
EEPC 7.x - SSO and password changes

We use single sign on in our environment.  Currently we are using EEPC 7.0.1.391 with ePO 4.6.6.

Here are two scenarios of password changes and my question is why does scenario 2 NOT update the McAfee Encryption password like scenario 1 does?

Scenario 1:

1. User has been using his laptop for months and SSO is working fine.  It is time to change his network password.

2. User's laptop is currently on the network and he is logged into Windows.

3. User hits ctrl-alt-del and changes his password.

4. User reboots his laptop and his new password is now accepted at the McAfee Preboot screen and SSO logs him all the way in to Windows with this new password set in step 3.

Scenario 2:

1. User cannot login to the McAfee preboot environment.  He cannot remember his password.

2.  An EEPC admin that has access to all machines logs in at preboot and logs into Windows (since this is his first time logging into this particular machine)

3.  EEPC admin remotes to a machine and accesses Active Directory.

4.  EEPC admin changes the user's password in Active Directory.

5.  EEPC admin logs out of the remote machine and logs out of Windows on the user's laptop.

6.  The user logs into Windows on his laptop with the new password set in step 4 by the EEPC admin

7.  The user now hits ctrl-alt-del and changes his password locally on his laptop

8.  The user reboots his laptop and this new password set in step 7 using ctrl-alt-del is NOT accepted at the McAfee preboot screen.  WHY?

5 Replies

Re: EEPC 7.x - SSO and password changes

In testing Scenario 2 some more it appears the results are inconsistent.  I have done the scenario 5 different times and 3 out of the 5 worked as expected where McAfee took the password set in step 7 as soon as the user rebooted. However, 2 times it did not take that password.  Is there a timing issue we need to be aware of?


Re: EEPC 7.x - SSO and password changes

From experience, the only way I have observed it update/change the PBFS password is if the user authenticated in the PBFS is the same user that is authenticated into Windows and they process the ctrl+alt+del.

Take a look here:

https://kc.mcafee.com/corporate/index?page=content&id=KB79339


To be able to change a user DE/EEPC preboot password, all of the following criteria must be met:

  • DE/EEPC must be installed and activated.

  • The DE/EEPC Product policy must have Single Sign On (SSO) enabled and the option Synchronize Endpoint Encryption password with Windows selected. It is also advised to enable Must match user name. To support this, see KB75216.

  • Client system is not set to Autoboot. For details, see KB65824.

  • The User that is logged into preboot must be the same as the Windows user. For details, see KB75216.

  • The password change must be performed after pressing CTRL+ALT+DEL (Credential Provider) screen.

  • The system did not boot utilizing Out-of-Band to bypass preboot.

  • An Emergency Boot was not performed on the client to bypass preboot.

  • An Administrative recovery was not performed on the client to bypass preboot.

Re: EEPC 7.x - SSO and password changes

Thank you for this!  According to KB79339, in order to change a user's EEPC password the same user has to be logged in at preboot and Windows.  I did not realize that was a requirement.  We are on version 7.0.x so we do not have the option to require endpoint encryption logon like KB75216 suggests.

So Scenario 2 should look like this instead:

Scenario 2:

1. User cannot login to the McAfee preboot environment.  He cannot remember his password.

2.  An EEPC admin that has access to all machines logs in at preboot and logs into Windows (since this is his first time logging into this particular machine)

3.  EEPC admin remotes to a machine and accesses Active Directory.

4.  EEPC admin changes the user's password in Active Directory.

5.  EEPC admin logs out of the remote machine and logs out of Windows on the user's laptop.

6.  Laptop is rebooted and a self-recovery or admin recovery is done on the user's account to set the EEPC password to the password set in Step 4.

7.  User is required to login at Windows the first time to update the SSO credentials.


Re: EEPC 7.x - SSO and password changes

I think you may be over complicating the process.  When I have users that cannot authenticate in the PBFS here are the steps I follow.

Perform a user-based admin recovery via challenge response codes; however, instead of the default options in ePO to perform a machine recovery, choose User Recovery > Reset Token, then select the user for that system and provide that response code.  What this does is allow the user to recreate their password and recreate their recovery questions/answers.  Once that is completed, they will be challenged for a Windows login. Why didn't it do the SSO?  I believe this is a security step taken to ensure you say who you are. Upon a successful Windows authentication the machine boots and all is well.  After the next boot SSO will engage.

Works every time, and it's a good user experience.



Re: EEPC 7.x - SSO and password changes

That is exactly what I have instructed the analysts to do.   I think they were trying to shortcut having to do a challenge and response, but they must in this case.  Thanks again!
