Changing Your Windows Password with PGP Encryption Desktop (PGP) or Symantec Endpoint Encryption (SEE) Single Sign-On
Article ID: 181178

Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article provides guidelines for how Windows passwords should be changed, and explains when password synchronization happens, on a system encrypted with either PGP Desktop Drive Encryption or Symantec Endpoint Encryption.

Both applications handle password changes on the Windows side in the same way.

Note on Drive Encryption Users and PGP Keys: When using Single Sign-On with the PGP Server, no PGP keys are used. PGP keys are used for encrypting individual files and folders, for File Share Encryption, and for Email Encryption. If only Drive Encryption is used, the only case in which a PGP key is used for preboot authentication is when the key is on a smartcard or hardware token. If no smartcard or other hardware token is used, the user records are stored by Drive Encryption itself, and only the password can unlock the disk.

If you have a "Password-Only" user, the password is not synchronized with your Windows login.

If you have a "Single Sign-On" user, the password is synchronized with your Windows login.

Neither Password-Only nor Single Sign-On users have a PGP key unless you incorporate the use of a smartcard or token.

Resolution

If you need to change your password, whether because of password rotation policies or simply because you want a different password on the Windows account, take care that the password on your encrypted drive is updated as well.

When the system is encrypted with either PGP or SEE, a service monitors these account changes and automatically synchronizes the new password to the Drive Encryption "preboot" screen. To boot the system, the correct password must be entered at the preboot screen, so if you change your password by a method this service does not monitor, you may need to take additional steps to update it.

To have your Windows password synchronized automatically with the preboot screen, change your password using the CTRL+ALT+DEL keystroke. When you press CTRL+ALT+DEL, the password synchronization service is fully engaged and ensures the new password is updated on the preboot screen.

User Experience (SEE 12.0.1 HF1 and above): Scenario 1 - Change password using CTRL+ALT+DEL

Symantec Endpoint Encryption 12.0.1 HF1 and above use an automatic synchronization feature. Once the user changes their Windows password, a prompt to synchronize the password appears.

For example: the user presses CTRL+ALT+DEL to change the password. This pops up the notification automatically.

Step 1: The user changes their password with CTRL+ALT+DEL.

Step 2: Once the user logs in, they receive the following prompt:

Important Note: Notice the red text in the prompt. Be sure to enter the correct Windows password. Too many incorrect entries can lock out the account!

If you receive the following message, either you entered the wrong credentials or your account is actually locked out:

Step 3: Once the proper credentials have been entered, you will see the following message:

Step 4: Once the password has been entered, the notification goes away and the new password is immediately synchronized with Windows.

User Experience (SEE 12.0.1 HF1 and above): Scenario 2 - Change password "Out of Band" (Not using CTRL+ALT+DEL)

For example: the password was changed via a third-party application, such as Symantec VIP, SiteMinder, or another centralized credential manager. This does not pop up the notification automatically.

The user changed their password without using CTRL+ALT+DEL, for example via a custom web portal the enterprise uses, or via a credential management system such as SiteMinder.

Step 1: In this example, we assume the user changed the password via a Single Sign-On portal, such as SiteMinder. Once the password has been changed, they can log in to their Windows profile with the new password, and the password synchronization notification is displayed:

In addition to changes made via SiteMinder, if a user forgot their password and it was reset by the helpdesk, the same prompt appears once they log in to Windows.

Step 2: The user enters the new password in the Password field and clicks Save. The following message appears:

If the user enters the wrong password, the following message appears:

Re-enter the password, but be careful not to enter the wrong password again. Too many incorrect attempts could lock out your Windows account.

Important Note: If the password notification did not pop up to synchronize your password, you can synchronize it manually.

To synchronize your password manually, move on to Step 3 below.


Step 3: From the Start menu, open the SEE Management Agent application and click "Password Synchronization":

Step 4: Click Continue to update your password:

Once the proper password has been entered, click Save to finish the synchronization to preboot authentication.

Tips:

* The Management Agent can be used at any time to synchronize the password.

* You do not need to run it as administrator, but you do need to be logged in as the user who is currently registered.

* If you changed your password with SEE 12.0.0 or below and upgraded to SEE 12.0.1 HF1 at the same time, you may need to use this manual sync method.

