McAfee Drive Encryption 7.1


Release Notes
Hotfix 1097826
McAfee Drive Encryption 7.1.3
For use with ePolicy Orchestrator

Contents
- About this release
- Resolved issues
- Installation instructions
- Known issues
- Additional information
- Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Important: When installing a new version of a product, upgrading an existing product or performing any complex changes to the environment, always ensure that a copy of the ePO Database is taken for DR purposes. For more information on the backup process see KB66616 “ePO server backup and disaster recovery procedure”.

Important: We do not support the automatic upgrade of a pre-release software version. To upgrade to a production release of the software, you must first uninstall the existing version.

Release build – 7.1.3.559

This release was developed for use with:
- McAfee ePolicy Orchestrator 4.6.7, 4.6.8 and 4.6.9
- McAfee ePolicy Orchestrator 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.3.0, 5.3.1

Purpose

This Hotfix release of McAfee Drive Encryption (DE) 7.1 Patch 3 (7.1.3) introduces fixes for issues that were reported in the previous versions.

Read this before upgrading

Upgrade from EEPC 6.x.x

Customers using EEPC 6.1.2 or later only need to upgrade the extensions to either EEPC 7.0 Patch 2 or Patch 3 before initiating the upgrade process to DE 7.1 Patch 3. These clients can then be upgraded directly from EEPC 6.1.2 or later to DE 7.1 Patch 3.

Once the extension has been checked in, follow the steps detailed in the McAfee Drive Encryption 7.1 Product Guide – PD24867.

Before upgrading EEPC 6.1.x or 6.2.x clients to DE 7.1 Patch 1, McAfee strongly recommends that you review KB81522.

Upgrade from EEPC 7.0 RTW or 7.0 Patch 1

Customers using EEPC 7.0 RTW or EEPC 7.0 Patch 1 only need to upgrade the extensions to either EEPC 7.0 Patch 2 or Patch 3 before initiating the upgrade process to DE 7.1 Patch 3 (DE 7.1.3). These clients can then be upgraded directly from EEPC 7.0.x to DE 7.1.3.

Once the extension has been checked in, follow the steps detailed in the McAfee Drive Encryption 7.1 Product Guide – PD24867.

Upgrade from EEPC 7.0 Patch 2 or Patch 3 to Drive Encryption DE 7.1.x

Perform these tasks to upgrade from EEPC 7.0 Patch 2 or Patch 3 to Drive Encryption 7.1.3:

1. Upgrade the EEPC 7.0 Patch 2 or Patch 3 EEAdmin extension to EEPC 7.0 Patch 4, which is included in the DE 7.1.3 HF1097826 Package.
2. Follow the remaining upgrade steps in the McAfee Drive Encryption 7.1 Product Guide – PD24867, which remain the same.

Upgrade from Drive Encryption 7.1.x to Drive Encryption 7.1.3

Perform these tasks to upgrade from DE 7.1, 7.1 Patch 1 (7.1.1) or Patch 2 (7.1.2) to Drive Encryption 7.1.3:

1. Ensure that there are no LDAP Sync tasks running. If any are running, then wait for them to complete.
2. Disable all LDAP Sync tasks before initiating the upgrade.
3. Install the Drive Encryption 7.1.3 extensions to the McAfee ePO system.
4. Check in the Drive Encryption 7.1.3 Agent and PC software packages to the McAfee ePO system.
5. Re-enable all LDAP Sync tasks.
6. Deploy the Drive Encryption 7.1.3 software packages to the client system.
7. Restart the client system after the deployment task has completed.

Upgrading systems with TPM autoboot policy enabled

On upgrade of the client to DE 7.1.3, the user will be prompted to authenticate in preboot due to boot measurement changes caused by the upgrade process. Without intervention, Help Desk calls may be generated as users attempt to log back onto their systems after the upgrade, as TPM autoboot users may not know their preboot usernames or passwords, or no users may be assigned to the system.

Intel Security recommends that ePO administrators take proactive actions to mitigate the potential problem using one of the following approaches:

Method 1 - Enable temporary autoboot for two reboots prior to upgrading systems that are running with TPM autoboot policy enabled. This will ensure that new boot measurements are made following the upgrade, and that preboot will not be displayed.

In summary the steps needed are as follows:

1. Enable temporary autoboot via policy.
2. Enable temporary autoboot on each TPM autoboot endpoint with “--number-of-reboots 2” on an active 7.1.x client.
   Note: It is recommended that 2 instances of temporary autoboot are set to allow the boot code to be synced.
3. Deploy DE 7.1.3 EEAgent and EEPC.
4. Reboot the client when prompted. (This will use insecure temporary autoboot.)
5. On the next reboot of the client the temporary autoboot will again be exercised.
6. For any subsequent reboots, secure TPM autoboot will be reinstated.

Important: Whilst temporary autoboot is enabled, the system is not secure.

