Here's my situation. I am implementing multi-factor authentication for user logins. We also use EEPC/DE for full disk encryption (now at v7.2). SSO has always been hit or miss, perhaps due to the requirement to depopulate the username field. I have written off SSO and am okay with it.
We have been a long-time Deepnet Security customer and wanted to use their Windows encryption provider to prompt for a token/FIDO key/etc. Simple, right?
The product works great on unencrypted computers. My DE Product Settings policy has disabled the option for "Provide a single sign-on experience for Drive Encryption users (SSO)" and on the Pre-7.2 screen, Enable SSO is disabled.
What happens is this:
PC boots. User authenticates at the pre-boot. Windows loads. User is presented with what looks like the Windows credential provider. (They should have received the Deepnet provider asking for a token code.) If they lock the screen, the Deepnet provider is there. If you log off/log on again, you get the Deepnet provider. Only at boot (when the McAfee SSO bits are trying to work) does it seem to be a problem.
This is what Deepnet support says, and what I am failing to accomplish: The solution is to disable the McAfee credential provider. This will not disable McAfee encryption, but the side effect will be that after the user signs they will need to supply their credentials a second time during DualShield 2fa Sign-On (once during McAfee sign-on, and once during DualShield sign-on).
Anyone successfully disabled SSO for DE? Any advice?