
Windows: Encrypt with Lockers

PEM Agent Lockers run as a Windows Service. This provides an unattended automatic startup and protection after the application is installed and configured. If the file system can be mounted by a client that can run the PEM Agent, a locker can be used to automatically protect the data on the volume. Lockers can be run by admin and non-admin users.

Locker Service Configuration On Windows Device Joined to the Domain

  1. After installing the PEM Agent client onto the system, open the PEM Agent Options, and click the Lockers tab.


  2. Click Configure Service. A dialog will open that requires the current logged-in user to enter their password. After supplying the password, click OK.

  3. Creating a Windows Service requires Administrator Privileges. Click Yes on this screen.

  4. In the PEM Agent Options, you will see the PEM Agent Service was created and shows the current status:


Locker Service Configuration On Windows Device Not Joined to the Domain

A Windows device that is not joined to the domain can still be used with the PEM Agent Lockers. This configuration has a few different setup constraints, so it is important to follow these instructions when using Lockers on a machine that is not joined to the domain.

  1. Find the PEM Agent icon in the task tray, and select Login:

    Since this machine is not using Active Directory credentials to log in with Windows, the PEM Agent needs a user to manually log in to store the PEM Agent credentials on the machine in the secured Credential Manager.

  2. At the login prompt, enter your email address or, if no email exists in your lab, enter the User Principal Name (UPN). A familiar Windows authentication window will open so that you can authenticate with your Active Directory credentials again.

  3. (Optional) After successfully logging in, you can verify that the PEM Agent Credentials used to access the PEM Agent have been stored to your local system account in Credential Manager. Open the Control Panel, then open Credential Manager to confirm that the PEM Agent Credentials exist.

    Now that the local system account has credentials, manually copy the PEM Agent metadata folder into the PEM Agent Service directory. This step enables the PEM Agent Service to log in: to log in, the service needs both the metadata and the stored credentials. Open the %localappdata%\PKWARE folder.

  4. Make a new folder called SmartcryptService. Then copy the .meta folder into the SmartcryptService folder.

  5. Open the Task Manager on the machine and load the Services tab. Confirm that you see an entry called SmartcryptService. After finding it in the list of services, right-click it and select Open Services.

  6. In the Windows Services snap-in that opens, find SmartcryptService, right-click the service and select Properties.

  7. In the SmartcryptService properties, set up the login credentials for authentication with PEM Agent. There are also different startup options for Windows Services. In the General tab, define the Startup type value. Selecting Automatic starts the service automatically when the machine is powered on. Manual requires the user to start and stop the service manually, so it is recommended to select Automatic.

    Make sure that the Windows Service authenticates with the PEM Agent as the appropriate local user. In the Log On tab, enter the credential used to log in with Windows on the device. Since you have stored the PEM Agent Credentials for this local system user account, and moved the metadata into the correct directory, the PK Protect Service will be able to authenticate the local account with a PEM Agent Account.

    If you haven't set up the Locker in PEM Administrator yet, you might want to check out Creating a PK Protect Locker, as a Locker needs to be defined in the Manager before it works on the client.

Adding a Locker Service on Windows

If you want more than one PEM Agent user to have a protected folder on a device, you need a separate Locker Service running on that device. To manually create the Windows Service:

In an elevated Command Prompt (cmd), run the following command to create a new Windows Service called "Locker Service For User A":

sc create "Locker Service For User A" binpath= "C:\Program Files (x86)\PKWARE\Smartcrypt\SmartcryptService.exe """Locker Service For User A""""

If you see this error, the Command Prompt is not elevated to Administrator.

[SC] OpenSCManager FAILED 5:

Access is denied.

After creating a new service, you will need to configure it in the Windows Services Manager, just like in the example at the top of this page.
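
The following PowerShell check is an added example, not part of the PKWARE documentation or product. It lists every service whose image path points at SmartcryptService.exe and reports its startup type, log-on account, and whether the executable path (which contains spaces) was registered inside quotes; the function names and the sample strings are constructed for illustration.

```powershell
# Added example (not vendor code). Assumption: every Locker service runs
# SmartcryptService.exe, as in the sc create command above.

function Test-ImagePathQuoting {
    param([Parameter(Mandatory)][string]$PathName)
    # Quoted form: "<path to exe>" <args>
    if ($PathName -match '^\s*"([^"]+)"') {
        return [pscustomobject]@{ Executable = $Matches[1]; Quoted = $true; AtRisk = $false }
    }
    # Unquoted form: everything up to the first ".exe" is taken as the executable path.
    $exe = if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { $Matches[1] } else { $PathName.Trim() }
    # An unquoted path containing spaces is ambiguous to the service control manager.
    [pscustomobject]@{ Executable = $exe; Quoted = $false; AtRisk = ($exe -match '\s') }
}

function Get-LockerServiceAudit {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like '*SmartcryptService.exe*' } |
        ForEach-Object {
            $q = Test-ImagePathQuoting -PathName $_.PathName
            [pscustomobject]@{
                Name                   = $_.Name
                State                  = $_.State
                StartMode              = $_.StartMode   # "Auto" corresponds to Automatic
                LogOnAs                = $_.StartName
                ExeQuoted              = $q.Quoted
                UnquotedPathWithSpaces = $q.AtRisk
            }
        }
}

# Constructed sample ImagePath values (not taken from a real machine).
$samples = @(
    '"C:\Program Files (x86)\PKWARE\Smartcrypt\SmartcryptService.exe" "Locker Service For User A"',
    'C:\Program Files (x86)\PKWARE\Smartcrypt\SmartcryptService.exe "Locker Service For User A"'
)
$samples | ForEach-Object { Test-ImagePathQuoting -PathName $_ } | Format-List

# Live check of the services registered on this machine.
Get-LockerServiceAudit | Format-Table -AutoSize
```

The LogOnAs column should show the local user entered on the Log On tab. A value of True under UnquotedPathWithSpaces means the service's binpath should be re-registered with the executable path enclosed in quotes.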

Deleting a Locker Service On Windows

In an elevated Command Prompt (cmd), run the following command to delete the existing Windows Service called "Locker Service For User A".

sc delete "Locker Service For User A"

If you see this error, the Command Prompt is not elevated to Administrator.

[SC] OpenSCManager FAILED 5:

Access is denied.

More information on Windows Services can be found here:

More information on creating a PEM Agent Locker in the PEM Administrator can be found here: Creating a PK Protect Locker
