1 2 3 4 Previous Next 32 Replies Latest reply on Jun 2, 2016 4:25 PM by Travler

    "Administrator Recovery is now required"

    Travler

      I have an 6.3.1 EEPC encrypted laptop which has given the following message:

      This system is locked because it has been too long since the  last policy update.  Administrator Recovery is now required.

       

      After searching the Product Guid, these forums, and Google, I'm at a loss to account for this message.  Our "Product Settings" policy is set to "Disable pre-boot authentication when not synchronized" after 90 days.  Since we haven't had EEPC deployed for 90 days yet, I don't think that this is the problem.  I can't find any reference to a "policy update" setting in either of the EEPC policies (Product Settings or User Based Policies).

       

      Using Administrator Recovery will indeed unlock this, but I'd like to know what "policy update" this is referring to.  Most of our encrypted laptops are going to be off our network (not communicating with ePO) for extended periods of time, so I must find out what is causing this so I can make our endusers' experience better.

       

      Thanks in advance!

       

      Message was edited by: Travler UPDATE:  I used the Administrator Recovery, connecting the laptop to our network and updating the VSE dat.  I then verified that the laptop communicated with ePO.  I rebooted the laptop and received the exact same error, requiring yet another Administrator Recovery!  Any ideas...? on 2/29/12 12:43:15 PM GMT-06:00
        • 1. Re: "Administrator Recovery is now required"

          It would seem that there's something wrong with the eepc policy update. You need to check the epe logs.

           

           

          The feature was added in 6.1.2 though - https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 23000/PD23434/en_US/EEPC_6_1_2_Release_Notes.pdf

          • 2. Re: "Administrator Recovery is now required"
            Timmah

            Hi Travler,

             

            Two things:

             

            1. By any chance, had the system clock been fiddled with? (from the BIOS, for example) (Actually... can you check the date/time as set in the bios? Make sure it's correct?)
            2. An "ePO communication" isn't enough to revert the locked state ; you'll need a full/successful EEPC policy enforcement to remove the lock.

             

            Cheers,

             

            Tim

             

            Message was edited by: Timmah on 01/03/12 02:47:50 CST
            • 3. Re: "Administrator Recovery is now required"
              Travler
              • An "ePO communication" isn't enough to revert the locked state ; you'll need a full/successful EEPC policy enforcement to remove the lock.

               

               

              This apparently fixed the repeated "...system is locked..." message.  I went into the McAfee Agent Monitor and clicked on all the buttons there to ensure policy enforcement, but a quick reboot after this still displayed the "locked" message.  I Recovered again, went into the Agent Monitor again, clicked on everything again, but this time let it sit on the network for awhile.  When I came back to it and rebooted, the "locked" message was gone and I could log in as the end user successfully.

               

              This leads me to two questions:

               

              1.  I checked ou tthe system clock and it looks fine.  Any other ideas as to what may have caused this?  I find no reference to anything like this except for the "synchronization" setting I mentioned earlier.  While it seemed like it was a different issue, can you tell me if this is the same message you receive when you reach the "Disable pre-boot authentication when not synchronized" limit?

               

              2.  I've noticed that ePO communications involving EEPC are quite slow.  While, say, a VSE dat update or changing a VSE policy goes as fast as always, trying to get an EEPC policy change made takes quite some time.  Is this normal?

               

              Thanks again!

              • 4. Re: "Administrator Recovery is now required"
                Timmah

                Hi Travler,

                1.  I checked ou tthe system clock and it looks fine.  Any other ideas as to what may have caused this?  I find no reference to anything like this except for the "synchronization" setting I mentioned earlier.  While it seemed like it was a different issue, can you tell me if this is the same message you receive when you reach the "Disable pre-boot authentication when not synchronized" limit?

