Critical Data Integrity Issues Encountered if Deploying Images with Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption) included as an installed application

Whole Disk Recovery Tokens presented to the Symantec Encryption Management Server (formerly known as PGP Universal Server) may not be valid for users because completely different systems report the same Disk ID. Disk IDs should be unique for each disk that is encrypted with Symantec Drive Encryption.
During the installation of Symantec Drive Encryption 10.3.1 or earlier, a unique value known as MACHINEGUID is configured. This value is in turn used to set the Device ID in the Drive Encryption BootGuard File System (BGFS). Once a system has been encrypted, the Device ID in the BGFS cannot be changed, as it is then a hard-coded entry.
The location of the MACHINEGUID value depends on whether the system is 32-bit or 64-bit for Symantec Drive Encryption 10.3.1 or earlier:
NOTE: This MACHINEGUID entry is no longer available in Symantec Drive Encryption 10.3.2 and will not be visible in this location as a different mechanism is in place to set the Disk UUID or Device ID value.
The MACHINEGUID entry in the registry contains a unique UUID that is linked to the Disk or Device ID for Symantec Drive Encryption.
This MACHINEGUID entry uses the following convention for its value data:
Upon starting the Symantec Drive Encryption process on a machine, the MACHINEGUID value is linked to the Disk UUID and Group UUID on the system. These values are the same for fixed primary disks and are in turn linked to a value sent to the Symantec Encryption Management Server, where it is associated with a Whole Disk Recovery Token. A Whole Disk Recovery Token can unlock only the specific device linked to it at the time of encryption. All versions of Symantec Drive Encryption behave in this way, although version 10.3.2 obtains the Disk UUID value differently than previous versions.
If the MACHINEGUID entry is the same on every machine built from the image, and the systems are deployed to users and allowed to encrypt, that one MACHINEGUID value is associated with multiple users and machines, and the Symantec Encryption Management Server holds a single Whole Disk Recovery Token for that Device ID. A system is then unlikely to be unlockable if its user forgets the passphrase, because the Whole Disk Recovery Token on the server does not match the correct device for that user.
If another user is deployed with the same image, and therefore the same MACHINEGUID, the same Disk UUID is used to identify the disk upon encryption, and this new user's Recovery Token replaces that of the previous user. The recovery token may work for the second user, but not for the first.
To find out which Disk UUID and Group UUID are associated to a user, run the following command on an already encrypted machine:
C:\Program Files (x86)\PGP Corporation\PGP Desktop>pgpwde --list-user --disk 0
Compare the Disk UUID reported to the known MACHINEGUID value that was deployed in the image causing this issue. It is also worth running the same command on several affected systems to determine which users are affected and share the same MACHINEGUID or Disk UUID values.
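At fleet scale the comparison above is easier with a script. The following PowerShell is an added example written for this page, not a Symantec utility: it parses the output of pgpwde --list-user --disk 0 collected from several machines, normalizes the Disk UUID and Group UUID, reports any Disk UUID shared by more than one host, and flags hosts whose Disk UUID equals the MACHINEGUID known to be baked into the image. It assumes the command output contains lines labelled "Disk UUID:" and "Group UUID:" (adjust the regular expressions if your build prints them differently); the host names, GUIDs and sample output are constructed, and the optional remote collection helper assumes WinRM access and the default install path.

```powershell
# Added example (not from the Symantec KB): find machines that share a Disk UUID.
# Assumption: pgpwde --list-user --disk 0 prints "Disk UUID: <guid>" and
# "Group UUID: <guid>" lines. Adjust the patterns below if your output differs.

function Get-PgpWdeIds {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Output   # raw text of pgpwde --list-user --disk 0
    )
    # (?im): case-insensitive, ^ matches at each line start
    $disk  = [regex]::Match($Output, '(?im)^\s*Disk\s+UUID\s*:\s*([0-9a-f-]{36})')
    $group = [regex]::Match($Output, '(?im)^\s*Group\s+UUID\s*:\s*([0-9a-f-]{36})')
    [pscustomobject]@{
        ComputerName = $ComputerName
        # Lower-case so that differently cased GUIDs from different hosts still compare equal
        DiskUuid     = if ($disk.Success)  { $disk.Groups[1].Value.ToLowerInvariant() }  else { $null }
        GroupUuid    = if ($group.Success) { $group.Groups[1].Value.ToLowerInvariant() } else { $null }
    }
}

function Find-DuplicateDiskUuid {
    param([Parameter(Mandatory)][pscustomobject[]]$Records)
    $Records |
        Where-Object { $_.DiskUuid } |            # skip hosts where parsing failed
        Group-Object -Property DiskUuid |
        Where-Object { $_.Count -gt 1 } |         # a Disk UUID should belong to exactly one host
        ForEach-Object {
            [pscustomobject]@{
                DiskUuid  = $_.Name
                Computers = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Optional live collection over WinRM (assumes the default install path).
function Get-PgpWdeIdsFromHosts {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $out = Invoke-Command -ComputerName $c -ScriptBlock {
            # 64-bit Windows installs the client under Program Files (x86); 32-bit under Program Files
            $base = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
            & "$base\PGP Corporation\PGP Desktop\pgpwde.exe" --list-user --disk 0 2>&1 | Out-String
        }
        Get-PgpWdeIds -ComputerName $c -Output $out
    }
}

# Constructed sample output from three imaged machines (not real data).
# WS01 and WS02 were built from the same image and therefore share a Disk UUID.
$sample = @{
    'WS01' = @"
Total users: 1
Disk UUID: 6f2c1e4a-0b3d-4e8f-9a1c-2d3e4f5a6b7c
Group UUID: 11111111-2222-3333-4444-555555555555
"@
    'WS02' = @"
Total users: 1
Disk UUID: 6F2C1E4A-0B3D-4E8F-9A1C-2D3E4F5A6B7C
Group UUID: 11111111-2222-3333-4444-555555555555
"@
    'WS03' = @"
Total users: 1
Disk UUID: 9c8b7a65-4321-4fed-8cba-0987654321fe
Group UUID: 66666666-7777-8888-9999-000000000000
"@
}

$records = foreach ($h in $sample.Keys) { Get-PgpWdeIds -ComputerName $h -Output $sample[$h] }

$dups = Find-DuplicateDiskUuid -Records $records
if ($dups) { $dups | Format-Table -AutoSize } else { 'No duplicate Disk UUIDs found.' }

# MACHINEGUID known to be in the deployed image (constructed value for this example).
# String -eq is case-insensitive in PowerShell, so casing differences do not matter here.
$imageMachineGuid = '6f2c1e4a-0b3d-4e8f-9a1c-2d3e4f5a6b7c'
$records | Where-Object { $_.DiskUuid -eq $imageMachineGuid } |
    ForEach-Object { '{0}: Disk UUID matches the image MACHINEGUID' -f $_.ComputerName }
```

With the constructed sample, WS01 and WS02 are reported as sharing one Disk UUID and both are flagged as matching the image MACHINEGUID; WS03 is clean. Replace the sample hashtable with Get-PgpWdeIdsFromHosts output to run it against real machines, and review any host listed before requesting the PGPwdeupdatemachineUUID.exe utility from Symantec Support.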
If users are confirmed to be affected, Symantec Support has a tool called PGPwdeupdatemachineUUID.exe that can be provided to resolve duplicate MACHINEGUID values on versions 10.1.x, 10.2.x, 10.3.0, 10.3.1, and 10.3.2. If you encounter duplicate MACHINEGUID values on a version not listed here, contact Symantec Support, as there may not be a tool available to resolve the issue easily and a full decryption\uninstall\reinstall operation may be necessary.
If an affected user has multiple systems or devices associated to the end user's account, check to make sure the other system or device is not also affected by this duplicate MACHINEGUID value. If so, follow the process outlined by support using the tool previously mentioned.
In addition to the duplicate MACHINEGUID or Disk UUID values on each device, every other user who has the same MACHINEGUID value is added as an "Authorized User" under the affected account on the Symantec Encryption Management Server. These users are not actually present on the drive itself; they appear as users only because the server interprets the shared MACHINEGUID or Disk UUID value as meaning the users are on the same machine, which is not the case. This will need to be resolved as well and will require a consultation with Symantec Support to fix.
Scenario for Symantec Drive Encryption 10.1.x, 10.2.x, 10.3.0, 10.3.1, and 10.3.2
1. Identify which machines have duplicate MACHINEGUID or Disk UUID values.
2. Obtain the PGPwdeupdatemachineUUID.exe utility from Symantec Support and use it to generate new and unique Disk UUID values which will then send correct Drive Encryption Data to the server, including valid WDRTs. For more information on PGPwdeupdatemachineUUID.exe, please see KB TECH214370.
3. Determine which invalid devices are associated with the user's account on Symantec Encryption Management Server and remove them, leaving only the most recent device for each affected system. This is necessary because Symantec Encryption Management Server does not automatically delete devices, even if they have not been used for some time.
Scenario for Symantec Drive Encryption for versions not listed above:
Consult with Support on how best to resolve the issue. It may require a full decrypt\uninstall\reinstall and reencrypt of each affected system.
Do not remove the MACHINEGUID in the registry on systems with Symantec Drive Encryption 10.3.1 or previous. This can cause logging errors and unexpected behavior in the software. Please see TECH203267 for more information.
Important Consideration: Symantec Drive Encryption 10.3.2 and above now fully support being included in Base Images and will not run into this issue, however if this is encountered on versions 10.1.x through 10.3.1, upgrading to Symantec Drive Encryption 10.3.2 or later will not fix the issue with duplicate MACHINEGUID values. First fix the duplicate MACHINEGUID values before considering upgrading to Symantec Drive Encryption 10.3.2 or later.
Enterprise environments commonly use images (System Images, Golden Images, Base Images, Corporate Images, etc.) in order to configure machines to a pristine, working state. Sometimes Symantec Drive Encryption is included as part of the image as an installed application so that installation of the encryption client will not be necessary later. Doing so is currently supported with Symantec Drive Encryption 10.3.2 and later, however all previous versions are susceptible to duplicate MACHINEGUID values causing invalid\incorrect Drive Encryption data being sent to the server.
WARNING: Deploying Symantec Drive Encryption 10.3.1 or earlier as an installed application in a system image is strictly unsupported. Please see the following KB for more information: TECH149261. Only Symantec Drive Encryption 10.3.2 or later can be included as an installed application in a system image.