rogue8
Level 7
Message 1 of 15

EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

I've been doing this for quite some time and have never seen anything like this, so I'm reaching out to the community. Has anybody ever seen the safeboot password get set to a local admin password while logged in with a different Windows account? Both safeboot account and Windows account usernames match. An example is, I log in with the domain account 'safeboot' to Windows. With 'Set Endpoint Encryption Password to Windows Password' enabled, once logged into Windows, it will set the safeboot password to a local admin account, not the account I'm logged in with. So when I reboot and log in to pre-boot with account 'safeboot', the password isn't matched to the 'safeboot' Windows account, it's matched to the local admin account. Also, if I enable SSO and watch safeboot pass the Windows credentials, it uses the local admin account even if I originally logged in with 'safeboot' account..... Make sense? Has anybody ever seen this?

1 Solution

Accepted Solutions

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

There is an issue with SSO when it attaches to Vmware_user or HelpDesk accounts. Exclude them by using:

SBWinLogonOpts.XML

This file can be used to exclude users from single-sign-on logon, e.g. VMware user accounts can overwrite the single-sign-on even though the “Must Match the Window user name” option has been selected.

    <SafeBoot>
      <SetSbPwd>
        <Exclusions>
          <User name="__Vmware_User__" />
        </Exclusions>
      </SetSbPwd>
    </SafeBoot>

14 Replies
Reliable Contributor SafeBoot
Message 2 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

If you don't have the "must match username" option ticked, the SSO details will get set to whatever Windows reports them to be, so yes, it's entirely possible to get mismatched details stored.

It's not possible for it to set the password to anything other than the one you typed though; Windows does not know what your password is. Of course, if you or some application is using the autoadminlogin registry keys, that can cause those details to get stored in the SSO fields as well.

rogue8
Level 7
Message 3 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Thanks for the quick response Simon! In this particular case, the safeboot account password is getting set to another Windows account password, not the password I logged into Windows with.... The password that is set in safeboot is taken from a local account prepopulated in the image that I haven't used to log in to Windows yet. For some reason, safeboot decides to use that password, regardless of which Windows account is used to log in. It's super weird and I have a workaround, but I do appreciate your response!

Reliable Contributor SafeBoot
Message 4 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Windows does not know what that password is, unless you put it in the registry that is, or unless you have some other 3rd party software remembering it.

The SSO feature of EEPC just stores what Windows tells us the current user logged in with 😉

rogue8
Level 7
Message 5 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Okay.  I'm willing to bet they have it defined somewhere in the registry because in this case, it's setting the safeboot password to something other than the Windows account logged in.  It's sooooooooo weird.  If I can pinpoint why, I will certainly share the info.  Thanks again!

Reliable Contributor SafeBoot
Message 6 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Check the current machine winlogon hive, or just search HKLM for the password 😉
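
One way to run the Winlogon check suggested in the replies above, as an added example that is not part of the original thread and is not McAfee tooling. It reads the standard Windows autologon values under the Winlogon key and reports whether a stored password exists without printing it:

```powershell
# Added example: audit the Windows autologon values on the local machine.
# Run from an elevated PowerShell prompt on the affected client.
$path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$names = 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword'

$winlogon = Get-ItemProperty -Path $path

$report = foreach ($name in $names) {
    $prop  = $winlogon.PSObject.Properties[$name]
    $value = if ($prop) { [string]$prop.Value } else { $null }
    [pscustomobject]@{
        Name    = $name
        Present = [bool]$prop
        # Never echo the stored password; only report that one exists.
        Value   = if ($name -eq 'DefaultPassword' -and $value) { '<set, not shown>' } else { $value }
    }
}
$report | Format-Table -AutoSize

$auto  = ($report | Where-Object Name -eq 'AutoAdminLogon').Value
$user  = ($report | Where-Object Name -eq 'DefaultUserName').Value
$hasPw = [bool]($report | Where-Object Name -eq 'DefaultPassword').Value

if ($auto -eq '1') {
    # Per the replies above, autologon details can end up in the SSO fields.
    Write-Warning "Automatic logon is enabled for '$user'."
}
if ($hasPw) {
    Write-Warning 'A plaintext DefaultPassword is stored under Winlogon. Remove it and rotate that password.'
}
```

A clean result here does not rule out autologon: tools such as Sysinternals Autologon keep the password as an LSA secret rather than in the DefaultPassword value.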

rogue8
Level 7
Message 8 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Thanks for the responses gentlemen! It's great to see you both on here helping when I know you're probably incredibly busy. I'll keep you posted. Apparently, they're forcing the local admin account/password through GP. I'm wondering if after logging in with one account, GP is applied and safeboot sees the local account get its password refreshed although it's not the account that is logged in, but safeboot somehow associates that change with the currently logged in account.... Even if that is the case, the script set by Peter should take care of it. Just confirmed it's happening on more than one machine. The only other thing is I did find some references to the local account in the registry under Symantec. I'll be investigating that as well to see if the local account in question has been tied to any services or tasks in Symantec.

rogue8
Level 7
Message 9 of 15

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

Where exactly is the .xml placed so that the clients will run properly?  Also is a double 'underline' required before and after the username?

Re: EEPC 5.2.5 and 'Set Endpoint Encryption Password to Windows Password'.

In EEPC Client program folder.

No, that is Vmware user name (with underscores).
