Symantec Privileged Access Management

  • 1.  About TDI filter question

    Posted Jan 24, 2023 07:44 PM
    [Environment]
    CA PAM 4.0.1

    [Question]
    After installing SFA, a warning message is generated in the Windows syslog file.
    =====
    TDI filter (\Driver\XcdmTDIFlt)  was detected.
    This filter has not been certified by Microsoft and may cause system instability.
    =====

    Do you know how not to show the message?
    Is it effective to disable UEFI secure boot?
    Also, I think that Microsoft's Transport Driver Interface (TDI) is used within PAM SFA.
    Has Broadcom confirmed its safety?

    Best regards,
    Marubun


  • 2.  RE: About TDI filter question

    Broadcom Employee
    Posted Jan 24, 2023 11:37 PM
    Hello, can you clarify what Windows release you have the SFA installed on? A new Microsoft certified driver is included in PAM 4.0.2 and newer for Windows releases 2012 R2 and newer, see the enhancement "The PAM Access Agent and Socket Filter Agent Certified by Microsoft to Work in a Windows Secure Boot Environment".


  • 3.  RE: About TDI filter question

    Posted Jan 25, 2023 12:48 AM
    Edited by MARUBUN SUPPORT Jan 25, 2023 02:05 AM
    Hi,

    I will check the Windows release version.
    Just to be sure, please let me ask you a question.
    If we use Windows release 2012 R2 or newer and PAM 4.0.2 or newer, we should not see the message.
    Correct?
    Also, even if we see the warning message, it is no problem, is it?

    Best regards,
    Marubun




  • 4.  RE: About TDI filter question

    Posted Jan 25, 2023 03:42 AM
    An additional question:

    We cannot upgrade to 4.0.2 or upgrade the OS.
    In this case, we must disable secure boot.
    That is correct, isn't it?

    Best regards,
    Marubun


  • 5.  RE: About TDI filter question

    Broadcom Employee
    Posted Jan 25, 2023 09:59 AM
    Yes, with the newer PAM versions and current Windows releases there should be no problem. You may not be going to 4.0.2, but you will have to upgrade to 4.1.X very soon, because 4.0 reaches End Of Service in three months, see the PAM Release and Support Lifecycle Dates page.


  • 6.  RE: About TDI filter question

    Posted Jan 25, 2023 06:46 PM
    Hi Ralf,

    >Yes, with the newer PAM versions and current Windows releases there should be no problem.

    Thank you.
    However, I'm waiting for the answers to the following questions.

    :Even if we see the warning message, it is no problem, is it?
    :If we cannot upgrade PAM and the OS and if we don't want to see the warning message, we have to disable secure boot.
    That is no problem, is it?

    Best regards,
    Marubun


  • 7.  RE: About TDI filter question

    Broadcom Employee
    Posted Jan 25, 2023 07:13 PM
    I'm not aware of an actual problem with the older driver. Whether or not you disable secure boot is a decision you have to make.


  • 8.  RE: About TDI filter question

    Posted Jan 25, 2023 07:18 PM
    Hi,

    >Whether or not you disable secure boot is a decision you have to make.

    I would like to know if the warning message is not shown if we disable secure boot.
    Correct or not?

    Best regards,
    Marubun


  • 9.  RE: About TDI filter question

    Broadcom Employee
    Posted Jan 25, 2023 07:21 PM
    I assume so, but I don't have such a setup. Maybe someone else in this community can chime in.


  • 10.  RE: About TDI filter question

    Posted Jan 25, 2023 07:25 PM
    Hi Ralf,

    Thank you very much.

    Marubun