alistg
Level 7
Message 1 of 7

Query about sync of pre-boot password when AD password is changed on non EEPC machine

Hello

(VERY noddy question).

User Scenario

Example Scenario:

- User logs on to a desktop and also has laptop with McAfee EE on it

- User changes their Windows (AD) password on the desktop

- User logs on with cached credentials to their laptop and uses it offline for a period of time

- Then brings it back "online"

- Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

So

- They enter their (old) credentials on pre-boot, then the new password to logon to the domain

Will their pre-boot credentials get "updated" to reflect their Windows logon credentials?

If yes, when / how (e.g. is this expected to happen after an EE "synchronize" has occurred?)

If no, what is the recommended "best practice" to get this back in sync (e.g. force a password reset on next boot?)

Support Scenario

Slightly different scenario but pretty much the same root cause.

- Support people responsible for managing McAfee EE issues

- Need credentials to logon to back-end etc

- Only need to logon occasionally and are not using McAfee EE on their own machines

- Their Windows (AD) password is changed on a regular basis

- Need to logon to the back-end and find their credentials don't work (i.e. are "out of sync")

Is there a way for them to change their AD password and for it to remain in sync for use with McAfee EE?

Thanks

-AL

6 Replies

Query about sync of pre-boot password when AD password is changed on non EEPC machine

Will their pre-boot credentials get "updated" to reflect their Windows logon credentials?

- Yes, you have to select Machines > Properties > General > Options > Set Endpoint Encryption Password to Windows Password.

Is there a way for them to change their AD password and for it to remain in sync for use with McAfee EE?

No, in the said scenario, as they are not using EEPC on their machine. Normally people add some common support user to machines for support purposes and change it frequently from their EEPC console.

alistg
Level 7
Message 3 of 7

Re: Query about sync of pre-boot password when AD password is changed on non EEPC machine

Hello

This helps, but I'm really after a more precise / detailed response.

i.e. we do have "Set Endpoint Encryption Password to Windows Password" selected.

When / how does the pre-boot encryption password get set / "synced" with the windows password?

So as per the scenario I described:

User logs on to a desktop and also has laptop with McAfee EE on it

- User changes their Windows (AD) password on the desktop

- User logs on with cached credentials to their laptop and uses it offline for a period of time

- Then brings it back "online"

- Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

So

- They enter their (old) credentials on pre-boot, then the new password to logon to the domain

What is responsible for getting their pre-boot password synced?

e.g.

- Is this done via the GINA / Credential Provider?

- Is it done by the McAfee EE service?

How does the pre-boot password get "Set .. to Windows Password"?

e.g. Does the AD password somehow get captured, or is it a hash of this?

When does it happen?

On the other response about support access:

You said "Normally people add some common support user to machines for support purposes and change it frequently from their EEPC console".

The English is poor, but I'm "assuming" you're suggesting use of a "generic account"?

IMHO use of generic accounts is "bad practice" and something most security departments would "discourage" or prohibit.

I'd be surprised if there wasn't a better way to do this

Best regards

-AL

on 03/03/11 16:44:16 CST

Re: Query about sync of pre-boot password when AD password is changed on non EEPC machine

When / how does the pre-boot encryption password get set / "synced" with the windows password?

So as per the scenario I described:

User logs on to a desktop and also has laptop with McAfee EE on it

- User changes their Windows (AD) password on the desktop

- User logs on with cached credentials to their laptop and uses it offline for a period of time

- Then brings it back "online"

- Pre-boot password is (obviously) "out of sync" with their Windows password, "breaking" SSO.

So

- They enter their (old) credentials on pre-boot,

then the new password to logon to the domain

- At this point, when the McAfee client synchronizes with the server (the client syncs once on first boot), the password gets changed.

What is responsible for getting their pre-boot password synced?

e.g.

- Is this done via the GINA / Credential Provider?

- Is it done by the McAfee EE service?

- Not sure, but it's done by the McAfee EE service with the help of the GINA/Credential Provider.

How does the pre-boot password get "Set .. to Windows Password"?

e.g. Does the AD password somehow get captured, or is it a hash of this?

When does it happen?

- When you log on to the domain with the new password, the McAfee service senses the change of password and also updates the token on the server.

On the other response about support access:

You said "Normally people add some common support user to machines for support purposes and change it frequently from their EEPC console".

The English is poor, but I'm "assuming" you're suggesting use of a "generic account"?

IMHO use of generic accounts is "bad practice" and something most security departments would "discourage" or prohibit.

I'd be surprised if there wasn't a better way to do this

- It's up to the individual how one wants to manage it.

ollit
Level 7
Message 5 of 7

Query about sync of pre-boot password when AD password is changed on non EEPC machine

Hi Al,

if you use:

Set Endpoint Encryption Password to Windows Password

you also need to use: Must match windows user name

Explanation: If you don't use the must match option, the following can happen:

You log on with User A to PBA and User B to Windows. Now what seems to happen is that the Windows password of User B is written as PBA password to User A. This caused us a lot of trouble.

My experience with the sync:

If the PBA password differs from the password stored in the EEM database, after the next sync the password in the database is written to the PBA. That means you have to log on to Windows at least once and do a sync.

If a user changes his windows password on a machine with EEPC installed the above setting detects the differing passwords and changes the PBA password automatically and writes it into the database.

If a user changes his password on a machine without EEPC it seems that the differing passwords are not detected.

But what I don't understand: If you do not use Must match... sometimes passwords are synchronized.

I am totally confused.

Olli

Query about sync of pre-boot password when AD password is changed on non EEPC machine

Hi,

Yes, you should always use the Must match username option, otherwise you will fall into the above-said problem.

If a user changes his password on a machine without EEPC it seems that the differing passwords are not detected.

- Yes, if the user changes his password on a machine without EEPC, then you have to enter the last OLD password on the machine where EEPC is installed, as there is no network connectivity at the PBA screen. Once you have logged in and synchronized, your new password will be synced.

What's to be done if the user changes his/her Windows domain password?

Some scenarios for changing password

Scenario 1: You are changing the Windows domain password on the same machine where EEPC (DE) is installed.

The EEPC client will automatically synchronize and update the password entry. If you want to synchronize manually, then right-click on the SafeBoot icon in the system tray and click on the Synchronize option, as shown in the below screenshot.

Scenario 2: You have changed your Windows password from PASS1 to PASS2 on a different machine.

OR

Scenario 3: You are sharing your ID with some other user and that user has changed the password for your SAP ID.

Now you would try to log in with your new password (PASS2) in SafeBoot pre-boot authentication on your machine. But you will get the error "Authentication parameters incorrect"; please enter your old password (PASS1), because your machine does not have the latest password entry. So you have to enter your last password only. Once Windows starts you will be prompted for Windows credentials (normal Windows authentication); enter your ID and new password. Once you log in with your new password on your machine, the SafeBoot client will synchronize your new password and replace the old one with it. From the next restart you can log in with your new password (PASS2).
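The sync behaviour described in this thread, as a small model added here (not McAfee code; every name in it is an assumption): it walks through the "password changed on a non-EEPC desktop" case from the question and the cross-user overwrite Olli describes when "Must match windows user name" is off.

```python
# Toy model of McAfee EE pre-boot (PBA) password sync as described in this
# thread. Constructed for illustration, not McAfee code; all names are assumed.
from dataclasses import dataclass, field

@dataclass
class Laptop:
    pba: dict                                    # pre-boot user -> password on disk
    must_match_username: bool = True             # "Must match windows user name"
    pending: dict = field(default_factory=dict)  # captured at logon, pushed at sync

def preboot_logon(lap, user, password):
    """PBA has no network: only the locally stored password is accepted."""
    return lap.pba.get(user) == password

def windows_logon(lap, pba_user, win_user, win_password, ad):
    """Domain logon after PBA. The EE client captures the Windows password for
    the pre-boot account; the name check stops user B's password reaching user A."""
    if ad.get(win_user) != win_password:
        raise PermissionError("domain rejected password")
    if lap.must_match_username and pba_user != win_user:
        return                                   # names differ: do not capture
    if lap.pba.get(pba_user) != win_password:
        lap.pending[pba_user] = win_password

def synchronize(lap, eem_db):
    """Client sync with the EEM server: push captured changes, pull the rest."""
    for user, pw in lap.pending.items():
        eem_db[user] = pw
    lap.pending.clear()
    for user in lap.pba:
        lap.pba[user] = eem_db.get(user, lap.pba[user])

def scenario_changed_on_desktop():
    """AD password changed on a non-EEPC desktop; laptop then used and synced."""
    ad, eem = {"al": "PASS1"}, {"al": "PASS1"}
    lap = Laptop(pba={"al": "PASS1"})
    ad["al"] = "PASS2"                           # EE client never sees this change
    new_pw_at_pba = preboot_logon(lap, "al", "PASS2")   # False: PBA still holds PASS1
    windows_logon(lap, "al", "al", "PASS2", ad)         # old PBA password, new domain one
    synchronize(lap, eem)
    return new_pw_at_pba, lap.pba["al"], eem["al"]      # (False, "PASS2", "PASS2")

def scenario_cross_user(must_match):
    """User A at PBA, user B at Windows; only the match option protects A."""
    ad, eem = {"a": "A1", "b": "B1"}, {"a": "A1", "b": "B1"}
    lap = Laptop(pba={"a": "A1", "b": "B1"}, must_match_username=must_match)
    windows_logon(lap, "a", "b", "B1", ad)
    synchronize(lap, eem)
    return lap.pba["a"]                          # "A1" if must_match else "B1"
```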

Query about sync of pre-boot password when AD password is changed on non EEPC machine

From my understanding: the McAfee Endpoint Encryption password is updated by the McAfee Endpoint Encryption client.

The password is updated/captured by the MEE client, so basically when the AD password is changed on a laptop with McAfee Endpoint Encryption, the client will catch this password, then sync to the database and update the password to be the same as the AD password.

So if you uninstall/decrypt your laptop and are not using MEE anymore, your MEE password will remain the same as the last password you had. Changing to a new AD password on a system without the MEE client will not have an effect on the MEE password, meaning it will not be changed.
