Preboot password not syncing after password change (CTRL-ALT-DEL)

One particular user, who is remote for a few weeks, is not able to get past PBA without recovery.

Drive Encryption 7.1.1

Win7

SSO

Chain of events:

User changes password with ctrl-alt-delete.

Password change detected and logged in ePO.

Person goes home.

Person forgets password.

I recover to get past preboot, have them log into a local account, start VPN and fast switch and log in with a temporary password I set for them.

Ctrl-alt-delete again to change password.

NO 'Password change' logged in ePO. User cannot successfully preboot.

So, if I am reading all the forums right - preboot *should* update de password on a) failed SSO login or b) C-A-D password reset

a) Is not happening I assume because I am recovering and SSO cannot be triggered

b) Is not happening because?

Collect/Send Props, Enforce policies, etc. all seem to work. No apparent connectivity issues between VPN device and ePO.

Yes, the eventual solution may be DE 7.1.3 but am hoping for a quicker fix.

McAfee Employee

Re: Preboot password not syncing after password change (CTRL-ALT-DEL)

This is the expected behavior. The user must be authenticated in PBA for a password sync to occur. This is documented in KB78474 - "Unable to authenticate at preboot after changing the password in Windows".

To work around this behavior in the future, perform an administrative user recovery and reset the user's token, allowing them to reset their PBA password first and loading their user at PBA. Once in Windows, now any password change at Ctrl + Alt + Del will be synchronized to the PBA user.

Re: Preboot password not syncing after password change (CTRL-ALT-DEL)

Reset token, got it.

Any idea if this is true even with MDE 7.1.3 and the periodic password sync?

McAfee Employee

Re: Preboot password not syncing after password change (CTRL-ALT-DEL)

Yes, this is the same behavior with 7.1.3. You must have a user logged into PBA for the PCDC functionality to work. It verifies the user's LastPassSet AD attribute against the token timestamp. Without a user loaded into PBA, there is no token timestamp to verify against.

However, once the user has authenticated at PBA, if the password is changed in a way that MDE cannot capture, such as within AD or on another system, the PCDC functionality will detect the password change and request that the user lock and unlock their system to update their preboot user's credentials.

Re: Preboot password not syncing after password change (CTRL-ALT-DEL)

I don't know!

Re: Preboot password not syncing after password change (CTRL-ALT-DEL)

Not sure
