HOWTO: Configure Invisible Silent Enrollment (aka Super Silent Enrollment)
Symantec Encryption Desktop (previously PGP Desktop) Invisible Silent Enrollment eliminates the enrollment screens users would normally see while enrolling with Symantec Encryption Management Server (previously PGP Universal Server). Once a user logs in to the system, no screens are displayed and all enrollment steps, such as user creation, drive encryption, and sending recovery tokens to Symantec Encryption Management Server (SEMS), are handled in the background.
Note: Certain features, such as Smartcards/Tokens/PIV cards, Key Reconstruction for Keys or Local Self Recovery for Whole Disk can trigger additional screens for the user.
Note: The PGPSTAMP registry value is located under the following key:
For Microsoft Windows 32-bit systems: HKLM\Software\PGP Corporation\PGP
For Microsoft Windows 64-bit systems: HKLM\Software\Wow6432Node\PGP Corporation\PGP
About Forcing Separate LDAP Authentication
Note: Symantec Encryption Desktop will still use the Windows credentials automatically; the LDAP credentials are used only for authentication with SEMS. When PGP_SILENT_FORCE_LDAP=1 is used, the PGPsso.dat file is still created whenever PGP_INSTALL_DISABLESSOENROLL is set to "0"; however, the file is not used.
Troubleshooting Invisible Silent Enrollment Failures
Invisible Silent Enrollment is only intended to run during the logon process. If re-enrollment is needed, remove the %appdata%\PGP Corporation\PGP\PGPprefs.xml and %appdata%\PGP Corporation\PGP\PGPpolicy.xml files, then log off the system and log back on. This triggers re-enrollment of the system.
If the user cannot authenticate with SEMS correctly, nothing is displayed to notify the user. Consult the PGPssoLog.txt file for information on why the failure is occurring. PGPssoLog.txt is located in the Windows Temp directory (typically C:\Windows\Temp); examine the log to identify the problem.
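The following PowerShell helper is an added example and is not part of the Symantec KB article or the product. It ties together the checks described above: it reads the PGPSTAMP value from the 32-bit or 64-bit registry location, reports whether PGPprefs.xml and PGPpolicy.xml are present, shows recent PGPssoLog.txt lines that look like failures, and can remove the two preference files to force re-enrollment at the next logon. The error-matching pattern and the function names are assumptions; the registry keys, file names and log path come from the article.

```powershell
# Added example (not from the Symantec KB article): enrollment troubleshooting
# helper for Symantec Encryption Desktop. Run it in the affected user's session,
# preferably from 64-bit PowerShell so both registry paths are seen as written.

function Get-PgpStamp {
    # Registry key differs by OS bitness (both paths are from the article).
    $paths = @(
        'HKLM:\SOFTWARE\PGP Corporation\PGP',              # 32-bit Windows
        'HKLM:\SOFTWARE\Wow6432Node\PGP Corporation\PGP'   # 64-bit Windows
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).PGPSTAMP
            if ($v) { return [pscustomobject]@{ Key = $p; PGPSTAMP = $v } }
        }
    }
    return $null
}

function Test-PgpEnrollmentState {
    param(
        # Assumed pattern; adjust to the strings you actually see in PGPssoLog.txt.
        [string]$ErrorPattern = 'fail|error|denied|unable|timeout',
        [int]$TailLines = 40
    )
    $prefsDir = Join-Path $env:APPDATA 'PGP Corporation\PGP'
    $log      = Join-Path $env:SystemRoot 'Temp\PGPssoLog.txt'   # C:\Windows\Temp

    $stamp = Get-PgpStamp
    if ($stamp) { "PGPSTAMP found under $($stamp.Key): $($stamp.PGPSTAMP)" }
    else        { 'WARNING: no PGPSTAMP value found in either registry location.' }

    foreach ($f in 'PGPprefs.xml', 'PGPpolicy.xml') {
        $path = Join-Path $prefsDir $f
        if (Test-Path $path) { "Present: $path (enrollment has run at least once)" }
        else                 { "Missing: $path (client will re-enroll at next logon)" }
    }

    if (Test-Path $log) {
        "--- lines from the last $TailLines of $log matching /$ErrorPattern/ ---"
        Get-Content -Path $log -Tail $TailLines | Select-String -Pattern $ErrorPattern
    } else {
        "No $log found; the SSO enrollment component has not logged anything yet."
    }
}

function Reset-PgpEnrollment {
    # Removes the two files the article names so that the next logon re-enrolls.
    # The user must log off and log back on afterwards.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $prefsDir = Join-Path $env:APPDATA 'PGP Corporation\PGP'
    foreach ($f in 'PGPprefs.xml', 'PGPpolicy.xml') {
        $path = Join-Path $prefsDir $f
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Remove')) {
            Remove-Item -Path $path -Force
        }
    }
}

Test-PgpEnrollmentState
# Reset-PgpEnrollment -WhatIf   # preview; drop -WhatIf to actually remove the files
```

Run Test-PgpEnrollmentState first and read the log lines it surfaces before resetting anything; a missing PGPSTAMP or a present PGPsso.dat that is never used (see the LDAP note above) points at a deployment problem rather than a stale enrollment, and deleting the preference files will not fix it.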
The following MSI switches will cause Invisible Silent Enrollment to fail:
Editing PGPDesktop.msi with Orca
Orca can also be used to modify the installer itself so that it carries this option.
With PGP Desktop 10.2, open the PGPDesktop.msi file in Orca, then in the Tables column on the left click Property. In the right pane, find the "PGP_INSTALL_DISABLESSOENROLL" row and set its value to "0" (the shipped default is "-1").
Save the changes to the .msi file and test the installer. If the original .msi is digitally signed, editing it invalidates that signature, so verify the modified package before distributing it and keep the unmodified original for reference.
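The script below is an added example, not part of the Symantec KB article or of the product, showing the same Property-table edit done without Orca through the Windows Installer automation interface (the WindowsInstaller.Installer COM object). It works on a copy of PGPDesktop.msi, reports the value before and after, and then compares the Authenticode status of the original and modified packages so the broken-signature consequence is visible. The output file name and the helper function names are assumptions; the property name and value come from the article.

```powershell
# Added example (not from the Symantec KB article): set PGP_INSTALL_DISABLESSOENROLL
# in the Property table of a COPY of PGPDesktop.msi via the Windows Installer API.
param(
    [string]$SourceMsi = '.\PGPDesktop.msi',
    [string]$OutputMsi = '.\PGPDesktop-silent.msi',   # assumed output name
    [string]$Property  = 'PGP_INSTALL_DISABLESSOENROLL',
    [string]$Value     = '0'
)

Copy-Item -Path $SourceMsi -Destination $OutputMsi -Force
$msiPath = (Resolve-Path $OutputMsi).Path

$installer = New-Object -ComObject WindowsInstaller.Installer
# OpenDatabase mode 1 = msiOpenDatabaseModeTransact (read/write, committed on Commit)
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($msiPath, 1))

function Invoke-MsiQuery($db, [string]$sql) {
    # Opens and executes a Windows Installer SQL view; caller closes it.
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $view
}

function Get-MsiProperty($db, [string]$name) {
    # Single-quoted format string: backticks are MSI SQL identifier quotes, not PowerShell escapes.
    $sql  = 'SELECT `Value` FROM `Property` WHERE `Property` = ''{0}''' -f $name
    $view = Invoke-MsiQuery $db $sql
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    if ($rec) { return $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1)) }
    return $null
}

$before = Get-MsiProperty $db $Property
"Before: $Property = $before"   # the article says the shipped default is -1

if ($null -eq $before) {
    $sql = 'INSERT INTO `Property` (`Property`, `Value`) VALUES (''{0}'', ''{1}'')' -f $Property, $Value
} else {
    $sql = 'UPDATE `Property` SET `Value` = ''{1}'' WHERE `Property` = ''{0}''' -f $Property, $Value
}
$view = Invoke-MsiQuery $db $sql
$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
$db.GetType().InvokeMember('Commit', 'InvokeMethod', $null, $db, $null) | Out-Null

"After:  $Property = $(Get-MsiProperty $db $Property)"

# Any Authenticode signature on the original does not carry over to the edited copy.
Get-AuthenticodeSignature -FilePath $SourceMsi, $OutputMsi | Format-Table Path, Status -AutoSize
```

Because PGP_INSTALL_DISABLESSOENROLL is a public (all-uppercase) Windows Installer property, the same effect is available without touching the package by passing PGP_INSTALL_DISABLESSOENROLL=0 on the msiexec command line (standard Windows Installer behaviour); editing the Property table is the option to reach for only when the deployment tool cannot supply properties, since it leaves you distributing an unsigned or re-signed package.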