If there is unusual behavior with Symantec Encryption Desktop (PGP Desktop) or the software is not working correctly, sometimes the easiest solution is to re-enroll the client to PGP Server.

Issues that re-enrollment can address:

• Key issues
• Decryption or encryption issues
• Forceful check in
• Unexplained behavior

The enrollment is the process of registering the PGP client with Symantec Encryption Management Server (PGP Server).  After a PGP client is registered with the PGP server, it receives policy updates from the server, updates logs to the server, and can lookup PGP keys on the server.

This article covers Windows clients. For Mac clients, see Re-enrolling Encryption Desktop for Mac OS X clients.

Symantec Encryption Desktop 10.5 and later.

For example, if you right click on the PGP Tray applet from the notification area of the Windows taskbar, choose Update Policy and get an error, even though you are connected to the internal network, it may help to re-enroll the client.

To re-enroll the Encryption Desktop client, follow these steps:

1. Close Outlook if it is open.
   
   
2. Right-click the PGP Tray icon in the notification area of the Windows taskbar, and select "Exit PGP Services." This will stop PGP Tray.
   
   If you don't see the "Exit PGP Services" option, it means that the Encryption Management Server administrator has disabled it in policy.
   
   In that case, you can open Task Manager and end any process starting with "PGP."
   
   
3. Right-click the Windows start button, choose "Run," and type "%appdata%" to access the "C:\Users\username\AppData\Roaming" folder.
   
   
4. Open the "PGP Corporation" folder and delete the "PGPprefs.xml" and "PGPpolicy.xml" files.
   
   
5. Open the PGP Desktop client. This will automatically start PGP Tray.
   Alternatively, navigate to the folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" and open the shortcut named "PGPtray.exe."
   
   
6. The enrollment assistant will launch and ask for your Windows username and password.
   
   
7. When prompted, select the option indicating that you have existing keys, key modes, etc., and accept the default location of the keyring.
   
   Note: If you have forgotten your key passphrase, you can choose to create a new key. Using the SKM (Secure Key Mode) is recommended, as it allows the end user to securely store their key without the need to remember a passphrase.
   
   
8. These steps will help you re-enroll the Encryption Desktop client with ease.

Restricting Users from Enrolling to the PGP Encryption Server

The main reason for enrollment is to prove to the PGP Encryption Server that you are a valid user. 

LDAP Enrollment:
If you are unable to provide credentials that will authenticate you as a valid domain user the enrollment will fail.
If you would like to restrict users from enrolling, you can do so by specifying conditions in the Groups, such as the "Excluded Group".

Email Enrollment
If you would like to restrict users from enrolling, and you do not have LDAP Enrollment enabled, you can use dictionaries or using even a specific domain to match the Excluded Group.
Users matching the excluded group will not be able to enroll.

Only the managed domains listed on the PGP Encryption Server will be allowed to enroll. 
If you have a domain you wish to restrict, simply make sure it's not included in the Managed Domains list on the PGP Encryption Server.

Issues that can be assisted with Re-enrollment:
*Key issues
*Decryption/Encryption issues
*Forceful check-in
*Unexplained behavior
*Messaging enabled even though the policy shows disabled.