1 Reply Latest reply on Nov 18, 2016 1:30 PM by jhall2

    McAfee Drive Encryption and Active Directory


      We are using the latest McAfee Drive Encryption We will be encrypting a system and will enable the pre-boot. In the past, we have only done users that are not part of a domain/active directory. I will usually assign the local windows login name to the encryption users list under ePO. Know, we have a user who is part of the new company Active Directory. Not familiar in how the pre-boot and encryption interacts with Active Directory.


      1. What user do I assign as encryption users? Do I use the AD name say peter.smith@xyc.com or use the local windows login name.

      2. Our McAfee ePO server is currently not part of that AD and does not sync with it, will that cause issues?

      3. When the AD password changes for that user will it sync that change up to the Pre-Boot.

        • 1. Re: McAfee Drive Encryption and Active Directory

          You will first need to create a Registered LDAP Server in ePO under Actions | Configuration | Registered Servers. I recommend pointing to the domain itself rather than to a specific DC. ePO is not required to be on the domain that it is querying.


          You can use Encryption Users to assign the users to the systems just as you have done before. However, in the upper left of the LDAP picker, you will see an option for "Look in:" which is a drop down that will allow you to select users from either the domain you have registered or user directory.



          You can also use the Add Local Domain Users option in the Product Policy. This will automatically assign Active Directory users that has previously logged into that specific system. Do not add more than 5000 users to any system as the PBFS could run out of space and ideally the user assignments should be a one to one match of user to system.


          Password changes will only be captured on a client system in which MDE is installed and the user changing the password is the user that logged into preboot. Specific information can be found in KB79339.


          There is an option in the product policy under SSO that will enable MDE to check the LastPassSet timestamp for the current user in AD against the timestamp for the Preboot user. If they are out of sync, the user will be prompted to lock and unlock their system for MDE to capture the password.