000036049 - RSA Authentication Agent 7.3.3 for Windows prompt does not appear after the first reboot of Windows 10 when McAfee SafeBoot is installed

Document created by RSA Customer Support Employee on Feb 21, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036049
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version: 7.3.3
IssueThe following  behavior occurs:
  • When McAfee SafeBoot (now known as McAfee Drive Encryption [DE]) is installed on a machine running Windows 10 that also has the RSA  Authentication Agent 7.3.3 installed, every time the machine is booted. the RSA SecurID prompt does not display.
  • Once logged in, if a user locks the machine and unlocks it, it starts prompting for RSA SecurID credentials and the user authenticates successfully.
  • Subsequent logins work as  expected.
  • The SecurID prompt does not appear after the first reboot on Windows 10.
  • Tried changing the Credential Manager setting and enabling Exclude the Third-party Credential Providers.
  • This behavior has been tested on multiple machines and recreated consistently.
Current settings are:

  • Exclude the Microsoft Password Credential Provider = Not configured
  • Exclude the RSA Credential Provider for disconnect auth = Not configured
  • Exclude the RSA Smart Card Credential Provider = Not configured
  • Exclude the Third-party Credential Providers = Enabled
  • The auto registration client is installed.
CauseBased on the article entitled Single Sign On fails on systems that have third-party credential providers installed in the McAfee Knowledge Center, there is a known McAfee issue that the McAfee provider named MfeEpeCredentialProvider is not compatible with third-party credential providers.  Here's an excerpt:from that article:
DE/EEPC does not currently support any third-party Windows credential provider integrations. These third-party credential providers are conflicting with the DE/EEPC credential provider because, on Windows systems, it is not possible to chain the DE/EEPC credential provider.
ResolutionThe fact that the RSA credential tile does not appear during the first logon after a reboot is not within the control of the RSA Authentication Agent. In all  cases the RSA Authentication Agent returns a credential tile to LogonUI normally.  The fact that it is not displayed is (probably) because the SafeBoot product is filtering third party credential providers on the first logon after reboot.

The customer needs to engage McAfee to find a workaround. It might be possible to configure SafeBoot to not use its' MfeEpeCredentialProvider, but that needs to be handled by McAfee.

The RSA Authentication Agent 7.3.3 for Windows is functioning as designed.