000035250 - Cannot log on to Microsoft Windows 8.1 with RSA Authentication Agent 7.3.x for Windows after Windows update is applied using Update and Restart until a second reboot.

Document created by RSA Customer Support Employee on Jun 13, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035250
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.3.x
Platform: Windows 8.1
IssueWhenever a Windows update invokes an automatic system restart (for example, if a user installs updates using the Start menu Update and Restart option) , the user has to reboot the Windows 8.1 laptop twice before he gains access to his machine. After the Windows update followed by a reboot, the user sees the RSA SecurID prompt. The user types his login and passcode and is prompted with the Windows password prompt. After submitting the password, it loops backs to the RSA prompt. The user types his passcode and receives the Windows password prompt. The user submits his password multiple times but cannot log on. The prompt then becomes unresponsive. The user has no choice but to reboot the machine.
CauseLocking the desktop immediately after the first logon following Update and Restart is the default behavior on Windows starting with Microsoft Windows 8.1 and Microsoft Server 2012 R2.
ResolutionThe behavior is controlled by a Microsoft policy named Sign-in last interactive user automatically after a system restart (details below). Disabling the policy avoids the problematic locking of the user desktop.  To implement the workaround:
  1. Open the relevant Group Policy Editor (gpedit.msc for local policies or the Group Policy Management tool for domain policies).
  2. Open Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options.
  3. Open the policy Sign-in last interactive user automatically after a system restart.
  4. Set the policy to Disabled.
  5. If you are setting a domain policy, force a policy refresh; for example by invoking gpupdate /force from the command line.
WorkaroundDisable the Microsoft Group Policy Sign-in last interactive user automatically after a system-initiated restart to prevent the Windows auto-logon/auto-lock behavior.