There are two methods to reset the smart card token: PKI and Self-Initializing. The method used is determined by how the token data is created.
Method 1 (PKI): Pre-initializing the token data. The user's certificate is imported into Active Directory (AD) and the Provide LDAP user certificate option is selected in the user-based policy (UBP). These tokens can be reset manually or by using the LDAP sync task.
- Manual token reset:
  - At pre-boot, the user selects Options, Recovery, Administrator Recovery.
  - The administrator selects Menu, Data Protection, Encryption Recovery, and types the code from the user. The administrator then selects Machine Recovery.
  - The user types the code given to them by the administrator. After logging in to Windows, the user must sync EEPC or DE until the policy enforcement is complete.
  - The administrator selects Menu, Reporting, Queries & Reports and runs the EE: Users or DE: Users query. In the query output, the administrator selects the user, and then clicks Actions, Endpoint Encryption, Reset Token.
  - The administrator then imports the new certificate into AD and runs the LDAP sync task: EEPC LDAP Sync for EEPC v7.x, or LDAPSync: Sync across users from LDAP for DE 7.1.x.
  - While logged on, the user syncs EEPC or DE until the policy enforcement is complete so that the changes are received. The next time the user logs on, the new certificate is seen.
- LDAP Sync token reset:
  - The administrator imports the new certificate into AD and runs the LDAP sync task:
    - EEPC LDAP Sync task for EEPC v7.x,
    - LDAPSync: Sync across users from LDAP for DE 7.1.x.
  - While logged on, the user syncs DE or EEPC until the policy enforcement is complete so that the changes are received. The next time the user logs on, the new certificate is seen and the user is prompted to enter their new PIN.
NOTE: A successful LDAP Sync token reset shows the following in the MfeEpe.log file:
  INFO UserLib userLib: user user_name (82F2EC256191F146B189DE97F6E13BB6) has had certificate updated
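To confirm the reset from the log instead of by eye, the following added example (not McAfee's code) scans MfeEpe.log lines for the message quoted above. Only the certificate-updated message text is taken from the article; the timestamp/process-id prefix on each line and the other filler lines in the sample log are constructed assumptions.

```python
import re
from typing import Dict, List

# Message written after a successful LDAP Sync token reset (format quoted from
# the article). The fields before INFO (timestamp, process id, ...) are not
# shown in the article and vary by version, so the pattern is anchored on the
# message text rather than on the start of the line.
CERT_UPDATED_RE = re.compile(
    r"INFO\s+UserLib\s+userLib:\s+user\s+(?P<user>\S+)\s+"
    r"\((?P<user_id>[0-9A-Fa-f]{32})\)\s+has had certificate updated"
)


def parse_certificate_updates(lines) -> List[Dict[str, object]]:
    """Return one record per 'certificate updated' event found in the log lines."""
    events = []
    for line_no, line in enumerate(lines, start=1):
        m = CERT_UPDATED_RE.search(line)
        if m:
            events.append({
                "line": line_no,
                "user": m.group("user"),
                "user_id": m.group("user_id").upper(),
            })
    return events


def token_reset_confirmed(lines, user: str) -> bool:
    """True if the log records a certificate update for the named user (case-insensitive)."""
    return any(e["user"].lower() == user.lower() for e in parse_certificate_updates(lines))


# Constructed sample log. The prefix before INFO is assumed, and the lines
# other than the 'has had certificate updated' one are constructed filler,
# not real product messages.
SAMPLE_LOG = """\
2024-01-15 09:12:01 [1234] INFO UserLib userLib: LDAP sync started
2024-01-15 09:12:03 [1234] INFO UserLib userLib: user jdoe (82F2EC256191F146B189DE97F6E13BB6) has had certificate updated
2024-01-15 09:12:03 [1234] WARN UserLib userLib: user asmith (0123456789ABCDEF0123456789ABCDEF) certificate not found in LDAP
2024-01-15 09:12:04 [1234] INFO UserLib userLib: LDAP sync finished
""".splitlines()

if __name__ == "__main__":
    for e in parse_certificate_updates(SAMPLE_LOG):
        print(f"line {e['line']}: {e['user']} ({e['user_id']})")
    print("jdoe reset confirmed:", token_reset_confirmed(SAMPLE_LOG, "jdoe"))
```

To check a real file, replace SAMPLE_LOG with the lines read from MfeEpe.log on the client.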
Method 2 (Self-Initializing): The client performs the initialization of the token data:
  - At pre-boot, the user selects Options, Recovery, Administrator Recovery.
  - The administrator selects Menu, Data Protection, Encryption Recovery, and types the code from the user. The administrator then clicks User Recovery, Reset Token, and selects the user with the new CAC card.
  - The user types the code provided by the administrator. The user is prompted to register the new token. After registering the new token, the user can authenticate with the new CAC card.