Former Member
Message 1 of 4

User sync interval

Hi There,

SSO enabled - In the ePO, I removed the assigned MDE user, but on the client, after doing a full props collection, it seems I can still use the removed user to log on to MDE PBA. Any ideas why this happens?

Also, I tried to disable the user in my AD, but on the client I'm still able to log on to MDE PBA; after repeating a few times I could see I can no longer use this user to log on. Is there some user sync interval setting behind it?

Thanks in advance!

Accepted Solutions
McAfee Employee
Message 4 of 4

Re: User sync interval

Hi @Former Member ,

Thank you for the explanation.

Please find the below,

How does MDE capture password for AD user:
=====================================

MDE captures user account password only when the password is being changed from the WINLOGON UI screen.

Scenarios when a User account password is being changed:
===============================================

A user account password can be changed in two ways:

Scenario 1) from the local machine using the CTRL + ALT + DEL screen

Scenario 2) from the AD server directly

For Scenario 1:
============
MDE 7.2.6 and above immediately captures the password when it's being changed from the CTRL + ALT + DEL screen and synchronizes with the MDE Preboot File System on the local machine immediately. On the next McAfee Agent to EPO Server communication, all other machines are updated about the change in this username's password and they update the password details accordingly.


For Scenario 2:
============
At the polling interval, the MDE on the local machine directly contacts the AD and checks if the user's password has been changed or not. If changed, then MDE on the local machine will throw a red rectangular pop-up on the bottom right of the screen to re-capture the newly changed password on the WINLOGON UI screen. To re-capture the password you would need to log off the machine and then log in with the new password on the Windows login screen. At this time MDE immediately captures the new password, and when you restart the machine MDE accepts the new password in here.

For this to work, you would need to enable the "Periodically check domain credentials for changes and ask the user to re-capture the Drive Encryption password if required" option from the Password Synchronization section under the MDE Product Settings policy in EPO.

[Screenshot: AD sync.PNG]

Hope this clarifies your question 🙂

Regards,
Jithendran S
McAfee Employee

3 Replies
McAfee Employee
Message 2 of 4

Re: User sync interval

Hi @Former Member ,

Good Day and Happy New year 🙂

Thank you for writing in here.

It's not about the user sync interval; it's about the policy enforcement interval and the agent-to-server communication interval.

Once you remove the user and do not do any wake up agents for that machine from the EPO console or locally on the machine, then McAfee Agent does the wake up automatically at its scheduled interval.

[Screenshot: ma communication interval.PNG]

Once the wake up call happens, the policy enforcement is also initiated, and the changes which you have made in the MDE users (addition or removal) get reflected on the client machine once the MDE policy enforcement is completed.

Regards,
Jithendran S
McAfee Employee
Former Member
Message 3 of 4

Re: User sync interval

Hi @jsubbura ,

Yes, after making changes in my AD, I performed an agent wakeup call (full props) and can confirm the wakeup is successful.

What I want to know is: for example, if I changed the domain user password, how long will it take for MDE to know it and sync the new password to SSO? Does it happen right after a full props agent wakeup call?
