Unknown User (displayed during preboot after running the ePolicy Orchestrator Duplicate Agent GUID task)
Last Modified: 2023-04-26 09:21:36 Etc/GMT
Technical Articles ID:
KB75669
Environment
Drive Encryption (DE) 7.x
For details of DE-supported environments, see KB79422 - Supported platforms for Drive Encryption 7.x.
Problem
Users are unable to successfully authenticate at preboot.
Users who could previously authenticate successfully at preboot for a long period suddenly fail to do so after the ePolicy Orchestrator (ePO) administrator runs the ePO Duplicate Agent GUID task. A subsequent check using the ePO console identifies that the systems to which the users were previously assigned now have no users assigned. After checking the Audit Log, you see that the affected systems are listed as deleted and added.
System Change
The Duplicate Agent GUID - Remove systems with potentially duplicated GUIDs task has been run.
This task deletes the systems that have many sequencing errors and classifies the agent GUID as problematic. As a result, the agent is forced to generate a new GUID. The threshold number of sequencing errors is set in the query for systems with high sequence errors.
Cause
Several actions at the ePO console can lead to this problem:
At the next agent-to-server communication interval (ASCI), when the client communicates with the server, all previously assigned preboot users are removed from the client, leaving the computer in a locked-out state.
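One way to list the systems that the Audit Log shows as deleted and then added, so that their user assignments can be checked. This is an added example, not Trellix code; the CSV columns, action strings and system names are constructed assumptions, not an ePO export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a CSV export of Audit Log entries. The column names and
# action strings are assumptions for this example, not an ePO export schema.
SAMPLE_AUDIT_CSV = """\
timestamp,action,system_name,success
2023-04-20T08:00:00,Delete system,LAPTOP-014,true
2023-04-20T08:00:05,Delete system,LAPTOP-022,true
2023-04-20T08:00:09,Delete system,DESKTOP-301,false
2023-04-20T08:41:12,Add system,LAPTOP-014,true
2023-04-20T09:02:47,Add system,LAPTOP-022,true
2023-04-20T09:15:00,Add system,LAPTOP-777,true
2023-04-20T10:30:00,Delete system,LAPTOP-090,true
"""

def triage_audit_log(csv_text):
    """Return (re_added, pending) built from successful delete/add events.

    re_added: {system: (deleted_at, added_at)} - a new entry exists, so the
              users assigned to the old entry need to be checked.
    pending:  {system: deleted_at} - deleted, no new entry seen yet.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    deleted, re_added = {}, {}
    for row in rows:
        if row["success"].strip().lower() != "true":
            continue  # a failed action did not change the System Tree
        when = datetime.fromisoformat(row["timestamp"])
        name = row["system_name"].strip().upper()
        action = row["action"].strip().lower()
        if action == "delete system":
            deleted[name] = when
            re_added.pop(name, None)  # deleted again: the earlier pair is stale
        elif action == "add system" and name in deleted:
            re_added[name] = (deleted.pop(name), when)
    return re_added, deleted

if __name__ == "__main__":
    re_added, pending = triage_audit_log(SAMPLE_AUDIT_CSV)
    for name, (gone, back) in sorted(re_added.items()):
        print(f"{name}: deleted {gone}, re-added {back} -> check user assignments")
    for name, gone in sorted(pending.items()):
        print(f"{name}: deleted {gone}, no new entry yet")
```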
Solution
To avoid this issue, you must have Add Local Domain Users enabled. This option allows the system to detect and re-add local users to the computer when it syncs with ePO. The system can take 10 minutes or more to fully sync with ePO and add the users. If Add Local Domain Users is not in use, the users must be manually reassigned to the systems after the systems have synchronized and new entries have been created in the ePO System Tree. If you've already run the task, implement one of the following workarounds.
Workaround 1
Perform an Administrative Recovery using the challenge or response option, and allow the client to restart. To perform a challenge or response procedure, see the "Recovering users and systems" section in your DE Product Guide.
IMPORTANT: When the client has restarted and accessed Windows, wait and allow the client to synchronize with ePO, allowing the generation of a new Machine Object within ePO.
Workaround 2
To access the computer, perform an Emergency Boot. A recovery file is required to be authenticated and needs to be exported from ePO using the scripting API. For instructions on how to perform an Emergency Boot with the
Related Information
For product documents, go to the Product Documentation portal.