Last Modified: 10/7/2014
McAfee Endpoint Encryption GO (EEGO) 1.0
EEPC 6.2 Patch 1 is the latest EEPC 6 release available from the McAfee Downloads site. This article will be updated when newer patches are released that resolve the issues mentioned in this article.
NOTE: EEPC 6.x has been superseded by EEPC 7.0. To review the Release Notes for EEPC 7.0, see PD24143. For details about EEPC 7.0 supported environments, see KB76804.
General For product information, including licensing, and miscellaneous topics. Compatibility Interaction between other products and software, including operating systems, ePO/MA, and Active Directory. Installation/Upgrade For information about installing, upgrading, migrating, and removing. Configuration Includes best practices, optimizing, configuring, customizing and backing up. Functionality Product features and functions, including PBFS, preboot, clients, users, reporting, scripting, tokens, recovery and EEGO
|Opal General||For product information, TCG, and miscellaneous topics.|
|Opal Compatibility||Interaction between other products and software, including operating systems and S3.|
|For information about deploying, installing, upgrading, migrating, and removing.|
|Opal Configuration||Includes best practices, optimizing, configuring, and customizing.|
Why was EEPC 6.1 Patch 3 temporarily removed from the McAfee download site?
For details about the removal and reposting of EEPC 6.1 Patch 3 with Hotfix 7409862, see KB74231.
Is the version 5.x licensing enforced in EEPC 6.x?
No. The version 5.x licensing mechanism is not implemented in version 6.0. Instead, EEPC uses the ePO licensing mechanism.
Can Endpoint Encryption Manager (EEM) manage EEPC 6.x clients?
No. Version 6.0 clients can be managed only by ePO.
Is EEM available in EEPC 6.x?
No. ePO is the management console for version 6.x.
If my organization uses shared laptops, has anything changed for how they are configured in EEPC 6.x?
No. Nothing has changed in the overall procedure between version 5.x and version 6.0. Multiple users must be assigned to the client in version 6.0, just as they were in version 5.x.
If I have multiple communication servers in EEPC 5.x, how does it translate into the EEPC 6.x environment?
Communication servers are not necessary nor present in EEPC 6.x. The McAfee Agent is responsible for communication between the client and the ePO server. ePO 4.5 includes functionality called an Agent Handler that can assist with this issue.
What is an OptIn and OptOut user?
I see references in the Logs (for example, failing policy enforcement: assigned OptIn user). OptIn Users are users where the User Based Policy (UBP) Enforcement is set to True in ePO, whereas the OptOut Users are those where the UBP Enforcement is set to False. This means that for OptIn Users a specific UBP applies where as for OptOut users the UBP assigned to the machine applies.
What operating systems does EEPC support?
Does EEPC 6 support the Intel Rapid Start (IRS)?
No. IRS requires an extra partition space on the Solid State Drive (SSD)/Hard Disk Drive (HDD), called the Hibernation Partition, which must be equal or larger than the amount of system memory. This partition does not have a drive letter. The IRS provides a low power S3 state where, instead of storing state to DRAM in S3, the memory, contents are flushed to a dedicated partition on the SSD. Because the BIOS is responsible for flushing to and from the SSD, it means EEPC does not have any way intercept the write to SSD. Therefore, any sensitive data in DRAM is written in plaintext to the disk (this only affects the S3 state and not S4).
NOTE: IRS technology enables your system to resume faster from sleep. This saves time and power consumption.
Does EEPC 6.x work with agent handlers?
Yes, but to overcome some known issues this requires EEPC 6.0 Patch 2 or later and McAfee Agent 4.5 Patch 2 or later.
Does EEPC 6 support hardware encrypted disks (OPAL)?
Support is provided in starts with the EEPC 6.2 release and later.
Does McAfee retain a list of supported Systems/BIOS releases?
No. McAfee actively encourages customers to use the latest BIOS Updates. Any reported issues are often documented in an issue article and can be found by searching for the computer model.
Does EEPC support Solid State Drives?
Yes, because a Solid State Drive (SSD) perfectly emulates a physical drive.
Does McAfee recommend using the file system command TRIM after EEPC has fully encrypted the SSD?
It does not matter when you run TRIM, but it will improve performance if you run it after the SSD is encrypted.
Does EEPC integrate with Trusted Platform Module (TPM) technology to increase authentication security by storing authentication details (cryptographic keys) in a motherboard chip?
No. To submit a Product Enhancement Request, see the Related Information section.
Does EEPC work with the Windows 7 Partition or Volume Shrink Feature available via the Disk Management interface or DiskPart command prompt?
No, because the EEPC encryption is at the sector level.
Can I install EEPC 6.x to a Windows operating system on Mac hardware (no Mac OS X)?
No. For details about Mac Boot Camp (Dual Boot - Mac and Windows) with Endpoint Encryption, see KB72978.
