I'll try to be brief and yet descriptive enough to get some help. We are in dev to deploy EEFF 3.2.5 along-side existing EEPC 5.2.5 and we have a MAJOR problem. We have 3 types of users and therefore 3 separate policies. We are using SSO to prevent multiple logons, and it's highly recommended, if not required for us to maintain SSO.
Admin = Encrypt Removable, not CD/DVD
Office = Encrypt Removable and CD/DVD
Engineering = Encrypt NOTHING
Short explaination for differences, on occasion, we need to burn .iso for various things in the admin environment. Engineering users must transfer data to external media to then transfer to machinery in the manufacturing area. This cannot be encrypted, as most are not Windows based.
So, here's the deal breaker.
I've made an install set from the Engineering policy, which I don't think is relevant, but I log onto EEPC with an Admin user. This user gets SSO and his policy to encrypt as expected. The Admin user logs off, the Engineering user logs on. The Engineer is NOT prompted for credentials. He then access a USB drive and any data he saves IS ENCRYPTED.
This scenario is repeatable if I log onto EEPC with the Engineering user, he gets proper policy and when logs off, the Admin user does not get proper policy.
In either case, the second user appears to be maintaining the EEFF policy and such from the user that initially passed through EEPC with SSO.
If the second user manually chooses to sync to EEFF and authenticate, they get the proper policy, but again, if they log off, the next person along does not.
The conclusion I get from this is that when a user logs off, the key and therefore the policy, IS NOT DELETED. This is in direct contrast to the description on page 46 of the EEFF 3.2.5 Administration Guide.
: When doing a Windows logoff, all the encryption keys are automatically closed. Thus, for each new
Windows logon, a Endpoint Encryption for Files and Folders authentication is required in order to access
SAFEBOOT PLEASE HELP ME
SafebootMEE was kind enough to recreate this scenario in his dev using 3.2.4 so I believe this to be a product fault, not my environment.
Is the quote above a deprecated feature, or is the product not functioning as designed?
If it were possible to script "Unload All Keys", then I could apply that through GPO to the logoff, but I don't believe there's any scripting for EEFF.
Can anyone else verify my issue, offer advise, provide a remedy, or acknowledge that it's going to be addressed?
the problem is you didn't log off to EEPC, you only logged off to Windows - because you linked the EEFF/EEPC policies together, when the new user logs into Windows EEFF (helpfully) uses the pre-boot credentials for authentication.
You're caught in an incompatible policy loop - there's no "log on with EEPC credentials seamlessly unless the user logs off and logs on as someone else" policy option.
And sorry, no, there's no scripting option to unload all the keys either.
Well, we've modified our original Engineering policy to "Use regular encryption" and then "Ignore existing content" and "Make all removable media plaintext".
The result is that if an Office user passes through EEPC SSO and gets policy, that user can logoff and the Engineer can logon. The Engineer gets his proper policy and does not encrypt drives.
Another nice side effect of switching from the "Use no removable media encryption" option was that this policy no longer encrypts items when the presence of the key is already on the media.
However, if the Engineer logs off and the Admin logs in, the Admin does not get new policy. This is independent of which policy is used to create the install set.
What I don't understand is why it works one direction and not the other. Clearly, at some point it's not working correctly.