12 Replies Latest reply on Jun 28, 2017 3:55 PM by mmoyle

    DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating

    slateythree

      MfeEpe.log shows:   INFO    EpePcMonitor.6028                    Users AD timestamp out of date. Showing notification.

       

      Every two hours (default polling interval for AD domain controllers).

       

      So far only seen this on one out of the 4 systems DE 7.1.3 is deployed to.  On all systems, we are also seeing the McAfee tile on the Credential Provider screen.

       

      Reference #s 1052112 & 1046611

       

      https://kc.mcafee.com/corporate/index?page=content&id=KB84502

       

      Anyone else seeing this in testing?

        • 1. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
          slateythree

          Cleared SSO for the user - so far so good. 

           

          Will update if status changes.

           

          Agent 4.8.0.1938 DE: 7.1.3 ePO 4.6.8 with the LDAP sync hotfix installed (Win 7 x64 system in BIOS mode)

          • 2. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
            robg3381

            We're testing 7.1.3 and rolled it out to a test group.  Of the 41 upgraded systems, we have had 1 user mention this problem.  I have not had them reset the token yet as I wanted to learn more about the issue before I just fixed it.

             

            We too are noticing the McAfee tile on login as well.

             

            ePO 5.1, Agent 4.8.0.1500.  DE is 7.1.3

             

            Here is a larger snapshot of the MFeEPE log.

             

            2015-08-26 19:10:36,911 INFO    MfeEpeCredentialProviderServiceV2    MfeEpeCredentialProviderServiceV2217330b2-4c26-11e5-af25-acfdce1f51d4 initialized successfully

            2015-08-26 19:10:36,911 INFO    MfeEpeCredentialProviderServiceV2    Service Started Successfully

            2015-08-26 19:10:37,020 INFO    MfeEpeCredentialProviderServiceV2    Service Stopped Successfully

            2015-08-26 19:10:37,067 INFO    MfeEpeCredentialProviderServiceV2    MfeEpeCredentialProviderServiceV2217330b4-4c26-11e5-af25-acfdce1f51d4 initialized successfully

            2015-08-26 19:10:37,067 INFO    MfeEpeCredentialProviderServiceV2    Service Started Successfully

            2015-08-26 19:10:40,515 INFO    DRIVER                               Session notification: EPEPC_DRIVER_SESSION_UNLOCK

            2015-08-26 19:10:41,573 INFO    MfeEpeCredentialProviderServiceV2    Service Stopped Successfully

            2015-08-26 19:12:53,946 INFO    EpePcMonitor.5100                    Users AD timestamp out of date. Showing notification.

            2015-08-26 19:14:54,552 INFO    EpoPlugin                            enforcePolicy: No policy enforcement required (nothing has changed), waiting until next ASCI.

            2015-08-26 19:27:54,023 INFO    EpePcMonitor.5100                    Users AD timestamp out of date. Showing notification.

            2015-08-26 19:30:10,491 INFO    EpoPlugin                            enforcePolicy: No policy enforcement required (nothing has changed), waiting until next ASCI.

            2015-08-26 19:42:53,912 INFO    EpePcMonitor.5100                    Users AD timestamp out of date. Showing notification.

            2015-08-26 19:45:26,531 INFO    EpoPlugin                            enforcePolicy: No policy enforcement required (nothing has changed), waiting until next ASCI.

            • 3. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
              jhall2

              The timestamp for the last password change located in AD is newer than the MDE token timestamp for the user. MDE queries AD and pulls the "PassLastSet" timestamp attribute and compares it to the MDE user token timestamp. If the AD timestamp is newer, a prompt will be displayed. However, some of the reasons why the AD timestamp would be newer than the MDE timestamp include:

               

                 1. The client system is not utilizing the same NTP server, resulting in the Domain Controller and client system not being in sync.

                 2. The client system's clock was changed prior to the password change.

                 3. A third party password sync utility is utilized that updated the password in AD after the capture of the change at the Ctrl + Alt + Del on the client system.

               

              The McAfee icon on the credential provider tile is shown with MDE 7.1.3 as the MDE credential provider logon component is always active when the system is displaying the credential provider. This change was made to allow MDE to capture the password any time it is entered, not just when the password is being changed, to reduce the occurrences of PBA and domain passwords out of sync.

              • 4. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                robg3381

                Great response!  Thanks!  Do you or anyone know of a way to grab the MDE user token timestamp manually for a user?  Either within ePO or on the users' endpoint?

                • 5. Re: Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                  jhall2

                  The MDE user timestamp can be found in the Machine Info File that can be generated by clicking on the Machine Info button on the MDE Status Monitor (Option must be enabled in the product policy). The timestamp can be converted using an epoch time converter. (The year will be 369 years in the future)

                   

                  The AD attribute can be obtained using the DSQuery command run on a domain controller:

                   

                  DSQuery * "CN=TestUser,CN=Users,DC=<YourDomainName>, DC=<Com>" -Attr PwdLastSet

                   

                  The AD timestamp can be then converted using the w32tm command:

                   

                  w32tm.exe /monitor /computers:<hostname>

                  example: w32tm.exe /monitor /computers:MyDC

                  • 6. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                    slateythree

                    Hi jhall,

                    The problem is that even after locking the screen and re-entering credentials with MDE apparently updating the credentials, at the next AD polling interval, the user is prompted yet again.

                     

                    Also, with regards to the McAfee tile overlay, it would seem to be a bug which is under investigation:  1046611

                    046611 - 7.1.0 - Investigating - Issue: The McAfee tile on the Credential Provider screen keeps appearing even after the Single Sign On (SSO) is captured for a user.

                    https://kc.mcafee.com/corporate/index?page=content&id=KB84502

                     

                    So the question still remains, is there a solution to this issue with the AD polling feature that is new to DE 7.1.3?  Workarounds would be to clear SSO or disable the balloon notification completely in the policy (but that's not a solution to the issue.)

                    • 7. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                      jhall2

                      The bug 1046611 has been closed as it is the intention that the shield at the logon and lock screen be displayed to inform the user that MDE may be able to capture this logon.

                       

                      The issue that is present when the balloon is displayed multiple times is the result of the AD timestamp being newer than the timestamp of the user token. The user token timestamp will not be updated unless a change to the password occurs. Locking and unlocking the machine in which no password change occurs will not update the timestamp. Clearing the SSO information will cause the password to be recaptured and result in the timestamp being updated. However, if the issue was caused by the client machine's clock being set incorrectly and that issue has not yet been corrected or a third party password update utility updates the Last Password Set AD attribute for the user, the behavior may reoccur.

                      • 8. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                        slateythree

                        jhall2 wrote:

                         

                        The bug 1046611 has been closed as it is the intention that the shield at the logon and lock screen be displayed to inform the user that MDE may be able to capture this logon.

                         

                         

                        Thanks.  I figured the McAfee tile overlay was intentional when I first saw it - but then when I saw the bug listing in the Known issues page, I wasn't so sure.

                         

                        With regards to the AD timestamp, I'll need to see how more machines behave as we pilot to a larger test group.  We've had it occur on 3 out of 12 machines so far - I would've thought it would update upon lock and unlock since the prompt is shown specifically to update the credentials, but I guess that isn't the case.

                        • 9. Re: DE 7.1.3 - User keeps receiving Balloon notification Preboot password needs updating
                          robg3381

                          Thanks jhall.  I got the Endpoint Info file, but converting using epoch is giving me some crazy values (see below).  To make sure that it wasn't just the trouble users' token/system, I also tried a couple other systems and got similar date/times.  I tried the first 2 Google results for "epoch time converter".

                           

                          UserNameTime:            1426075236148    converts to Wed Mar 11 2015 08:00:36 GMT-0400 (Eastern Daylight Time)

                          Token Timestamp:         13070401734933 converts to Thu Mar 08 2384 14:08:54 GMT-0500 (Eastern Standard Time)

                          Logon Data Timestamp:    13085238080488 converts to Mon Aug 27 2384 08:21:20 GMT-0400 (Eastern Daylight Time)

                          Self-Recovery Timestamp: 13046883475541 converts to: Fri Jun 10 2383 10:17:55 GMT-0400 (Eastern Daylight Time)

                          SSO Timestamp:           13070401734153 converts to: Thu Mar 08 2384 14:08:54 GMT-0500 (Eastern Standard Time)

                           

                          For this specific user, their AD timestamp was Monday, August 10, 2015 10:15:10 AM
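
Added example, not part of any post in this thread and not McAfee code: a small converter that puts the two timestamps discussed above on the same UTC scale and applies the "AD newer than token" comparison. It assumes the Machine Info values are milliseconds counted from the Windows FILETIME epoch (1601-01-01 UTC), which fits the 369-year offset mentioned in the thread but is not confirmed by it; the `pwdLastSet` sample is constructed from the AD time quoted above, treated as UTC.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch. AD stores pwdLastSet as 100-ns ticks from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """Convert an AD pwdLastSet value to UTC.

    Returns None for 0, which AD uses for "must change password at next
    logon" and which is therefore not a real change time.
    """
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def mde_ms_to_utc(ms):
    """Convert a Machine Info timestamp to UTC.

    ASSUMPTION: the value is milliseconds since 1601-01-01 UTC. A Unix
    epoch converter applied to it lands roughly 369 years in the future.
    """
    return FILETIME_EPOCH + timedelta(milliseconds=ms)

def ad_ahead_of_token(pwd_last_set, token_ms):
    """Return how far the AD change time is ahead of the token (timedelta).

    A positive result is the condition the thread says triggers the balloon.
    Returns None when pwdLastSet carries no usable time.
    """
    ad_time = filetime_to_utc(pwd_last_set)
    if ad_time is None:
        return None
    return ad_time - mde_ms_to_utc(token_ms)

def needs_preboot_update(pwd_last_set, token_ms):
    """True when AD's last password change is newer than the MDE token."""
    delta = ad_ahead_of_token(pwd_last_set, token_ms)
    return delta is not None and delta > timedelta(0)

TOKEN_MS = 13070401734933          # "Token Timestamp" value quoted in the thread
PWD_LAST_SET = 130836753100000000  # constructed: 2015-08-10 10:15:10, treated as UTC

if __name__ == "__main__":
    print("token :", mde_ms_to_utc(TOKEN_MS).isoformat())
    print("AD    :", filetime_to_utc(PWD_LAST_SET).isoformat())
    print("ahead :", ad_ahead_of_token(PWD_LAST_SET, TOKEN_MS))
    print("prompt:", needs_preboot_update(PWD_LAST_SET, TOKEN_MS))
```

A small positive difference points to clock skew between the client and the domain controller, while a gap of weeks or months points to a password change the token never captured. On Windows, `w32tm /ntte <value>` performs the same FILETIME conversion for a raw `pwdLastSet` value.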
