What is the behavior of a client using Authenti-Check and SSO off the network to reset a password? What is the behavior of a client using OTP and SSO off the network to reset password?
Once authenticated with either method, the behavior is identical.
These answers pertain only when SSO is enabled, and includes with and without local accounts. If SSO is enabled and the password-recovery process ends successfully, then the correct Authenti-Check answers have been entered, or the OTP response key has been entered correctly, and has been given to Windows. The Symantec Endpoint Encryption-Full Disk password does not need to be reset, since it is synchronized completely to your Windows Password.
If this is a computer that is routinely off of the Domain, it is expected that the user will have a local account with administrator rights to the computer (or access to one).
At this time, set the Windows Password by following the steps below: