I have not tested this feature yet, but in my understanding you have two possibilities
- enable "auto boot" for a limited time, so the EEPC agent might be able to capture the Windows credentials
- the user has to enter "any" password on first preboot auth. It does not matter which one, because it would be overwritten during Windows logon (depends on policy)
What you are seeing is expected behavior. Instead of having to enter a default password, the user is instead allowed to simply create a new one. SSO won't happen until they complete that step and then login to Windows. We expect that most people will enter their Windows password when prompted to create that new password in the pre-boot.
We currently have set up a 3 day window that a machine will auto-boot after encryption is first installed to allow it to learn who logs in and automatically add them through the add domain users policy. If I set the policy to not prompt for a default password, can anyone confirm whether the Windows password will get synced to the encryption so that the first time a user is presented with the pre-boot authentication it will just take their Windows password rather than prompting to create a new one first?
This sounds like a much more user friendly way of doing things, especially when you have a large distributed user base.
I think asking users to define a password which is only ever used once is pretty much useless!
Whilst I'm on it, having an option to allow the administrator to control SSO into the OS would also be useful.
I know SSO can be disabled, but I would like to have the option of using the Windows AD credentials and still forcing a second logon onto the domain.
Brianm, the answer to your question is no. The SSO logic (i.e. password learning) does not happen until pre-boot authentication is enabled and the user logs into it once, and then logs into Windows. This means the user still must enter something in the pre-boot password field the first time that they see it. With the policy set to not prompt for a default password, the user can now enter anything they want in this screen instead of having to enter a known default password. We expect that most people will just enter their Windows password, but technically they could enter anything they want (as long as it meets the password complexity requirements you have established).
Hi, Dlarson, many thanks for all your valuable posts here. Can I please check with you on some questions which I am not sure about?
I have currently EEPC 6.1 product setting policies as follows:
- Add local domain users: enable - this is the option that automatically provisions the Windows users (currently logged in and all cached profiles) as valid pre-boot accounts.
- Enable SSO: enable
- Must match user name: enable
- Synchronize Endpoint Encryption Password with Windows: enable
Scenario 1: With the above settings on, there is one user (User A) who has already logged into the preboot screen using the default password 12345, then been prompted to input a new password; after resetting the preboot password, User A then logs into Windows. Question: If a second user (User B), which is a Windows user with a cached profile in Windows, tries to log into the preboot screen for the first time, will User B have to use the default password, then be prompted to input a new password? (i.e., with "Add local domain users" enabled, does every local user account have to go through every single step upon its first preboot screen logon?)
Scenario 2: Because SSO is enabled, after User A has once successfully logged on through the preboot screen and Windows, User A's preboot account password is synchronized with the Windows password. Since the preboot screen password just set is used only once, what is the point of configuring all the password policy options in the user based policy?
Scenario 3: With SSO enabled, if a user account's password is changed on the AD server, when will the preboot screen user account's password be synchronized with the AD server? If for some reason, such as network connectivity issues, synchronization with the AD server fails, what will happen to the entire user logon / SSO flow? i.e., for the preboot screen, the user using the new password won't be able to log into the preboot screen; but if the user uses the old password, will SSO still succeed?
Please help! Thanks a lot.
I know this is an old thread but I am curious as to how you set up a 3-day window for automatic booting. When I go to the EEPC Product Settings policy I see where to Enable Automatic Booting and where to set an expiration date. Do you give machines that are greater than 3 days old a different policy? If so, how do you tell that the machine is over 3 days old? Thanks in advance.