Using Single Sign-On with Drive Encryption for Windows


Article ID: 180144


Updated On:


Drive Encryption




The Symantec Drive Encryption SSO Single Sign-On (SSO) feature allows you to use your existing Windows password to both authenticate to your encrypted drive and automatically log you into Windows.

This article describes:

  • Adding an SSO user to a disk.
  • Logging in with SSO.
  • Changing an SSO password.


Adding an SSO user to a disk

  1. Click the PGP Disk control box, then in the User Access section, select New Passphrase User.‚Äč
  2. Select Use Windows Password and click Next.
  3. Select Proceed with passphrase authentication only and click Next.  Note that the SSO feature is passphrase only. The SSO feature cannot be used with keys, smartcards or tokens.
  4. Your username and domain is pre-populated and the Enable Windows SSO option is enabled by default. Enter your Windows password.

    Drive Encryption verifies your domain username and password. Drive Encryption also checks your password to make sure that it contains only allowable characters. If your password contains any such characters, you are not allowed to continue.
  5. Click Finish and then OK.
  6. If the disk is already encrypted, you are added as a new SSO user and you can authenticate at BootGuard.
  7. If the disk has not been encrypted, select the partition to encrypt and click the Encrypt button.


Logging in with SSO

Once a disk has been encrypted, the BootGuard screen appears when the system starts up. If an SSO user authenticates at BootGuard with a valid Windows passphrase, Drive Encryption logs that user into Windows and provides access to those disk partitions encrypted with Drive Encryption.


Changing your SSO passphrase

To synchronize changes to your Windows password with Drive Encryption, you must change your Windows password using the Change a Password... feature in the Windows Security dialog box, which you access by pressing CTRL+ALT+DEL.

To change your passphrase: 

  1. Press CTRL+ALT+DEL.
  2. Click on Change a password.
  3. Enter your old password.
  4. Enter and confirm your new password.
  5. Click OK.

SSO automatically and transparently synchronizes with your new password. You can use the new password the next time you reboot.


Caution: If you change your password in any other manner - via Domain Controller, the Windows Control Panel, via the system administrator or from another system - your next login attempt at BootGuard will fail. You must then supply your old Windows password.

Successful login at the BootGuard screen using your old Windows password then brings up the Windows Login username/password screen. You must then log in successfully using your new Windows password, after which Drive Encryption will synchronize with the new password.