This is EEPC 6.2
1) Passwords sync via McAfee Agent communication (ASCI). If the user is stuck at pre-boot authentication it will never sync. This will change in version 7 on systems with specific Intel CPUs through the use of McAfee Deep Command.
2) Follow the recovery procedures appropriate for your setup in section 8 of the product guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23743/en_US/ee_620_product_guide_en-us.pdf
Hi, thanks for your answer in the first question.
About the second question, the question goes more into how I change the Windows password as a domain admin and make sure it syncs to the EEPC. Because the behavior we are seeing after a password change in the domain is erratic. It does not sync immediately, I have to reboot twice for the EEPC to sync the Windows password again. Is there a right procedure to ensure the sync happens?
It should sync with EEPC upon login, then be written to the PBFS (pre-boot file system) after the first ASCI, which I believe is 5 min by default. To make things happen immediately I open the agent monitor and run the top four buttons, send events, collect all props etc. I'm sure you don't have to press all four, but doing so actually makes some things happen twice in case something required sending an event on one ASCI and receiving a task on the second or whatever. Anyway, it gets the job done. If doing it remotely, run agent wake up with force send all props.
Be sure to open the encryption monitor so you can see when it has finished updating PBFS, it will say "enforcing policies" when it's done. Or wait at least 1-2 minutes after the ASCI/wakeup to reboot.
AD passwords and EEPC passwords are disjoint. The only time they might get synchronized is if you use SSO. Are you using SSO?
Yes I am using SSO!
I am going to try to click the four buttons to see if it works, though I believe I have tried this before.
The key thing to understand here is that Windows will *not* inform EEPC about any password changes made at the AD server, and thus we cannot sync Windows user passwords to EEPC passwords when the password change is made at the server. This is for security - I am sure that you would not wish AD to broadcast your new password to anyone that asked for it :-)
In contrast, when the Windows password is changed at the client (perhaps through Ctrl-Alt-Delete, for example), the Windows client does notify us of the new password and we can then synchronise this password across into the EEPC password for the user. Since EEPC runs in the system context on the client, Windows will allow this to happen.
Password change at AD: Sync from Windows user->EEPC user is not supported
Password change at client: Sync from Windows user->EEPC user is supported
I hope this clarifies things for you.
Um... That's not true... It syncs all the users/groups that you specify in ePO...
dwebb, what you are saying helps me understand better. But I don't think there is not a right way to do it. If a password change occurs in the Domain, what is the right way to make sure this change replicates to EEPC?