Unknown User (displayed during preboot after running the ePolicy Orchestrator Duplicate Agent GUID task)
Technical Articles ID:   KB75669
Last Modified:  6/29/2018


Environment

McAfee Drive Encryption (DE) 7.x

For details of DE supported environments, see KB79422.

Problem

Users are unable to successfully authenticate at preboot.

Users who could previously authenticate successfully at preboot for a long period suddenly fail to do so after the ePolicy Orchestrator (ePO) administrator runs the ePO Duplicate Agent GUID task.

A subsequent check using the ePO console identifies that the systems to which the users were previously assigned now have no users assigned.

After checking the Audit Log, you see that the affected systems are listed as deleted and added.

System Change

The Duplicate Agent GUID - Remove systems with potentially duplicated GUIDs task has been run.

This task deletes systems that have accumulated a large number of sequence errors and marks their agent GUIDs as problematic, which forces each affected agent to generate a new GUID. The threshold number of sequence errors is set in the query for systems with high sequence errors.

Cause

Several actions at the ePO console can lead to this problem:
  • Running the Duplicate Agent GUID task removes the DE user assignments from the system, because the assignments are mapped to the system object that the task deletes. The task removes both entries for the GUID from the database and re-creates the system object at the next agent-server communication interval (ASCI). This changes the AutoID of the system in the ePO SQL database, so the old assignments no longer point at the system.
  • Running one of the system queries for duplicate systems or sequence errors, selecting a system, and then clicking Actions, Directory Management, Move GUID to Duplicate List and Delete system.
  • Selecting a system in the ePO System Tree and clicking Actions, Directory Management, Move GUID to Duplicate List and Delete system.
  • Performing any other action that deletes a system in ePO. Any deletion of the system object causes the managed system to lose all of its user assignments.
At the next ASCI, when the client communicates with the server, all previously assigned preboot users are removed from the client, leaving the computer in a locked-out state.

Solution

To avoid this issue, enable the Add Local Domain Users option. With this option enabled, the system detects and re-adds its local users when it synchronizes with ePO. A full synchronization with ePO, including re-adding the users, can take 10 minutes or more. If Add Local Domain Users is not enabled, the users must be manually reassigned to each affected system after it has synchronized and a new system entry has been created in the ePO System Tree.
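When Add Local Domain Users is not enabled, the administrator needs to know which users each re-created system used to have. The following Python script is an added example, not McAfee code and not taken from this article: it records the DE preboot user assignments before the Duplicate Agent GUID task runs, diffs that snapshot against the re-created system objects afterwards, and lists the users to reassign. It assumes the ePO remote API shape (https://<epo>:8443/remote/<command>, JSON selected with :output=json, replies prefixed with "OK:"); the server name, the two DE command names EE_LIST_CMD and EE_ADD_CMD, and all sample data are placeholders, and the DE commands must be checked against core.help on your own server before use.

```python
"""
Added example, not McAfee's code: snapshot Drive Encryption (DE) preboot user
assignments before the ePO Duplicate Agent GUID task, then diff the snapshot
against the re-created system objects to list users that must be reassigned.

Assumptions (none taken from the KB article):
  * ePO remote API: https://<epo>:8443/remote/<command>?<params>&:output=json,
    replying "OK:\\n<json>" on success or "Error <n>: <message>" on failure.
  * EE_LIST_CMD / EE_ADD_CMD are placeholder names for the DE commands that
    list and add a system's preboot users; run core.help on your own server
    to find the real command names and parameters.
"""
import json
from urllib.parse import urlencode

EPO_BASE = "https://epo.example.local:8443/remote"   # hypothetical server
EE_LIST_CMD = "eeadmin.listUsersForSystem"           # assumed command name
EE_ADD_CMD = "eeadmin.addUsersToSystem"              # assumed command name


def remote_url(command, **params):
    """Build an ePO remote-API URL for `command`, asking for JSON output."""
    query = urlencode(params)
    return f"{EPO_BASE}/{command}?{query}{'&' if query else ''}:output=json"


def parse_epo_response(body):
    """ePO prefixes a successful reply with 'OK:'; anything else is an error."""
    if not body.startswith("OK:"):
        raise RuntimeError(f"ePO remote API error: {body.strip()}")
    payload = body[len("OK:"):].strip()
    return json.loads(payload) if payload else None


def snapshot(systems, list_users):
    """
    Map ComputerName -> {"guid": AgentGUID, "users": set of preboot users}.
    `systems` is parsed system.find output (ePO table.column keys);
    `list_users(name)` returns the DE user list for that system and is
    injected so the example runs offline.
    """
    return {
        s["EPOComputerProperties.ComputerName"]: {
            "guid": s["EPOLeafNode.AgentGUID"],
            "users": set(list_users(s["EPOComputerProperties.ComputerName"])),
        }
        for s in systems
    }


def orphaned_users(before, after):
    """
    Compare a pre-task snapshot with a post-task one. A system whose object
    was deleted and re-created comes back with a new AgentGUID and no DE
    users; the difference in user sets is what has to be reassigned. Systems
    not yet re-created are reported with all former users so the check can
    be rerun after the next ASCI. Returns {ComputerName: sorted users}.
    """
    lost = {}
    for name, old in before.items():
        new = after.get(name)
        missing = old["users"] if new is None else old["users"] - new["users"]
        if missing:
            lost[name] = sorted(missing)
    return lost


def reassign_urls(lost):
    """One remote-API call per system, using the assumed EE_ADD_CMD."""
    return [remote_url(EE_ADD_CMD, names=name, users=",".join(users))
            for name, users in sorted(lost.items())]


# Constructed sample data: stands in for two system.find calls and the DE
# user listing before and after the task. GUIDs and names are made up.
BEFORE_RAW = "OK:\n" + json.dumps([
    {"EPOComputerProperties.ComputerName": "LAPTOP01",
     "EPOLeafNode.AgentGUID": "8C1C0B2E-0000-4000-8000-000000000001"},
    {"EPOComputerProperties.ComputerName": "DESKTOP07",
     "EPOLeafNode.AgentGUID": "8C1C0B2E-0000-4000-8000-000000000002"},
])
AFTER_RAW = "OK:\n" + json.dumps([
    {"EPOComputerProperties.ComputerName": "LAPTOP01",   # deleted, re-created
     "EPOLeafNode.AgentGUID": "8C1C0B2E-0000-4000-8000-0000000000A1"},
    {"EPOComputerProperties.ComputerName": "DESKTOP07",  # untouched
     "EPOLeafNode.AgentGUID": "8C1C0B2E-0000-4000-8000-000000000002"},
])
USERS_BEFORE = {"LAPTOP01": ["alice", "bob"], "DESKTOP07": ["carol"]}
USERS_AFTER = {"LAPTOP01": [], "DESKTOP07": ["carol"]}


def run_demo():
    """Return the users each system lost when its ePO object was re-created."""
    before = snapshot(parse_epo_response(BEFORE_RAW), USERS_BEFORE.__getitem__)
    after = snapshot(parse_epo_response(AFTER_RAW), USERS_AFTER.__getitem__)
    return orphaned_users(before, after)


if __name__ == "__main__":
    lost = run_demo()
    for name, users in lost.items():
        print(f"{name}: reassign {', '.join(users)}")
    for url in reassign_urls(lost):
        print(url)
```

Run the snapshot half before the task and the diff after the affected systems have completed their next ASCI; a system that is still missing from system.find has not been re-created yet, and reassigning users to it before then would only be lost again.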

If you have already run the task, implement one of the following workarounds.

Workaround 1

Perform an Administrative Recovery using the challenge/response option, and allow the client to restart.

To perform a challenge/response procedure, see the "Recovering users and systems" section in your DE Product Guide.

IMPORTANT: After the client has restarted and reached Windows, wait for it to synchronize with ePO so that a new machine object is generated in ePO. Only then can the preboot users be re-added (automatically if Add Local Domain Users is enabled, otherwise by manual reassignment).

Workaround 2

To access the computer, perform an Emergency Boot. Authentication for the Emergency Boot requires a recovery file, which must be exported from ePO using the scripting API.

For instructions on how to perform an Emergency Boot with the DETech or Standalone boot disk, see the respective DETech User Guide.
