One particular user, who is remote for a few weeks, is not able to get past pba without recovery.
Drive Encryption 7.1.1
Chain of events:
User changes password with ctrl-alt-delete.
Password change detected and logged in ePO.
Person goes home.
Person forgets password.
I recover to get past preboot, have them log into a local account, start the VPN, fast switch, and log in with a temporary password I set for them.
Ctrl-alt-delete again to change password
NO 'Password change' logged in ePO. User cannot successfully preboot.
So, if I am reading all the forums right - preboot *should* update the DE password on a) a failed SSO login or b) a C-A-D password reset.
a) Is not happening, I assume, because I am recovering and SSO cannot be triggered.
b) Is not happening because?
Collect/Send Props, Enforce Policies, etc. all seem to work. No apparent connectivity issues between the VPN device and ePO.
Yes, the eventual solution may be DE 7.1.3 but am hoping for a quicker fix.
This is the expected behavior. The user must be authenticated in PBA for a password sync to occur. This is documented in KB78474 - "Unable to authenticate at preboot after changing the password in Windows".
To work around this behavior in the future, perform an administrative user recovery and reset the user's token, allowing them to reset their PBA password first and loading their user in PBA. Once in Windows, any password change at Ctrl + Alt + Del will be synchronized to the PBA user.
Yes, this is the same behavior with 7.1.3. You must have a user logged into PBA for the PCDC functionality to work. It verifies the user's LastPassSet AD attribute against the token timestamp. Without a user loaded into PBA, there is no token timestamp to verify against.
However, once the user has authenticated at PBA, if the password is changed in a way that MDE cannot capture, such as within AD or on another system, the PCDC functionality will detect the password change and request that the user lock and unlock their system to update their preboot user's credentials.