Hi, we recently began migrating our DE clients to FIPS compliance by standing up a new FIPS EPO server and re-installing the DE software in FIPS mode. The process is like this:
Decrypt the machine
Uninstall DE software 7.2.9.14
Transfer system to new server
Re-install DE software in FIPS mode
Previously we were getting users assigned to machines via AD, and using AD password syncing/SSO. Now, however, we've discovered we need to turn both of those off in order for our newly implemented DUO MFA to work correctly (it needs the DE credential provider disabled).
Since we've been doing this migration, we've had the PBA bypassed on all machines since coronavirus started, so we haven't had any users log in to a machine with their DE accounts in a long time. I assumed that when they got transferred to the new server, since the new server has no token data, it would reset all the users, so that when we re-activate PBA it would act like they're setting up the user for the first time and prompt for a password. We turned on PBA for one machine yesterday with SSO and password syncing disabled, and some basic UBP policy enforced, and this seems not to be happening. It still asked for a password, but no password the user gave it worked, returning a "failed to authenticate" error.
The only way to solve this was to do an encryption user recovery that resets the token. I tried to just reset the token in the EPO server, but it wouldn't let me because "there is no token data for this user." If that's the case, shouldn't the client be asking the user to set the password instead of trying to authenticate to... a token that doesn't exist?
I don't see anything in the MfeEpe.log that indicates any users' tokens got reset after transferring to the new server. But I also can't force them to reset from the new server. So it seems like it is in some weird limbo state where it thinks there is token data on the machine and is trying to use that, but it won't ever work.
Would really appreciate some guidance here, as it seems that whenever we turn PBA back on for everyone we'll run into this.