Change the MACHINEGUID of a PGP Desktop (Symantec Encryption Desktop) client computer with the PGPwdeupdatemachineUUID utility

Article ID: 158884

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

When a system image (also known as golden image, master image or base image) of an operating environment is created after the MACHINEGUID registry entry is populated, machines built using that system image will send the same MACHINEGUID to the PGP Encryption Server (Symantec Encryption Management Server).

The MACHINEGUID is the unique identifier for each client machine. Therefore, if there are duplicate MACHINEGUID entries, machine entries in the PGP Encryption Server database will be constantly overwritten. This includes the Whole Disk Recovery Token (WDRT).

This document is intended for local administrators who create system images and deploy them on client computers. This document helps the administrator understand how to change the MACHINEGUID on a client computer with the PGPwdeupdatemachineUUID.exe utility if multiple computers in the environment have the same MACHINEGUID. The utility gives each machine a unique MACHINEGUID.

Cause

With Encryption Desktop 10.3.1 or earlier, the MACHINEGUID is generated during installation of the software. Therefore, when an administrator deploys a system image of an operating environment with Encryption Desktop 10.3.1 or earlier to a large number of computers in a managed environment, the same MACHINEGUID is copied to multiple computers. A duplicate MACHINEGUID value can also occur when an .msi transform file (.mst file) is created improperly so that it includes the MACHINEGUID registry value.

See the following article for more details:

156854 - Including PGP Drive Encryption and Deploying into Machine Images (Symantec Encryption Desktop Drive Encryption)

Resolution

When you run the PGPwdeupdatemachineUUID.exe command-line utility, it generates a new MACHINEGUID on a client computer. The new MACHINEGUID is then sent to the PGP Encryption Server (Symantec Encryption Management Server) to create a unique entry for the computer.

There are four versions of the PGPwdeupdatemachineUUID utility. It is essential that the correct version is used:

  1. PGP Desktop 10.1.x clients.
  2. Encryption Desktop 10.2.x - 10.3.1 MP1.
  3. Encryption Desktop 10.3.2 - 10.3.2 MP11.
  4. Encryption Desktop 10.3.2 MP13 and above.

To run the utility locally via the command line

  1. Right-click the PGP Tray icon and select Exit PGP Services.
  2. Open a Windows command prompt.
  3. Run PGPwdeupdatemachineUUID.exe.
  4. To set a specific MACHINEGUID on the client system, run the command with the following parameter:
    PGPwdeupdatemachineUUID.exe -v
    (the -v option will provide verbose output)

    Note: The following command can be used to get help:
    PGPwdeupdatemachineUUID.exe –help

After running the utility, open Encryption Desktop to enable PGP Tray. Enabling PGP Tray sends the new MACHINEGUID to the PGP Encryption Server.

Remote Execution

You can also run the utility remotely by using tools such as PsExec, or other third-party utilities.  When using the tool in this way, ensure the user running this command has administrative privileges. Before deploying this utility to affected systems, Symantec recommends testing a sample of affected systems to ensure the MACHINEGUID and Disk UUID are updated.
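Before rolling the utility out, it helps to know which clients actually share a MACHINEGUID and to pick the test sample recommended above. The following is an added example, not Symantec code: the inventory CSV, its column names, the hostnames and the GUID values are all constructed, and how the values are collected from clients is not covered here.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: one row per client with the MACHINEGUID it reports.
# Column names and values are made up for this example; collecting them is out of scope.
SAMPLE_INVENTORY = """hostname,machineguid
WS-001,{3F2504E0-4F89-11D3-9A0C-0305E82C3301}
WS-002,3f2504e0-4f89-11d3-9a0c-0305e82c3301
WS-003,{9B1DEB4D-3B7D-4BAD-9BDD-2B0D7B3DCB6D}
WS-004,{3F2504E0-4F89-11D3-9A0C-0305E82C3301}
WS-005,
"""


def normalize(guid):
    """Fold case and drop braces/whitespace so equal GUIDs compare equal."""
    return (guid or "").strip().strip("{}").lower()


def find_duplicates(csv_text):
    """Map each MACHINEGUID reported by more than one host to those hosts."""
    by_guid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        guid = normalize(row.get("machineguid"))
        if guid:  # hosts with no collected value are skipped, not grouped
            by_guid[guid].append(row["hostname"].strip())
    return {g: sorted(hosts) for g, hosts in by_guid.items() if len(hosts) > 1}


def rollout_plan(csv_text, pilot_size=1):
    """Split affected hosts into a pilot sample and the remaining hosts."""
    affected = sorted(h for hosts in find_duplicates(csv_text).values() for h in hosts)
    return {"pilot": affected[:pilot_size], "remaining": affected[pilot_size:]}


if __name__ == "__main__":
    for guid, hosts in find_duplicates(SAMPLE_INVENTORY).items():
        # All of these hosts map to a single server-side entry keyed by this GUID.
        print(f"{guid}: {len(hosts)} hosts share one server entry -> {', '.join(hosts)}")
    print(rollout_plan(SAMPLE_INVENTORY, pilot_size=1))
```

Hosts in the "pilot" list are the ones to run the utility on first and verify before continuing with the "remaining" list.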

See the following article for more information on how to properly include PGP Drive Encryption into the image:

156854 - Including PGP Drive Encryption and Deploying into Machine Images (Symantec Encryption Desktop Drive Encryption)

To obtain the PGPwdeupdatemachineUUID.exe utility for the applicable versions, as well as a full consultation in resolving this issue, including cleaning up data on the PGP Encryption Management Server, contact Symantec Encryption Support. 
