We are running DE 22.214.171.124 and have been working fine on encryption and preboot for our single-device users so far. We will need to start looking at devices that have multiple users in the near future. I need some clarification on a few items regarding this.
1) On a test laptop I was able to add a user to PBA through the ePO console. We checked it in and enforced policies, and rebooted, but the user could not log in (unknown user). After signing in to preboot with a different account, we had the new user sign in to Windows. We also ran an LDAP sync and checked the device in again. After rebooting the user was known, but was not accepting a password. What are/should be the normal procedures for getting a new user (who has never signed in to the device) onto a computer?
2) Some of our devices use a generic Windows user account that auto-signs in. What's best practice for these devices if we would not know who may be using them and couldn't add the user ahead of time? Would just having PBA active interrupt the current Windows auto-login settings?
3) How does the PBA password sync across devices if a user hasn't used a device in a long time? I had thought the preboot password only syncs with Windows for the user who signs in. Does that mean if a staff member hasn't used a certain shared device in a long time, the preboot will only take her old password? If that's the case, how does she get in if she doesn't remember it? Assuming she used her challenge questions and could get past PBA and sign in to Windows, does that password update then?
I believe I found the answer to #3 - the user would have to use a recovery method and then once she gets past PBA and into Windows, the password will sync.
We are still having problems with #1 - we're not getting consistent results trying to add users to a device. Also, our admin "group users" are not being added to devices after PBA is active. I found some articles referring to the LDAP user used to register the LDAP servers, and I confirmed that service account is working. Is there something else it needs to be able to add these admins?
1. After manually adding the user, enforce the policy on the system or send an agent wake-up call. Once it completes, please open the MFeEpe log located in C:\Program Files\McAfee\Endpoint Encryption Agent\ and check if the user has been added successfully. If the user is added, then reboot and log in with the default password "1234567" (unless changed).
2. If SSO is enabled in the policy, when the user logs in to preboot, the system will be logged in automatically. If SSO is disabled, the user will get both the preboot and the Windows login.
3. If a user logs in to multiple devices, then the password will be updated across all systems when they communicate with ePO. If the system has not communicated with ePO, then the old password will work until the sync occurs. If the user does not remember the password, then admin recovery can be done, after which, when the system communicates with ePO, the password will be updated.
For #1 - Is there a way to get a new user into PBA without having to do it through the console? Assuming that they were already at the Windows login and could sign in? Does DE actively look for new Windows users as they sign in?