Client always shows the System State as Inactive (when Users contain certificates)
Last Modified: 1/6/2024
Technical Articles ID:
KB69651
Environment
Drive Encryption (DE) 7.x
Microsoft Windows
Active Directory (AD)
For details of DE 7.1.x supported environments, see KB79422 - Supported platforms for Drive Encryption 7.x.

Problem 1
Some systems fail to activate after installing DE.
Client side: The user sees the following in the Encryption System Status window, even though the encryption policy is activated in ePolicy Orchestrator (ePO):
ePO console: The administrator sees the Client System Details showing for DE:
Clicking More, Disks shows the following message: No details available, as Drive Encryption is not Active

Problem 2
This problem is seen after configuring a policy to add users via Add Local Domain User, or after adding the users via ePO. A check at the ePO console to verify which users are assigned to the client shows that there are no associated users. To perform this check, click Menu, Data Protection, Encryption Users, select the client, then click Actions, Endpoint Encryption, View Users.

Cause
User records that contain certificates prevent the activation from being successful.
Solution 1
As a best practice, we recommend that the LDAP synchronization task parameter User Certificates be left blank.
This configuration might not be possible in specific cases, for example when a hardware token that stores certificates in AD is used for preboot authentication. From the DE 7.x Best Practices Guide (PD24868):

User Certificate
The User Certificate attribute is used by the ePO Server to determine which certificate should be sent from ePO to the client, for example, for smartcard tokens. It's better to clear this attribute when you use the Password only token. Setting this attribute can accumulate a large amount of certificate data in the ePO database and impact LDAP performance; therefore, you can remove the certificate query from

To overcome this issue, implement the workaround below.

Solution 2
If Solution 1 doesn't resolve this issue, search the Knowledge Base using the following string, including the double quotes, to locate other content covering inactive issues:

Workaround
Remove the certificate and verify that users are assigned to the client.

Related Information
See also related articles that cover the AD userCertificate attribute.
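Before changing the LDAP synchronization task (Solution 1) or clearing certificates from user records (Workaround), an administrator usually wants to know which AD users actually carry data in the userCertificate attribute, how much of it there is, and whether any of it belongs to a live smartcard token that preboot authentication still needs. The following PowerShell script is an added example written for this article; it is not part of the KB article or of the Drive Encryption product. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read user objects; the search base is a placeholder to adjust for your own domain.

```powershell
# Added example, not from the KB article or the product: audit AD user records that
# carry certificates in the userCertificate attribute. This is the data an LDAP sync
# with the "User Certificates" parameter populated would pull into the ePO database,
# and the records the workaround (remove the certificate) would touch.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# $SearchBase is a placeholder; replace it with your own OU or domain DN.

Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations-Users,DC=example,DC=com'   # placeholder, adjust for your domain

# Only users whose userCertificate attribute is populated.
$usersWithCerts = Get-ADUser -LDAPFilter '(userCertificate=*)' `
    -SearchBase $SearchBase -Properties userCertificate

$report = foreach ($u in $usersWithCerts) {
    # userCertificate is multi-valued; each value is a DER-encoded byte[].
    $certs = @($u.userCertificate)
    $bytes = ($certs | Measure-Object -Property Length -Sum).Sum

    # Subject and expiry of each value, to tell a stale leftover from a live smartcard cert.
    $subjects = foreach ($der in $certs) {
        try {
            $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            '{0} (expires {1:yyyy-MM-dd})' -f $c.Subject, $c.NotAfter
        } catch {
            'unparseable value ({0} bytes)' -f $der.Length
        }
    }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        CertificateCount  = $certs.Count
        CertificateBytes  = $bytes
        Subjects          = $subjects -join '; '
    }
}

# Largest records first: these are the ones that inflate the ePO database and slow the LDAP sync.
$report | Sort-Object CertificateBytes -Descending | Format-Table -AutoSize

# Totals give a feel for how much certificate data the sync task would import.
'{0} users, {1:N0} bytes of certificate data' -f $report.Count,
    ($report | Measure-Object -Property CertificateBytes -Sum).Sum

# Workaround from the article, kept behind -WhatIf so nothing is changed until you remove it.
# Apply it only to the accounts you have confirmed do not rely on a preboot smartcard certificate.
# $report | ForEach-Object { Set-ADUser -Identity $_.DistinguishedName -Clear userCertificate -WhatIf }
```

Run the report first and keep the output: the Subjects column is what lets you separate users who genuinely need their certificate sent to the client for a hardware token from records that merely accumulated certificate data. If every listed certificate is stale or belongs to users who authenticate with the Password only token, leaving the User Certificates sync parameter blank (Solution 1) is the safer fix, because it stops the accumulation instead of cleaning it up once.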