When a system image (also known as golden image, master image or base image) of an operating environment is created after the MACHINEGUID registry entry is populated, machines built using that system image will send the same MACHINEGUID to Encryption Management Server.
The MACHINEGUID is the unique identifier for each client machine. Therefore, if there are duplicate MACHINEGUID entries, machine entries in the Encryption Management Server database will be constantly overwritten. This includes the Whole Disk Recovery Token (WDRT).
This document is intended for local administrators who create system images and deploy them on client computers. It explains how to change the MACHINEGUID on a client computer with the PGPwdeupdatemachineUUID.exe utility if multiple computers in the environment have the same MACHINEGUID. The utility gives each machine a unique MACHINEGUID.
With Encryption Desktop 10.3.1 or earlier, the MACHINEGUID is generated during the installation of the software. Therefore, when an administrator deploys a system image of an operating environment with Encryption Desktop 10.3.1 or earlier to a large number of computers in a managed environment, the same MACHINEGUID is copied to multiple computers. A duplicate MACHINEGUID value can also occur when a .msi transform file (.mst file) is created improperly and includes the MACHINEGUID registry value. See article TECH194265 for more details on the MACHINEGUID value.
When you run the PGPwdeupdatemachineUUID.exe command-line utility, it generates a new MACHINEGUID on a client computer. The new MACHINEGUID is then sent to Encryption Management Server to create a unique entry for the computer.
There are four versions of the PGPwdeupdatemachineUUID utility. It is essential that the correct version is used:
To run the utility locally via the command line
MACHINEGUID on the client system, run the command with the following parameter: PGPwdeupdatemachineUUID.exe -v
PGPwdeupdatemachineUUID.exe -help
After running the utility, open Encryption Desktop to enable PGP Tray. Enabling PGP Tray sends the new MACHINEGUID to Encryption Management Server.
You can also run the utility remotely by using tools such as PsExec, or other third-party utilities. When using the tool in this way, ensure that the user running the command has administrative privileges. Before deploying this utility to affected systems, Symantec recommends testing a sample of affected systems to ensure the MACHINEGUID and Disk UUID are updated. See TECH194265 for more details on the duplicate MACHINEGUID issue.
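One way to carry out that sample test, as an added example that is not Symantec's code: the PowerShell below compares each computer's MACHINEGUID before and after the utility ran and flags machines that still need attention. The inventory rows are constructed sample data, and the column names, the GUID formatting and the way the values are collected are assumptions.

```powershell
# Constructed sample data: one row per computer, with the MACHINEGUID recorded
# before and after running the utility. Collection method is an assumption.
$inventory = @'
Computer,Before,After
PC-001,{3F2504E0-4F89-11D3-9A0C-0305E82C3301},{9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D}
PC-002,3f2504e0-4f89-11d3-9a0c-0305e82c3301,{1B9D6BCD-BBFD-4B2D-9B5D-AB8DFBBD4BED}
PC-003,{3F2504E0-4F89-11D3-9A0C-0305E82C3301},{3F2504E0-4F89-11D3-9A0C-0305E82C3301}
PC-004,{6EC0BD7F-11C0-43DA-975E-2A8AD9EBAE0B},{6EC0BD7F-11C0-43DA-975E-2A8AD9EBAE0B}
'@ | ConvertFrom-Csv

function Get-NormalizedId([string]$Value) {
    # Ignore case, surrounding braces and whitespace so that the same
    # identifier written two ways is still recognised as a duplicate.
    $Value.Trim().Trim('{', '}').ToUpperInvariant()
}

function Get-DuplicateCluster($Rows, [string]$Column) {
    # Group rows by normalized identifier; keep groups shared by 2+ computers.
    $Rows | Group-Object { Get-NormalizedId $_.$Column } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                Guid      = $_.Name
                Computers = $_.Group.Computer -join ', '
            }
        }
}

$before = Get-DuplicateCluster $inventory 'Before'   # clones of the image
$after  = Get-DuplicateCluster $inventory 'After'    # should be empty

$report = foreach ($row in $inventory) {
    $b = Get-NormalizedId $row.Before
    $a = Get-NormalizedId $row.After
    $wasDuplicate = @($before.Guid) -contains $b
    $stillShared  = @($after.Guid) -contains $a
    [pscustomobject]@{
        Computer     = $row.Computer
        WasDuplicate = $wasDuplicate
        Changed      = $a -ne $b
        StillShared  = $stillShared
        # A former duplicate must have a new value that nobody else holds.
        NeedsAction  = $wasDuplicate -and (($a -eq $b) -or $stillShared)
    }
}

$before | Format-Table -AutoSize
$report | Format-Table -AutoSize
```

With the sample rows, PC-001, PC-002 and PC-003 form one duplicate cluster before the run, and only PC-003 is flagged afterwards because its value did not change.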
On the client computer, ensure that the registry location has the same MACHINEGUID that is available on Encryption Management Server. See TECH149261 for more information on how to create system images for client computers with Symantec Drive Encryption.
To obtain the PGPwdeupdatemachineUUID.exe utility for the applicable versions, as well as a full consultation in resolving this issue, including cleaning up data on the Symantec Encryption Management Server, contact Symantec Support. Running this tool by itself is not enough to completely resolve this issue.
Note that with Encryption Desktop 10.3.2 and above, the following error may occur when running the utility from a folder other than C:\Program Files\PGP Corporation\PGP Desktop or C:\Program Files (x86)\PGP Corporation\PGP Desktop:
Operation failed. PGP error : -11996
Operation failed: Failed to update PGP metadata. Internal Error code -11980
Returning Error Code : 5
To avoid this error, run the utility from within the PGP Desktop folder.
NOTE: A walkthrough of using PGPwdeupdatemachineUUID.exe, as well as troubleshooting steps, is attached to this article.