at the moment we are testing Drive Encryption and Location Aware Preboot. Based on customers need, local domain users should be added to the PBA as soon as possible.
We have the following problem.
- System is encrypted with DE 7.1.3
- The user is logged on in windows
- The System has the TAG EE:ALDU
- After rebooting the system, the user does not work in the PBA
We checked the Mfe LOG. It shows the username. EPO shows the user as well unter Encryption user.
So what could be the problem why the user is not able to authenticate in the preboot?
Is the user getting a 'Failed to authenticate' error or are they getting 'Unknown user'? Failed to authenticate would imply that there is a password and/or token issue in which case I would recommend trying to reset the token and then see if they continue to have the issue. Otherwise, 'Unknown user' would imply that ALDU is failing to add the user and/or the user is attempting to log in before the full policy enforcement has completed on the workstation. Logs would need to be investigated on client and server side and you may want to consider opening a support ticket.
we saw two steps which are taking a long time.
1) User does a logon in windows. After the desktop is available the user does a reboot. At this state we see an unknown user message in PBA
2) After some time and several logons the user is available in PBA, but now we get the Failed to authenticate error message.
I get it working, no problem, i just looking for an easy approach for the customer. Actually, the customer uses a product, where LDAP authenticaiton is available in the PBA. This is much easier to implement. So i´m looking for an easy to implement approach with McAfee DE and PBA.
1) My reply in the previous post would still apply here. There are too many unknowns for me to make a recommendation on what you should or should not do here.
2) Failed to authenticate implies that the user is entering a bad password. If this is their first time logging into the preboot environment then the user ID has a default password. The default password can be configured in your user based policy settings for MDE in EPO. The 'default' default password is set to '12345'.
If they are looking to utilize the same password from active directory for their preboot user accounts then they can configure single sign-on (SSO) within the product settings policy for MDE in EPO.