When a user changes the Active Directory (AD) password in Windows, the change is not propagated to the preboot cache of the AD password. This happens because Windows is deliberately blocked from writing to the preboot area as a security measure: the preboot area is write-locked and encrypted so that a malicious program cannot tamper with the preboot environment.
Trend Micro has a SyncPassword tool that is able to update the preboot cache with the new AD password. The tool is located in C:\Program Files\Trend Micro\Full Disk Encryption\SyncPassword.exe.
If a user changes a domain password in Windows, there are two (2) methods to get the password updated on the Full Disk Encryption (FDE) client preboot.
Option A. Connect to the Policy Server during preboot
When the machine has a working network connection to the Policy Server and Active Directory during preboot, the user can authenticate at the FDE preboot using the new domain password. Once the authentication has successfully completed, the preboot cache is updated with the new password.
On the endpoint's next reboot, even without a network connection, the user can log in with the new domain password because the cached password has already been updated.
Option B. Use the SyncPassword Tool
When the machine has no network connection to the Policy Server during preboot (e.g. laptops outside the network that rely on a VPN client in Windows), the user may not be able to use the new domain password in preboot right away. Since VPN is not supported in preboot, the cached password is not updated after the domain password is changed. The PAF/cached password can only be updated when the preboot can connect to the Policy Server and pass preboot authentication, or when the SyncPassword Tool is used.
To use the SyncPassword Tool:
- Locate the SyncPassword tool in C:\Program Files\Trend Micro\Full Disk Encryption.
- Double-click the file SyncPassword.exe to run the tool.
- Type the username in the User Name field.
- Identify the password:
  - For a user in a domain group, the password is the current Domain Password set in Active Directory.
  - For a user in a non-domain or non-token authentication group, the password is the Fixed Password set in the Policy Server.
- Enter the user's password in the Password field.
- Click Continue.
- Click OK when "Password Sync is Completed" message appears.
If the issue persists, collect the following logs and submit them to Trend Micro Technical Support:
- Collect the preboot.zip log under C:\Program Files\Trend Micro\Full Disk Encryption\log\
- If the machine has a working connection to the Policy Server, get the policy server log with Diagnostic Monitor while replicating the logon event.
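The following PowerShell script is an added example, not a Trend Micro tool, that automates the log collection step above: it confirms the FDE installation and the SyncPassword tool are present at the paths named in this article, then copies preboot.zip into a timestamped support bundle folder. The bundle location (C:\Support) and the assumption that the script runs from an elevated prompt (needed to read under Program Files on a hardened build) are the script's own, not the article's.

```powershell
# Added example: gather the FDE preboot log for a support case.
# Paths below are the ones named in the article; $BundleRoot is an assumption.
$FdeRoot      = 'C:\Program Files\Trend Micro\Full Disk Encryption'
$SyncTool     = Join-Path $FdeRoot 'SyncPassword.exe'
$PrebootLog   = Join-Path $FdeRoot 'log\preboot.zip'
$BundleRoot   = 'C:\Support'   # assumption: where the support bundle is written

# Assumption: run from an elevated prompt so the FDE log folder is readable.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warning 'Not running elevated; reading the FDE log folder may fail.'
}

# Check that the FDE client and the SyncPassword tool are where the article says.
if (-not (Test-Path $FdeRoot)) {
    throw "Full Disk Encryption folder not found: $FdeRoot"
}
if (-not (Test-Path $SyncTool)) {
    Write-Warning "SyncPassword.exe not found at $SyncTool; the FDE client may be incomplete."
}

# Build a bundle folder named after the host and the time of collection.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$bundle = Join-Path $BundleRoot ("FDE-{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $bundle -Force | Out-Null

# Copy preboot.zip (the log the article asks for) into the bundle.
if (Test-Path $PrebootLog) {
    Copy-Item -Path $PrebootLog -Destination $bundle
    Write-Host "Copied preboot.zip to $bundle"
} else {
    Write-Warning "preboot.zip not found at $PrebootLog"
}

# Record basic context for the support engineer alongside the log.
@(
    "Host: $env:COMPUTERNAME"
    "Collected: $(Get-Date -Format o)"
    "SyncPassword.exe present: $(Test-Path $SyncTool)"
    "preboot.zip present: $(Test-Path $PrebootLog)"
) | Set-Content -Path (Join-Path $bundle 'collection-info.txt')

Write-Host "Support bundle ready: $bundle"
```

The Policy Server side (the Diagnostic Monitor capture while replicating the logon event) is still done manually on the server, so this script only covers the endpoint half of the log collection.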