This article describes how to change an embedded policy PGP Desktop client to be managed by a PGP Universal Server without decrypting and uninstalling PGP Desktop.
For more information on the Embedded Policy client, and how to use it, see article TECH148945.
(This scenario assumes you are using LDAP Directory Synchronization for user enrollment.)
PGP Desktop clients with an embedded policy never receive any updated policy information from the PGP Universal management server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself. If a PGP Whole Disk Encryption deployment never connects to the PGP Universal Server, you cannot use Whole Disk Recovery Tokens or get policy changes/updates.
An embedded policy client can be changed to a managed client of the PGP Universal Server by editing the registry and re-enrolling the user without decrypting and uninstalling PGP Desktop. During enrollment the PGP Desktop client will generate a Whole Disk Recovery Token (WDRT) for a PGP Whole Disk Encrypted systems (if your client policy is set to do so).
You can find the PGP Universal Server registry PGPSTAMP setting in the following registry container:
32-bit systems: HKEY_LOCAL_MACHINE\Software\PGP Corporation\PGP
64-bit systems: HKEY_LOCAL_MACHINE\Software\Wow6432Node\PGP Corporation\PGP
Example of PGPSTAMP value for a client with a preset policy:
Example of PGPSTAMP value for a managed client entry:
Note: The mail server entry may also use a wildcard character * for the mail server entry. This allows users to bind automatically to all mail servers.
Note that the important difference between the two examples is the "&group=xxxxxx" section. To convert to a managed client intead of an embedded policy, this group section must be removed from the registry entry. (In the above example, to convert the preset policy client to a managed client reporting to the keys.example.com server, you would change 'ovid=keys.example.com&mail=*&group=b659cfb8-7f66-42d9-91a4-4c143b2cf72f&admin=1' to 'ovid=keys.example.com&mail=*&admin=1' .)
If needed, you can confirm the value of the desired PGP Universal Server registry PGPSTAMP setting on another managed client computer by looking at it's PGPSTAMP registry entry. Then copy the text to use on the new managed client.
Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information on backing up the registry see the following article on the Microsoft support site:
How to back up and restore the registry
Sequence of steps to update an embedded client to a managed client and force re-enrollment:
Note: If using an different version of PGP Desktop than the corresponding version of the server e.g 10.2/3.2, you should send an updated Whole Disk Recovery Token (WDRT) to the server using the PGP command line utility on the client instead.