File Share Encryption


SED triggers failed authentication attempts when using a SmartCard to login to Windows

  • 1.  SED triggers failed authentication attempts when using a SmartCard to login to Windows

    Posted May 03, 2018 01:56 PM

    In our environment, we require the use of SmartCards to sign in to Windows devices.  We have the following configured:

    • Silent Enrollment
    • DISABLEWDESSO is set to 1
    • PGP_INSTALL_SSO is set to 1 (the default)

    This allows Symantec Encryption Desktop to sync the WDE passphrase with the user's AD account.  PGP_INSTALL_SSO is left enabled so that the AD password remains synced with the WDE passphrase when the user changes their password.  DISABLEWDESSO is set to 1 in the registry so that the device does not automatically sign the user into Windows after they enter their passphrase on the SED boot screen.

    All of this works fine.  However, we have an in-house tool that lets us see the number of bad password attempts for our AD accounts.  What I have discovered is this:

    • If I disable the SmartCard enforcement and sign in to Windows using my AD credentials directly, everything is fine.  The bad password count for the AD account remains 0 (as expected).
    • When SmartCards are enforced and I sign in to Windows using my SmartCard PIN, SED triggers 2 failed attempts on my AD account to the domain controller.

    In most cases, the account does not get locked because it's only 2 bad attempts.  We set our accounts to lock after 3 failed attempts.  This means if I fail any other authentication with my AD account after signing in to the workstation, my account gets locked.  Also, if I reboot shortly after signing in and then sign in again, it will send another 2 failed attempts to the domain controller and immediately lock the account.

    The only way I found to stop this is to decrypt the drive and reinstall SED with PGP_INSTALL_SSO set to 0 via command line install or by editing the MSI file with Orca.  However, this breaks the AD password WDE sync, which I don't want to do.

    This happens in Windows 7 and Windows 10.
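The observation above (two bad-password counts per smart card logon) can be reproduced with a controlled before/after check instead of an in-house tool. The following script is an added example, not code from the thread or from Symantec; it assumes the RSAT ActiveDirectory module is installed and that you run it against a test account that can tolerate a lockout. The point it adds is that badPwdCount and badPasswordTime are not replicated, so every domain controller has to be queried, or a count that landed on a DC other than the one you asked will be missed.

```powershell
# Added example (not from the thread): snapshot the per-DC bad-password
# counters for one account, wait for a smart card logon on the test
# workstation, then report which DC's counter moved and by how much.
# Requires the RSAT ActiveDirectory module. $SamAccountName is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

function Get-BadPasswordSnapshot {
    param([string]$Account)

    # badPwdCount and badPasswordTime are kept per DC and are not replicated
    # (failures are forwarded to the PDC emulator, but the receiving DC also
    # counts them), so ask every DC. lockoutTime is replicated.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Account -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                BadPwdCount      = [int]$u.badPwdCount
                BadPasswordTime  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
                LockedOut        = [bool]($u.lockoutTime -and $u.lockoutTime -ne 0)
            }
        } catch {
            # A DC that cannot be reached is reported rather than silently skipped.
            [pscustomobject]@{
                DomainController = $dc.HostName
                BadPwdCount      = $null
                BadPasswordTime  = $null
                LockedOut        = $null
            }
        }
    }
}

$before = Get-BadPasswordSnapshot -Account $SamAccountName
$before | Format-Table -AutoSize

Read-Host 'Sign in to the test workstation with the smart card, then press Enter'

$after = Get-BadPasswordSnapshot -Account $SamAccountName

# Report only the DCs whose counter increased. An increase during a logon in
# which no password was typed is exactly the symptom described in the thread.
foreach ($a in $after) {
    $b = $before | Where-Object DomainController -eq $a.DomainController
    if ($null -ne $a.BadPwdCount -and $null -ne $b.BadPwdCount -and $a.BadPwdCount -gt $b.BadPwdCount) {
        '{0}: badPwdCount {1} -> {2} (last bad password {3})' -f `
            $a.DomainController, $b.BadPwdCount, $a.BadPwdCount, $a.BadPasswordTime
    }
}
```

With a lockout threshold of 3 (as in the thread), run this against a dedicated test account, and note that the `LockedOut` column flipping to `True` on the second logon after a reboot is the same lockout the poster describes.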



  • 2.  RE: SED triggers failed authentication attempts when using a SmartCard to login to Windows

    Posted May 07, 2018 03:40 PM

    It looks like this has something to do with the PGPpwflt dll.  There are two registry keys that get updated when you install PGP:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder]
    "ProviderOrder"="RDPNP,LanmanWorkstation,webclient,PnSson,PGPpwflt"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
    "ProviderOrder"="RDPNP,LanmanWorkstation,webclient,PnSson,PGPpwflt"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder]
    "PGPpwflt"=dword:000003e8

    PGPpwflt is added to the end of the HwOrder and Order "ProviderOrder" REG_SZ values.  If I remove PGPpwflt from both of the "ProviderOrder" values, the problem goes away.  However, passwords no longer sync when changed.  It appears that a patch will be needed to update PGPpwflt to not send the SmartCard PIN to AD when a user logs in to Windows.
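The registry keys quoted above are the Windows network provider chain: every name in `ProviderOrder` is a provider DLL that Windows loads at interactive logon and hands the typed credentials to, which is what lets PGPpwflt keep the WDE passphrase in sync with the AD password. The following read-only audit is an added example, not code from the thread or from Symantec. It assumes that each provider also registers under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider` with a `ProviderPath` value (the usual layout for network providers; whether the PGPpwflt entry is present on a given build is not confirmed by the thread, so the script tolerates its absence). It changes nothing, since the post notes that removing PGPpwflt from the order breaks password sync.

```powershell
# Added example (not from the thread): list the network provider chain from
# both Order and HwOrder, resolve each provider's DLL, and show who signed it.
# Read-only; it never edits ProviderOrder.

$orderKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder'
)

function Get-NetworkProviderChain {
    foreach ($key in $orderKeys) {
        $order = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
        if (-not $order) { continue }

        $position = 0
        foreach ($raw in ($order -split ',')) {
            $name = $raw.Trim()
            if (-not $name) { continue }
            $position++

            # Assumption: the provider's DLL is registered under its service key.
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
            $path   = $null
            $signer = 'no NetworkProvider service key'

            if (Test-Path $svcKey) {
                $path = (Get-ItemProperty -Path $svcKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
                if ($path) {
                    $expanded = [Environment]::ExpandEnvironmentVariables($path)
                    if (Test-Path $expanded) {
                        $sig = Get-AuthenticodeSignature -FilePath $expanded
                        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "signature $($sig.Status)" }
                    } else {
                        $signer = 'DLL missing on disk'
                    }
                } else {
                    $signer = 'no ProviderPath value'
                }
            }

            [pscustomobject]@{
                OrderKey     = Split-Path $key -Leaf
                Position     = $position
                Provider     = $name
                ProviderPath = $path
                Signer       = $signer
            }
        }
    }
}

$chain = Get-NetworkProviderChain
$chain | Format-Table -AutoSize

# The thread's case: report where PGPpwflt sits. Being last in the list does
# not exempt it; every listed provider is notified for every interactive logon,
# a smart card logon included.
$chain | Where-Object Provider -eq 'PGPpwflt' |
    ForEach-Object { 'PGPpwflt is provider #{0} in {1}' -f $_.Position, $_.OrderKey }
```

Run it in an elevated PowerShell on a machine with SED installed and compare the output against a machine without it; the only difference in the two `ProviderOrder` lists should be the trailing `PGPpwflt` entry the post describes. The same listing is a useful baseline check in general, because anything in this chain receives logon credentials.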