If they change their password on their machine via Ctrl+Alt+Del, it should sync the preboot password (well, that's what my testing has proved).
You can also change the EEPC part of the password using the "change password" option when the machine is locked or at PBA.
That's what I have gathered so far from my limited usage.
It's uploaded at the next ASIC as long as a datachannel to EPO can be established.
I'd like to add one question to the password sync topic (I hope I won't hijack your thread). Is there a "best practice" to mitigate the risk of having default passwords (12345 or any other I'd define in the policy) all around the company? As far as I know, the only possibility is to assign one user to one endpoint, and then I can be sure the user will be forced to change the default password.
But in some scenarios I have to assign more users (e.g. a whole group) to the endpoint, and I can't be sure everyone will change the default password. Some users could have it on the machine forever, which could be a pretty serious weakness (please don't take this as an offense, I'm trying to use the encryption in the best way possible).
I guess the mitigation is that the password is reflected between machines, so you only have to change it on one - then it will get bounced around your environment to every other machine their account is allocated to?
Thank you. Now I see, and it finally makes sense.