Troubleshooting User Registration and Single Sign-on with Symantec Endpoint Encryption (SEE)
Article ID: 163588

Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

On a system encrypted with Symantec Endpoint Encryption (SEE), encryption starts right after the reboot that follows installation, even before any user has registered.

In fact, you can install SEE, reboot, and leave the system at the Windows logon screen without logging in, and the disk will start encrypting.

When you reboot a system that SEE has fully encrypted but on which no user has yet logged in and been registered automatically, a built-in automatic user authenticates and the preboot screen is skipped.

Although the preboot screen is skipped, the disk is nonetheless fully encrypted. Until the first user registers, however, the machine boots straight to the Windows logon screen, so the encryption is not yet providing preboot protection against someone who has physical possession of the device; make sure the first registration completes promptly.

Once the first user registers, the preboot screen is engaged at every subsequent reboot.

All of this happens behind the scenes: after the user logs in, registration should complete within 15 minutes and the user is ready to go.

SEE 12.0.1 HF1 and later instead display a user registration screen in which the user enters their credentials. This article covers these scenarios and how to troubleshoot them.

Environment

Unable to register users with Symantec Endpoint Encryption 11.x; error: Stale User Cache Detected

Resolution

Starting with SEE 12.0.1 HF1, user registration is driven by a new user registration screen.
On SEE 12.0.0 and older, registration happens silently in the background.
With Windows 11 24H2 it may be necessary to install SEE 12.0.1 HF2 for the automatic registration screen to succeed.

In some rare instances users have been unable to be registered automatically after Symantec Endpoint Encryption 11.x was installed, or Single Sign-On does not automatically log in to Windows.

Below are several scenarios with potential solutions for Single Sign-On issues.


Scenario 1: The system is encrypted and no users are registered, but the preboot screen shows up
Note: This applies only to SEE 12.0.1 HF1 and above.

Normally, if no users are registered, the system can be encrypted but the preboot screen is skipped until the first user is registered.
If an administrator has worked on the system, the administrator's own account may have been registered, which is enough to turn the preboot screen on.

To resolve this, have the end user log in to their Windows profile; within 15 minutes the user will be registered automatically.

Starting with SEE 12.0.1 HF1, user registration should happen immediately upon logging in to the system.

The user will see the user registration screen, which asks for their credentials.

Once the user enters the credentials, they get a message stating either that the password was wrong or that registration succeeded.
Enter the password carefully: too many incorrect entries can lock the user account.

Result 1: Incorrect password (user registration not successful).

Result 2: Correct password (user registration successful).

Once the user is successfully registered, they can authenticate at the preboot screen.

For information on how to change your password with Symantec Endpoint Encryption 11 and Symantec Encryption Desktop, see the following article:
181178 - Changing Your Windows Password with PGP Encryption Desktop (PGP) or Symantec Endpoint Encryption (SEE) Single Sign-On

Scenario 2: User is not automatically registered on SEE 12.0.0 and older.

Symptom 1: On Windows 11 24H2, it may be necessary to upgrade the SEE client to 12.0.1 HF1 or above to resolve this.

Symptom 2: The registration logs list errors such as the following, from the eedservice log in the Techlogs:

[ERROR][4156][0x1938][SEDE][SYSTEM][Error when registering user: DE Error : -12368 ]
...
[02/29/16 15:58:38][WARNING][5012][0x105C][SEDE][USERNAME][User Cache is not current][CDEALHelperImpl.cpp:284]
[02/29/16 15:58:38][ERROR][5012][0x105C][SEDE][USERNAME][(SilentEnrollmentTask::Initialize) : Stale User Cache detected. User may not be registered properly.][UserTask.cpp:141]
[02/29/16 15:58:38][ERROR][5012][0x105C][SEDE][USERNAME][(GetLoggedInUser) : GetLoggedInCachedUser() failed Error(-11984)][DERegistrationHelper.cpp:682]


Symptom 3: The machine is already encrypted with BitLocker.

Check whether the machine is already encrypted with Microsoft BitLocker.
If it is, Drive Encryption cannot start (this is the DE Error -12368 seen above), and so user registration cannot happen automatically. For more information, see the following article:
162094 - Drive Encryption does not start automatically: DE Error -12368
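The following PowerShell is an added example, not code from the article or from Symantec. It parses eedservice-style log lines into fields, flags the registration signatures quoted in Symptom 2 with the next step this article gives for each, and, if DE Error -12368 is present, runs the BitLocker status check from Symptom 3. The sample lines are constructed from the lines quoted above so the script runs without a live log; the real log file name and location are not given here and are left for you to supply.

```powershell
# Added example (not from the article): triage eedservice Techlog lines for the
# registration errors in Symptom 2 and run the Symptom 3 BitLocker check.
# Replace $SampleLines with: Get-Content <path-to-eedservice-log>   (path assumed)

$SampleLines = @(
    '[ERROR][4156][0x1938][SEDE][SYSTEM][Error when registering user: DE Error : -12368 ]',
    '[02/29/16 15:58:38][WARNING][5012][0x105C][SEDE][USERNAME][User Cache is not current][CDEALHelperImpl.cpp:284]',
    '[02/29/16 15:58:38][ERROR][5012][0x105C][SEDE][USERNAME][(SilentEnrollmentTask::Initialize) : Stale User Cache detected. User may not be registered properly.][UserTask.cpp:141]',
    '[02/29/16 15:58:38][ERROR][5012][0x105C][SEDE][USERNAME][(GetLoggedInUser) : GetLoggedInCachedUser() failed Error(-11984)][DERegistrationHelper.cpp:682]'
)

# [timestamp] is optional (the first quoted line has none), as is the trailing [source:line].
$LinePattern = '^(?:\[(?<ts>[^\]]*)\])?\[(?<level>[A-Z]+)\]\[(?<pid>\d+)\]\[(?<tid>0x[0-9A-Fa-f]+)\]\[(?<comp>[^\]]*)\]\[(?<user>[^\]]*)\]\[(?<msg>.*?)\](?:\[(?<src>[^\]]*)\])?\s*$'

# Signatures quoted in the article, and what the article says to do about each.
$Signatures = @(
    @{ Pattern = 'DE Error\s*:\s*-12368';     Next = 'Drive Encryption did not start: check for BitLocker (Symptom 3, KB 162094)' },
    @{ Pattern = 'Stale User Cache detected'; Next = 'silent enrollment aborted: check ProviderOrder and reboot history (Symptoms 4-7)' },
    @{ Pattern = 'User Cache is not current'; Next = 'user cache out of date: normally immediately precedes the stale-cache error' },
    @{ Pattern = 'Error\(-11984\)';           Next = 'no cached logged-in user: user is not registered; consider eedAdminCli --register-user' }
)

function ConvertFrom-EedLogLine {
    param([string]$Line)
    if ($Line -match $LinePattern) {
        [pscustomobject]@{
            Time    = $Matches['ts']
            Level   = $Matches['level']
            User    = $Matches['user']
            Message = $Matches['msg'].Trim()
            Source  = $Matches['src']
        }
    }
}

function Find-RegistrationErrors {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $entry = ConvertFrom-EedLogLine -Line $line
        if (-not $entry) { continue }          # not an eedservice-format line
        foreach ($sig in $Signatures) {
            if ($entry.Message -match $sig.Pattern) {
                $entry | Add-Member -NotePropertyName Next -NotePropertyValue $sig.Next -PassThru
                break
            }
        }
    }
}

$hits = @(Find-RegistrationErrors -Lines $SampleLines)
$hits | Format-Table Time, Level, User, Next -Wrap

# Symptom 3: if Drive Encryption refused to start, see whether BitLocker already
# owns the OS volume. manage-bde is built into Windows; run this elevated.
if ($hits | Where-Object { $_.Message -match '-12368' }) {
    & manage-bde -status $env:SystemDrive
}
```

Only lines that match the bracketed eedservice layout are considered, so noise from other Techlog files passed in by mistake is skipped rather than misreported.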

Symptom 4: For SEE 12.0.0 and older, the network provider order may not be invoked properly.

Check the following registry values and note their contents:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder\ProviderOrder

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder

If security software is protecting this entry point, or if a GPO is changing the network provider order, the Endpoint Encryption Password Filter component (eedpasswordfilter), which handles user registration, may not be inserted properly.

In one case, a GPO was changing the network provider order:
Under: Policies\Administrative Templates\Desktop Settings
Change Network Provider Order
ProviderOrder = LanmanWorkstation,RDPNP,WebClient

Because the eedpasswordfilter entry is missing from that list, user registration cannot complete. Disabling that GPO setting and adding the eedpasswordfilter item back resolves the issue. Editing the registry alone is only a temporary fix while the policy remains in force, since the GPO reapplies the value at the next policy refresh.

TIP: Starting with Windows 10, you can paste a registry path into the Registry Editor address bar instead of clicking down through the keys.

Symptom 5: The ProviderOrder value starts with a comma (",")
For example, ",LanManWorkstation,RDPNP,...". A leading comma can prevent the user from being registered properly. Deleting the leading comma from both locations resolves the issue.

On Windows 11 24H2, upgrading the SEE client to 12.0.1 HF1 or above may also be needed (see Symptom 1).



Symptom 6: For SEE 12.0.0 and older, the Network Connections configuration may not give the SEE provider the correct priority

  1. In the Run dialog (Windows + R), type: control netconnections
  2. Once Network Connections appears, press the Alt key to display the menu bar.
  3. Click the Advanced menu and then select Advanced Settings.
  4. Click the Provider Order tab.
  5. Under Network Providers, select the eedPasswordFilter entry and click the Up arrow to move it above any third-party providers in the list.
  6. Click OK to apply the changes and reboot.
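The following PowerShell is an added example, not code from the article or from Symantec. It audits both ProviderOrder values for the problems in Symptoms 4 and 5 (missing eedpasswordfilter entry, leading comma) and can repair them, placing the SEE entry above any third-party provider, which is the scripted equivalent of the Provider Order tab steps in Symptom 6. Assumptions: the SEE provider name is eedpasswordfilter as the article states, and the set of Microsoft built-in providers (LanmanWorkstation, RDPNP, WebClient) is taken from the GPO example above; anything else is treated as third-party.

```powershell
# Added example (not from the article): audit/repair the NetworkProvider
# ProviderOrder values from Symptoms 4, 5 and 6. Run from an elevated PowerShell
# and reboot after a repair. If a GPO sets this value, fix the GPO as well.

$SeeProvider = 'eedpasswordfilter'                       # name from the article
$BuiltIn     = @('LanmanWorkstation', 'RDPNP', 'WebClient') # from the GPO example; assumed complete
$OrderKeys   = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
)

function Get-ProviderOrderEntries {
    param([string]$Key)
    $raw = (Get-ItemProperty -Path $Key -Name ProviderOrder -ErrorAction Stop).ProviderOrder
    # Keep empty entries so a leading comma (Symptom 5) shows up as ''.
    [string[]]($raw -split ',')
}

function Find-Index {
    param([string[]]$Items, [scriptblock]$Where)
    for ($i = 0; $i -lt $Items.Count; $i++) { if (& $Where $Items[$i]) { return $i } }
    return -1
}

function Test-ProviderOrder {
    param([string]$Key)
    $entries = @(Get-ProviderOrderEntries -Key $Key)
    $clean   = [string[]]@($entries | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    $seeIdx  = Find-Index $clean { param($e) $e -ieq $SeeProvider }
    $thirdIdx = Find-Index $clean { param($e) ($BuiltIn -notcontains $e) -and ($e -ine $SeeProvider) }
    [pscustomobject]@{
        Key                = $Key
        Raw                = ($entries -join ',')
        LeadingComma       = ($entries.Count -gt 0) -and ($entries[0].Trim() -eq '')   # Symptom 5
        SeePresent         = ($seeIdx -ge 0)                                            # Symptom 4
        SeeAboveThirdParty = ($seeIdx -ge 0) -and (($thirdIdx -lt 0) -or ($seeIdx -lt $thirdIdx))  # Symptom 6
    }
}

function Repair-ProviderOrder {
    param([string]$Key, [switch]$Apply)
    $raw    = (Get-ItemProperty -Path $Key -Name ProviderOrder -ErrorAction Stop).ProviderOrder
    $clean  = @(Get-ProviderOrderEntries -Key $Key | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    # Remove any existing SEE entries and duplicates, then reinsert SEE just before
    # the first provider that is not a Microsoft built-in.
    $others = @($clean | Where-Object { $_ -ine $SeeProvider } | Select-Object -Unique)
    $pos    = Find-Index ([string[]]$others) { param($e) $BuiltIn -notcontains $e }
    if ($pos -lt 0) { $pos = $others.Count }
    $list = [System.Collections.Generic.List[string]]::new([string[]]$others)
    $list.Insert($pos, $SeeProvider)
    $fixed = $list -join ','
    if ($fixed -ieq $raw) { Write-Host "$Key is already correct"; return $raw }
    Write-Host "$Key`n  current: $raw`n  fixed:   $fixed"
    if ($Apply) {
        # Export the key first so the change can be rolled back with reg.exe import.
        $backup = Join-Path $env:TEMP ("ProviderOrder-{0}-{1:yyyyMMddHHmmss}.reg" -f (Split-Path $Key -Leaf), (Get-Date))
        & reg.exe export ($Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE') $backup /y | Out-Null
        Set-ItemProperty -Path $Key -Name ProviderOrder -Value $fixed -Type String
    }
    return $fixed
}

# Audit both keys, then show what a repair would change. Add -Apply to write it.
$OrderKeys | ForEach-Object { Test-ProviderOrder -Key $_ } | Format-List
$OrderKeys | ForEach-Object { Repair-ProviderOrder -Key $_ }
```

Without -Apply the repair function only prints the current and proposed values, so the audit can be run on a fleet before anything is changed; the .reg export written before each applied change is what you would send to support as the registry backup requested below.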
     

Symptom 7: The system has not been rebooted for an extended period, or a reboot was interrupted

*Check the System event log on the system where Symantec Endpoint Encryption 11.x was installed. In particular, is there an event indicating that the system went down for a reboot?

"The kernel power manager has initiated a shutdown transition"

*If other security software on the system is interfering with the installation (as in Symptom 4), installing Symantec Endpoint Encryption before that security software can allow the installation to complete properly.

*Reboot the machine again to see whether this allows user registration to complete.
A successful reboot is required before user registration can occur.
If a reboot may have been interrupted, reboot the system again so that registration can proceed.

*Uninstalling and reinstalling Symantec Endpoint Encryption may resolve the issue.

*Register the user manually:

eedAdminCli --register-user --disk X -u username-here -p userpassword-here -sso --domain domain-here --au adminusername-here --ap adminpassword-here

Both the user's and the administrator's passwords are passed on the command line, so run this from an interactive elevated prompt rather than from a script, logon task or remote-management tool, and clear the console history afterwards.

If all of the above has been checked, upgrading to SEE 12.0.1 HF1 or above may be needed.
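The following PowerShell is an added example, not code from the article or from Symantec. It gathers the reboot evidence Symptom 7 asks for: last boot time and uptime, the Kernel-Power "initiated a shutdown transition" events quoted above, and the standard shutdown/startup lifecycle events, so you can tell whether the machine has actually completed a reboot since SEE was installed and whether any reboot was interrupted. The script matches the Kernel-Power message text rather than relying on a fixed event ID; the -Since date is for you to set to the SEE install time.

```powershell
# Added example (not from the article): reboot evidence for Symptom 7.
# Set -Since to the date SEE was installed; defaults to the last 30 days.

function Get-RebootEvidence {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $lastBoot = $os.LastBootUpTime
    $uptime   = (Get-Date) - $lastBoot

    # The message the article says to look for, from the Kernel-Power provider.
    $kernelPower = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*initiated a shutdown transition*' })

    # 1074 = a process requested shutdown/restart; 6005/6006 = event log service
    # started/stopped (boot / clean shutdown); 6008 = previous shutdown was unexpected,
    # i.e. the reboot did not complete cleanly.
    $lifecycle = @(Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = 1074, 6005, 6006, 6008; StartTime = $Since
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        LastBoot            = $lastBoot
        UptimeDays          = [math]::Round($uptime.TotalDays, 1)
        RebootedSince       = ($lastBoot -gt $Since)
        ShutdownTransitions = $kernelPower.Count
        UnexpectedShutdowns = @($lifecycle | Where-Object Id -eq 6008).Count
        Events              = @($kernelPower + $lifecycle | Sort-Object TimeCreated |
                               Select-Object TimeCreated, Id, ProviderName,
                                   @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } })
    }
}

$evidence = Get-RebootEvidence -Since (Get-Date).AddDays(-14)
$evidence | Select-Object LastBoot, UptimeDays, RebootedSince, ShutdownTransitions, UnexpectedShutdowns | Format-List
$evidence.Events | Format-Table -AutoSize -Wrap
```

If RebootedSince is False the machine has not restarted since the date you supplied and the article's advice is simply to reboot; a non-zero UnexpectedShutdowns count with no matching shutdown transition is the interrupted-reboot case, and again the fix is a clean reboot before retrying registration.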



Contact Symantec Encryption Support for further troubleshooting

If the above troubleshooting steps do not help, or if another solution has been found to work, reach out to Symantec Encryption Support for further guidance.

The following information is useful for further diagnosis:

*A backup (export) of the registry of the affected system, for analysis

*The contents of the ProviderOrder entries listed above

*Confirmation that the latest version is installed. To find out what the current version is, see the following article:

156303 - Symantec Encryption Products Current Version Available

*The Techlogs, checked for the same events in eeduserXX.log

For information on debug Techlogs for Symantec Drive Encryption clients, see the following article:
161042 - Enabling Logging and Debug Logging in Endpoint Encryption 11.x

Etracks:
3721699
3879454
4022239

Additional Information

If the Windows user profile has been removed on some machines, the registered account remains in SEE as a registered user. That user can still authenticate successfully at the preboot screen even though the Windows account has been removed, so deleting the Windows account by itself does not revoke preboot access; remove the user from SEE as well when offboarding. When such a user enters their credentials at preboot, the automatic sign-on fails and the system is left at the Windows logon screen. You will see a "PGP SSO" prompt; switch users and log in with a valid account at the Windows logon screen.

Once you log in to the user profile, as long as the username and credentials are the same as before, the previously registered user should work and be able to log in.

If you log in with any other account, it is registered automatically as described above.

If the previously registered user still cannot log in, log in as that user and wait; within 15 minutes the passphrase should be synchronized. Reboot the system to confirm. If that still does not work, it may be necessary to delete the registered user and then go through the process again: log in and wait for the user to be registered automatically.
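The following PowerShell is an added example, not code from the article or from Symantec. Given the usernames registered in SEE, it reports which ones no longer resolve to a Windows account (the "PGP SSO prompt, then stuck at the Windows logon screen" case above) and which still exist but have no local profile (the "log in and wait 15 minutes" case). The article gives no command for listing SEE's registered users, so the list is supplied by hand; the sample input is constructed and assumes the built-in Administrator account has not been renamed.

```powershell
# Added example (not from the article): check registered SEE users against Windows.
# Input: DOMAIN\user or COMPUTERNAME\user names as registered in SEE (supplied by hand).

function Test-RegisteredUserAccounts {
    param([string[]]$RegisteredUsers)
    # Non-special profiles only (skips SYSTEM, LOCAL SERVICE, etc.).
    $profiles = @(Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special })
    foreach ($name in $RegisteredUsers) {
        $sid = $null
        try {
            # Resolving the name to a SID proves the account still exists (domain must be reachable for domain users).
            $acct = New-Object System.Security.Principal.NTAccount($name)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # IdentityNotMappedException: the account no longer exists (or could not be resolved).
        }
        $hasProfile = ($null -ne $sid) -and (@($profiles | Where-Object { $_.SID -eq $sid }).Count -gt 0)
        if (-not $sid) {
            $action = 'Windows account gone: SSO will stop at the Windows logon screen; remove the user from SEE or recreate the account'
        } elseif (-not $hasProfile) {
            $action = 'Account exists but has no local profile: log in as the user and allow up to 15 minutes for the passphrase to sync'
        } else {
            $action = 'OK: account and profile present'
        }
        [pscustomobject]@{
            User       = $name
            AccountSid = $sid
            ProfileOK  = $hasProfile
            Action     = $action
        }
    }
}

# Constructed input: one account that exists on a default Windows install and one that does not.
Test-RegisteredUserAccounts -RegisteredUsers @("$env:COMPUTERNAME\Administrator", "$env:COMPUTERNAME\nosuchuser") |
    Format-Table -Wrap
```

Run this during offboarding reviews as well as for SSO troubleshooting: any row whose Action starts with "Windows account gone" is an account that can still unlock the disk at preboot.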

 

EPG-36756, EPG-36241 

181178 - Changing Your Windows Password with PGP Encryption Desktop (PGP) or Symantec Endpoint Encryption (SEE) Single Sign-On

163588 - Troubleshooting User Registration and Single Sign-on with Symantec Endpoint Encryption (SEE)

153490 - Troubleshooting PGP Encryption Desktop Single Sign-On (Symantec Drive Encryption)