HOWTO: Configure Invisible Silent Enrollment (aka Super Silent Enrollment)
Symantec Encryption Desktop (previously PGP Desktop) Invisible Silent Enrollment eliminates the enrollment screens users would normally see while enrolling with the Symantec Encryption Management Server (previously PGP Universal Server). Once a user logs in to the system, no screens are displayed; all of the enrollment steps, such as user creation, drive encryption and sending of recovery tokens to Symantec Encryption Management Server (SEMS), are handled in the background.
Note: Certain features, such as Smartcards/Tokens/PIV cards, Key Reconstruction for Keys or Local Self Recovery for Whole Disk can trigger additional screens for the user.
- Invisible Silent Enrollment applies only to LDAP Enrollment with a Symantec Encryption Management Server.
- LDAP Enrollment must be used. Email Enrollment does not work with Invisible Silent Enrollment.
- Invisible Silent Enrollment has also been informally referred to as Super Silent Enrollment.
- Invisible Silent Enrollment is only supported on Windows operating systems.
- LDAP enrollment must be enabled on SEMS.
- Silent Enrollment must be checked for the Consumer Policy.
- Requires SKM Key Mode to be selected in the policy.
- A Microsoft Active Directory Domain must be used, because the client calls the Microsoft-specific NetGetAnyDCName API to locate a Domain Controller for authenticating the user.
- A Domain User account must be used to enroll.
- A Domain Controller must be available for the Domain User authentication. If the Domain Controller is not available when the user logs in, Invisible Silent Enrollment will fail silently. If the system is not joined to a domain, this will also cause Invisible Silent Enrollment to fail, because it is not able to complete the calls it makes to find a Domain Controller.
- The PGPSTAMP must be set to use a host name and not an IP address.
Note: The PGPSTAMP is located in the following locations:
For Microsoft Windows 32-bit systems: HKLM\Software\PGP Corporation\PGP
For Microsoft Windows 64-bit systems: HKLM\Software\Wow6432Node\PGP Corporation\PGP
- The PGPSTAMP is built in to the Customized PGP Desktop client when it is downloaded from SEMS. When creating this customized client, make sure the correct FQDN of the server is shown; that value becomes the PGPSTAMP.
Important: Use "Auto Detect" when downloading the Symantec Encryption Desktop customized option instead of Preset Policy. The use of Preset Policy was only intended for non-LDAP enrollment scenarios.
- The PGP Organization Key must match the domain name of the FQDN for SEMS in the PGPSTAMP. For example:
PGPSTAMP keys.example.com with an Organization Key for example.com: enrollment completes successfully.
PGPSTAMP keys.example.com with an Organization Key for any domain other than example.com: enrollment fails.
PGPSTAMP keys.example.net with an Organization Key for example.com: enrollment fails.
PGPSTAMP keys.example.com with an Organization Key only for example.net: enrollment fails.
PGPSTAMP set to the IP address of SEMS: enrollment fails.
- The PGPDesktop.msi installer file must be installed using the following msi switch:
msiexec /i C:\PGPDesktop.msi PGP_INSTALL_DISABLESSOENROLL=0
- MSI editors, such as Orca can also be used to ensure the option is included during the install. For information on modifying the PGP msi with Orca, scroll to the bottom of this article.
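The requirements above can be verified on a client before the first domain user logs on. The following PowerShell pre-flight check is an added example, not code from the original article or from Symantec: it reads the PGPSTAMP from the registry locations named above, rejects an IP address or a host name that is not under the Organization Key's domain, confirms the machine is domain-joined with a reachable Domain Controller, and checks for the orgkey.asc / PGPtrustedcerts.asc files. It assumes that the PGPSTAMP is stored in a registry value literally named "PGPSTAMP" and that the operator supplies the Organization Key's domain as -OrgKeyDomain; both are assumptions not stated on the page. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original article): pre-flight check of the
# Invisible Silent Enrollment prerequisites. Assumptions not stated on the page:
# the PGPSTAMP lives in a registry value named "PGPSTAMP", and the Organization
# Key domain is passed in by the operator as -OrgKeyDomain.
function Get-PgpStamp {
    # Wow6432Node view on 64-bit Windows, plain view on 32-bit Windows.
    foreach ($key in 'HKLM:\Software\Wow6432Node\PGP Corporation\PGP',
                     'HKLM:\Software\PGP Corporation\PGP') {
        $item = Get-ItemProperty -Path $key -Name PGPSTAMP -ErrorAction SilentlyContinue
        if ($item -and $item.PGPSTAMP) { return [string]$item.PGPSTAMP }
    }
    return $null
}

function Test-PgpStampHost {
    param([string]$Stamp, [string]$OrgKeyDomain)
    # Strip a scheme, port or path if one is present so only the host is compared.
    $stampHost = ($Stamp -replace '^[a-z]+://', '') -replace '[/:].*$', ''
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($stampHost, [ref]$ip)) {
        return "FAIL: PGPSTAMP '$Stamp' is an IP address; a host name is required"
    }
    if ($stampHost -notmatch '\.') {
        return "FAIL: PGPSTAMP '$Stamp' is not a fully qualified host name"
    }
    # keys.example.com matches an Organization Key for example.com; keys.example.net does not.
    if (-not $stampHost.EndsWith('.' + $OrgKeyDomain, [StringComparison]::OrdinalIgnoreCase)) {
        return "FAIL: PGPSTAMP host '$stampHost' is not under Organization Key domain '$OrgKeyDomain'"
    }
    return "OK: PGPSTAMP host '$stampHost' is under Organization Key domain '$OrgKeyDomain'"
}

function Test-PgpDomainController {
    # NetGetAnyDCName needs a domain-joined machine and a reachable DC; the .NET
    # calls below throw in both failure cases, which is exactly what we want to see.
    try {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
        $dc = $domain.FindDomainController()
        return "OK: domain '$($domain.Name)', Domain Controller '$($dc.Name)' reachable"
    } catch {
        return "FAIL: not domain-joined or no Domain Controller reachable: $($_.Exception.Message)"
    }
}

function Test-PgpOrgKeyFiles {
    $dir = Join-Path $env:ALLUSERSPROFILE 'PGP Corporation\PGP'
    $found = @('orgkey.asc', 'PGPtrustedcerts.asc') | Where-Object { Test-Path (Join-Path $dir $_) }
    if (-not $found) { return "FAIL: neither orgkey.asc nor PGPtrustedcerts.asc found in $dir" }
    return "OK: found $($found -join ', ') in $dir"
}

function Invoke-PgpEnrollmentPreflight {
    param([Parameter(Mandatory)][string]$OrgKeyDomain)
    [string[]]$results = @()
    $stamp = Get-PgpStamp
    if (-not $stamp) {
        $results += 'FAIL: no PGPSTAMP value found; reinstall the customized client downloaded from SEMS'
    } else {
        $results += Test-PgpStampHost -Stamp $stamp -OrgKeyDomain $OrgKeyDomain
    }
    $results += Test-PgpDomainController
    $results += Test-PgpOrgKeyFiles
    return $results
}

# Usage: every line should start with OK before relying on Invisible Silent Enrollment.
Invoke-PgpEnrollmentPreflight -OrgKeyDomain 'example.com'
```

The script cannot tell whether the Organization Key in orgkey.asc has expired (that needs an OpenPGP parser); treat the file check as presence only and verify the expiry on SEMS as described later in this article.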
About Forcing Separate LDAP Authentication
Note: Symantec Encryption Desktop will still use the Windows credentials automatically; the LDAP credentials are only used to authenticate with SEMS. When PGP_SILENT_FORCE_LDAP=1 is used, the PGPsso.dat file is still created whenever PGP_INSTALL_DISABLESSOENROLL is set to "0", but the file is not used.
Troubleshooting Invisible Silent Enrollment Failures
Invisible Silent Enrollment was only intended to be used during the logon process. If re-enrollment is needed, remove the %appdata%\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml files, then log off the system and log back on. This triggers re-enrollment of the system.
If the user is not able to authenticate with SEMS correctly, nothing is displayed to notify the user. Consult the PGPssoLog.txt file, located in the Windows Temp directory (typically C:\Windows\Temp), for information on why the failure is occurring.
The following msi switches will cause Invisible Silent Enrollment to fail:
- PGP_NO_USERNAME=1 - This creates the value DisableUsernamePrepopulation=1 in HKLM\Software\PGP Corporation\PGP (or HKLM\Software\Wow6432Node\PGP Corporation\PGP on 64-bit systems). This value prevents the username from being pre-populated in the enrollment field, and thus causes Invisible Silent Enrollment to fail.
- PGP_INSTALL_SSO=0 - This disables the credential manager, so the password is not captured.
- PGP_SILENT_FORCE_LDAP=1 - This forces the enrollment prompt to appear, reversing the effect of PGP_INSTALL_DISABLESSOENROLL set to "0".
- PGP_INSTALL_WDE=0 - This also disables the password filter that lets enrollment obtain the login passphrase; the result is a normal silent enrollment, which prompts for user credentials.
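The following PowerShell triage script is an added example, not code from the original article or from Symantec. It performs the three checks a silent failure usually comes down to: whether the client was installed with PGP_NO_USERNAME=1 (by looking for the DisableUsernamePrepopulation=1 value named above), what the tail of PGPssoLog.txt says, and a reset that removes PGPprefs.xml and PGPpolicy.xml so the next logon re-enrolls. It assumes the log directory is the Windows Temp directory ($env:windir\Temp) and that the reset is run as the affected user, since the files live under that user's %appdata%.

```powershell
# Added example (not from the original article): first-line triage of a silent
# Invisible Silent Enrollment failure. Assumptions: PGPssoLog.txt is under
# $env:windir\Temp, and Reset-PgpEnrollment runs as the affected user.
$PgpRegistryKeys = 'HKLM:\Software\PGP Corporation\PGP',
                   'HKLM:\Software\Wow6432Node\PGP Corporation\PGP'

function Test-PgpUsernamePrepopulationDisabled {
    # DisableUsernamePrepopulation=1 is written by PGP_NO_USERNAME=1 and breaks
    # Invisible Silent Enrollment, which needs the Windows user name pre-filled.
    foreach ($key in $PgpRegistryKeys) {
        $v = Get-ItemProperty -Path $key -Name DisableUsernamePrepopulation -ErrorAction SilentlyContinue
        if ($v -and [int]$v.DisableUsernamePrepopulation -eq 1) {
            return "FAIL: DisableUsernamePrepopulation=1 under $key (client installed with PGP_NO_USERNAME=1)"
        }
    }
    return 'OK: username pre-population is not disabled'
}

function Get-PgpSsoLogTail {
    param([int]$Lines = 40)
    $log = Join-Path $env:windir 'Temp\PGPssoLog.txt'
    if (-not (Test-Path $log)) {
        return "No $log found; the SSO component does not appear to have run at logon"
    }
    Get-Content -Path $log -Tail $Lines
}

function Reset-PgpEnrollment {
    # Removes the two per-user files; the user must then log off and back on to
    # re-enroll. -WhatIf lists what would be deleted without touching anything.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $dir = Join-Path $env:APPDATA 'PGP Corporation\PGP'
    foreach ($name in 'PGPprefs.xml', 'PGPpolicy.xml') {
        $path = Join-Path $dir $name
        if (Test-Path $path) {
            if ($PSCmdlet.ShouldProcess($path, 'Remove')) { Remove-Item -Path $path -Force }
        }
    }
}

Test-PgpUsernamePrepopulationDisabled
Get-PgpSsoLogTail -Lines 40
# Reset-PgpEnrollment -WhatIf    # preview; then as the affected user: Reset-PgpEnrollment, then log off
```

The registry check only covers PGP_NO_USERNAME=1, because that is the one switch for which the article names the resulting registry value; for PGP_INSTALL_SSO=0, PGP_SILENT_FORCE_LDAP=1 and PGP_INSTALL_WDE=0, check the original msiexec command line or the Windows Installer log instead.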
If Smartcards/Tokens/PIV Cards are used for Whole Disk or other PGP features, users will be prompted to enter PINs where applicable. This will not necessarily cause enrollment to fail and is by design: since the drives are encrypted to the keys on the Smartcards/Tokens/PIV Cards, the PIN is what is used to authenticate and decrypt.
Organization Keys and how it relates to Invisible Silent Enrollment:
The Organization Key is used to properly enroll with Invisible Silent Enrollment. If there are problems with the Organization Key included on the client, Invisible Silent Enrollment could fail.
Check %allusersprofile%\PGP Corporation\PGP for the orgkey.asc file or the PGPtrustedcerts.asc file. If the Organization Key is present in neither (no orgkey.asc, and no Organization Key inside PGPtrustedcerts.asc), Invisible Silent Enrollment will fail. An Organization Key included in the PGPtrustedcerts.asc file is sufficient on its own for Invisible Silent Enrollment to complete successfully.
Caution: If the orgkey.asc file contains an expired Organization Key, Invisible Silent Enrollment will fail. The orgkey.asc file is created when the Customized Installer MSI for Symantec Encryption Desktop is built. Organization Keys typically have a 1-year expiration period by default, which means that once deployed, Invisible Silent Enrollment will work for one year. After that year, the key is considered expired, and the orgkey.asc file on each client will need to be overwritten with a new one to continue using this functionality.
If manually deploying the new orgkey.asc file is not desired, download the Organization Key Pair, import it into a standalone (not managed) Symantec Encryption Desktop client, and change the expiration date to the desired duration (Never expire is also an option if needed). Once the expiration date has been changed in Symantec Encryption Desktop, export the keypair and import it into Symantec Encryption Management Server to overwrite the existing key (using the same key). Then create a new customized install and install it on a new system. The orgkey.asc file will now have the expiration date set in the previous steps***
- If the Organization Certificate has expired, this can also cause Invisible Silent Enrollment to fail. For more information on this, see article TECH193704.
***WARNING: Before modifying the Organization Key, export a keypair so a backup is available. Then create a backup of the server (take a snapshot in VMware if possible). Overwriting the Organization Key pair incorrectly can cause significant issues with Symantec Encryption Management Server. If in doubt, contact Symantec Support.
- If the Drive Encryption policy on SEMS is set to Deny SSO, the user will be displayed an error dialog during disk encryption. Make sure the consumer policy either allows or requires SSO.
Editing PGPDesktop.msi with Orca
Orca can also be used to modify the installer itself to include this option.
With PGP Desktop 10.2, to modify the correct setting, open the PGPDesktop.msi file with Orca, then under the Tables Column in Orca, click on Property. In the right-pane, find the "PGP_INSTALL_DISABLESSOENROLL" value, and set to "0". Default Value should be "-1".
Save the changes to the .msi file and test the installer.
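The Orca edit above can also be scripted so it is applied identically to every customized MSI downloaded from SEMS. The following PowerShell is an added example, not code from the original article or from Symantec: it opens the MSI with the Windows Installer COM object (WindowsInstaller.Installer), sets PGP_INSTALL_DISABLESSOENROLL in the Property table to "0", reads the value back, and then runs the silent install with a verbose log. The MSI path is supplied by the operator; the property name and its values ("-1" default, "0" to enable) are those given in this article, and the /qn and /l*v switches are standard msiexec options rather than PGP-specific ones.

```powershell
# Added example (not from the original article): the Orca Property-table edit
# done with the Windows Installer COM object, plus a logged silent install.
function Invoke-MsiQuery {
    # Runs one SQL statement against an open Windows Installer database. With
    # -Scalar, returns the first column of the first row ($null if no row).
    param($Database, [string]$Sql, [switch]$Scalar)
    $view = $Database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $Database, @($Sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $value = $null
    if ($Scalar) {
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($record) {
            $value = $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
        }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    return $value
}

function Set-MsiProperty {
    param([Parameter(Mandatory)][string]$MsiPath,
          [string]$Name = 'PGP_INSTALL_DISABLESSOENROLL',
          [string]$Value = '0')
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # 1 = msiOpenDatabaseModeTransact: edits are written to the file on Commit.
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 1))
    $select  = "SELECT Value FROM Property WHERE Property = '$Name'"
    $current = Invoke-MsiQuery -Database $db -Sql $select -Scalar
    if ($null -eq $current) {
        # Property row missing entirely: add it rather than silently doing nothing.
        Invoke-MsiQuery -Database $db -Sql "INSERT INTO Property (Property, Value) VALUES ('$Name', '$Value')"
    } else {
        Invoke-MsiQuery -Database $db -Sql "UPDATE Property SET Value = '$Value' WHERE Property = '$Name'"
    }
    $db.GetType().InvokeMember('Commit', 'InvokeMethod', $null, $db, $null)
    $after = Invoke-MsiQuery -Database $db -Sql $select -Scalar
    [pscustomobject]@{ Property = $Name; Before = $current; After = $after }
}

function Install-PgpDesktop {
    param([Parameter(Mandatory)][string]$MsiPath,
          [string]$LogPath = (Join-Path $env:TEMP 'PGPDesktop-install.log'))
    # The property is repeated on the command line so the install is correct
    # even if the MSI edit was skipped; /qn = no UI, /l*v = verbose log.
    $argList = "/i `"$MsiPath`" PGP_INSTALL_DISABLESSOENROLL=0 /qn /l*v `"$LogPath`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required.
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with $($p.ExitCode); see $LogPath" }
    return $p.ExitCode
}

# Usage (elevated): expect Before = -1, After = 0, then exit code 0 or 3010.
Set-MsiProperty -MsiPath 'C:\PGPDesktop.msi'
Install-PgpDesktop -MsiPath 'C:\PGPDesktop.msi'
```

Editing the MSI changes its contents, so if the customized installer was obtained with a hash or signature from SEMS, re-verify the original before editing and distribute the edited copy through your own trusted channel; a modified MSI will not match the original hash.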