MattDunn
Advisor

Preboot Password Change Question

I'm trying to figure something out - maybe someone understands this better and can explain?

I have the full Endpoint client installed, including FDE with preboot auth, and VPN.

I currently have the Endpoint policy password sync set as "bi-directional".

I have two scenarios.  The first one sets the scene.  The second one is my actual problem now.

Scenario 1 - User wants to change their password.

  • On the Preboot screen - click "Change Password"
  • Change the password.  Old password, New password, etc.
  • Boot into Windows.  Ctrl+alt+del.  You still need your OLD password.  It doesn't sync.

Presumably because it's a domain user, and while I am sitting at home the laptop can't talk to the Domain Controller to do the password update.  Kind of makes sense.

So....

  • VPN client - enable Secure Domain Logon.
  • Reboot.
  • Try again - Preboot password change....

This time, when it boots into Windows, the VPN login pops up first.  Perfect! 😍   Log in to VPN, then it carries on into Windows (SSO) and the user's domain password is also updated in the background.  Perfect!  And I prove this by locking or logging out of Windows; then it needs the new password to get back in.  Great.  All good.

Fast forward to the next scenario...

Scenario 2:  User forgets their password.

This time we need to use Remote Help, challenge/response to issue a password reset.  This bit works fine until it boots into Windows.

Now in Windows, Secure Domain Logon does NOT trigger.  It just sits at the Windows Ctrl+alt+del login screen wanting the OLD (forgotten) password.  So we still can't log in to Windows.

Is there a reason why SDL works for a normal password change, but not for a challenge/response password change?

Am I just missing something really obvious?  (probably!).

How do other people deal with challenge/response password changes for updating domain computers while they are off the LAN?  How do I log in to Windows in this offline scenario if password sync doesn't update the Windows password and I've forgotten my old password?

5 Replies
PhoneBoy
Admin

I just went through a variant of the second issue myself in the process of changing my password.
I believe what I did as a user was not try to change my password from Pre-boot but use one-time login, which got me into Windows.
Then when I logged into Windows and started up the VPN, I changed my password, which synced the pre-boot password almost immediately.
This is without SDL though.

MattDunn
Advisor

Thanks Dameon.  I'll do some testing with one-time login instead.  I guess the same problem stands once in Windows though.  If the user has forgotten their password, they can't enter the current password during the password change.

Maybe the answer is one-time login, SSO into Windows, then get the domain admin to change the password at that level, so that when the user has connected to VPN and does the password change, they have a known current password to do the change with?  That may well be affected by the other issue I saw in a recent post about VPN disconnecting when you lock the screen?  A bug in E84.20, I believe?  I'll do some testing and see how I get on 🙂 ....

PhoneBoy
Admin

That's basically what happened in my case: someone changed my password to a known value that was resynced to my system once I got reconnected to the VPN.

MattDunn
Advisor

Hmm, when I log in to preboot normally, it goes straight into Windows using SSO.  Great.

But when I do the Remote Help "One Time Login" option at preboot, it then gets to Windows and sits waiting for me to log in; no SSO.  So, assuming I've forgotten my password, I'm now stuck once again.

Maybe I'll log it with TAC and see what they say...

PhoneBoy
Admin

It's possible I got that wrong and did the other option instead...which now that I think about it, might make more sense.
