I'm having an issue with users' Windows passwords not syncing with the encryption pre-boot. The user will log into Windows and press Ctrl+Alt+Del to change their password. Now for some reason the users still have to use their old password to log on to pre-boot. One user we tested with, 2 weeks later, still had to use his old password to sign into pre-boot. When the user changed his password there was no change password event. After 2 weeks the user selected change password at the pre-boot and changed his password.
Anything I might be missing?
If SSO and password synchronization are properly configured in the policy and the users are in sync, when doing the password change on the local system with CTRL+ALT+DEL, it should be able to capture that change at that time, assuming that user is the logged on preboot user. Assuming all of that is the case but the password is not changing, I would look to whether there are any other third-party credential provider filters in place that may be preventing the MDE credential provider from "seeing" the password change.
I know the client is using a 3rd-party tool as well that is configured on the machine to change their password if they forget it.
I know automatic booting is also enabled for when they do some software upgrades or OS upgrades; not sure for how many reboots it has been set.
So if the user changed his password in the time that pre-boot was not off, the password sync will not happen?
If preboot is enabled and the user in Windows is the same user that is logged in as the preboot user it should be able to change. If, however, there is no logged in user because automatic booting was used, the password change will not happen for the MDE user account.
I believe this user's pre-boot was disabled for a month to allow them to work from home while waiting for their VPN access and to allow them to change their password to something more complex. The machine was used daily by the same user and the password was changed before pre-boot was enabled again. Now if automatic booting is the issue for not updating the password, should the user not receive a message in Windows that the password is out of sync, as set in the policy?
The message comes from a functionality that is configurable that checks to see if the MDE password matches or not. Generally in this situation I wouldn't expect that it would give a pop-up for that while automatic booting, since there is no user logged into preboot, but variables like the token state could potentially impact that behavior. Is the user seeing this pop-up at this point?
If preboot is back to an enabled state, the most efficient way to get it back "in line" would probably be to issue a token reset from the DE: Users query, sync up the system and have the user reboot as soon as the reset has come through. Then they can log in, basically the same way as if they were a new user and get it synchronized. I would advise to make sure that it is done quickly and in coordination with the user so that the system does not get left with a user in a default state.
No, for the past 2 weeks the user used his old password at preboot and the new password in Windows. But there was no pop-up in the 2 weeks that he was using it. Some of the users already updated their details by using the change password at pre-boot or by doing a self recovery. The rest whose data is out of sync will be reset and have to re-register.