* User registration is also done using this new notification method. For more information on user registration, see the following article:

163588 - Troubleshooting User Registration and Single Sign-on with Symantec Endpoint Encryption

If you are running into a scenario not discussed above, reach out to Symantec Encryption Support for further guidance.

The following scenarios relate to SEE 12.0.0 and older versions. If you are using SEE 12.0.1 HF1 or above, refer to the first two scenarios in this article.

User Experience (SEE 12.0.0 and older): Scenario 3: User logs in to the Windows account and is asked to change the password immediately

Logging in to Windows should synchronize the password automatically. If synchronization does not work, you may need to upgrade to SEE 12.0.1 HF1; see Scenarios 1 and 2 for that process flow.

Step 1: The user logs in to Windows.

Step 2: The user is asked to change their password as part of the login process.

Step 3: The user changes their password.

Step 4: The user is logged in to their Windows profile with the new password.

Step 5: The password is then automatically synchronized to the preboot screen and the next time the user reboots, the new password can be used at the PGP or SEE preboot screen.

 

User Experience (SEE 12.0.0 and older): Scenario 4: The user changed the password "Out of Band"

Step 1: The user is already logged in to Windows.

Step 2: The user presses CTRL+ALT+DEL to bring up the page to change the password.

Step 3: The user is prompted to enter the old password, followed by the new one:

Step 4: The user will confirm the new password and is successful:

Step 5: At this time, have the user reboot the system.  The new password will work at the PGP or SEE preboot screen.

If these steps have not been followed, it is possible the old password will need to be entered at the preboot screen.  Look at Scenario 2 if this may apply.

User Experience (SEE 12.0.0 and older): Scenario 4: The user changed the password "Out of Band"

Important Note: If you have SEE 12.0.1 HF1 or above, refer to Scenario 2 above.

For example: the password was changed via a third-party application, such as Symantec VIP, SiteMinder, or another centralized credential manager. Logging in to Windows should synchronize the password automatically. If synchronization does not work, you may need to upgrade to SEE 12.0.1 HF1; see Scenarios 1 and 2 for that process flow.

Step 1: The user is required to change the password via a centralized credential manager, such as VIP, so the following steps are taken (steps may differ from one credential manager to another).

As an example, if Symantec VIP is used to update the Windows password on the domain controller, the PGP or SEE password monitor will not be able to update the password automatically on the preboot screen.

Step 2: Have the user log out of their Windows profile (it is not enough to simply lock the machine and unlock it with the new password).

Step 3: Have the user log back in to the Windows profile with the new password.

Step 4: When the user logs in, this will then automatically synchronize the password to the PGP or SEE preboot screen.

Step 5: Have the user reboot the system and enter the new password at the preboot screen to confirm this process was successful. 

You may also change your password when Windows prompts you during login that your password is about to expire.

Reminder: If you change your password in any other manner, such as via the Domain Controller, the Windows Control Panel, the system administrator, or another third-party solution, your next login attempt at the Symantec Drive Encryption preboot screen will not be synchronized. See Scenario 3 for help with this.


For information on how to Troubleshoot Symantec Encryption Desktop (PGP Desktop) SSO, see the following article:

153490 - Troubleshooting: Symantec Drive Encryption Single Sign-On (PGP Desktop)


For information on how to Troubleshoot Symantec Endpoint Encryption 11 Single Sign-On or user registration issues, see the following article:

163588 - Troubleshooting: User Registration and Single Sign-on with Symantec Endpoint Encryption


PGP Encryption Desktop Only (Symantec Encryption Desktop)

If you change your password outside of the CTRL+ALT+DEL scenario, for example through a third-party application, the passphrase filter will not update the password. In this case, a utility, SyncSSO.exe, can be requested from Support, which allows the passwords to be synchronized immediately. When the utility is run, the user enters the current password, then enters the new password and clicks "OK". On the next reboot, the passphrase will be synchronized. For more information on this utility, contact Symantec Encryption Support.

If you would like a "SyncSSO.exe" utility for Symantec Endpoint Encryption (SEE) as described above, reach out to Symantec Encryption Support for further guidance.
