How to wrap a third party credential manager
Symptoms
  • FDE is stuck in User Acquisition.
  • Auto login does not work.
  • Possible additional symptoms, as seen on a machine on which GlobalProtect 5.0.5 and FDE (E81.10) were installed:

    The Windows sign-in screen is not displayed when locking the screen or rebooting the machine after FDE is installed.

    The Windows login screen loops and it is no longer possible to sign in to Windows.
Cause

The FDE Credential Provider may conflict with 3rd party Credential Providers. A 3rd party Credential Provider could be in use if, for example, you are using fingerprint logon, Smart Card logon, some other password synchronization, or an SSO solution that installs a Credential Provider.

Note: Neither Next Generation Credentials nor 3rd party biometric credentials are supported.


Solution

Configure FDE to use (wrap) a 3rd party provider, instead of the Microsoft password provider, with the fdecontrol program.

Configuration uses the fdecontrol program located in the Full Disk Encryption installation directory. The following fdecontrol options can be used to configure the FDE Credential Provider:

set-wrapped-provider <guid> [type] [filter] - Set the Credential Provider that is to be used by FDE for password sync/SSO, identified by its provider GUID.

    type (optional): 'p' : password (default), 's' : SmartCard
    filter (optional): governs whether or not the wrapped provider should be filtered; '1' : Filter (default), '0' : No filter

clear-wrapped-provider [type] - Clear the Credential Provider that is to be used by FDE for password sync/SSO, identified by its provider GUID.

    type (optional): 'p' : password (default), 's' : SmartCard

list-installed-providers - List all installed Credential Providers, the FDE wrapped provider, and the provider used for last logon.

Example use:

  1. Start a command line (cmd) with administrative rights.
  2. Navigate to FDE folder: cd C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption
  3. List the installed credential providers: fdecontrol list-installed-providers
  4. From the displayed list of providers choose the GUID of the provider to be used by FDE.

    fdecontrol set-wrapped-provider {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}

Also check the registry to confirm that it shows FDE as the credential provider. The relevant key is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\

If "LastLoggedOnProvider" is "{FDEF1242-8B8B-4D0E-AE73-257CEB8776A5}" the Check Point provider was used.
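A read-only PowerShell check of the same registry locations, added here as an example (it is not part of the Check Point article). It assumes the FDE provider GUID quoted above and the standard Windows layout of the "Credential Providers" key, where each subkey is a provider GUID and its default value is the provider's display name; run it from an elevated prompt after the fdecontrol steps.

```powershell
# Added example, not from the article: report which Credential Provider handled the
# last logon and list the installed providers. Nothing is changed; wrapping itself is
# still configured with fdecontrol set-wrapped-provider / clear-wrapped-provider.

$FdeProviderGuid = '{FDEF1242-8B8B-4D0E-AE73-257CEB8776A5}'   # Check Point FDE provider, from the article
$LogonUiKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'

function Get-LastLogonProvider {
    # GUID recorded by LogonUI for the provider used at the last logon, or $null if absent.
    (Get-ItemProperty -Path $LogonUiKey -ErrorAction SilentlyContinue).LastLoggedOnProvider
}

function Get-InstalledCredentialProviders {
    # Assumed standard layout: each subkey is a provider CLSID, default value is its name.
    Get-ChildItem -Path $ProvidersKey -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Guid = $_.PSChildName
            Name = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

$last = Get-LastLogonProvider
if ($null -eq $last) {
    Write-Output 'LastLoggedOnProvider is not set: no interactive logon has been recorded yet.'
} elseif ($last -ieq $FdeProviderGuid) {
    Write-Output "Last logon used the Check Point FDE provider ($last)."
} else {
    # A different provider handled the logon, so FDE user acquisition / SSO may not have run.
    $name = (Get-InstalledCredentialProviders | Where-Object { $_.Guid -ieq $last }).Name
    Write-Output "Last logon used a different provider: $last ($name)."
}

Write-Output ''
Write-Output 'Installed Credential Providers (candidate GUIDs for fdecontrol set-wrapped-provider):'
Get-InstalledCredentialProviders | Format-Table -AutoSize
```

The output complements fdecontrol list-installed-providers: if the last-logon GUID is not the FDE one, the wrapping is not in effect and the machine will show the symptoms listed at the top of this article.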


Interoperability must be tested on a case by case basis by performing the above steps.


The model implemented and described herein is likely to fail with Credential Provider types other than the so-called wrapping providers.

Also note that trying to wrap a Credential Provider may result in inability to login to Windows.

If failure to login occurs, the machine has to be rebooted into Windows Safe Mode, and the wrapping must be removed with the "clear-wrapped-provider" command described above.

In Windows 10, the Safe Mode boot must be triggered by holding down the "Shift" key while selecting the "Restart" option, and then selecting "Troubleshoot > Advanced Options > Startup Settings > Restart".

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
