Defender Hotfix 255241 - How to redeploy Software Tokens after applying hotfix. (4262899)

The Defender hotfix for KB 328355 enhances the security of Defender tokens.

This Hotfix will need to be installed anywhere tokens are generated (such as Administration Console / Management Portal / Management Shell).

Once installed this hotfix will now use a cryptographically secure pseudorandom number generator to generate encryption keys for Defender software tokens, making the generated tokens more secure.

 After applying the hotfix all new tokens issued will utilize the enhanced token security changes, however previously deployed tokens will remain and the previous level of security.

To ensure all Defender tokens utilize the enhanced level of security please follow the steps outlined in the resolution section of this KB article.

Please Note – If the Defender installation is upgraded to a later version, the hotfix must be re-applied for the new version.  Please consult KB 328355 for all versions of the hotfix.

Previously released deprecated versions of Defender are also impacted and should be upgraded to the latest version of Defender along with the corresponding hotfix for that version.

The Product Lifecycle can be located here.

Downloads for the latest version can be located here.

NOTE: The below steps should only be actioned after the hotfix has been applied.

Resolution # 1 - Recommended

For each existing software token:

1. Depending on your workflow for distributing software tokens to your user base, perform one of the following:
   1. Program a new token through one of the Defender administrative interfaces, for example, the Administrative Console or the Management Portal and assign that token to the user in question
   2. Have the user in question request a new token through the Defender Self-Service Portal
2. Once the user has the activation (or QR) code for the new token, instruct the user to open the Defender Soft Token app that they’re using, for example, Soft Token for iOS and perform the following steps:
   1. Delete their current token from the app
   2. Enter the activation code (scan the QR code) for the new token
3. Once the user has confirmed that they have the new token set up, unassign the old token from the user and delete it through one of the Defender administrative interfaces

Additional considerations:

1. IMPORTANT: When programming additional tokens for users, the licensed token count may be exceeded and Defender will display a warning message. The product will, however, continue to function normally and the warning message will disappear once the old tokens have been unassigned.
2. If a user has multiple soft tokens, the workflow above will need to be performed for each token
3. To minimize the impact on the user base, consider processing tokens in batches, finishing up with one batch before moving on to the next
4. If a user is using a software token to authenticate to Defender Desktop Login and offline login is enabled, the user must perform at least one online login with the new token, in order for the token to get cached for subsequent offline authentication

Resolution # 2

For each existing software token:

1. Unassign the token from the user and delete it through one of the Defender administrative interfaces
2. Depending on your workflow for distributing software tokens to your user base, perform one of the following:
   1. Program a new token through one of the Defender administrative interfaces, for example, the Administrative Console or the Management Portal and assign that token to the user in question
   2. Have the user in question request a new token through the Defender Self-Service Portal
3. Once the user has the activation (or QR) code for the new token, instruct the user to open the Defender Soft Token app that they’re using, for example, Soft Token for iOS and perform the following steps:
   1. Delete the current token that they have from the app
   2. Enter the activation code (scan the QR code) for the new token

Additional considerations:

1. IMPORTANT: Once a token is unassigned from a user, they will not be able to authenticate with their Soft Token app until they register the new token. This must be communicated to the user base
2. If a user has multiple soft tokens, the workflow above will need to be performed for each token
3. To minimize the impact on the user base, consider processing tokens in batches, finishing up with one batch before moving on to the next