                 

                The act of figuring out how long it has been since the last communication will always depend on the system clock. In fact, most features of the product are very time-dependant. Tampering of the system clock isn't supported at all, and regarding this particular feature, it's designed to be safer than sorry, and will attempt to detect any such tampering. I unfortunately don't have any other ideas on this one. Is it possible that your BIOS is open to re-configuration by your end user, and they may have been toying with the clock? (clutching at straws here!).

                 

                2.  I've noticed that ePO communications involving EEPC are quite slow.  While, say, a VSE dat update or changing a VSE policy goes as fast as always, trying to get an EEPC policy change made takes quite some time.  Is this normal?

                 

                Thanks again!

                 

                Yes, this is normal. If you're referring to the speed differences between V6.0.x and >=V6.1.x, please see the following KB article: https://kc.mcafee.com/corporate/index?page=content&id=KB71865 (in short: we employed the use of events to allow scaling to much larger numbers, but events don't always get dispatched immediately).

                 

                Hope this helps,

                 

                Tim

                • 5. Re: "Administrator Recovery is now required"
                  Travler

                  Thank you, Tim.

                   

                  I've double-checked the clock and it's good.  I doubt that this end user would have the know-how to even get into the BIOS, but...you never know!  I guess I'll just have to keep an eye on this.  We set the policy to 90 days simply because we weren't sure what to do (being new to EEPC and all) and 90 days seemed reasonable, so I imagine that if it becomes a headache, we'll either 1) move the time out further, or 2) simply turn it off.

                   

                  I've only started using EEPC this past December, so 6.1 is all I've experienced.  However, the KB you referred me to did help me understand the situation.

                   

                  Thanks again!

                  • 6. Re: "Administrator Recovery is now required"
                    Travler

                    I've just been handed my second laptop that is stating: This system is locked because it has been too long since the last policy update. Administrator Recovery is now required.

                     

                    Again, just as before, this machine's "Product Settings" policy is set to "Disable pre-boot authentication when not synchronized" after 90 days.  After Recovering, I promptly checked the Last Security Update Check and noted that it was on 1/17/2012.   While I neglected to confirm the Policy Enforcement date listed in the EE System Status window, I do know that this laptop was originally encrypted in early January, confirming that we were nowhere near the 90 day parameter.  (Also, the user was locked out two weeks ago, so I'm estimating that the time from the last sync was somewhere around 45-60 days.  This would fall within the same time window that the first laptop got locked out.)

                     

                    I am at a total loss to understand why we are getting the "too long since the last policy update" message.  (I'm positive that these two end users did not tamper with the system clock.)

                     

                    I am now decrypting this laptop (which is the 3rd of our 4 test EEPC laptops to be decrypted) so the end user can continue her work.  If I can't find an answer to this, I imagine my supervisor will start to investigate other vendors.  I assumed EEPC was going to be a challenge, but this test/PoC has been one rocky road.

                     

                    Does anyone have any further thoughts or ideas?

                    • 7. Re: "Administrator Recovery is now required"
                      Timmah

                      Hi Travler,

                       

                      I'm sorry to hear that you've experienced this again. Are you able to provide the logs for this machine? Also, could you check the audits in ePO related to this machine?

                       

                      Thanks,

                       

                      Tim

                      • 8. Re: "Administrator Recovery is now required"
                        Travler

                        Hello again, Tim.

                         

                        There are two logs.  The first one is MFEEPE.1.LOG and is the oldest.  The second one is MFEEPE.LOG and contains the most current entries.

                         

                        As for the ePO audits, I've recently moved from 3.6.1 to 4.6; could you clarify which audits you're referring to, and where to find them?

                         

                        Thanks!

                        • 9. Re: "Administrator Recovery is now required"
                          Timmah

                          Hi Travler,

                           

                          For the audits, please go to: Queries & Reports -> Shared Groups -> Endpoint Encryption, then run the query EE: Product Client Events. You should be able to export the table (XML or HTML would be good).

                           

                          Many thanks!

                           

                          Tim

                          1 2 3 4 Previous Next