Authenticating using a rekeyed or replaced smart card
From time to time, your token administrator may rekey or replace your smart card. Situations can include:
- New certificates are issued to the original smart card, when certificates have expired or been revoked.
- New certificates are issued on a new smart card, when the card has expired, or was lost or stolen.
When your smart card or certificates are changed, the new credentials take effect for your Windows login automatically. Your Drive Encryption smart card preboot login requires a separate, parallel change. When you log in to Windows using your rekeyed or replaced smart card, Drive Encryption recognizes the change, verifies you as an Active Directory user, and silently reregisters you. No assistance is required.
If the change in smart card credentials takes place when your system is in a preboot state, however, you need to use any Drive Encryption recovery method to bypass preboot. These methods include Drive Encryption Self-Recovery, Drive Encryption Help Desk Recovery, having a client administrator log in, or having another user log in if multiple users are registered to your computer. At the Windows prompt, log in to your existing Windows account with your rekeyed or replaced smart card, to trigger the Drive Encryption reregistration.
The two following tables list the steps and actions for authenticating using a rekeyed or replaced smart card. The first table covers a smart card that is changed while you are logged in to Windows; the second covers a smart card that is changed while your computer is in a preboot state.

Smart card rekeyed or replaced while logged in to Windows:

| Step | Action | Description |
|---|---|---|
| 1 | Receive your rekeyed or replaced smart card from your administrator and immediately log in to Windows. | When your administrator issues you a rekeyed or replaced smart card, the information in Active Directory is updated for your Windows login. Log in to Windows using your rekeyed or replaced smart card. Drive Encryption recognizes the change, verifies you as an Active Directory user, and silently reregisters you. If you are already logged in to Windows with old credentials, log out, then log back in with your rekeyed or replaced smart card. |
Smart card rekeyed or replaced while your computer is in preboot:

| Step | Action | Description |
|---|---|---|
| 1 | In your preboot environment, attempt to authenticate. | Use your rekeyed or replaced smart card at the preboot login prompt. |
| 2 | Regain access to your encrypted computer using any recovery method. | When your login fails, invoke any Drive Encryption recovery method (Self-Recovery, Help Desk Recovery, a client administrator login, or another registered user's login) to gain access to Windows. |
| 3 | Log in to Windows using your new credentials. | Once you regain access to the Windows login prompt, select your existing Windows account and log in using your rekeyed or replaced smart card. Drive Encryption silently reregisters you. Your change of credentials is complete. |
| 4 | Restart your computer, as needed. | The next time you restart your computer, authenticate in preboot using your rekeyed or replaced smart card. Your preboot credentials are now identical to your Windows credentials, so single sign-on works again and you are authenticated to Windows. |