Method 2 - Enable normal autoboot via policy before sending down the upgrade task to systems that are running with TPM autoboot policy enabled. The normal autoboot policy can be disabled/revoked by the ePO administrator once the systems report a successful upgrade to DE 7.1.3.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

| Reference | Issue description |
|-----------|-------------------|
| 1047480 | The policy “TPM Autoboot” is not applied correctly on a Microsoft Surface Pro 3 due to Algorithm requirements. |
| 1084527 | A machine in UEFI BIOS mode may appear to hang at preboot if the “out of band” policy is enabled and no user input is made. |
| 1085224 | HASP Token is incorrectly recognized as an E-Token preventing login at preboot |
| 1092250 | McAfee’s DEGO fails to upgrade if the Major Version numbers for DEGO match the preinstalled version and the upgrade version. |
| 1034556 | Fujitsu Models A547H and A547K internal mouse moves erratically in preboot if a USB mouse is also attached. |

Installation instructions

For information about installing or upgrading Drive Encryption for PC, see McAfee Drive Encryption 7.1 Product Guide - PD24867. For Product Guide documentation corrections, refer to KnowledgeBase article KB79912.

Please refer to McAfee KnowledgeBase article KB83541 for further information about the installation and configuration of the Data Protection Self Service Portal (DPSSP).

Known issues

For a list of known issues in this product release, refer to McAfee KnowledgeBase article KB84502.

Privacy Notice

Data Protection Self Service Portal (DPSSP) collects users' login names, system names, IP addresses, and audit data. Access to this information is available in DPSSP reports within McAfee ePO. Make sure that access to these reports is authorized and appropriately managed.

Additional information

Product documentation

This release of DE 7.1 Patch 3 includes the following documentation set.

Standard product documentation

McAfee documentation provides the information you need during each phase of product implementation, from installing a new product to maintaining existing ones. This release of DE 7.1 Patch 3 includes the following documents:

- McAfee Drive Encryption 7.1.3 HF1097826 Release Notes (this document)

Knowledgebase articles

- FAQs for Drive Encryption 7.1.x: KB79784

- Drive Encryption 7.1.x Error Codes and Messages: KB79785
- Supported Environments for Drive Encryption 7.1.x: KB79422
- How to install, configure and use the Data Protection Self Service Portal (DPSSP) — KB83541
- Web API commands for McAfee Drive Encryption: Out of Band Management — KB83542
- How to identify and remove Drive Encryption duplicate users and groups — KB84531
- How to access Windows Safe Mode when Drive Encryption or Endpoint Encryption is installed: KB73714
- Tablet support for Drive Encryption 7.1.x and Endpoint Encryption for PC 7.0.x: KB78049
- How to upgrade the operating system to Windows 10 with Drive Encryption 7.1 Patch 3 installed: KB84962
- Important information about Windows 8 Recovery Tools and the interaction with EEPC 7.0.x and DE 7.1: KB76638

Note: Windows Recovery Console (F8 recovery) is not available on Samsung Slate 700T tablets because technical issues prevent F8 recovery from working on this platform.

Note: For general information about the recovery tools available with McAfee Drive Encryption 7.x please refer to the FAQs for Drive Encryption 7.1.x KB79784.

Supported tokens and readers

McAfee Drive Encryption for PC supports different logon tokens and token readers. The token type associated with a user or a group can be modified using McAfee ePO. For details on modifying tokens, see the McAfee Drive Encryption 7.1 Product Guide.

KnowledgeBase articles for tokens and readers in DE 7.1.x

For more information about supported tokens and readers, refer to these KnowledgeBase articles:

- Supported Tokens for authentication in Drive Encryption 7.1.x KB79787
- Supported Readers for authentication in Drive Encryption 7.1.x KB79788

Support for self-encrypting Opal-based disk drive

Drive Encryption 7.1.x provides support for self-encrypting Opal-based disk drives on UEFI and BIOS.

UEFI

Opal-based self-encrypting disk drives will be supported on UEFI systems where the system is Windows 8 logo compliant and if the system was shipped from the manufacturer fitted with an Opal self-encrypting drive.

Opal-based self-encrypting disk drives might not be supported on UEFI systems if the system is not Windows 8 logo compliant, or if the system did not ship from the manufacturer fitted with an Opal self-encrypting drive.

This is because a UEFI security protocol that is required for Opal management is only mandatory on Windows 8 logo compliant systems where an Opal-based self-encrypting disk drive is fitted at the time of shipping. Those shipped without self-encrypting drives might or might not include the security protocol. Without the security protocol, Opal management is not possible.

Note: Drive Encryption 7.1.x will support the Opal-based encryption provider on UEFI systems fitted with an Opal-based disk drive if the UEFI protocol EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is present on the system.

BIOS

Opal is supported for Opal-based disk drives under BIOS. To activate a system using the native Opal functionality, Windows 7 SP1 Operating system and above is required. On systems with Opal-based disk drives where the Operating System is Windows 7 RTW or below, PC software encryption will be used.

Note: By default, software encryption will be used on both Opal and non-Opal based systems in Drive Encryption 7.1.x. To make sure that Opal technology is chosen in preference to software encryption, we recommend you always set Opal as the default encryption provider by moving it to the top of the list on the Encryption Providers page. This makes sure that Opal locking is used on Opal-based disk drives. For more information about Opal, refer to the FAQs available in KB79784.

