File Share Encryption

  • 1.  PGP Passphrase not synchronizing with Active Directory

    Posted Nov 23, 2015 10:25 AM

    I am working in an environment with Windows 7 computers bound to an Active Directory domain.  We've been using PGP since 2008 and everyone who set their PGP passphrase back then still has that same passphrase no matter how many times they've reset their Active Directory password.  Is there a setting I'm missing that disables this synchronization?  If not, is there a way to force synchronization?

    Thanks!



  • 2.  RE: PGP Passphrase not synchronizing with Active Directory

    Broadcom Employee
    Posted Nov 23, 2015 01:12 PM

    Hi AdvancedServices,

    In the Consumer Policy, you can check the configuration. Go to Consumers > Consumer Policy > select the policy > Desktop... (button) > Disk Encryption (tab) > Symantec Drive Encryption (section) > [Allow/Deny/Force] encryption of disks to existing Windows Single Sign-On password. This is applied during the user enrollment.

    This may be caused by several factors, including the feature having been intentionally disabled or not installed. Please check "Troubleshooting: Symantec Drive Encryption Single Sign-On" (some newer machines need to update the Intel Rapid Storage Technology RAID driver).

    Rgs,

    dcats



  • 3.  RE: PGP Passphrase not synchronizing with Active Directory

    Posted Nov 24, 2015 08:32 AM

    Thank you for the suggestion, our server is currently set to "Allow".  Let me give you some more information that might help:

    • When we use Whole Disk Encryption we enter our Active Directory passwords and enable SSO, this process works.  Upon reboot, BootGuard accepts our AD passwords and logs us into Windows.
    • When I create an Encrypted Zip or Encrypted Virtual Disk it allows me to add myself as an authorized user without error.  However, when I try to decrypt the zip or virtual disk it says my passphrase is incorrect.
    • When I try to "Update Policy" in Symantec Encryption Desktop it asks for my passphrase and when I enter my AD password it says it is incorrect.
    • I have had several different AD passwords since my key was originally created 7+ years ago.
    • When anyone tries to "Create My PGP Questions" to hopefully enable key reconstruction Symantec Encryption Desktop stops responding.

    So all this seems to me like Symantec isn't syncing with AD for passwords.



  • 4.  RE: PGP Passphrase not synchronizing with Active Directory

    Broadcom Employee
    Posted Dec 09, 2015 08:07 AM

    Hi AdvancedServices,

    The only passphrase that can be synchronized with the AD password is the Bootguard passphrase.

    After this, either you have SKM (server key mode) or any other key mode with a defined passphrase, but this is not synchronized with AD.

    SKM keys are handled by the server, and you should not be prompted for the passphrase because you won't know it.

    For the other key modes (CKM, GKM, SCKM), possibly the first time you enrolled you typed the same password as your AD password, but that will not change automatically.

    I guess that the Update Policy is trying to use/update your private key, which is in a client key mode, so you need to type the passphrase manually. For the passphrase recovery to work, the server needs to have the recovery block associated with the key. If that block is not there, it will not be possible to reset the passphrase; if it is there, you might be facing some bug in an older version. Perhaps it would be a good idea to contact Support.

    Rgs,

    dcats



  • 5.  RE: PGP Passphrase not synchronizing with Active Directory

    Posted Feb 02, 2016 02:44 AM

    Hi,

    Is it that the user changed their Windows password but the PGP SSO password is not up to date? If so, you may have missed the Directory Synchronization Settings.

    Log into your PGP server and navigate to the page below:

    Consumers > Directory Synchronization >  Settings

    Make sure you have a valid service account to reach the LDAP server.

    Verify it with Test Connection.