SSO and AD synchronization

Created: 26 Aug 2014 | 9 comments

So I have an issue with users changing Active Directory passwords outside of the normal process, and PGP Desktop is not syncing the AD password unless the user logs out of the PC. This approach seems flawed to me, as users usually shut down their PCs and don't typically log off, thus they don't know the password has not synced and they begin locking themselves out.

Is there a way to force Encryption Desktop to sync the password through the command line? I found an article on the website that allows me to change the password through the command line using PGPwde.exe; however, I don't want the password changed, I just want it to sync with the current AD password.


Chetan Savade wrote:

We always recommend changing the password using Ctrl + Alt + Del.

If you change your password in any other manner—via Domain Controller, the Windows Control Panel, via the system administrator, or from another system—your next login attempt on the PGP BootGuard screen will fail. You must then supply your old Windows password. Successful login on the PGP BootGuard screen using your old Windows password then brings up the Windows Login username/password screen. You must then log in successfully using your new Windows password, at which time PGP WDE will synchronize with the new password.

You will have to educate the users if possible.

Refer to these articles:

Changing Your Windows Password with PGP WDE With Single Sign-On

How to change/update the SSO passphrase over the PGP WDE command line, if it has not synched with the PGP Bootguard.


Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Abaddon1979 wrote:

I understand that and had stated so in my post. That is what I am trying to get around because the current setup provides poor value for customers and significantly increases support costs for our organization.

From what you are saying, the password never syncs by itself and requires input from the user? I had been in talks with tech support before on this issue, and they had informed me the password will sync when the user logs off and does not require the user to log back in to sync.

Please also verify that there is no other way of syncing besides these two options.

Chetan Savade wrote:

Yes, input is required from the user, and I haven't seen any other way to achieve it. Bootguard comes before the network driver loads.

You can raise the product enhancement request here:


Mike Ankeny wrote:

Per your original query, there is no PGPwde command that will force a sync; it can only change the passphrase.

Synchronization of passphrases will only reliably occur when the user logs into the system using the new passphrase.  When a user changes their Windows password using the ctrl+alt+delete method, Windows effectively logs them back into the system with those new credentials immediately after the change, which syncs the PGP passphrase with the Windows password.  That is what makes this the preferred method.

The synchronization process hooks into that login process.  It will not reliably (if ever) occur with any other method of credential change.  I would suggest either having the users use the ctrl+alt+delete method for changing passphrases, educate them on having to log in through Bootguard once using their old passphrase, or add a logout/login to your current process for changing the Windows password.  Any of these will require some user education, so the second option is most likely the simplest.

Alex_CST wrote:

I suggest reducing the heartbeat interval to a much shorter timeframe. If you have a small number of clients, there will be no real network impact.

Please mark posts as solutions if they solve your problem!

nbuengr2 wrote:

Hi all,

Let me bump this topic since we've got the same problem.

As per my understanding (correct me if I'm wrong), the step for changing the password is to use CTRL+ALT+DEL and then change the password. So basically, after using the old password to log in, the user needs to log off so that the new password will sync, right?

Please correct me if I'm wrong. I need an ASAP reply on this.


Mike Ankeny wrote:

When using the CTRL+ALT+DEL method to change the password for Windows, a PGP SSO account will automatically update the password at that time.

Using any other method, they will need to log into Bootguard once with their old passphrase, which takes them to Windows login.  When they log into Windows, it should sync the PGP passphrase with the Windows password.

nbuengr2 wrote:

Hi Mike,

I followed the procedure for changing the password using CTRL+ALT+DEL, and Windows still doesn't sync with PGP. I've tried logging off and logging back in, and restarting the system (which requires the old passphrase). When I restart the system, it proceeds to the Windows login, but it shows PGP SSO and below that "Switch user", so I logged in using my account (new password).

On my policy side, encryption of disks to the existing Windows Single Sign-On password was set to ALLOW, then I changed it to FORCE.

I've tried locating the PGPWDE01 but can't find it under C:\ (followed the instructions here

Any thoughts?