What happens when the network password is changed for a user with an SSO FDE login?
Suppose a user has an FDE login on an encrypted workstation that uses Single Sign-On (SSO). This enables them to boot directly into Windows by entering their normal Windows login password into the FDE pre-boot login. In most cases this password would be their domain password, but it could equally be the password of a local Windows account. The pre-boot FDE login username can be anything and is in no way related to their domain or Windows login username.
Normal use case
If this password is changed on the machine directly, then the FDE login password should automatically be updated. Therefore the pre-boot login password should automatically remain in sync with the network password.
However, there are cases where this does not happen. For example, the password could be changed directly on the domain server, or the user could have multiple FDE logins and the network password could be changed on one machine, which of course would not affect any other machines.
Password out of sync
Changing the password on the server, or on another machine, can cause the pre-boot FDE login to become out of sync with the Windows login. This will result in the failure of SSO to log into Windows.
Alternatively, the user may simply forget their password and will be required to perform Full Disk Encryption password recovery.
In both cases it is likely the machine will simply boot to the Windows login screen and not progress.
If SSO fails, the user must manually log into Windows.
Once this is done, Windows will begin to load. Very soon you should see a dialog prompting you to resynchronise the password.
This dialog will confirm:
The dialog will require the user to enter:
Please note that this dialog is asking for the current FDE login password. That is the password that was just entered to boot the workstation, or the password that was chosen in the FDE recovery process. It is not asking for the Windows login password.
If you successfully enter the password you will see the following message.
If you do not see this message, it is likely that you entered the password incorrectly and the pre-boot password will not have been updated. Please reboot and try again; if you cannot log in with the new password, try the old password.