Symantec Endpoint Encryption Windows Password Reset Utility

Article ID: 254842


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Symantec Endpoint Encryption encrypts boot drives. Once a system is encrypted, the user must enter their passphrase at the Preboot screen each time the system reboots.

Once the user's credentials have been authenticated, the system will boot up to Windows.

In the event that a user forgets their passphrase, there are several methods to recover, including the following:

* SEE Client Administrators can enter their credentials to boot the system.
* A SEE Recovery Key can be entered at the preboot to allow the system to boot.
* The user can enter their recovery answers to boot the system.

This article will go over the latter option when a user has created their own recovery questions.  In this event, the user can reset their own Windows password.

Resolution

The Symantec Endpoint Encryption Windows Password Reset snap-in enables you to create a Windows Password Reset Utility installation package.

When you install the Windows Password Reset Utility on a Drive Encryption client computer, the utility extends the functionality of the Drive Encryption Self-Recovery feature to enable users to reset their Windows password by themselves.

Using the Windows Password Reset Utility can help reduce support calls to the local help desk when users forget their Windows password, but special care and consideration should be taken as this extends password reset functionality.

 

 

Scenario: User forgets their passphrase and is using the Windows Password Reset Utility

 

When a user has forgotten their passphrase, at the preboot screen they choose the option to perform Self Recovery.  Once completed, they can reset their own Windows password as well.



Admin Experience:

Before this functionality can be used, you would need to install the Windows Password Recovery Utility on the SEE Management Server.

This is included in the SEE Management Server Installer Suite (it is recommended to close any open SEE Management Server windows before installing):

Once the application has been installed, it appears at the bottom of the SEE Management Server "Manager" as "Symantec Endpoint Encryption Windows Password Reset":

Enter the SEE Management Server password and click next.

The following two options are available:

 

Once this has been completed, you will click "Finish" and an installation MSI package will be created:

To deploy this to a Windows system, first install the SEE Drive Encryption client.  Then install this SEE Windows Password Reset Utility.

Once both of these client installers are installed on the system, the Password Reset will be able to insert itself into the Windows password process for the local system.

This means that if a user forgets their Windows password, as long as they can enter their recovery questions at the Preboot Screen, then they can reset their Windows password without having to call Help Desk.

 

 

End User Experience

Once a user's machine is encrypted, they will be prompted to enter their Self-Recovery Questions:

The above provides the end user with a brief overview of the wizard.  Click Continue to move on to step 2.


The end user's Username should automatically be populated:

The end user will enter their Windows password and click "Continue".
Note: Windows ARSO (Automatic Restart Sign-On) must be disabled for this to work.  If it is enabled, disable it, reboot the system, and try again.

On Step 3 of 4 the user will enter their answer to the questions they are prompted for:



Note: It is very important that the questions and answers entered here are secure and consist of information only the end user knows.
Anyone who knows the answers to these questions can reset the Windows password.

Once these questions and answers are filled, the user will click "Save".  Once saved, the following screen will appear:

The end user will click Finish to complete this process for the Self-Recovery Questions.

 

Now if the user ever forgets their passphrase, they can use these same questions to reset their password not only at preboot, but the Windows password as well.
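
The ARSO requirement noted in the enrollment wizard above can be checked on a client before the utility is rolled out. The following is an added example, not part of the original article or of Symantec's tooling; it assumes ARSO is controlled through the Microsoft-documented policy value `DisableAutomaticRestartSignOn`, and the function names are hypothetical.

```powershell
# Added example: report (and optionally enforce) the Windows ARSO policy setting.
# Assumption: ARSO is governed by the Microsoft-documented policy value below;
# the path and value name do not come from the Symantec article.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName  = 'DisableAutomaticRestartSignOn'

function Get-ArsoPolicyState {
    # Returns 'Disabled', 'Enabled', or 'NotConfigured' (Windows default applies).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-ArsoPolicy {
    # Requires an elevated session. Reboot afterwards, as the note above says.
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

$state = Get-ArsoPolicyState
Write-Output "ARSO policy state on $($env:COMPUTERNAME): $state"

if ($state -ne 'Disabled') {
    # 'NotConfigured' is treated as a finding because the Windows default may
    # leave ARSO active, which the article says prevents enrollment from working.
    Write-Warning 'ARSO is not explicitly disabled; disable it and reboot before enrolling.'
    # Disable-ArsoPolicy   # uncomment to set the policy value on this machine
}
```

On domain-joined machines a Group Policy setting will overwrite a locally written value, so the durable fix belongs in the GPO rather than in this script.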

 

At the Preboot Screen, the following is displayed:

If the user has forgotten their passphrase, they will press "F4" to be brought to the following page to start the process.
The user will arrow down to "Self Recovery" and press Enter:

The following screen will then appear where they will enter their username:

The following screen will appear for the first question of three in this example.  The user answers the question and presses Enter:

The next question and answer will then be entered:

The final question and answer is confirmed and the user presses Enter:

Once all of the questions and answers are confirmed, the machine will boot to the Windows login screen.

Instead of the user entering their Windows Username and password, the following prompt appears that will allow them to reset their Windows password:

Once the new password is entered, the user will then be logged in to Windows:

 

This new password will then be used for Windows and the Preboot screen.

 

 

 

Troubleshooting Q&A

Question 1: If the machine is not able to communicate with the domain network, does the Windows Password Reset Utility work?

Answer: If the machine is not on the network, the user will be logged in to Windows automatically. 
Depending on the Domain policy, the user may need to press CTRL+ALT+DEL to be able to log in and may not be logged in automatically even if off network.
Once the system is back on the network and the user logs in, this will 

Question 2: Can I enable or disable the Windows Password Reset functionality?
Answer: There are two methods you can use to disable this functionality:

Method 1: You can disable this via policy temporarily:

Method 2: You can completely uninstall this utility from the machine to disable this functionality. 

 

 

 
