Changing Windows Password and Login Behavior Change with Symantec Encryption Desktop 10.2 MP5 and above Using Single Sign-On Functionality

Article ID: 156697

Products

Drive Encryption

Issue/Introduction

After installing Symantec Encryption Desktop (formerly known as PGP Whole Disk Encryption) 10.2 MP5 or above (this includes all Symantec Encryption Desktop 10.3.x clients), it is necessary to select a user icon in order to log in to Windows after a system has been locked or hibernated, or to change a Windows passphrase.

Cause

Symantec Drive Encryption (formerly known as PGP Whole Disk Encryption or PGP WDE) incorporates a Single Sign-On (SSO) feature such that only one login is necessary to boot up and log in to Windows once the system is encrypted with Symantec Drive Encryption.

Once a system is encrypted with Symantec Drive Encryption, a pre-boot environment called BootGuard (the Symantec Drive Encryption preboot screen) is added, where the user's Windows passphrase needs to be entered. Once the passphrase is successfully entered at BootGuard, the system boots up, loads the operating system, and automatically logs in to the user's Windows profile.

If a non-SSO user is used, it is necessary to authenticate with the passphrase at BootGuard. At the Windows logon screen, the user then needs to enter credentials to log in to Windows.

Symantec Encryption Desktop 10.2 MP5 and above change the behavior slightly when the SSO functionality is in use and the system is locked, a user changes his/her passphrase (using the Ctrl+Alt+Del keystroke), or the system comes out of hibernation. The Symantec Drive Encryption SSO functionality integrates into the Credential Provider code of the Windows login process.

Due to this integration into the Credential Provider, the new behavior requires the user to click on the user icon before it is possible to enter the Windows passphrase to unlock the machine. This may pose an inconvenience for the user.

Resolution

An easier method to unlock the machine with this new behavior is to press the space bar on the keyboard, which allows the user to enter his/her passphrase without needing to click the user icon with the mouse.

When a user uses the Ctrl+Alt+Del keystroke to change his/her passphrase, instead of being prompted for the user's passphrase, Windows now lists the icons of the users. To change the passphrase, the user must select the username whose passphrase they want to change, and then the normal routine to change the Windows passphrase follows.

This behavior is by design and is a result of using a more robust architecture sanctioned by Microsoft to incorporate Symantec Drive Encryption SSO into the auto-logon process of Windows.

A Feature Request was submitted to revert to the behavior from before this change was made. Support has worked directly with Product Management and has determined this feature will not be included at this time. Please subscribe to this article for any updates. To be added to this Feature Request, please contact support, who will track specific customer requests therein.