and its default value and state:

  • MAPI - MAPI messaging proxy used in Outlook. Default: 1 (Enabled).
  • NOTES - Lotus Notes message proxying. Default: 1 (Enabled).
  • LSP - POP, SMTP and IMAP proxying. Cannot be controlled by Consumer Policy. Default: 1 (Enabled).
  • SSO - Drive encryption Single Sign-On. Default: 1 (Enabled).
  • WDE - Drive encryption. Default: 1 (Enabled).
  • NETSHARE - File Share encryption. Default: 1 (Enabled).
  • GROUPWISE - Novell GroupWise messaging proxy. Default: 0 (Disabled).
  • MEMLOCK - The memory locking feature (which keeps sensitive data from leaving volatile memory). Disabling the memory lock means you can disable all kernel-level items, if desired. Do not disable this unless you have a very specific reason. Default: 1 (Enabled).
  • VDISK - Virtual Disk feature. Controlled by Consumer Policy. Default: 1 (Enabled).
  • MAPI_PLUGIN - Encrypt and Sign buttons in Outlook. Controlled by Consumer Policy. Default: 1 (Enabled).
  • DISABLESSOENROLL - Disable invisible silent enrollment. Set this to 0 to enable invisible silent enrollment. Default: 1 (invisible silent enrollment Disabled).
  • SET_HWORDER - When enabled, puts PGPpwflt at the top of the network provider order. Do not enable this unless you have a very specific reason. Default: 0 (Disabled).
  • SILENT_FORCE_LDAP - Allows the disk to be encrypted to a local Windows password but enrollment to occur using LDAP credentials which are different from the local Windows ones. Default: 0 (Disabled).