Can someone explain what the exact purpose of "Require Endpoint Encryption Log On" in the McAfee Endpoint Encryption policy is? If I don't have this option selected, can I still use SSO, and will the users' EE password still sync up with AD? I noticed that in the 6.0 Unofficial Quickstart Guide McAfee recommended this feature only be enabled on Windows Vista and Windows 7 machines, but in the 6.0.2 Best Practice Guide it recommends having this enabled with no mention of Windows versions. Why the discrepancy?
It is just better wording, I think.
If you "must have it enabled" for Windows 7, and "can have it enabled" for other Windows flavors, then that should be the default setting for Windows in general.
When I tried to use the "Require Endpoint Encryption" setting it caused a lot of headaches, like:
1. When users change their password when logging in via a VPN client or in their Citrix sessions, then lock and unlock their laptop screens to make the password take effect, the McAfee prompt doesn't recognize the new password. The user still needs to use the old password, which is invalid on the domain and causes a lot of other issues, i.e. inability to access shares, log in to remote desktops or Citrix (if they changed the password via VPN), etc.
2. Password security: Now you need to set up the McAfee User-Based password policies on top of the ones you have for Active Directory. Otherwise, you can sit there at the laptop and try over and over to guess the password at the McAfee prompt. This is a real pain in the neck because now you need to worry about two places for password security. This just adds more of a headache when the auditors come a-callin'.
I like not using this option because then you can still have the pre-boot authentication, but without the added password issues of the McAfee prompt. If an admin or the user changes his/her password via other means than using their PC to do it, then that password is instantly available to the user due to the prompt being the actual windows prompt and not the McAfee one which still seems to be looking at the PBA password.
However, with Windows Vista & 7, if I don't use the "Require Endpoint Encryption" and I don't put my password in the login prompt due to a phone call or someone stopping by to chat, etc., the login prompt will disappear and just give me a cancel button. If I hit cancel, I get nothing on my screen until I press CTRL+ALT+DELETE, and then the login prompt appears. There is a bug that's not displaying the text that tells the user to press CTRL+ALT+DELETE, so all the user sees is the Vista or Windows 7 background with nothing on it. Doesn't happen with XP.
Message was edited by: Jack Siergiej on 11/19/10 7:27:55 AM CST
Thanks for taking the time out to tell me your experiences. I don't think we will be using this option either. Although it is a bit unnerving that the Ctrl + Alt + Del prompt is not shown in Vista or Win 7 without this option being used. I will have to check and see if my users are experiencing this as well.
No problem. I'm willing to live with the CTRL+ALT+DELETE text missing rather than having a user unable to access resources due to the confusion of not changing the password in the correct way. If they know to just press the buttons if it happens, then I can deal with that.
Definitely check the CTRL+ALT+DELETE thing out and let me know. It happens to me on each Vista / 7 computer I put it on.
Message was edited by: Jack Siergiej on 11/19/10 9:49:42 AM CST
I just tested this on a Windows Vista machine and confirmed what you are seeing. The login window does disappear, leaving only the "Cancel" button. In my setup we have SSO enabled as well, so to see this bug I signed into EE Pre-boot and SSO logged me into Windows. I then logged out of Windows and left the login window open; after about 30-60 seconds the window disappeared. I did get the login window back by pressing "CTRL + ALT + DEL".
I hope that my users are savvy enough to do this. In most cases I don't think this will be a problem for our environment with SSO enabled but it is still a problem.