This guide is valid for McAfee Drive Encryption versions 7.1, 7.1.2 and 7.1.3.
A boot sequence is executed by the BIOS and leads to the start of the bootable operating system. The boot sequence is the initial set of operations the computer performs when it is switched on. A boot loader (or bootstrap loader) is a short program that loads the main operating system. The BIOS first looks at the boot record at logical sector zero (the starting point) of the disk drive, known as the Master Boot Record (MBR), which contains the boot loader.
On BIOS systems, Drive Encryption alters the MBR: the BIOS loads the modified MBR, which then loads the sector chain containing the Pre-Boot environment. This pre-boot screen prompts the user for authentication credentials, which might be a password, smart card, or token. Only after successful pre-boot authentication is the disk key made available and the operating system loaded, which is what protects the data on a lost or stolen machine.
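The MBR handoff described above, as an added example (not code from this guide or from McAfee): a Python parser that validates a 512-byte MBR, extracts the partition table, and hashes the 440-byte bootstrap region so that an altered MBR, such as the one Drive Encryption writes, stands out against a known-good baseline. The sample images, boot-code stubs, disk signature and baseline hash are constructed for the example and do not represent the product's real boot code.

```python
"""Parse a BIOS-style MBR and flag boot code that differs from a known baseline.

Added example, not part of the original guide. The MBR images and the baseline
hash below are constructed for illustration; they are not Drive Encryption's
real boot code.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code
DISK_SIG_OFF = 440             # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
GPT_PROTECTIVE = 0xEE          # partition type of a GPT protective MBR (UEFI/GPT disk)


def build_mbr(boot_code: bytes, disk_sig: int, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR from its pieces (used here only to construct sample input)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        # status, CHS start (3 bytes, zeroed), type, CHS end (3 bytes, zeroed), LBA start, sector count
        table += struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)
    table = table.ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + struct.pack("<I", disk_sig) + b"\x00\x00"
            + table + BOOT_SIGNATURE)


def parse_mbr(mbr: bytes) -> Dict:
    """Validate the boot signature; return disk signature, boot-code hash and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "disk_signature": struct.unpack("<I", mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "is_gpt_protective": any(p["type"] == GPT_PROTECTIVE for p in partitions),
        "partitions": partitions,
    }


def boot_code_changed(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap region no longer matches the stock baseline hash."""
    return parse_mbr(mbr)["boot_code_sha256"] != baseline_sha256


# Constructed sample: a stock-looking MBR with one bootable NTFS (0x07) partition ...
STOCK_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8"   # constructed stub, not real
NTFS_PART = (0x80, 0x07, 2048, 204800)
STOCK_MBR = build_mbr(STOCK_BOOT_CODE, 0xDEADBEEF, [NTFS_PART])
STOCK_BASELINE = hashlib.sha256(STOCK_MBR[:BOOT_CODE_LEN]).hexdigest()

# ... and the same disk after the bootstrap code was replaced by a hypothetical pre-boot loader stub.
# The partition table is untouched; only the first 440 bytes differ.
PBA_BOOT_CODE = b"\xeb\x3c\x90PBA-STUB"                              # constructed, not real
PBA_MBR = build_mbr(PBA_BOOT_CODE, 0xDEADBEEF, [NTFS_PART])

if __name__ == "__main__":
    for name, image in (("stock", STOCK_MBR), ("pba", PBA_MBR)):
        info = parse_mbr(image)
        print(name, "boot code changed:", boot_code_changed(image, STOCK_BASELINE), info["partitions"])
```

On a live BIOS machine the same parser can be run on the first 512 bytes of the physical disk (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, both requiring administrative rights). A baseline hash taken before deployment lets you confirm afterwards that the pre-boot loader is in place while the partition table is unchanged; a partition of type 0xEE means the disk is GPT and the UEFI boot path applies instead of the MBR path described here.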
For ePO 5.x, install the McAfee Hotfix first:
Extract the file: EPO5xHF1048264.zip
Install the extension file ldapsync.zip that it contains:
Log on to the ePolicy Orchestrator server as an administrator.
Click Menu | Software | Extensions | Install Extension.
The Install Extension dialog box appears.
Click Browse, select ldapsync.zip, then click OK.
The Install Extension page appears with the extension name and version details.
Install the Endpoint Encryption extensions, in this order:
EEADMIN-X.zip
EEPC-X.zip
help_DE_X.zip
Log on to the ePolicy Orchestrator server as an administrator.
Click Menu | Software | Extensions | Install Extension.
The Install Extension dialog box appears.
Click Browse and select the extension file, then click OK. Repeat for each of the 3 zip files listed above, one at a time and in the order given.
The Install Extension page appears with the extension name and version details.
Check in the Endpoint Encryption packages, in this order:
MfeEEAgent-X.zip
MfeEEPC-X.zip
-Log on to the ePolicy Orchestrator server as an administrator.
-Click Menu | Software | Master Repository, then click Actions | Check In Package. The Check In Package wizard opens.
-Select Product or Update (.ZIP) from the Package type list, then browse to and select the package file. Repeat for each of the 2 zip files listed above, one at a time and in the order given.
-Click Next. The Package Options page appears.
-Click Save to begin checking in the package. Wait while the package is checked in.
-The new package appears in the Packages in Master Repository list on the Master Repository page.
Important note:
Before deployment, check the known issues for each laptop model you intend to encrypt, and test on one machine of each model before rolling out to the rest.
Register the Active Directory server
-Log on to the ePolicy Orchestrator server as an administrator.
-Click Menu | Configuration | Registered Servers, then click New Server. The Registered Server Builder wizard opens.
-Select LDAP Server as the server type and choose a name.
-Type the server name.
-Type the user name.
-Type the password and confirm it.
-Click Test Connection to ensure that the connection to the server works, then click Save.
Use a dedicated directory account with read-only rights for this connection rather than a domain administrator account: ePO stores the credential, and user/group synchronization only needs to read users and groups.
Configure the automation task for LDAP synchronization
-Log on to the ePolicy Orchestrator server as an administrator.
-Click Menu | Automation | Server Tasks. The Server Tasks page opens.
-Click Actions | New Task. The Server Task Builder wizard opens.
-On the Description page, name the task, type some notes about the task, and choose whether it is enabled, then click Next. The Actions page appears.
-From the Actions drop-down list, select EE LDAP Server User/Group Synchronization and accept the default values.
Note: If you are not using smart cards, it is a best practice to clear the User Certificate field (leave it blank).
-Click Next.
-Schedule the task, then click Next.
-Review the summary of task details, then click Save.
Configure the McAfee Drive Encryption Product Settings Policy
These policy settings are for an environment using Windows domain accounts without smart cards.
General Tab
-Enable the policy - Enable
-Disable Endpoint Encryption Go activation dependency - Disable
-Logging level: keep the default
-Enable all three options for hardening against cold boot attacks
-Expire users who do not log in - Disable
-Allow users to create endpoint info file - Enable (check the box)
Encryption Tab
-Encrypt: All Disks
-Encryption Provider Priority: PC Opal first, PC Software second (the drive's own Opal self-encryption is used where an Opal-compliant drive is present; otherwise software encryption is used)
LogOn Tab
-Enable automatic booting - Disable. If you enable this option, the pre-boot authentication screen is never shown; we refer to this as autoboot mode. In autoboot mode anyone who powers on the machine reaches the Windows logon screen, so the disk encryption no longer protects against an attacker with physical access.
-Allow temporary automatic booting - Enable
-Use of TPM for automatic booting: If available
-Log on message: write your company message to the end user here.
-Do not display previous user name at log on - Enable
-Enable on screen keyboard - Enable
-Always display on screen keyboard - Disable
-Add local domain users - Disable. Enable this option only if you want to automatically provision the Windows users (the user currently logged in and all cached profiles) as valid pre-boot accounts; its sub-option adds all previous and current local domain users of the system.
-Enable accessibility - Disable
-Disable pre-boot authentication when not synchronized - Disable
-Read username from smart card - Disable
-Enable SSO - Enable
-Must match user name - Enable
-Use smart card PIN - Disable
-Synchronize Endpoint Encryption password with Windows - Enable
-Allow user to cancel SSO - Disable
-Lock workstation when inactive - Disable
Recovery Tab
-Enabled - Enable
-Key size - Low
-Message: write your message for end users who cannot log on, such as the help desk phone number or instructions for the self-recovery option.
-Allow users to re-enroll self-recovery information at PBA - Disable
Boot Options Tab
-Enable Boot Manager - Disable
-Always enable pre-boot USB support - Disable
-Always enable pre-boot PCMCIA support - Disable
-Graphics mode - Automatic
Theme Tab
-Keep the default
Out-of-Band Tab
-Enable at PBA - Enable
Encryption Providers Tab
-Use compatible MBR - Disable
-Fix OS boot record sides - Disable
-Use Windows system drive as boot drive - Disable
-Enable Pre-Boot Smart Check - Disable
Companion Devices Tab
-Enable Companion Device Support - Enable or Disable depending on your choice. If you enable this option, end users get a self-recovery option through a smartphone.
Configure the McAfee Drive Encryption User Based Policy
Authentication Tab
-Token type: Password only
-Certificate rule: N/A
-Logon hours - Disable
Password Tab
-Change default password - Disable. Leave the default password "12345". Because the next option is enabled and the password is synchronized with Windows, this well-known default is never typed by the user and is replaced at the first pre-boot logon.
-Do not prompt for default password - Enable. Forces the user to create a new password the first time they see the pre-boot authentication screen.
-Password change: disable all of the following options, since SSO is in use and they would conflict with the Windows password requirements.
-Enable password history - Disable
-Prevent change - Disable
-Require change every: Disable. Password expiry follows the domain policy, because the pre-boot password is synchronized with the Windows password.
-Timeout password entry after X attempts - Disable
-Invalidate password after 10 attempts - Enable
-Allow showing of password - Disable
Password Content Rules Tab
-Display list of password rules - Enable
-Password length - leave the default
-Enforce password content - leave the default
-Password content restrictions - leave the default
Self Recovery Tab
-Enable self recovery - Enable
-Invalidate self recovery after No. of invalid attempts - Enable, set to 10
-Questions to be answered: 3
-Logons before forcing user to set answers: 0 (users must enrol their answers at their first pre-boot logon)
-Questions: it is recommended to customize the default question list; choose questions that users can answer consistently and whose answers are not easily looked up.
Companion Devices Tab
-Password definition - PIN, minimum 6 digits
Add Encryption Users
This is a very important step: without it, the encryption process on the system will not start.
-Go to Menu | Data Protection | Endpoint Encryption Users.
-Select the My Organization level in the system tree in the left pane and drill down to the group of systems that will be encrypted (a dedicated group in the system tree is recommended).
-Click the Group Users tab; the list will be blank.
-Click Actions | Endpoint Encryption | Add Users.
You can now add individual users, groups of users, or all the users in an OU. Typically you only want to select one or two accounts at this level: the end user's account and a help desk account.
-Select the gray button in the first row; this lets you add individual users.
You are now browsing the Active Directory structure made available by the AD server registered earlier.
-Browse AD for your account and check the box next to it. Do this again for any other accounts that should have pre-boot access to all of your encrypted systems, then click OK.
-Click OK again to proceed.
Your Group Users list should now show the accounts you selected.
Verify the user assignment
-Check the box next to the system.
-Click Actions.
-Click View Users.
The new window shows the users, groups and OUs assigned to the system.
There is a limit of 200 users per system. Even if you assign a group or an OU, make sure its expanded membership stays within 200 users. Every account assigned here can unlock every system in the group at pre-boot, so keep the assignment as small as the help desk process allows.
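The 200-user limit above is easy to exceed by accident when a group or OU is assigned, because nested groups expand. As an added example (not from this guide, and not the ePO or product API), the following Python walks a constructed in-memory directory the way a recursive AD membership query would: it de-duplicates users, terminates on membership cycles, and reports whether a candidate group fits within the limit. All DNs and the directory contents are hypothetical.

```python
"""Expand a directory group recursively and check it against the per-system pre-boot user limit.

Added example, not part of the original guide. The directory below is a constructed
in-memory stand-in for Active Directory (DN -> (object class, member DNs)); it is
not the ePO or Drive Encryption API.
"""
from typing import Dict, List, Optional, Set, Tuple

PBA_USER_LIMIT = 200  # maximum users that can be assigned to one system, per the guide

DirectoryType = Dict[str, Tuple[str, List[str]]]


def build_sample_directory() -> DirectoryType:
    """Constructed sample directory with a duplicate entry, a nesting cycle and an oversized group."""
    d: DirectoryType = {
        "CN=alice,OU=Users,DC=example,DC=com": ("user", []),
        "CN=bob,OU=Users,DC=example,DC=com": ("user", []),
        "CN=Helpdesk,OU=Groups,DC=example,DC=com": ("group", [
            "CN=bob,OU=Users,DC=example,DC=com",
            "CN=DE-Laptops,OU=Groups,DC=example,DC=com",   # cycle back to the parent group
        ]),
        "CN=DE-Laptops,OU=Groups,DC=example,DC=com": ("group", [
            "CN=alice,OU=Users,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
            "CN=alice,OU=Users,DC=example,DC=com",          # duplicate entry
        ]),
    }
    # A large group that nests DE-Laptops and adds 250 generated accounts: too big for one system.
    staff = [f"CN=user{i:03d},OU=Users,DC=example,DC=com" for i in range(250)]
    for dn in staff:
        d[dn] = ("user", [])
    d["CN=All-Staff,OU=Groups,DC=example,DC=com"] = (
        "group", staff + ["CN=DE-Laptops,OU=Groups,DC=example,DC=com"])
    return d


def expand_members(directory: DirectoryType, dn: str,
                   _seen: Optional[Set[str]] = None) -> Set[str]:
    """Return every user DN reachable from dn through nested groups.

    Visited DNs are tracked so that cycles (A contains B contains A) terminate and
    each object contributes once. Unknown DNs are treated as empty.
    """
    if _seen is None:
        _seen = set()
    if dn in _seen:
        return set()
    _seen.add(dn)
    kind, members = directory.get(dn, ("unknown", []))
    if kind == "user":
        return {dn}
    users: Set[str] = set()
    for member in members:
        users |= expand_members(directory, member, _seen)
    return users


def check_pba_assignment(directory: DirectoryType, dn: str,
                         limit: int = PBA_USER_LIMIT) -> Tuple[int, bool]:
    """Count distinct users behind dn and say whether assigning it to a system stays within the limit."""
    count = len(expand_members(directory, dn))
    return count, count <= limit


if __name__ == "__main__":
    d = build_sample_directory()
    for group in ("CN=DE-Laptops,OU=Groups,DC=example,DC=com",
                  "CN=All-Staff,OU=Groups,DC=example,DC=com"):
        count, ok = check_pba_assignment(d, group)
        print(f"{group}: {count} users, {'OK' if ok else 'EXCEEDS LIMIT'}")
```

Against a live domain the same walk is what a recursive membership query gives you (Get-ADGroupMember -Recursive in PowerShell, or an LDAP search over the member attribute); run it on the group before assigning it under Group Users, and note that what matters is the expanded membership, not the number of direct members the group displays.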
Create a group for decryption
-Assign a McAfee Drive Encryption Product Settings Policy to this group with the configuration:
General Tab
-Enable the policy - Disable (uncheck the box)
You can move a system into this group whenever it needs to be decrypted; it decrypts automatically once it picks up the policy.
Now you can start deploying the packages to the systems to be encrypted.