This article describes how to disable the automatic login to Windows while still allowing Symantec Encryption Desktop to use the passphrase synchronization functionality.
Symantec Drive Encryption
Single Sign-On allows you to synchronize your Windows password with your Symantec Drive Encryption BootGuard passphrase. Then, after you enter the passphrase at BootGuard, the Single Sign-On feature logs you in to Windows automatically.
The auto-login functionality of the Single Sign-On feature can be disabled by adding a registry entry to Windows. Use the following steps to disable the auto-login functionality:
- Open the Windows Registry Editor (Windows Key + R, type Regedit in the Run field, *or* Start, Search programs and files, type regedit and click OK).
- Browse to the following location:
- Right-click within the PGP folder and click New.
- Select String Value, and name the string
- Right-click the string and select Modify.
- In the Value Data field, enter a value of 1 and click OK.
- Close the Windows Registry Editor.
Fast startup option preventing DISABLEWDESSO
Users of Windows 10 Version 1709 or higher will need to disable fast startup in Power Options in order to properly disable SSO at Windows login. To disable fast startup, follow the steps below:
- Open Control Panel and navigate to System and Security.
- Click Power Options.
- Click Choose what the power buttons do.
- Click Change settings that are currently unavailable, if applicable.
- Uncheck Turn on fast startup.
If you do not have this option, then hibernation is disabled and you should not be affected by the fast startup option.
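For machines managed by script rather than through Control Panel, the following PowerShell is an added example (not part of the original article and not Symantec's code) that reports whether fast startup is in effect and turns it off. It relies on the standard Windows registry values `HiberbootEnabled` and `HibernateEnabled`, and also checks the Group Policy copy of `HiberbootEnabled`, which overrides the checkbox; the function names are hypothetical and it must be run from an elevated prompt.

```powershell
# Added example: audit and disable Windows fast startup from an elevated prompt.
# Function names are hypothetical; the registry values are standard Windows ones.
$PowerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$HiberKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Read-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-FastStartupState {
    $setting   = Read-RegValue $PowerKey  'HiberbootEnabled'   # the Control Panel checkbox
    $hibernate = Read-RegValue $HiberKey  'HibernateEnabled'   # 0 = hibernation turned off
    $policy    = Read-RegValue $PolicyKey 'HiberbootEnabled'   # "Require use of fast startup"

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        HibernationOff    = ($hibernate -eq 0)
        CheckboxEnabled   = ($setting -eq 1)
        PolicyForcesOn    = ($policy -eq 1)
        # Fast startup needs hibernation; with hibernation off the option is not offered.
        FastStartupActive = ($hibernate -ne 0) -and (($setting -eq 1) -or ($policy -eq 1))
    }
}

function Disable-FastStartup {
    $state = Get-FastStartupState
    if ($state.PolicyForcesOn) {
        # A local registry change would be overridden; the policy has to be changed instead.
        Write-Warning 'Fast startup is required by Group Policy on this machine.'
        return $state
    }
    if ($state.CheckboxEnabled) {
        Set-ItemProperty -Path $PowerKey -Name 'HiberbootEnabled' -Value 0 -Type DWord
    }
    Get-FastStartupState
}

# Report the current state, then disable and report again.
Get-FastStartupState | Format-List
Disable-FastStartup  | Format-List
```

If `FastStartupActive` is still `True` after `Disable-FastStartup`, the policy setting is the cause and has to be changed where the policy is defined.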
Once all proper steps have been followed, and the system is rebooted, the user experience is as follows:
- User is presented with the Symantec Drive Encryption BootGuard Screen (Preboot).
- User enters the passphrase and presses Enter to boot.
- The boot process stops at the Windows logon screen and the user must log in manually.
- If the user changes the passphrase via the CTRL+ALT+DEL screen, the passphrase will synchronize automatically to the Symantec Drive Encryption user. If CTRL+ALT+DEL is not used to change the passphrase, the user must reboot once and enter the original Whole Disk passphrase (or log off, and log back in with the new Windows passphrase). Once the user logs in to Windows with the new password, this will then be synchronized with Symantec Drive Encryption, and the second Symantec Drive Encryption BootGuard screen will use the new passphrase.
Disable Auto Login and Passphrase Synchronization
If you wish to disable both auto login and the synchronization of the Windows passphrase with BootGuard, you can install or upgrade Encryption Desktop using the PGP_INSTALL_SSO=0 msiexec switch. See the article TECH249430 for details.