
KB-7921: Some versions of Symantec Endpoint Encryption would bypass Centrify Windows Agent login

Authentication Service

1 March,18 at 03:16 PM

Applies to:  Centrify DirectControl Agent for Windows Suite 2016.1

It has been found that some versions of Symantec Endpoint Encryption bypass the Centrify Windows Agent login.

Different versions of Symantec Endpoint Encryption may use different Credential Provider IDs. 

Configure a GPO to exclude the correct version of Symantec Endpoint Encryption with the following steps:
1) Find the Credential Provider ID for the currently installed Symantec Endpoint Encryption
- Go to the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers".
- Under this registry key, click each subkey and look at the 'Data' column of the '(Default)' value to find the Symantec credential provider, which is named "eedCredentialProvider".

- When it is found, copy the sub key name which is a CLSID string, e.g.
2) Create a GPO to exclude the credential provider
- Go to the Centrify GP located at "Computer Configuration\Centrify Settings\Windows Settings\MFA Settings".
- Enable the GP "Specify the credential providers to exclude from the logon screen".
- Put the Symantec Credential Provider CLSID string copied in Step 1 (enclosed in {}) into the value field, together with the pre-filled CLSIDs (for the Microsoft Password Credential Providers). Separate multiple CLSIDs with commas.
Note that for the 2016.1-R2 release, the GP template files are located in the Centrify Agent installation folder; for example, add the centrify_windows_settings.admx, adml, or xml template files to GPOE from "C:\Program Files\Centrify\Centrify Agent for Windows\".
3) Push these GP settings to the client machine for them to take effect.
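
The registry lookup in step 1 and the comma-separated value for step 2 can be scripted. The following PowerShell is an added example, not Centrify or Symantec code; the `$preFilled` list is a placeholder for the CLSIDs already present in the GP value field, and the variable names are illustrative.

```powershell
# Added example: run on the client machine that has Symantec Endpoint Encryption installed.
$root    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$pattern = 'eedCredentialProvider'   # provider name given in step 1 of this article
# Assumption: paste the CLSIDs that are pre-filled in the GP value field here, each in {} form.
$preFilled = @()

# Each subkey name is a CLSID; its '(Default)' value holds the provider name.
$providers = Get-ChildItem -LiteralPath $root -ErrorAction Stop | ForEach-Object {
    [pscustomobject]@{
        Clsid = $_.PSChildName
        Name  = [string]$_.GetValue('')   # '' reads the (Default) value
    }
}

# List every registered provider so unexpected entries are visible as well.
$providers | Sort-Object Name | Format-Table -AutoSize

$found = @($providers | Where-Object { $_.Name -like "*$pattern*" })
if ($found.Count -eq 0) {
    Write-Warning "No credential provider named like '$pattern' is registered on this machine."
    return
}
if ($found.Count -gt 1) {
    Write-Warning 'More than one matching provider found; review each before excluding it.'
}

# Normalise to the brace-enclosed form the GP value expects and check the CLSID shape.
$guidShape = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$clsids = @(foreach ($p in $found) {
    $c = '{' + $p.Clsid.Trim('{}') + '}'
    if ($c -notmatch $guidShape) {
        Write-Warning "Skipping subkey '$($p.Clsid)': not a CLSID."
        continue
    }
    $c
})

# Value for "Specify the credential providers to exclude from the logon screen".
$value = (@($preFilled) + $clsids | Select-Object -Unique) -join ','
"GP value: $value"
```

Compare the printed CLSID with the one seen in the registry editor before placing it in the GPO, since different Symantec Endpoint Encryption versions may register different IDs.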

This will be fixed in Suite 2017.