The reason we want to use an account with a fixed password is because some laptops may be away from the domain for long periods of time.
When the laptop comes back, it would have a cached PBA password that would be very old and the IT staff would not be able to authenticate through PBA if they don't remember all their previous passwords and enter the correct old password before being locked out.
Since we would not be able to get to Windows without going through PBA, does EEPC have a way to sync accounts to the current password without booting into Windows first?
It would be an account that had no rights to do anything except authenticate PBA on a specific group of laptops. Needing to do recovery everytime the staff needed to work on a laptop that had been away from the network for several weeks/months would not be practical.
Having a shared account with a fixed (and shared) password is a big risk. Even more-so when machines are left unsync'd for long periods of time, since there's no way to reset those credentials on all assets in the case of a breach/loss of those credentials.
Getting through PBA is essentially "everything" for us. The product is rendered useless if you're willing to hand out free "get through PBA" cards. Hence, we recommend going the recovery route, since rogue users would have to jump through extra hoops to get access.
Ultimately, you can assign a user to the root with a known password with the existing product today. But it's not at all recommended. The risks are too high.
I thought you meant the tech would need to do a challenge/response recovery if their current password was not cached on the laptop. I forgot about recovery questions.
Do the recovery answers automatically sync to every computer with their user account?
Also, if there is a policy to bypass PBA when computers are on the local network, would that be an alternative way assuming the laptop had a working network connection? I don't understand how that would work though since don't you need to get past PBA before the networking starts?
Any of the recovery options is preferable to shared credentials (IMO).
As for your second question, folivier has already answered your post on another thread: https://community.mcafee.com/message/277670#277670
That is of limited value because it is only possible on a vPro system and assumes you also have Deep Command deployed in your environment.
There are some other prodicts where this can be done all within the encryption product by pinging some key IP addresses before the Windows login promptis presented. If it is unable to reach those IPs, the system shuts down and takes the user back to the PBA screen. No special hardware requirements needed.
We deliberately avoid having a network stack in our preboot environment, to plug the many potential security holes that inherently come along with network stacks. The vPro chip allows for a secure channel at a hardware level.
The mechanism you describe sounds like little more than a gimmick ; I steal your laptop, plug it into my own network, sniff the ping requests, then configure device(s) to respond. Failing that, I'll start scouring the disk for the machine key that'll be written on it somewhere