SafeGuard Enterprise: Password change scenarios

  • Article ID: 117256
  • Rating:
  • 11 customers rated this article 2.4 out of 6
  • Updated: 12 Feb 2016


The user is either prompted to enter their old password when they change their password, and/or they cannot log in to the computer using their new password.

First seen in
SafeGuard Management Center / Local Policy Editor
SafeGuard Easy
SafeGuard Device Encryption

Background information

SafeGuard Enterprise (SGN) creates a certificate and a .p12 for every user that is a "SafeGuard Enterprise POA user". Initially, certificates are created at the SGN backend i.e SafeGuard is installed on a client machine and it synchronises with the backend and starts the initial UMA process (where the user requests a certificate from the SGN server) with POA not being active.

Once the process has been completed and the POA becomes active, the user can authenticate at POA with their Windows password.

If a user wants to change their password, the correct way of doing this is:

POA | Options | Check 'Change password at next logon'
Ctr+Alt+Del | Change A Password... in Windows on their SafeGuard protected machine.

If the user is already an SGN User with an existing user certificate, the user certificate (.p12) will be re-encrypted with the new user password once changed on the client machine. 

If a password change is done when the SGN server is not available, the client prepares packages which will be sent to the server on next contact to update the users certificates in the SafeGuard database. Although the certificate is not yet uploaded, the user should be able to authenticate at POA using their new password because the certificate already existed on the client and was “only” re-encrypted with the new password.


There are various reasons why a user is prompted to enter their old password and/or cannot log into the computer using their new password. The old password prompt should only appear if the password is out of synchronisation. Provided a user is able to enter their old password once, the prompt should go away on subsequent boot-ups if they are added to the computer as SGN users and have a valid certificate stored in the Management Centre.



Below are some of the scenarios where an old password prompt may occur and/or a user is not able to log in via their new password. These occur on managed computers:

1. Password is changed in AD

If a password has been changed in AD, this will not have an effect on the client computer(s) which the user logs in to, until the computer is synchronised with the Management Centre.

Quite often passwords are changed directly in Active Directory, not locally on the SGN client computer. As a result the SGN Client keeps asking for an old password when the user is trying to log in to his/her Windows profile. If the user knows their old password, they can enter this and log into the computer, synchronise with the Management Centre and the password information on the computer is updated.

If the user does not remember their old password then please follow the instructions in KB article 112239: SafeGuard Enterprise: User is asked to provide their 'old password' during logon to Windows

2. User on multiple computers changes their password on one computer but still has to enter the old password on a different computer

Changing the password locally on a computer and synchronising with the Management Centre will update the password (that is required at POA) on the local computer, but it will not be updated on all the other clients until they have synchronized with the SafeGuard Enterprise Server.

To resolve this issue, the user can log on to the computer using their old password and synchronise with AD. Please refer to KB article 109038:SafeGuard Enterprise: Password handling when a user is using more than one computer

Alternatively, perform a Challenge Response and enter in the new password at Windows login, as described in the following documentation:

3. Change password on a non-SGN client computer

Changing the Windows password on a non-SGN client computer will not change the password associated to the user on an SGN computer. This is because the computer does not synchronise with the Management Centre to update the user information and generate a new p12 certificate.

The resolution for this is the same as Scenario 2. 

4. Corrupted Certificate

A user cannot pass POA authentication even though the password is correct. The user can verify the password, a Challenge Response is performed, and chooses the option to show password.

However, every time the user logs on to Windows, SGN asks for the old password, even if the password is typed exactly as displayed in the POA. It cannot unlock the certificate.

Please refer to Article 110638 on how to resolve this: Cannot log on to POA with SafeGuard Enterprise even though the password you are typing is correct

5. The user is not an SGN user or SGN owner on the computer

The user is not an SGN user or SGN owner on the computer. When they change their password, it does not synchronise with the Management Centre. Hence, password change will only be actioned on the same computer. When the user logs in to another computer where they are an SGN user/ owner, they will be prompted for their old password.

This is similar to Scenario 3, a Challenge Response will be required.

Additional Information

Flowcharts are provided in the 'Recovery in SGN' pdf guide. Click on a chart to enlarge it.

Password Recovery in SafeGuard Enterprise 5.5x and later 

Related KBA:

SafeGuard Enterprise: Recovery scenarios

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent