sw41
Level 10
Message 1 of 11

Updated PW in AD does not update preboot

DE 7.2.8.4
EPO 5.10
 
We have random one-off (but a couple of times a month) users where they change their password, it updates in AD, and McAfee DE does not pick up on that, so when the user is at the preboot login, they cannot sign in with their new password. We tried to sync it with CAD locking and unlocking the computer, then rebooting, but no luck. Our typical workflow is where the user updates their PW and the preboot just gets it without the user doing any other action.
 
My understanding for the flow is that EPO syncs with AD, then Agents sync with EPO, then the preboot is updated.  Is there some log somewhere that we can see the user info is updated either on the endpoint or in EPO?
10 Replies
Reliable Contributor jacek
Message 2 of 11

Re: Updated PW in AD does not update preboot

After changing password in AD, try to run ePO Server tasks:

LdapSync: Sync across users from LDAP
DE: Force update for UBP enforcement users

Wake up system (3 times) to update their policies and preboot users and try to use new password. Is it working?

sw41
Level 10
Message 3 of 11

Re: Updated PW in AD does not update preboot

Thanks!!

Is there a log to look at to see when the PW updates or fails to update??? (not expecting to see the PW)

Reliable Contributor jacek
Message 4 of 11

Re: Updated PW in AD does not update preboot

Yes, but this log is on the client side.
C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log
But I think it is not what you are looking for.
In MfeEpe.log there is information that the task updating users from the client side was successful, but there is no information about which password it is (the old one or the new one).

If it was an issue, you could change the frequency of the above tasks.
sw41
Level 10
Message 5 of 11

Re: Updated PW in AD does not update preboot

I have been watching that log and you are right, not what I am looking for.  I am trying to find the log that is reporting on the exe that syncs the password from the user to the preboot.  It appears to be not working.  The username gets registered in the preboot but not the password.  Is it erroring out? Is there some cache to clear? Is there a timing messed up? 

We have a few people now where the password won't sync and with only the standard "CAD-Lock-Unlock, repeat" their passwords are not syncing. 

Now a batch of new computers where we install McAfee with our local Tech account, then have an AD user log in, the AD user is not able to get past the preboot.  We do not see the invalid user name, we just get not able to authenticate.

The one error we see repeat from the MfeEpe log is about the theme not syncing.  Could that be related??

Reliable Contributor jacek
Message 6 of 11

Re: Updated PW in AD does not update preboot

Yes, updating themes is connected with PBFS as well as synchronizing passwords.
Could you post errors/warnings from MfeEpe.log?
sw41
Level 10
Message 7 of 11

Re: Updated PW in AD does not update preboot

After a few more send/rec props and restarting the encryption service, the theme did download and apply. I rebooted and saw my background vs the McAfee default one, so that part is working.

Now seeing

2019-07-11 16:13:22,107 ERROR MfeEpeServiceLPCServer Unable to subscribe to data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2019-07-11 16:13:22,107 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.

and

2019-07-11 16:13:40,824 INFO FirstUserRegistryListener Detected registry change in FirstUser key.
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Copy operation started
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Copy operation started
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Unable to mount user hive. Retrying in 10 seconds
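
Added example (not part of the original post, and not McAfee code): a small Python triage script for the MfeEpe.log line layout quoted above, which groups ERROR/WARN lines and retry messages by component so repeated failures stand out. The `WARN`/`WARNING` level names and the `Retrying` hint are assumptions; one sample line is constructed and marked as such. On an endpoint the input would be the contents of the MfeEpe.log file named earlier in the thread.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Layout seen in the excerpts: "<date> <time>,<ms> <LEVEL> <Component> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) (?P<msg>.*)$"
)

# Lines copied from the post above.
THREAD_LINES = """\
2019-07-11 16:13:22,107 ERROR MfeEpeServiceLPCServer Unable to subscribe to data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2019-07-11 16:13:22,107 ERROR MfeEpeServiceLPCServer Unable to unsubscribe from data channel item EEADMIN_1000_AddDomainUsersRsp: Unexpected IPC error. Please ensure MA/Point Product service is running.
2019-07-11 16:13:40,824 INFO FirstUserRegistryListener Detected registry change in FirstUser key.
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Copy operation started
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Copy operation started
2019-07-11 16:13:40,824 INFO FirstUserRegistryCopier Unable to mount user hive. Retrying in 10 seconds
"""
# Constructed line (not from the thread): a second retry, to show grouping.
CONSTRUCTED = "2019-07-11 16:13:50,824 INFO FirstUserRegistryCopier Unable to mount user hive. Retrying in 10 seconds\n"
SAMPLE = THREAD_LINES + CONSTRUCTED

def parse(text):
    """Yield (timestamp, level, component, message) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or continuation lines are skipped
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m["level"], m["component"], m["msg"]

def summarize(text, levels=("ERROR", "WARN", "WARNING"), retry_hint="Retrying"):
    """Group noteworthy lines by (level, component, message); retries count even at INFO."""
    groups = OrderedDict()
    for ts, level, component, msg in parse(text):
        if level not in levels and retry_hint not in msg:
            continue
        key = (level, component, msg)
        entry = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["last"] = ts
    return groups

if __name__ == "__main__":
    for (level, comp, msg), e in summarize(SAMPLE).items():
        print(f"{e['count']}x {level} {comp} {e['first']:%H:%M:%S}-{e['last']:%H:%M:%S} {msg}")
```
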

Reliable Contributor ninov_n
Message 8 of 11

Re: Updated PW in AD does not update preboot

Hello,

In regards to password synchronization, McAfee took the same approach as other FDE encryption vendors like CheckPoint Pointsec, where the best way to update/synchronize PBA credentials is to change your password from the Ctrl+Alt+Del -> Change password link, even if the re-capture option is enabled from the General MDE policy.

In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino
sw41
Level 10
Message 9 of 11

Re: Updated PW in AD does not update preboot

I agree and encourage everyone to change their passwords from their machine and not other tools, but what about the people that have 2+ computers? Some users have the Mac and PC combo, others have work and development machines, others may have the desktop and Surface combo.

Reliable Contributor jacek
Message 10 of 11

Re: Updated PW in AD does not update preboot

I think the easiest way to work around this problem is to adjust the server tasks:
LdapSync: Sync across users from LDAP
DE: Force update for UBP enforcement users
Change their execution time to every 1 hour.
After changing the password in the domain, the user should wait around 2 hours for password synchronization on their other workstations.

There is no other method to sync password immediately across all systems (except using Ctrl Alt Del and forcing password change from Windows system).