Changing Your Windows Password with PGP Encryption Desktop Single Sign-On (PGP)


Article ID: 396186


Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, Information Centric Encryption, Mobile Encryption for iOS, Policy Based Encryption, Tape Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

This article provides guidelines for how Windows passwords should be changed, and explains when synchronization happens, on a system encrypted with PGP Encryption Desktop's Drive Encryption solution.

For password synchronization for Symantec Endpoint Encryption (SEE), see the following article:
181178 - Changing Your Windows Password with Symantec Endpoint Encryption Single Sign-On (SEE)

Resolution

If you need to change your password, whether because of password rotation policies or because you need to set the Windows account to a different password, consider the following scenarios:

Scenario 1: Note for PGP 11.0.1 HF1 and above and Windows 11 24H2 and above


When the system is encrypted with PGP, a service monitors these account changes and automatically synchronizes them to the Drive Encryption "preboot" screen.
With Windows 11 and beyond, manual synchronization is needed, using the "SyncSSO.exe" utility that is part of PGP 11.0.1 HF1 and above.
This section covers the steps for using the SyncSSO.exe utility to synchronize your password on Windows 11 24H2 and beyond. See the steps below for this scenario.

The PGP Encryption Desktop 11.0.1 Hotfix 1 and above for Windows includes the addition of the SyncSSO.exe file.
This utility allows you to synchronize your Single Sign-On (SSO) credentials between Windows and PGP Encryption Desktop.

Steps to manually sync the updated Windows passphrase with Bootguard:

    1. Log in to Windows using the new Windows passphrase associated with your drive encryption password.

    2. Navigate to C:\Program Files\PGP Corporation\PGP Desktop and double-click the SyncSSO.exe file.

       Alternatively, press the Windows + R keys on your keyboard, paste the following into the field, and press Enter:

       C:\Program Files\PGP Corporation\PGP Desktop\SyncSSO.exe

    3. The following window will appear:

       Enter your current Drive Encryption Bootguard/Preboot password, and then enter your newly changed Windows account password twice. Both of these passphrases are validated within their respective environments for correctness.

    4. Click "Sync WDE Passphrase", and the following message will appear:

    5. This process updates the Preboot password with your current Windows password. You can now reboot and use the updated password.

Troubleshooting the SyncSSO.exe Utility:

Issue 1: The new passwords don't match:

Solution: Be sure to enter the same password in both fields.  Show the text if needed and reenter.


Issue 2: Your PGP WDE password did not appear to unlock any user accounts.

If you are trying to reset the password for a user and you are not currently logged in under their Windows account, it may not work.
Log in to the user's Windows profile and try again.

For example, if you have a user "User1", but you're logged in as "User2", this may not work.
Also, running the utility as administrator is not needed, and doing so could cause it to fail as well.

Issue 3: Item Not Found
If you see this error, please reach out to Symantec Encryption Support for further guidance. 

 

 

 

Scenario 2: Note for PGP Encryption Desktop 11.0.1 and older on Windows 11 24H2 and above


Windows 11 24H2 has a feature that disallows the automatic password synchronization feature for PGP Drive Encryption.
To get the new mechanism for synchronization, either upgrade to PGP 11.0.1 HF1 or above, or SEE 12.0.1, or reach out to Symantec Encryption Support for further guidance.


Scenario 3: Note for PGP Encryption Desktop and Windows 10 and older


The automatic passphrase synchronization continues to function and behave as it always has.

To boot a system, the proper password must be entered at the preboot screen. If you change your password by a method that is outside the monitoring of our process, you may need to take additional steps to update it.

To have your Windows password automatically synchronized with the preboot screen, change your password using the CTRL+ALT+DEL keystroke. When you press CTRL+ALT+DEL, the password synchronization service is fully engaged to ensure the new password is updated to the preboot screen.
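The checks implied by the three scenarios and by troubleshooting Issue 2 can be scripted before a user runs the utility. The following PowerShell is an added example, not part of the original article or of Symantec's tooling; the function name, the -Launch switch and the build thresholds (22000, 26100) are assumptions introduced here, while the SyncSSO.exe path is the one given above.

```powershell
# Added example, not vendor code. The path and scenario rules come from this
# article; the build numbers (22000 = first Windows 11 release,
# 26100 = Windows 11 24H2) are Microsoft's published build numbers.
function Get-PgpSsoSyncScenario {
    param(
        [string]$SyncSsoPath = 'C:\Program Files\PGP Corporation\PGP Desktop\SyncSSO.exe',
        [switch]$Launch   # hypothetical convenience switch: start the utility if checks pass
    )

    $build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = [Security.Principal.WindowsPrincipal]::new($identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    $hasTool  = Test-Path -LiteralPath $SyncSsoPath -PathType Leaf

    if ($build -ge 26100 -and $hasTool) {
        $scenario = 'Scenario 1: sync manually with SyncSSO.exe'
    } elseif ($build -ge 26100) {
        $scenario = 'Scenario 2: SyncSSO.exe missing; upgrade PGP or contact support'
    } elseif ($build -lt 22000) {
        $scenario = 'Scenario 3: automatic sync; change the password via CTRL+ALT+DEL'
    } else {
        $scenario = 'Windows 11 before 24H2: not explicitly covered by the scenarios'
    }

    $warnings = @()
    if ($elevated) {
        # Troubleshooting Issue 2: running as admin can make the sync fail.
        $warnings += 'Session is elevated; start SyncSSO.exe without "Run as administrator".'
    }
    $ready = ($scenario -like 'Scenario 1*') -and -not $elevated
    if ($Launch -and $ready) { Start-Process -FilePath $SyncSsoPath }

    [pscustomobject]@{
        WindowsBuild = $build
        CurrentUser  = $identity.Name   # must be the account whose password changed
        SyncSsoFound = $hasTool
        Elevated     = $elevated
        Scenario     = $scenario
        ReadyToSync  = $ready
        Warnings     = $warnings -join ' '
    }
}

Get-PgpSsoSyncScenario | Format-List
```

Run it from a normal (non-elevated) PowerShell session in the affected user's own Windows profile, so that CurrentUser and Elevated reflect the conditions SyncSSO.exe will actually run under.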

 

 

Note on Drive Encryption Users and PGP Keys: When using Single Sign-On with the PGP Server, no PGP Keys are being used.  PGP Keys are used for encrypting individual files and folders, or File Share Encryption or Email Encryption.  If only Drive Encryption is used, the only time a PGP Key would be used for preboot authentication is if a PGP Key on a smartcard or hardware token is used.  If a smartcard or other hardware token is not used, the users are stored on the encryption itself with only the password being able to unlock.

If you have a "Password-Only" user, you do not synchronize a password to your Windows login.

If you have a "Single Sign-On" user, you will synchronize your password with your Windows login.  

Both Password-Only and Single Sign-On users will not have a PGP Key unless you incorporate the use of a smartcard or token. 

Additional Information