When a system image (also known as golden image, master image or base image) of an operating environment is created after the MACHINEGUID registry entry is populated, machines built using that system image will send the same MACHINEGUID to the PGP Encryption Server (Symantec Encryption Management Server).
The MACHINEGUID is the unique identifier for each client machine. Therefore, if there are duplicate MACHINEGUID entries, machine entries in the PGP Encryption Server database will be constantly overwritten. This includes the Whole Disk Recovery Token (WDRT).
This document is intended for local administrators who create system images and deploy them on client computers. This document helps the administrator understand how to change the MACHINEGUID on a client computer with the PGPwdeupdatemachineUUID.exe utility if multiple computers in the environment have the same MACHINEGUID. The utility gives each machine a unique MACHINEGUID.
With Encryption Desktop 10.3.1 or earlier, the MACHINEGUID is generated during the installation of the software. Therefore, when an administrator deploys a system image of an operating environment with Encryption Desktop 10.3.1 or earlier to a large number of computers in a managed environment, the same MACHINEGUID is copied to multiple computers. A duplicate MACHINEGUID value can also occur if a .msi transform file (.mst file) is created improperly and includes the registry value of MACHINEGUID.
See the following article for more details:
When you run the PGPwdeupdatemachineUUID.exe command-line utility, it generates a new MACHINEGUID on a client computer. The new MACHINEGUID is then sent to the PGP Encryption Server (Symantec Encryption Management Server) to create a unique entry for the computer.
There are four versions of the PGPwdeupdatemachineUUID utility. It is essential that the correct version is used:
To run the utility locally via the command line
MACHINEGUID on the client system, run the command with the following parameter: PGPwdeupdatemachineUUID.exe –v
PGPwdeupdatemachineUUID.exe –help
After running the utility, open Encryption Desktop to enable PGP Tray. Enabling PGP Tray sends the new MACHINEGUID to the PGP Encryption Server.
You can also run the utility remotely by using tools such as PsExec, or other third-party utilities. When using the tool in this way, ensure the user running this command has administrative privileges. Before deploying this utility to affected systems, Symantec recommends testing a sample of affected systems to ensure the MACHINEGUID and Disk UUID are updated.
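One way to carry out the sample test recommended above, as an added example rather than a Symantec tool or procedure: compare the MACHINEGUID and Disk UUID recorded for each sample computer before and after the utility ran. The CSV layout, the column names, the Test-GuidRollout function and the sample values are assumptions constructed for illustration; gathering the values from each client is left to your own inventory method.

```powershell
# Constructed sample inventories: values recorded before and after the utility ran.
# Collecting them from each client is out of scope here (assumed to be done already).
$before = @'
Computer,MachineGuid,DiskUuid
PC-001,aaaaaaaa-0000-4000-8000-000000000001,d0000000-0000-4000-8000-000000000001
PC-002,aaaaaaaa-0000-4000-8000-000000000001,d0000000-0000-4000-8000-000000000001
PC-003,aaaaaaaa-0000-4000-8000-000000000001,d0000000-0000-4000-8000-000000000001
PC-004,aaaaaaaa-0000-4000-8000-000000000001,d0000000-0000-4000-8000-000000000001
'@ | ConvertFrom-Csv
$after = @'
Computer,MachineGuid,DiskUuid
PC-001,bbbbbbbb-0000-4000-8000-000000000011,e0000000-0000-4000-8000-000000000011
PC-002,aaaaaaaa-0000-4000-8000-000000000001,d0000000-0000-4000-8000-000000000001
PC-003,CCCCCCCC-0000-4000-8000-000000000033,e0000000-0000-4000-8000-000000000033
PC-004,cccccccc-0000-4000-8000-000000000033,e0000000-0000-4000-8000-000000000044
'@ | ConvertFrom-Csv

function Test-GuidRollout {
    param([object[]] $Before, [object[]] $After)
    $norm = { param($v) "$v".Trim().ToLowerInvariant() }   # ignore case and padding
    $old = @{}; foreach ($r in $Before) { $old[$r.Computer] = $r }
    $new = @{}; foreach ($r in $After)  { $new[$r.Computer] = $r }
    $count = @{}   # number of computers reporting each MACHINEGUID after the change
    foreach ($r in $After) { $k = & $norm $r.MachineGuid; $count[$k] = 1 + [int]$count[$k] }
    foreach ($r in $After) {
        $issues = @()
        $prev = $old[$r.Computer]
        if ($null -eq $prev) { $issues += 'no baseline recorded' }
        else {
            if ((& $norm $prev.MachineGuid) -eq (& $norm $r.MachineGuid)) { $issues += 'MACHINEGUID unchanged' }
            if ((& $norm $prev.DiskUuid) -eq (& $norm $r.DiskUuid)) { $issues += 'Disk UUID unchanged' }
        }
        if ($count[(& $norm $r.MachineGuid)] -gt 1) { $issues += 'MACHINEGUID shared with another computer' }
        [pscustomobject]@{
            Computer = $r.Computer
            Result   = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
    # Computers in the baseline that were never checked again
    foreach ($r in $Before) {
        if (-not $new.ContainsKey($r.Computer)) {
            [pscustomobject]@{ Computer = $r.Computer; Result = 'not re-sampled' }
        }
    }
}

Test-GuidRollout -Before $before -After $after | Format-Table -AutoSize
```

Any row whose Result is not OK should be resolved on the sample before the utility is deployed more widely.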
See the following article for more information on how to properly include PGP Drive Encryption into the image:
156854 - Including PGP Drive Encryption and Deploying into Machine Images (Symantec Encryption Desktop Drive Encryption)
To obtain the PGPwdeupdatemachineUUID.exe utility for the applicable versions, as well as a full consultation in resolving this issue, including cleaning up data on the PGP Encryption Management Server, contact Symantec Encryption Support.