Using the SyncPassword Tool to synchronize Active Directory password changes in preboot

    • Updated: 12 Nov 2020
    • Product/Version: Endpoint Encryption
    • Platform: N/A
Summary

When a user changes the Active Directory (AD) password in Windows, the preboot cache for the AD password is not updated. This occurs because Windows is blocked from writing to the preboot as a security measure: the preboot area is encrypted and locked against writes to keep a malicious program from exploiting the preboot for its own ends.

Trend Micro provides a SyncPassword tool that can update the preboot cache with the new AD password. The tool is located at C:\Program Files\Trend Micro\Full Disk Encryption\SyncPassword.exe.

Details

If a user changes a domain password in Windows, there are two (2) methods to get the password updated on the Full Disk Encryption (FDE) client preboot.

Option A. Connect to the Policy Server during preboot

When the machine has a working network connection to the Policy Server and Active Directory during preboot, the user can authenticate at the FDE preboot using the new domain password. Once the authentication has successfully completed, the preboot is updated with the new password.

On the endpoint's next reboot, even with no network connection, the user can log in with the new domain password because the cached password has already been updated.

Option B. Use the SyncPassword Tool

When the machine has no network connection to the Policy Server during preboot (e.g. laptops outside the network that use a VPN client in Windows), the user may not be able to use the new domain password in preboot immediately. Because VPN is not supported in preboot, the preboot is not updated with the new password after the domain password is changed. The PAF/cached password can only be updated when the preboot can connect to the Policy Server and pass the preboot authentication, or when the SyncPassword Tool is used.

To use the SyncPassword Tool:

  1. Locate the SyncPassword tool in C:\Program Files\Trend Micro\Full Disk Encryption.
  2. Double-click the file SyncPassword.exe to run the tool.

  3. Type the username in the User Name field.
  4. Identify the password.
    • For a user in a domain group, the password would be the current Domain Password set in Active Directory.
    • For a user in a non-domain or non-token authentication group, the password would be the Fixed Password set in the Policy Server.
  5. Enter the user's password in the Password field.
  6. Click Continue.
  7. Click OK when the "Password Sync is Completed" message appears.

If the issue persists, collect the following logs and submit them to Trend Micro Technical Support:

  1. Collect the preboot.zip log under C:\Program Files\Trend Micro\Full Disk Encryption\log\
  2. If the machine has a working connection to the Policy Server, get the policy server log with Diagnostic Monitor while replicating the logon event.
Category: Troubleshoot
Solution Id: 1095148