We're looking to roll out DE w/preboot to a department that uses a lot of 'float' laptops that are shared throughout. I know that upon installation, DE will add profiles for users who have signed into that device before. I'm wondering how the password sync portion works for those users whose profile is on a device from the original install, but who may not have logged in for a long time and have since changed their password.
-Will it only accept their old password from the last time they logged in?
-If another user was using that device regularly, when DE syncs their network and preboot password, does it also update all the other profiles on the device or does it just sync the user that signs in when it's online?
I looked around for a KB article, but couldn't find an answer exactly.
I should start by saying that we do not recommend the use of MDE with regular/simple automatic booting as that significantly decreases the security provided by MDE.
To get to your questions, as for a KB article, https://kc.mcafee.com/corporate/index?page=content&id=KB93173 probably covers the situation best. There are some examples listed in there. The last one listed covers the subject of user passwords with automatic booting in use.
We are using drive encryption with preboot authentication. We are also using single sign-on with it matching Windows usernames.
Thank you for the link, it did answer my question about how it syncs the other user profiles on a machine: it does not, unless those users log in past the preboot authentication screen.
In this case, if user1 cannot sign in at preboot authentication because they haven't used a particular device in a long time and they don't remember their password from back then, how do they get into the device and get their passwords to resync?
There are multiple options if a user is at preboot and does not recall their MDE password. There are user recovery methods that can be configured with password recovery questions. They could use challenge\response recovery, which involves either another person who has access to ePO or the use of the Data Protection self-service portal (DPSSP); this challenge\response option could also be used with the McAfee Endpoint Assistant app for smartphones so that the user does not need to contact another person for ePO access. In more involved situations, the DETech standalone recovery utility could be used for an emergency boot.
Another, less simplistic approach would also be an option, in which someone with proper ePO access could issue a token reset from ePO and then another authorized user logs in to the client system to allow the system to get online and sync up to get that reset as well.
The options like the use of the Endpoint Assistant application and the recovery questions require that they be set up before they need to be used but the other options like challenge\response recovery are enabled by default.
If they recover access via their security questions and are able to sign in, will this update and sync their password after signing in to Windows? I assume in this case that single sign-on will not work as the preboot has an old password, correct?
Thank you,
After using the recovery questions they should be able to set a new MDE password. At this point, they can authenticate at preboot with that. Then, MDE will attempt to pass through the existing SSO data that it has to Windows. Assuming that the password that MDE has is no longer accepted by Windows, the user will need to log in to Windows and the MDE credential provider should pick it up there to set new SSO data and MDE password. If, however, Windows accepts the logon data, then MDE will not synchronize it since what MDE had\has is acceptable to the OS.
Such a case should be unlikely since the passwords should ultimately be the same with SSO and password synchronization enabled so if they don't remember their password to get in to MDE, what MDE has for the OS logon is likely to be "old" and not the current Windows password.