Re-enrolling PGP Desktop (Symantec Encryption Desktop) for Windows clients
search cancel

Re-enrolling PGP Desktop (Symantec Encryption Desktop) for Windows clients


Article ID: 180181


Updated On:


Drive Encryption Desktop Email Encryption File Share Encryption Encryption Management Server PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK PGP SDK Endpoint Encryption Gateway Email Encryption


If there is unusual behavior with PGP Encryption Desktop (Symantec Encryption Desktop) or the software is not working correctly, sometimes the easiest solution is to re-enroll the client to PGP  Encryption Server (PGP Encryption Server).

Issues that re-enrollment can address:

  • Key issues
  • Decryption or encryption issues
  • Forceful check in
  • Unexplained behavior

The enrollment is the process of registering the PGP client with PGP Encryption Server (PGP Server).  After a PGP client is registered with the PGP server, it receives policy updates from the server, updates logs to the server, and can lookup PGP keys on the server.

This article covers Windows clients. For Mac clients, see Re-enrolling Encryption Desktop for Mac OS X clients.


For example, if you right click on the PGP Tray applet from the notification area of the Windows taskbar, choose Update Policy and get an error, even though you are connected to the internal network, it may help to re-enroll the client.


To re-enroll the PGP Encryption Desktop client, follow these steps:

  1. Close Outlook if it is open.

  2. Right-click the PGP Tray icon in the notification area of the Windows taskbar, and select "Exit PGP Services." This will stop PGP Tray.

    If you don't see the "Exit PGP Services" option, it means that the PGP Encryption Server administrator has disabled it in policy.

    In that case, you can open Task Manager and end any process starting with "PGP."

  3. Right-click the Windows start button, choose "Run," and type "%appdata%" to access the "C:\Users\username\AppData\Roaming" folder.

  4. Open the "PGP Corporation" folder and delete the "PGPprefs.xml" and "PGPpolicy.xml" files.

  5. Open the PGP Desktop client. This will automatically start PGP Tray.

    Alternatively, navigate to the folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" and open the shortcut named "PGPtray.exe."

  6. The enrollment assistant will launch and ask for your Windows username and password.

  7. When prompted, select the option indicating that you have existing keys, key modes, etc., and accept the default location of the keyring.

    Note: If you have forgotten your key passphrase, you can choose to create a new key. Using the SKM (Secure Key Mode) is recommended, as it allows the end user to securely store their key without the need to remember a passphrase.

  8. These steps will help you re-enroll the Encryption Desktop client with ease.


Restricting Users from Enrolling to the PGP Encryption Server:

The main reason for enrollment is to prove to the PGP Encryption Server that you are a valid user. 

LDAP Enrollment:
If you are unable to provide credentials that will authenticate you as a valid domain user the enrollment will fail.
If you would like to restrict users from enrolling, you can do so by specifying conditions in the Groups, such as the "Excluded Group".

Email Enrollment:
If you would like to restrict users from enrolling, and you do not have LDAP Enrollment enabled, you can use dictionaries or using even a specific domain to match the Excluded Group.
Users matching the excluded group will not be able to enroll.

Only the managed domains listed on the PGP Encryption Server will be allowed to enroll. 
If you have a domain you wish to restrict, simply make sure it's not included in the Managed Domains list on the PGP Encryption Server.


Dictionaries can also be used to restrict access, or even make sure users match a particular policy on the PGP Encryption Server.
If you create a dictionary on the PGP Encryption Server (Under Mail, Dictionaries), such as adding the user's email address.
If the user matches the dictionary, then the group that uses that dictionary will then be used. 

Step 1: Once you go into the Group itself, then click on Group Settings, and then under "Membership", you can check the box "Match Consumers by Domain, Dictionary".
Step 2: Next, click the Consumer is "in Dictionary", and then select the new dictionary you just created.
Step 3: You can then add users individually to this Dictionary to then have them group accordingly. 

When users enroll, they should then match the group associated to this dictionary and then receive the policy associated to the group.

Additional Information

Issues that can be assisted with Re-enrollment:
*Key issues
*Decryption/Encryption issues
*Forceful check-in
*Unexplained behavior
*Messaging enabled even though the policy shows disabled.