
September 5th, 2018 21:00

Unable to unlock, locked cached PBA user

Hi,

We are testing using DDS for management of SEDs for a system operating in a Workgroup environment.  At the moment 20 failed logons is the maximum that can be set before a user is locked out within the PBA.  My issue is that there seems to be no way to unlock that user in the PBA through the DDS server.  The unlock command sent from the DDS server seems to only work when the whole SED is locked out, and not an individual user.

The only workaround I have at the moment is to send a command to bypass the PBA, then send a command to remove all users from the PBA, then let the local accounts sync again with the PBA on next logon.

Any help would be greatly appreciated.

156 Posts

September 6th, 2018 05:00

Hi Yostie___,

Currently the method to unlock a user would be to leverage the command of "Remove Users" within the Dell Security Management Server for that endpoint.

In the image below, you can see the option highlighted (it's wayyyyy at the bottom of a specific endpoint's "Details & Actions" options under "PBA Device Control / Cloud Device Control" (PBA is an acronym for Pre-Boot Authentication environment), or formerly "SED Device Control" in older servers). Once you have clicked this command, you'll notice the green highlight shows that this command has been prepped. As the endpoint in question enters the PBA, if it can reach the Dell Security Management Server, this command will be picked up, and the "Received" and "State" columns will populate.

By default, the Pre-Boot Authentication environment for Dell Encryption will only collect commands initially during the boot of the PBA. There is an endpoint-based policy (can be set at the "Enterprise", "Endpoint Group", and "Endpoint" levels) under "Authentication" -> "Pre-Boot Authentication" within the "Show advanced settings" section called "Enable Client Check For PBA Commands", which once consumed by the endpoint causes the PBA to check for commands every 5 minutes as it sits within the PBA.

RemoveUsers1.png

I hope that helps get you moving forward!

9 Posts

September 6th, 2018 14:00

Thanks Dale.  Appreciate the quick reply.  Maybe in a future release, the ability to unlock users would be a good addition.  It would also be great to add the ability to unlock users or remove the users within the recovery tools in the WinPE ISO.

Thanks again

Simon

156 Posts

September 6th, 2018 15:00

Glad to help!

I have submitted your feedback to our Product Marketing and Product Owners to see what we can do for your concern :)

I'll also check with our development teams to see if there may be a quick workaround to allow the removal of user accounts from the PBA to force an "unlock" of affected users within the recovery WinPE.

9 Posts

September 6th, 2018 15:00

Thanks Dale,

Much appreciated.

9 Posts

September 6th, 2018 18:00

Sorry Dale, just have one more question.

Is there any way to back up the OpalSP key?  What we are trying to do is re-image a machine after the PBA, with a base image.  This base image has the Encryption Management Agent installed pointing to our DDS server.  The problem is, when the workstation is re-imaged the Encryption Management Agent will no longer be able to modify the PBA, because the OpalSP Key is null or empty.  Is there a way we could back up the OpalSP Key, and re-apply it after the workstation is re-imaged?

Many Thanks 

Simon

156 Posts

September 7th, 2018 03:00

Hi Simon,

Currently the OpalSP key ("key" following this) is escrowed up to the Dell Security Management Server before the Pre-Boot Authentication environment is set on the local endpoint. This key is bound to the hostname of the current device that is activated against your Dell Server. You can download this key through the server in "Management" -> "Recover Data" -> "PBA" (formerly "SED"). In this screen you can enter the FQDN of the device (the same name that is shown within "Populations" -> "Endpoints"), and then hit "Search"; this will give you the OpalSP key that can be used for a manual recovery for those devices that have already been re-imaged.

More information on retrieving the key here:

https://www.dell.com/support/manuals/us/en/19/dell-data-protection-encryption/recoveryguide/obtain-the-recovery-file---remotely-managed-sed-client?guid=guid-b2d1b3a0-c891-4560-a9f1-ec136f7440be&lang=en-us

It is highly suggested to disable the PBA if possible before re-imaging the device; this will really smooth your transition to a new OS. If that's not possible, then a manual recovery is sadly the way to go.

More information on the manual recovery process here:

https://www.dell.com/support/manuals/us/en/19/dell-data-protection-encryption/recoveryguide/perform-a-recovery?guid=guid-b170833a-17de-4974-9618-d5437aa95865&lang=en-us

And a link to the WinPE ISO that is mentioned in the recovery documentation here:

https://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=YPJ2G

Let me know if you need more info! :)

9 Posts

September 10th, 2018 18:00

Thanks Dale.  Your assistance is much appreciated.