Can I use the Windows defragment tool, even during encryption?
Although you can use the Windows defragment tool on an encrypted disk, McAfee does not recommend using it while the drive is being encrypted. For considerations when using defragmentation (defrag) tools with EEPC, see KB73032.
What are the security differences between using Windows Sleep Mode or Hibernate Mode when EEPC is installed?
Hibernate Mode writes the hibernation file to disk where it will be encrypted. Resuming from hibernation triggers a preboot authentication, which is just as safe as a cold-boot start. Sleep Mode keeps power to the RAM and bypasses EEPC preboot authentication and leaves the Windows authentication as the only security authentication measure.
Is ePO required to use EEPC 6.x?
Yes. ePO is the management console for EEPC 6.0. The Endpoint Encryption Manager is not used to manage EEPC 6.x.
What ePO version is required for EEPC 6.0?
EEPC 6.0 requires ePO 4.5 Patch 1 or later. For more information about which versions of EEPC are supported with later releases of ePO, see KB68053.
What happens to my endpoints if the ePO server goes down?
If the product is already installed and active, clients will continue to operate with the cached copy of the policy. No additional policy updates or user assignments will occur until the client can communicate with the ePO server. If the product is not yet installed, it will not be able to activate until communication with the ePO server is re-established.
Can ePO and EEPC 6.x manage a version 4.x or 5.x client?
No. EEPC 6.x can manage only EEPC 6.x clients.
What is the minimum McAfee Agent version supported by EEPC 6.x?
EEPC 6.x supports McAfee Agent 4.5 or later. Earlier versions of McAfee Agent do not work with EEPC 6.x.
Do I have to use McAfee Agent with EEPC 6.x?
Yes. McAfee Agent is used to communicate with the ePO server to receive policy and product updates. EEPC 6.0 is dependent on McAfee Agent for all forms of communication. To determine which versions of McAfee Agent and associated patches are required to support your version of ePO, see KB68053.
Is Active Directory required for EEPC 6.x?
Yes, currently. ePO 4.5 was released with LDAP support for Active Directory only. The ePO team plans to add support for various LDAP servers in later releases.
What happens if I do not use Active Directory or an LDAP server?
If you do not use Active Directory or another supported LDAP server, EEPC 6.0 will not be able to reference any user information. For example, you will not be able to assign a user to a system.
Is Novell eDirectory supported with EEPC 6?
No. To submit a Product Enhancement Request to include this functionality, see the Related Information section.
Can I enforce the sAMAccountName to be checked with its certificate?
You can use the LDAP sync task to pull the sAMAccountName and its certificates via the EEPC LDAP sync task. This ensures a 1-to-1 relationship.
When using 'Provide LDAP user certificate,' if there are numerous imported certificates with different key usages (for example, one for authentication, one for encryption, and another one for signature) all with the same expiry date, which one is used (if no certificate rules defined)?
The product will use the latest certificate that it can find; no check is undertaken on the certificate for key usages.
Can EEPC enforce certificate validity period on the client? This is enabled by default to enforce certificate validity period for the added certificate rule.
No. A Certificate Revocation List (CRL) check is not possible during preboot authentication. The only check that is made is to ensure the dates of the certificates are still valid at the point they are used for authentication.
Can the certificate rules under the EEPC User Based Policies (UBP) be used to verify the user in the certificate is mapped to the correct EEPC User?
Yes. If the value in the rule is '%USERNAME%', it will be replaced with the User Name attribute, as defined in the automated server task for EE LDAP Server User/Group Synchronization.
Is OpenLDAP supported?
No. Refer to the product statement article KB73550.
Is EEPC 6.0 FIPS 140-1 and FIPS 140-2 compliant/certified?
McAfee is in the process of FIPS certifying Endpoint Encryption for PC (EEPC) 6.x. For detailed information on the progress of this verification and which versions are affected, see KB74396.
To install EEPC in FIPS mode via command line, see KB72802.
Does EEPC 6.x support Intel Anti-Theft technology?
No. Intel Anti-Theft technology is not supported. McAfee Product Management is evaluating use cases for possible inclusion in future releases.
Is the EEPC 6.x client compatible with Microsoft BitLocker?
No, EEPC 6.0 is not compatible with BitLocker Drive Encryption or any other Full Disk Encryption or Sector Level Encryption software running on the same system.
Is EEPC 6.x compatible with the Microsoft Encrypted File System (EFS)?
Yes, you can use EEPC 6.x with EFS because they work at different levels that have no interaction. EFS works at the file encryption level and EEPC works at the disk encryption level.
Is EEPC 6 compatible with Guidance Software EnCase?
Yes. There are two phases to integrate EEPC with Encase, for details see KB72642.
Are there any compatibility issues with Absolute Software Computrace Agent?
