If there is unusual behavior with PGP Encryption Desktop (Symantec Encryption Desktop) or the software is not working correctly, sometimes the easiest solution is to re-enroll the client to PGP  Encryption Server (PGP Encryption Server).

Issues that re-enrollment can address:

• Key issues
• Decryption or encryption issues
• Forceful check in
• Unexplained behavior

The enrollment is the process of registering the PGP client with PGP Encryption Server (PGP Server).  After a PGP client is registered with the PGP server, it receives policy updates from the server, updates logs to the server, and can lookup PGP keys on the server.

This article covers Windows clients. For Mac clients, see Re-enrolling Encryption Desktop for Mac OS X clients.

For example, if you right click on the PGP Tray applet from the notification area of the Windows taskbar, choose Update Policy and get an error, even though you are connected to the internal network, it may help to re-enroll the client.

To re-enroll the PGP Encryption Desktop client, follow these steps:

1. Close Outlook if it is open.
   
   
2. Right-click the PGP Tray icon in the notification area of the Windows taskbar, and select "Exit PGP Services." This will stop PGP Tray.
   
   If you don't see the "Exit PGP Services" option, it means that the PGP Encryption Server administrator has disabled it in policy.
   
   In that case, you can open Task Manager and end any process starting with "PGP."
   
   
3. Right-click the Windows start button, choose "Run," and type "%appdata%" to access the "C:\Users\username\AppData\Roaming" folder.
   
   
4. Open the "PGP Corporation" folder then navigate to "PGP" subfolder and delete the "PGPprefs.xml" and "PGPpolicy.xml" files.
   
   
5. Open the PGP Desktop client. This will automatically start PGP Tray.
   
   Alternatively, navigate to the folder "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" and open the shortcut named "PGPtray.exe."
   
   
6. The enrollment assistant will launch and ask for your Windows username and password.
   
   
7. When prompted, select the option indicating that you have existing keys, key modes, etc., and accept the default location of the keyring.
   
   Note: If you have forgotten your key passphrase, you can choose to create a new key. Using the SKM (Secure Key Mode) is recommended, as it allows the end user to securely store their key without the need to remember a passphrase.
   
   
8. These steps will help you re-enroll the Encryption Desktop client with ease.

Restricting Users from Enrolling to the PGP Encryption Server:

The main reason for enrollment is to prove to the PGP Encryption Server that you are a valid user. 

LDAP Enrollment:
If you are unable to provide credentials that will authenticate you as a valid domain user the enrollment will fail.
If you would like to restrict users from enrolling, you can do so by specifying conditions in the Groups, such as the "Excluded Group".

Email Enrollment:
If you would like to restrict users from enrolling, and you do not have LDAP Enrollment enabled, you can use dictionaries or using even a specific domain to match the Excluded Group.
Users matching the excluded group will not be able to enroll.

Only the managed domains listed on the PGP Encryption Server will be allowed to enroll. 
If you have a domain you wish to restrict, simply make sure it's not included in the Managed Domains list on the PGP Encryption Server.

Dictionaries:
Dictionaries can also be used to restrict access, or even make sure users match a particular policy on the PGP Encryption Server.
If you create a dictionary on the PGP Encryption Server (Under Mail, Dictionaries), such as adding the user's email address.
If the user matches the dictionary, then the group that uses that dictionary will then be used. 

Step 1: Once you go into the Group itself, then click on Group Settings, and then under "Membership", you can check the box "Match Consumers by Domain, Dictionary".
Step 2: Next, click the Consumer is "in Dictionary", and then select the new dictionary you just created.
Step 3: You can then add users individually to this Dictionary to then have them group accordingly. 

When users enroll, they should then match the group associated to this dictionary and then receive the policy associated to the group.

153668 - Enroll PGP Encryption Desktop client using Directory Authentication with PGP Encryption Server (Symantec Encryption Management Server)

180181 - Re-enrolling PGP Encryption Desktop for Windows clients (Symantec Encryption Desktop)
181366 - Re-enrolling PGP Encryption Desktop for Linux Clients (Symantec Encryption Desktop)
155714 - Re-enrolling PGP Encryption Desktop for macOS X clients (Symantec Encryption Desktop)

217682 - Enrolling a user on multiple machines with PGP Encryption Desktop with SCKM Keymode (Symantec Encryption Desktop) 

153688 - Enable Silent Enrollment for PGP Encryption Desktop (Symantec Encryption Desktop)
181069 - Configure Invisible Silent Enrollment for PGP Encryption Desktop (Symantec Encryption Desktop Clients)

153437 - Using Email Enrollment for PGP Desktop Clients with the PGP Server (Symantec Encryption Management Server)
153324 - PGP Email Proxy Fails or Next Button Grayed out during Enrollment to PGP Encryption Server (Symantec Encryption Management Server)

156303 - Symantec Encryption Products Current Version Available

Issues that can be assisted with Re-enrollment:
*Key issues
*Decryption/Encryption issues
*Forceful check-in
*Unexplained behavior
*Messaging enabled even though the policy shows disabled.