we have set an AUTOBOOT using TPM on Windows 10 (user don't see the preboot screen) in our environment.
It seems to me, that password synchronisation between Windows and MDE doesn`t work anymore when TPM is used for pre authentication.
And after a major update to Windows, TPM measure will fail (as designed) and PBA screen will be shown. But since passwords are not synced user can only authenticate with a old password or doesn`t remember it and need to be recovered.
MDE version: 220.127.116.11
MA agent: 5.6.2
Hi @ipsos-mk ,
Thank you for writing in here.
Since you are using Autoboot feature, as soon as the machine is installed with MDE and restarted the PBFS would be created with users assigned to the PBFS, however, these users need to be initialized in the first place for password sync features.
User Initialization can only happen at the MDE PBA screen.
Since you have auto-boot enabled, MDE PBA screen is not displayed at all from the first, so user initialization does not happen at all. And when there is a windows upgrade which makes the TPM measurements to fail, MDE PBA screen appears. Now the user tries to enter his username and his windows password or any other password. Definitely you will get the failed to authenticate messages on the PBA screen.
At this case, since the user is not initialized, advise the user to use the mcafee default password (12345 or 1234567) mentioned in the product guide to initialize the user account, post this the user would be advised to enter a new password and confirm password, which can be their Windows account password.
Post user Initialization, MDE password sync will happen regularly. So before provisioning the machines to the end-users, kindly make sure that these users are initialized at the PBA.
Kindly let me know if you have any further questions on the above 🙂
Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
We are also seeing this problem - it's not just uninitialised users - it seems to be everybody. Our AD policy is to get users to change their passwords every 30 days and the password required for DE after a Windows update is very out of date - mine for instance is one I was using 4 months ago so it seems DE has not synced for that long. This means, after a major Windows update, I spend all day resetting tokens (my users aren't any good at remembering their Q & As!). We are currently on version 7.2.9
After not getting a response here on the forums I`ve created a official support ticket.
After that I had a call with a McAfee developer for endpoint encryption. He said that the pre boot system cannot update the password from Windows after STRG + ALT + ENTF because TPM is between both systems. Only the password which was entered on the PBA screen will work when PBA screen appears the next time a change happens (i.e. a Windows update). All changes to the password you are using with Windows will not be synced.
We disable TPM now so users will get PBA screen again. What a bummer!
We are also looking into McAfee Native Encryption with Bitlocker now...
"Post user Initialization, MDE password sync will happen regularly. So before provisioning the machines to the end-users, kindly make sure that these users are initialized at the PBA."
This is simply not correct. Password will not be synced if TPM is in place. I had a call with a drive encryption developer at McAfee and he told me that this is not working by design.
Thanks for the reply - I tried to give you kudos but the button doesn't seem to be working. I think this makes DE a totally unsuitable product for us - wish I'd known this before we rolled it out. Looks like we'll have to consider going back to Bitlocker too.
@SSIL: The only way is to turn TPM off. Without TPM password will be synced for sure.
Though the problem with that is, that you need to ad all users to the machine (via EPO) who need to work with it. Otherwise they will not get past the PBA screen. You do not want to use just one user account to pass the PBA screen.
And then there is a option to autoboot without TPM, and then authenticate with AD user at Windows logon screen, but McAfee documents say this is unsecure.
It's how we used to do it when we first started using DE (before MNE), so all our AD OUs are mapped to ePO groups already. We thought that involving the TPM would make life easier for everybody but that hasn't turned out to be the case. Thanks anyway.