Yes, For details of known issues, see KB73011.
NOTE: Absolute Software is part of the McAfee Security Innovation Alliance program and Computrace Agent is supported by ePO 4.0.
Are there plans to provide support for JAWS for Windows screen reading software for the preboot client, to assist users with poor eyesight?
JAWS is a Windows-only software product and does not work at the preboot authentication point because Windows is not yet loaded.
Does EEPC 6 support booting systems using a native Unified Extensible Firmware Interface (UEFI) BIOS?
No. However, support is planned to be included as a new feature in the EEPC 7.0 release. The EEPC supported environments article will be updated when this is posted to the McAfee Download site. For details, see KB68053.
- UEFI is a replacement for the older BIOS
- The original EFI developed by Intel has been replaced in favor of UEFI
Do I need to create Install Sets in EEPC 6?
No. EEPC 6.x has no concept of Install Sets. Instead, there is a single installation that contains all necessary files and functionality. This assists with installation via the ePO deployment task.
Can I upgrade EEPC 5.x to EEPC 6.0?
You can migrate to EEPC 6.0 from the following versions:
- EEPC 5.1.7, EEPC 5.1.8, and EEPC 5.1.9
- EEPC 5.2.x or later
For more information, see KB68016. For later releases of EEPC, refer to the Release Notes for upgrade information.
Do I need to decrypt and re-encrypt the clients during the upgrade to EEPC 6?
No. The upgrade process is designed to transfer the key from the old agent to the new agent. This is how McAfee has always done upgrades. (The upgrade from Endpoint Encryption 4 to 5 worked similarly.)
Can I upgrade an operating system while the hard disk is encrypted?
Yes - for Windows XP and Windows 7. For details see the following:
- PD23245 - Endpoint Encryption for PC 6.x Windows OS Refresh Recommended Process Guide
- KB73035 - EEPC Refresh Tool to enable customers to perform an Operating System Refresh using standard Microsoft Tools
Is the Windows OS refresh procedure supported if the client is in FIPS mode?
Yes. FIPS compliance will not change if you move from one validated operating System (OS) to another validated OS. Because there is no need to generate new encryption keys in the OS refresh process, there is no intervention in the already created FIPS installation.
What version/build of EEPC 5 do I need to be on to upgrade to EEPC 6.1?
The migration is supported only from EEPC 5.1.7 and later for Clients and Server. If you are on 5.1.x, McAfee recommends upgrading to EEPC 5.2.x first. For more information see PD23082.
Are there any reasons to stay with EEPC 5 and not upgrade to EEPC 6.1?
Yes. EEPC 6 requires Active Directory. If you do not use Active Directory for user management, you should stay on EEPC 5. There are some plans on the roadmap to support other LDAPs, but those will not be immediately available in EEPC 6.1.
On the server, can I do the upgrade in phases or will the upgrade be immediately deployed to all endpoints?
ePO allows you to do phased deployments. You can push to a single system or to a test group. ePO also allows you to track the upgrade progress with reports and dashboards. Also, you can use a third-party tool to deploy the EEPC 6.1 installers in a phased manner.
What are the steps involved in the upgrade?
To upgrade, deploy the EEPC 6 Agent over the top of the EEPC 5 Agent. McAfee has an upgrade document that fully explains the process. For more information, see PD23082.
How do I transfer my policies?
You do not transfer policies. The policies are different in ePO, so part of the upgrade process is to manually port your EEPC 5 policies to EEPC 6. For most customers, this task will take approximately 20 minutes.
During the migration, will I have to decrypt and re-encrypt my clients?
No. It is not necessary to decrypt and re-encrypt during migration.
Which version of EEPC 6 will allow the users to retain their Personal Identification Number (PIN) / password during the migration?
EEPC 6.1 Patch 1 and later. The Endpoint Encryption for PC 6.1 Patch 1 Release Notes (PD23187) states that this release supports exporting and importing the user token (password), Single-Sign-On, and Self Recovery details from the 5.x.x database, only when they are available, to EEPC 6.1 Patch 1.
Do I have to re-create my policies when I migrate from EEPC 5.x to version 6.x?
Yes. You have to properly configure the various policies in ePO when you migrate.
During the migration, do I have to upgrade all of my systems at once?
No. EEPC 5.x and 6.x can be run in parallel but will be managed by two separate consoles (ePO for EEPC 6.x and EEM for EEPC 5.x).
Can I migrate EEPC 6.x clients to a different ePO server?
Yes. This is possible with EEPC 6.1.x clients and later. This is documented in the EEPC 6.1.0 Best Practice Guide, Machine Key management section. For details, see PD23081.
Can I use my existing EEPC 5.x server as an ePO server, or do I have to migrate to a new server?
The answer depends on the specifications of your current version 5.x server. During the migration from EEPC 5.x to version 6.x, both management consoles will be running on the server, potentially reducing performance. Contact your local McAfee representative for a review of your environment.
