SeanKeeley
Level 7

Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

We've just started testing EEPC 7.0 and ran into a potential problem. The scenario is as follows.

  1. Domain-joined Windows machine has EEPC 7.0 deployed to it via ePO with the Add Local Domain User option enabled.
  2. EEPC activates as normal and encrypts.
  3. Some time later, the machine is re-imaged, including a new ePO GUID (i.e. the machine has a new software image installed, NOT just a restore from backup).
  4. If the re-imaged machine has a network connection, EEPC will activate regardless of whether it is domain joined or whether a domain user has logged in.

In our case, the ePO server was running 4.6 patch 4 and the client agent was 4.6 patch 3.

This behaviour is "as designed" -- we raised an SR about it and were told by Support that unless the machine's ePO object is deleted, ePO will re-use it in this situation and therefore EEPC will find the previously assigned user(s) and activate. (The ePO agent reuse is because, although the GUIDs are different, the MAC address is the same.)

I can see this being a significant problem in the situation where EEPC is integrated into the re-image process (i.e. the image includes the EEPC client). If a technician is re-imaging a previously encrypted machine, EEPC will activate as soon as a network connection is available, and the technician likely will not know the user ID necessary to get past the pre-boot. Pre-defining local user IDs would be a workaround but that seems like a bad idea from a security viewpoint. The Add Local Domain User option is an elegant solution to the problem of not enabling pre-boot until the machine is in the hands of its eventual user and I believe the product should not activate until a domain user logs into the newly re-imaged machine.

15 Replies
tommersyip
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

I agree. We have the same issue. I have done the same, raised an SR and such, and ended up with the same issue.

I would like the option of requiring ALDU prior to activation of any system.

0 Kudos
SeanKeeley
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

Support themselves raised a PER on this issue and have closed our SR (which is fine with us).

0 Kudos
Timmah
Level 11

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

Hi,

The main issue here (as you've pointed out) is that the machine hasn't been deleted from ePO, and the MAC address doesn't change. As far as ePO and EEPC are concerned, it's the same machine, even if its GUID changes.

To solve your issue, and indeed to increase the security (by minimising assigned users), you really should delete the machine from ePO as a matter of course for re-imaging. If you don't, then the newly imaged machine might have arbitrary users assigned that really don't belong there.

Cheers,

Tim

0 Kudos
Timmah
Level 11

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

Hi again,

There is also the possibility of using the "Only add currently logged on user(s): activation is dependent on a successful user assignment". However, this won't help if you use ALDU to add other previously logged-in domain users.

Cheers,

Tim

0 Kudos
SeanKeeley
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

I agree that deleting the machine from ePO is a good idea in principle but it is not practical in our case -- we have thousands of encrypted machines all over the world which are re-imaged as required by local technical support. As a result, we believe EEPC's behaviour needs to be changed to prevent immediate activation based on "remembered" user assignment(s).

0 Kudos
tommersyip
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

SeanKeeley wrote:

I agree that deleting the machine from ePO is a good idea in principle but it is not practical in our case -- we have thousands of encrypted machines all over the world which are re-imaged as required by local technical support. As a result, we believe EEPC's behaviour needs to be changed to prevent immediate activation based on "remembered" user assignment(s).

SafeBoot v5 and previous did not remember previous user assignments either - this behavior is new with 6 and above.

0 Kudos
SafeBoot
Level 21

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

Unfortunately, because it's so common for people to delete machines from EPO, we had to change the architecture within EEPC6 to support this kind of thing, so the machines are much more amenable to re-using existing configurations, or even to replacing deleted configurations back into EPO.

How about using the EPO API within your image process to look up the machine leaf node and delete it?

0 Kudos
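One way to script the "delete the leaf node before re-imaging" step that Tim and SafeBoot both suggest, as an added example (not McAfee's code and not from anyone in this thread). It assumes the ePO 4.6 web API remote commands `system.find` and `system.delete`, the `:output=json` parameter, the `EPOComputerProperties.*` field names in `system.find` output, and that `searchText` matches on MAC address; confirm all of these against your server's `core.help` before relying on them.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample of a system.find response with :output=json (not a real capture).
SAMPLE_FIND_RESPONSE = "OK:\n" + json.dumps([
    {"EPOComputerProperties.ParentID": 42, "EPOComputerProperties.ComputerName": "LAPTOP-OLD",
     "EPOComputerProperties.NetAddress": "001A2B3C4D5E"},
    {"EPOComputerProperties.ParentID": 77, "EPOComputerProperties.ComputerName": "LAPTOP-OTHER",
     "EPOComputerProperties.NetAddress": "001A2B3C4D5F"},
])


def parse_epo_response(body):
    """ePO prefixes remote-command output with 'OK:' (success) or 'Error:' (failure)."""
    if not body.startswith("OK:"):
        raise RuntimeError("ePO error: " + body.strip())
    return json.loads(body[3:].strip())


def normalise_mac(mac):
    """Compare MACs as 12 upper-case hex digits (ePO stores NetAddress without separators)."""
    return "".join(c for c in mac.upper() if c in "0123456789ABCDEF")


def select_leaf_nodes(records, mac):
    """Leaf-node IDs of every system object with this MAC, the key ePO re-uses on re-image."""
    wanted = normalise_mac(mac)
    return sorted({int(r["EPOComputerProperties.ParentID"]) for r in records
                   if wanted and normalise_mac(r.get("EPOComputerProperties.NetAddress") or "") == wanted})


def epo_call(server, user, password, command, **params):
    """Run one remote command over HTTPS with basic auth and return the parsed payload."""
    params[":output"] = "json"
    url = "https://%s:8443/remote/%s?%s" % (server, command, urllib.parse.urlencode(params))
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    ctx = ssl.create_default_context()  # verifies the ePO certificate; load your CA if it is private
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_epo_response(resp.read().decode())


def delete_stale_machine(server, user, password, mac):
    """Delete the old object(s) for this hardware before the new image first talks to ePO,
    so no remembered user assignments are there to trigger activation."""
    found = epo_call(server, user, password, "system.find", searchText=normalise_mac(mac))
    ids = select_leaf_nodes(found, mac)
    if ids:  # assumed: system.delete accepts a comma-separated list of leaf-node IDs
        epo_call(server, user, password, "system.delete", ids=",".join(map(str, ids)))
    return ids
```

Run it from the imaging step with an ePO account that has only the system-tree delete permission on the relevant group, which addresses the credential concern raised later in the thread.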
SeanKeeley
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

Using the ePO API sounds interesting but would not be a simple thing in our case. We don't have one imaging process, we have many, and credentials to allow deleting ePO records would seem to be an issue as well.

I still believe that, at the very least, EEPC 7 needs an option (although I believe it should be the default) to NOT activate based solely on previously assigned domain users, but to wait until there has been a domain login on the current image.

0 Kudos
tommersyip
Level 7

Re: Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

We currently have this set and have seen inconsistent behavior - old users are sometimes pulled in, sometimes they are not.

Timmah wrote:

Hi again,

There is also the possibility of using the "Only add currently logged on user(s): activation is dependent on a successful user assignment". However, this won't help if you use ALDU to add other previously logged-in domain users.

Cheers,

Tim

Message was edited by: tommersyip on 1/30/13 12:45:37 PM CST
0 Kudos