1 2 Previous Next 15 Replies Latest reply on Nov 21, 2014 5:18 PM by SeanKeeley

    Warning: EEPC 7.0 Can Activate Before Domain Join in Re-Image Situation

    SeanKeeley

      We've just started testing EEPC 7.0 and ran into a potential problem. The scenario is as follows.

      1. Domain-joined Windows machine has EEPC 7.0 deployed to it via ePO with the Add Local Domain User option enabled.
      2. EEPC activates as normal and encrypts.
      3. Some time later, the machine is re-imaged, including a new ePO GUID (i.e. the machine has a new software image installed, NOT just a restore from backup).
      4. If the re-imaged machine has a network connection, EEPC will activate regardless of whether it is domain joined or whether a domain user has logged in.

       

      In our case, the ePO server was running 4.6 patch 4 and the client agent was 4.6 patch 3.

       

      This behaviour is "as designed" -- we raised an SR about it and were told by Support that unless the machine's ePO object is deleted, ePO will re-use it in this situation and therefore EEPC will find the previously assigned user(s) and activate. (The ePO agent reuse is because, although the GUIDs are different, the MAC address is the same.)

       

I can see this being a significant problem in the situation where EEPC is integrated into the re-image process (i.e. the image includes the EEPC client). If a technician is re-imaging a previously encrypted machine, EEPC will activate as soon as a network connection is available, and the technician likely will not know the user ID necessary to get past the pre-boot. Pre-defining local user IDs would be a workaround but that seems like a bad idea from a security viewpoint. The Add Local Domain User option is an elegant solution to the problem of not enabling pre-boot until the machine is in the hands of its eventual user and I believe the product should not activate until a domain user logs into the newly re-imaged machine.