Reimaging Opal drives

When an Opal system (activated using the Opal encryption provider) is reimaged and restarted without first removing Endpoint Encryption, the user is locked out of the system. This happens because:

- The Pre-Boot is held off the disk and it is still active when the system is restarted.
- The Pre-Boot File System is destroyed during the imaging process.

Note: On BIOS systems, IDE and RAID modes are not supported with Opal. For more information regarding Opal support, please review the KnowledgeBase article KB75045. Opal activation might occasionally fail because the Microsoft defragmentation API used fails to defragment the host. If this happens, the activation will restart at the next Agent-Server Communication Interval (ASCI).

Before installing Drive Encryption 7.1.x

Make sure that you read this section completely and take the following precautions before installing Drive Encryption 7.1.x on the client.

Disk hardware failure during Encryption

We recommend running a CHKDSK /r prior to installing Drive Encryption to make sure the hard disk is in a healthy state. If the Hard Disk is damaged or has a high number of undiscovered bad sectors, the disk could fail during the full disk encryption process.

In addition, we recommend using Drive Encryption GO to discover potential issues prior to installation. For more information, see KB72777.

Dynamic and RAID disks in Windows

Endpoint Encryption works at sector level; consequently, it does not support software-based dynamic disks and software-based RAID.

Hardware RAID – Endpoint Encryption is untested in this mode, but may work properly in a situation where pure Hardware RAID has been implemented. However, Drive Encryption can’t support diagnostic or disaster recovery in this situation.

General Notes

- Users upgrading from EEPC 6.x should be aware that a new default theme is shipped as part of the Drive Encryption 7.1.x releases. If you are using customized themes with EEPC 6.x, then recreate your custom themes from the Drive Encryption default theme after the upgrade. This will make sure that the correct user interface is displayed and the correct audio is heard. Failure to do so will continue to display the EEPC 6.x user interface and use the EEPC 6.x audio. Those users who wish to deploy the new default theme to all their existing endpoints or have their own custom theme should follow these steps to make sure they are using the correct theme during PBA.
   1. Create a Theme Deployment task and assign it to all of your endpoints.
   2. Make sure that you have the desired theme selected in the Theme section of the Product Policy, that is, McAfee Default or your own custom theme based on the Drive Encryption 7.1 default theme.

   3. After upgrading an endpoint, allow the Theme Deployment and Policy Enforcement tasks to complete before restarting the system.

   Note: The size limit of the PNG file that can be uploaded is 2.5 MB.

- If you are using Policy Assignment Rules to assign specific Endpoint Encryption User-Based Policies (UBP) to users, see the Drive Encryption 7.1 Product Guide to learn how to configure these users to continue to use Policy Assignment Rules. This must be done prior to deploying the Endpoint Encryption (EE) Agent/PC to the clients. Failing to configure users correctly will result in users returning to the default User Based Policy assigned at system level.
- If you are using the autoboot feature in EEPC 5.x.x, please be advised that at least one EEPC user must be assigned to each client system to be upgraded to Drive Encryption 7.1.x successfully.

   Note: In Drive Encryption 7.1.x, the autoboot feature no longer requires the user autoboot, therefore do not create this user in Active Directory. In the context of the bullet above, one EEPC user refers to a valid Active Directory user.

- On upgrading from EEPC 6.x and EEPC 7.0.x to Drive Encryption 7.1.x, the EEPC MBR is backed up to the McAfee ePO server. To avoid overloading the server, we recommend that you roll out the upgrade in batches of around 5000 systems.
- Out-of-band user management does not work when the action is performed on the client system at PBA through CIRA.
- RemoveDE is not supported in the UEFI version of the standalone DETech for Opal. The users should use the WinPE version of DETech if they wish to remove DE on a UEFI system. The reason for this is that the Opal removal process is highly complex on a UEFI system and is technically challenging to put in a standalone version of DETech.
- The built-in track pad/mouse pad/touch interface may not work in Pre-Boot on UEFI booting systems. The reason for this is that the OEM might not bundle a suitable UEFI driver for the device in the firmware. The track pad/mouse pad requires the UEFI Simple Pointer Protocol and the touch interface requires the Absolute Pointer Protocol to work correctly.
- With HIPS 7.0 Patch 1, HIPS Security content 8.0.0.4611 is required for successful DE installation on the client. EEPC installation will fail if this security content is not updated on the client.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1. Go to the Knowledge Center tab of the McAfee ServicePortal at http://support.mcafee.com.
2. In the Knowledge Base pane, click a content source:
   - Product Documentation to find user documentation
   - Technical Articles to find KnowledgeBase articles
3. Select Do not clear my filters.
4. Enter a product, select a version, then click Search to display a list of documents.

Recommended Reading

For information about the operating systems supported by this release of McAfee Drive Encryption, refer to the KnowledgeBase article KB79422.

For information about the minimum software and system requirements, refer to the McAfee Drive Encryption 7.1 Product Guide – PD24867.

Copyright 2015 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
