HOW TO: Disable the PGP Single Sign-On auto-login feature for Symantec Encryption Desktop

Article ID: 180167

Updated On:

Products

Drive Encryption

Issue/Introduction

 

Resolution

This article describes how to disable automatic login to Windows while still allowing Symantec Encryption Desktop to use the passphrase synchronization functionality.

Symantec Drive Encryption

Single Sign-On allows you to synchronize your Windows password with your Symantec Drive Encryption BootGuard passphrase. After you enter the passphrase at BootGuard, the Single Sign-On feature logs you in to Windows automatically.

The auto-login functionality of the Single Sign-On feature can be disabled by adding a registry entry to Windows. Use the following steps to disable the auto-login functionality:

  1. Open the Windows Registry Editor (press Windows Key + R and type regedit in the Run field, or click Start, type regedit in Search programs and files, and click OK).
  2. Browse to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP
  3. Right-click within the PGP folder and click New.
  4. Select String Value, and name the string DISABLEWDESSO.
  5. Right-click the string and select Modify.
  6. In the Value Data field, enter a value of 1 and click OK.
  7. Close the Windows Registry Editor.

Fast startup option preventing DISABLEWDESSO

Users of Windows 10 Version 1709 or higher will need to disable fast startup in Power Options in order to properly disable SSO at Windows login. To disable fast startup, follow the steps below:

  1. Open Control Panel and navigate to System and Security.
  2. Click Power Options.
  3. Click Choose what the power buttons do.
  4. Click Change settings that are currently unavailable, if applicable.
  5. Uncheck Turn on fast startup.

If you do not have this option, then hibernation is disabled and you should not be affected by the fast startup option.
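The following PowerShell script is an added example, not part of the original article or of Symantec's tooling. It reports whether both settings from the steps above are in place on a machine and, when run with -Fix, applies them. The HiberbootEnabled registry value (used here in place of the Control Panel checkbox) and build number 16299 for Windows 10 Version 1709 are assumptions that the article does not state.

```powershell
#Requires -RunAsAdministrator
# Added example: report (and with -Fix, apply) the two settings from the steps above.
param([switch]$Fix)

$pgpKey = 'HKLM:\SOFTWARE\PGP Corporation\PGP'   # location given in the article
# Assumption (not in the article): this value backs the "Turn on fast startup" checkbox.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
# Assumption (not in the article): Windows 10 Version 1709 corresponds to build 16299.
$needsFastStartupOff = [Environment]::OSVersion.Version.Build -ge 16299

function Test-SsoAutoLoginDisabled {
    # True only if DISABLEWDESSO exists, is a String Value (REG_SZ) and holds "1".
    # A value created with another type (for example DWORD) is reported as not set.
    $key = Get-Item -Path $pgpKey -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains 'DISABLEWDESSO') { return $false }
    return ($key.GetValueKind('DISABLEWDESSO') -eq [Microsoft.Win32.RegistryValueKind]::String -and
            $key.GetValue('DISABLEWDESSO') -eq '1')
}

function Test-FastStartupDisabled {
    # True only when HiberbootEnabled is present and 0; anything else needs a manual
    # look at Power Options, as described in the fast startup steps.
    $p = Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.HiberbootEnabled -eq 0)
}

if ($Fix) {
    if (-not (Test-Path $pgpKey)) { throw "Registry key not found: $pgpKey" }
    # -Force replaces an existing value, including one created with the wrong type.
    New-ItemProperty -Path $pgpKey -Name DISABLEWDESSO -PropertyType String -Value '1' -Force | Out-Null
    if ($needsFastStartupOff) {
        Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Type DWord -Value 0
    }
    Write-Warning 'Reboot the system for the change to take effect.'
}

# One object per machine, suitable for collecting across a fleet.
[pscustomobject]@{
    Computer               = $env:COMPUTERNAME
    SsoAutoLoginDisabled   = Test-SsoAutoLoginDisabled
    FastStartupCheckNeeded = $needsFastStartupOff
    FastStartupDisabled    = Test-FastStartupDisabled
}
```

Run without -Fix, the script changes nothing and only emits the report object.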

Once all proper steps have been followed, and the system is rebooted, the user experience is as follows:

  1. User is presented with the Symantec Drive Encryption BootGuard Screen (Preboot).
  2. User enters the passphrase and presses enter to boot.
  3. The boot process will stop at the Windows Logon and the user must log in manually.
  4. If the user changes the passphrase via the CTRL+ALT+DEL screen, the passphrase will synchronize automatically to the Symantec Drive Encryption user. If CTRL+ALT+DEL is not used to change the passphrase, the user must reboot once and enter the original Whole Disk passphrase (or log off, and log back in with the new Windows passphrase). Once the user logs in to Windows with the new password, this will then be synchronized with Symantec Drive Encryption, and the second Symantec Drive Encryption BootGuard screen will use the new passphrase.

Disable Auto Login and Passphrase Synchronization

If you wish to disable both auto login and the synchronization of the Windows passphrase with BootGuard, you can install or upgrade Encryption Desktop using the PGP_INSTALL_SSO=0 msiexec switch. See the article TECH249430 for details.