If your user has forgotten their Full Disk Encryption password, or has entered it incorrectly too many times, you will need to recover their login using the Enterprise Server. To do this, perform the following steps:
- From the Enterprise Server, you will need to find the user's workstation by either clicking Workstations or the team within which the user's machine is located in the navigation tree.
- Click on the workstation in the right-hand window to highlight it.
- Click the Details button.
- When the workstation card appears, select the FDE Logins tab, select the appropriate FDE user account then click the Recover button.
- You will be presented with the following window
- On the user's workstation, have the user select option 2 - Lost details from the menu, then enter their username in the window as shown below.
- Once the user is correctly recognised, an Index number will appear, which indicates which recovery password needs to be entered (example shown below where the index is 00000000).
- Ask the user what Index number is displayed. If it is different to the value for Recovery Index shown in the Enterprise Server, use the arrow buttons to change the selection to the matching index. Once you have confirmed the user you are communicating with is the correct user, read the Recovery Password to them so they can enter it in the password entry. Note that the recovery password is also displayed in phonetics to prevent any misinterpretation of the characters.
- As soon as the user has input the recovery password which you have given them, they will then be informed of how many recovery uses they have remaining.
- They will need to press Enter, which will then boot their machine and give them access to it.
Important: The password policy enforced in the Recovery screen may differ from your current Group Policy. This is because the policy is tied to the user's FDE Login at the time it was added to the Workstation.
- If the login is an SSO login, Windows will start without requiring the user to enter a new password. When the user enters their Windows password and logs into their Windows profile, their FDE and Windows passwords are automatically resynchronised.
- Reboot to check that the SSO password has successfully processed the re-sync.
- Once the user has booted into Windows, from the Enterprise Server, click the Update Recovery button (shown below) to send a new recovery password to the machine for use in the future.
KB397 - User is still in recovery mode