This article provides guidelines for how Windows passwords should be changed, and explains when synchronization happens, on a system encrypted with either PGP Desktop Drive Encryption or Symantec Endpoint Encryption (SEE).
Both applications behave the same way with respect to password changes on the Windows side.
Note on Drive Encryption Users and PGP Keys: When using Single Sign-On with the PGP Server, no PGP Keys are being used. PGP Keys are used for encrypting individual files and folders, or for File Share Encryption or Email Encryption. If you are using Drive Encryption only, the only time an actual PGP Key would be used for preboot authentication is if you put the PGP Key on a smartcard or hardware token. If you do not use a smartcard or other hardware token, the user records are stored on the encrypted disk itself, and only the password can unlock it.
If you have a "Password-Only" user, you do not synchronize a password to your Windows login.
If you have a "Single Sign-On" user, you will synchronize your password with your Windows login.
Neither Password-Only nor Single Sign-On users have a PGP Key unless you incorporate the use of a smartcard or token.
If you need to change your password, whether because of a password rotation policy or simply because you want the Windows account to use a different password, take special care on an encrypted drive.
When the system is encrypted with either PGP or SEE, a service monitors these account changes and automatically synchronizes the new password to the Drive Encryption "preboot" screen. To boot the system, the correct password must be entered at the preboot screen, so if you change your password by a method that this monitoring does not see, you may need to take additional steps to update it.
To have your Windows password automatically synchronized with the preboot screen, change it using the CTRL+ALT+DEL keystroke. When you press CTRL+ALT+DEL, the password synchronization service is fully engaged and ensures the new password is updated at the preboot screen.
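The monitoring described above relies on a Windows password filter: a DLL that LSA loads and notifies whenever a password is changed locally through the normal Windows path (CTRL+ALT+DEL, forced change at logon), which is why out-of-band changes at the domain controller are not seen. Windows registers these DLLs in the LSA "Notification Packages" value. The following PowerShell script is an added example, not part of the Symantec article or either product, that lists the registered packages so an administrator can confirm a filter is actually loaded on a host before assuming synchronization will happen. The article does not name the PGP or SEE filter DLL, so the name to look for is a parameter with a placeholder default.

```powershell
# Added example (not from the article): enumerate the LSA password-change
# notification packages and check whether an expected filter is registered.
# LSA loads each listed name as %SystemRoot%\System32\<name>.dll.
param(
    # Placeholder: replace with the actual filter DLL base name for your product
    [string]$ExpectedFilter = 'ExampleFilterName'
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 'Notification Packages' is REG_MULTI_SZ, so this returns a string array
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

Write-Host "Registered LSA notification packages on $env:COMPUTERNAME:"
foreach ($name in $packages) {
    $dll = Join-Path $env:SystemRoot "System32\$name.dll"
    $status = if (Test-Path $dll) { 'DLL present' } else { 'DLL MISSING' }
    Write-Host ("  {0,-30} {1}" -f $name, $status)
}

if ($packages -contains $ExpectedFilter) {
    Write-Host "'$ExpectedFilter' is registered: local password changes (CTRL+ALT+DEL) will be passed to it."
} else {
    Write-Warning "'$ExpectedFilter' is not registered: password changes on this host will not be intercepted by it."
}
```

Run it in an elevated PowerShell session. A filter that is listed but whose DLL is missing, or one that is absent altogether, explains a preboot screen that still expects the old password even after a CTRL+ALT+DEL change; the change to the value itself only takes effect after a reboot, because LSA reads it at startup.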
User Experience: Scenario 1 - User logs in to the Windows account and is asked to change the password immediately
Step 1: The user logs in to Windows.
Step 2: The user is asked to change their password as part of the login process.
Step 3: The user changes their password.
Step 4: The user is logged in to their Windows profile with the new password.
Step 5: The password is automatically synchronized to the preboot screen. The next time the user reboots, the new password can be used at the PGP or SEE preboot screen.
User Experience: Scenario 2 - User is already logged in to Windows with the old password and needs to change to a new password
Step 1: The user is already logged in to Windows.
Step 2: The user presses CTRL+ALT+DEL to bring up the Change a password page.
Step 3: The user is prompted to enter the old password, followed by the new one.
Step 4: The user confirms the new password and the change succeeds.
Step 5: Have the user reboot the system. The new password will work at the PGP or SEE preboot screen.
If these steps have not been followed, it is possible that the old password will need to be entered at the preboot screen. See Scenario 2 if this applies.
User Experience: Scenario 3 - The user changed the password via a third-party application, such as Symantec VIP or another centralized credential manager
Step 1: The user is required to change the password via a centralized credential manager, such as VIP, so the steps below are taken (steps may differ from one credential manager to another).
For example, if Symantec VIP is used to update the Windows password on the domain controller, the PGP or SEE password monitor cannot update the password at the preboot screen automatically.
Step 2: Have the user log out of their Windows profile (it is not enough to simply lock the machine and unlock it with the new password).
Step 3: Have the user log back in to the Windows profile with the new password.
Step 4: This login automatically synchronizes the password to the PGP or SEE preboot screen.
Step 5: Have the user reboot the system and enter the new password at the preboot screen to confirm this process was successful.
You may also change your password when Windows prompts you during login that your password is about to expire.
Reminder: If you change your password in any other manner, such as on the Domain Controller, via the Windows Control Panel, via the system administrator, or from another third-party solution, your next login attempt at the Symantec Drive Encryption preboot screen will not be synchronized. See Scenario 3 for help with this.
For information on how to Troubleshoot Symantec Encryption Desktop (PGP Desktop) SSO, see the following article:
For information on how to Troubleshoot Symantec Endpoint Encryption 11 Single Sign-On or user registration issues, see the following article:
163588 - Troubleshooting: User Registration and Single Sign-on with Symantec Endpoint Encryption
Symantec Encryption Desktop (PGP Desktop) Only:
If you change your password outside of the CTRL+ALT+DEL scenario, for example through a third-party application, the passphrase filter will not update the password. In this case, a utility, SyncSSO.exe, can be requested from Support; it allows the passwords to be synchronized immediately. When the utility is run, the user enters the current password, then enters the new password and clicks "OK". On the next reboot, the passphrase will be synchronized. For more information on this utility, contact Symantec Encryption Support.
If you would like a "SyncSSO.exe" utility for Symantec Endpoint Encryption (SEE) as stated above, reach out to Symantec Encryption Support for further guidance.