This article details general troubleshooting steps when using the Single Sign-On (SSO) feature of Symantec Drive Encryption.
In order for the Windows password to synchronize with Symantec Drive Encryption automatically, use CTRL+ALT+DEL. If you change the passphrase outside of CTRL+ALT+DEL, it will be necessary to use the old passphrase at preboot one time, and upon logging in with the new passphrase, synchronization will occur. For more information on how to change the passphrase, see the following article:
Symantec Endpoint Encryption 11 synchronization issues are typically encountered during user registration. For information on how to troubleshoot user registration issues for SEE 11, see the following article:
SSO issues can be caused by the following:
You can verify that you are using an SSO user account for authentication by checking the registry where the MSI options supplied at installation. Information on this topic can be reviewed in the following article:
When validating the registry options make sure that the PGP_INSTALL_SSO option is set to 1 indicating that the driver is installed.
See the following example:
Also you will notice the user in the Symantec Drive Encryption user list under PGP Disk > Encrypt a disk or partition after selecting the boot drive.
The Single Sign-On (SSO) feature allows you to use your existing Windows passphrase for authentication to your Symantec Encrypted drive and automatically log you into Windows.
The Single Sign-On feature utilizes one of the methods Microsoft Windows provides for customizing the Windows login experience. Drive Encryption uses your configured authentication information to dynamically create specific registry entries when you attempt to log in.
Use the following steps to troubleshoot Single Sign-On:
Validate that the user is a SSO user using the pgpwde command line tool.
pgpwde --list-users --disk 0
If systems installed with Symantec Drive Encryption have recently performed a major upgrade of Windows 10, the password filter can sometimes get unregistered causing passphrase synchronization to fail. To avoid this issue, a post upgrade script can be used so that after Windows has successfully been upgraded, the password filter can be re-registered. The following articles can help with Automatic Windows Upgrades:
In some cases, other third party Network provider connections may interfere with the Single Sign-On feature. Try moving the PGP Network Provider connection above other third-party connections in the Network Provider Order. Use the steps below for your operating system.
Windows Vista & Windows 7 & Windows 8 & Windows 10
An alternative method is to check the values contained in the
ProviderOrder key in these registry locations:
A typical value for
ProviderOrder on a freshly installed machine is as follows. If there are additional entries made by third party applications, it may be worthwhile moving
PGPwflt so it is listed before such third party entries:
Note: The Provider Order can also be updated on multiple computers by creating a script which updates a PGP Windows Registry value. To use a script to update the value, modify the PGP_SET_HWORDER value from 0 to 1. The PGP_SET_HWORDER value is located in HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP folder (32-bit systems) and KEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PGP Corporation\PGP folder (64-bit systems).
The PGP WDE Single Sign-On feature can be affected by a Logon setting within a group policy for the computer. Check if enabling the Always wait for the network at computer startup and logon setting in the Logon folder of the Group Policy corrects any SSO issues.
Interactive logon: Do not require CTRL+ALT+DEL
Check if any security settings requiring the user to press CTRL+ALT+DEL before logging on to the system affect the Single Sign-On feature.
Symantec Encryption has a utility that will allow you to synchronize your password to preboot immediately, even if CTRL+ALT+DEL was not used to change the passphrase. When the utility is ran, the user enters the current password, and then enters the new password and clicks "OK". The next reboot, the passphrase will be synchronized. For more information on this utility, contact Symantec Support. This utility exists for both Windows 7 and Windows 10.
In some cases, the Single Sign-On password may not synchronize properly due to an incompatibility with certain versions of the Intel PROSet/Wireless software. For Dell computers using version 11.5 of the Intel PROSet/Wireless software, this issue is solved by upgrading the software to version 12 or higher or by uninstalling the software.
If a USB thumb drive or SD card is inserted, a conflict may occur if the USB or SD disk is detected as Disk 0 on the system. Confirm the Windows system disk is Disk 0 in Disk Management. If the USB or SD disk displays as Disk 0, remove the disk, reboot the computer, and then change the Windows password.
If the SSO feature fails after changing your Windows password, check the permissions for the PGPWDE01 file located in the root of the C: drive. The Authenticated Users group needs to have Modify permissions for the PGPWDE01 file. If necessary, modify the permissions for the file, logging off and logging back on to Windows will cause the PGP Tray to update the PGPWDE01 file. This may not be possible to view certain permission from the file properties window on more recent versions of the product. File compression on these files could also cause similar issues where we are unable to write back to the file due to known driver limitations.
To check the PGPWDE01 permissions
For more information on troubleshooting Single Sign-On when Microsoft Accounts are in use, see the following article: