Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 12
Report Inappropriate Content
Message 11 of 18

Re: Encyption users disappearing and "Unknown user" at pre-boot

Thanks for responding.. 
Could you please clarify if you the following scheduled task ‘Inactive Agent Cleanup Task’  is enabled?

If so, could you please provide the settings.

If the machine is deleted from ePO:

  • Then any users assignments specifically assigned to the machine will be removed.
  • If the user is not used by any other machine or branch in ePO, then any user data will also been removed.


Re: Encyption users disappearing and "Unknown user" at pre-boot

The task is not enabled and its status is "Task has never run".

Level 12
Report Inappropriate Content
Message 13 of 18

Re: Encyption users disappearing and "Unknown user" at pre-boot

Ok, that rules that one out...

What is the frequency that the users are being removed from the machine ?

Could you please send me your orion.log file in a private message and I will have a look at it for you.  I may now see anything, as the orion.log files are rolled over.

Have you opened a support ticket for this issue, if so could you please send that to me in a private message as well..

Re: Encyption users disappearing and "Unknown user" at pre-boot

The users are removed at random.  Like I said, I had this occur 3 times over the past month to 3 separate users (1 time per user).  So its not an everyday thing and is not affecting the same user, at least not yet.

Where is the orion log located?

Message was edited by: jsiergiej on 5/26/11 7:27:00 AM CDT
Level 12
Report Inappropriate Content
Message 15 of 18

Re: Encyption users disappearing and "Unknown user" at pre-boot


The orion.log is on the ser ver under <ePO installed folder>\server\logs.

Sorry one more question..  The users that are being removed, were they added as part of a LDAP OU/GROUP with recursion ?


Level 12
Report Inappropriate Content
Message 16 of 18

Re: Encyption users disappearing and "Unknown user" at pre-boot

Hi jsiergiej,

Did you manage to resolve you problem ?

Many thanks

Re: Encyption users disappearing and "Unknown user" at pre-boot

Glad to know we are not crazy. We have seen this too.

Message was edited by: rmnetops on 8/10/11 2:46:51 PM CDT

Re: Encyption users disappearing and "Unknown user" at pre-boot

We think we have this issue figured out, at least in our environment. It is related to the laptop computer object in EPO having the same MAC address as another laptop, because the agent at one time was installed while connected to the VPN (where clients may share the same MAC address). It will keep clobbering the user assignment on an EPO machine object, creating this problem.


McAfee Agent 4.6 (I added this because the tech did say it's an issue in 4.6 as well)

McAfee Agent 4.5

McAfee Agent 4.0
McAfee ePolicy Orchestrator 4.x

For details of all supported operating systems, see KB51109.


When a new computer is added to the ePolicy Orchestrator (ePO) tree another computer disappears.

The common factor is that this happens with computers that connect via a Virtual Private Network (VPN).


This problem will be encountered only when the first connection from a client computer to the ePO server takes place over a VPN connection. If the computer's first connection is via a Local Area Network (LAN), the correct Media Access Control (MAC) address is added to the table.

When a computer communicates with the ePO server via VPN, it uses the VPN virtual computer's MAC address and not its own actual MAC address. This VPN MAC address is usually the same for all computers connecting through the VPN.

This issue is not restricted only to VPN clients. Anything that could cause multiple computers to report the same MAC could cause this problem. For example, if you clone a virtual machine and do not reset the MAC address, both computers would report the same MAC address to ePO.

Solution 1

To avoid this issue, when adding a new computer to ePO Server, ensure that the first connection occurs via a LAN and not via VPN.

Solution 2

To resolve the issue if the computers have already connected via a VPN, create a new entry in the ePOVirtualMacVendor table with the Organization Unique Identifier (OUI) which is part of the VPN MAC address.

Step 1 - Determine the VPN MAC address to add to the ePO VendorID field.

The best way to obtain the VPN MAC address is to identify a computer that has connected to the ePO Server for the first time via VPN and removed the previous computer.

  1. From the client computer, use the agent Status Monitor to Collect and Send Props.
  2. Log on to the ePO console.
  3. Click Systems.
  4. Click the System Tree.
  5. Locate the computer that has connected via VPN.
  6. Double-click on the computer to view its properties.
  7. To the right of System Information, click More. This displays the VPN MAC address collected from the client.
  8. Scroll down and locate the MAC Address. Make a note of the first six digits of this MAC address in the next step. (Example: 00123F21ECED)

If you are unable to identify a computer using the virtual MAC, you can author a report to identify the computers:

  1. Log on to the ePO 4.x console.
  2. Click Menu, Reporting, Queries.
  3. Click New Query.
  4. Click System Management, Managed Systems and click Next.
  5. Select Single Group Summary Table for Display Results As.
  6. In the Labels Are: drop down, select MAC Address under Computer Properties and click Next.
  7. Click Managed State under Managed Systems, select Equals from Comparison drop-down and select Managed from Value drop-down.
  8. Click Run.

You should have a list of MAC addresses with a count of the number of systems reporting that MAC address. Ideally it would be a 1-to-1 ratio. If you have more than 1 system sharing the same MAC address, then that is probably your issue.

Step 2
- Modify the SQL script to add the computer to the tree.

NOTE: See KB56429 for how to run SQL scripts provided by McAfee Support using OSQL for ePO.

Use the SQL command syntax below to add the computer to the tree:

INSERT INTO ePOVirtualMacVendor (VendorID) values ('######')
Where: ###### is the first 6 digits of the VPN MAC address collected from the client.

Example: For a system with 00123F as the first six digits of the MAC address obtained in Step 1:

INSERT INTO ePOVirtualMacVendor (VendorID) values ('00123F')

Previous Document ID


on 8/10/11 2:50:44 PM CDT

Message was edited by: rmnetops on 9/9/11 1:39:16 PM CDT
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community