NOTE: You can also migrate the entire ePO server and database (which retains the EEPC encryption keys). For more information, see KB68427.
When migrating from EEPC 5.x to version 6.x, can I merge multiple version 5.x management centers into a single version 6.x?
Yes. The migration from EEPC 5.x to version 6.x involves exporting information from version 5.x. You can export information from the various systems and import them all into a single version 6.x system.
Do I have to migrate from version 5.x as soon as the migration functionality is available?
No. There is no need to migrate immediately. Version 5.x will still be supported for quite some time yet, and will continue to be supported per McAfee standard policy.
Will WinTech and SafeTech work on endpoints encrypted with EEPC 6.1?
No. You will have to upgrade your support tools. The new tool is called EETech, and like the previous tool, it is available as a standalone version and also as a Windows application that can be built into PE environments or run from a Recovery workstation so that you can rescue data from slaved drives.
Is the Web Help Desk functionality also available in EEPC 6?
No. The recovery functionality in ePO and the Local User Recovery functionality replace the Web Help Desk.
Back to Contents
How do I configure User properties?
Go to User Based Policies, or Queries, EPE User, Actions.
How do I back up the EEPC Computer and User data for disaster recovery?
All computer and user recovery information is stored in the ePO database. For information on how to back up the ePO database, see: KB66616.
What is the default size of the Preboot File System (PBFS)?
Is the Endpoint Encryption Agent (EEAgent) extension backward compatible with previous releases?
What types of problems lead to preboot corruption?
Common examples include hard-disk failures, an infected system, or certain EEPC 6 product issues with hibernation that are resolved in the latest releases. The first major PBFS improvements took place with EEPC 6.1 Patch 2; for details see KB73381.
What types of formatted disks are supported?
Only Windows Basic formatted disks are supported. Dynamic and GUID Partition Table (GPT) disks are not currently supported, but support will be included in EEPC 7.0. This article will be updated when this is posted to the McAfee download site.
NOTE: BIOS-based systems cannot boot from a primary GPT disk, however GPT disks will be supported with EEPC 7 and later as secondary disks on a BIOS based system. Conversely, UEFI-based systems can only boot from a primary GPT disk.
How many users can be accommodated by the default PBFS?
Approximately 350 users.
Is EEPC 6 or later supported on a Dual Boot system?
No. EEPC is not tested against Dual Boot systems and therefore support cannot be provided. Currently the market demand is low and is not regarded as an item to be included on current roadmap. To submit a Product Enhancement Request, see the Related Information section.
How much space does a single user occupy in the PBFS?
Approximately 8-10 KB.
Are there any WEB API commands that we can use for scripting?
Yes. For the EEPC 6.1 Patch 2 Scripting Guide, see PD23437.
Can I change the default size of the PBFS?
Yes. This is a Server policy setting.
Can I change the PBFS during an upgrade?
Yes. With all activations in EEPC 6 (both EEPC 5 upgrade and new installations) a new PBFS is created in a completely separate host file of the size specified in the EEPC 6 policy. Only when or if the EEPC 6 activation completes successfully, is the switch to the EEPC 6 PBFS made (by updating the MBR).
Can I see the events that took place in preboot environment, such as invalid login attempts?
Yes. After logging in, view the MfeEpe.log.
Can I force the language displayed during preboot authentication? (By default it is choosing the local language setting.)
There is no policy option to achieve this automatically. The system always defaults to the language your operating system is set to. However, during preboot under Options, an alternative language can be selected. Once changed, the setting will remain enabled for that user.
If I deploy to a single client, and later increase the size of the PBFS in the policy, will the PBFS size change on the deployed client?
No. The PBFS size setting is applied only when the PBFS is created or when it is re-created during any recovery procedure.
What is included in the PBFS?
The PBFS contains all of the necessary information to provide the user with the ability to authenticate. This includes but is not limited to:
- The files necessary for the preboot environment
- Language files for all supported client languages
- Fonts to display characters from all supported languages
- The theme assigned to the client
- The users assigned to the client
Are Preboot Themes the same in EEPC 6?
No. The definition of a theme is a server-specific policy setting. It is now easier in version 6.0 to change theme settings such as the background image in the preboot environment.
Can Preboot Themes be created and/or customized?
Yes. Themes can be easily created and customized in ePO.
When should I use Autoboot versus Preboot?
Autoboot enables automated patching on the computer. It is not designed as a mode of perpetual operation, because it offers zero effective security, and no protection from data protection regulations.
The National Institute of Standards and Technology (NIST) white paper on Endpoint Encryption states that it is a best practice to use preboot authentication.
To review the details, see: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf.
What are the requirements for an EEPC 6.x custom theme?
Create the custom theme according to the following requirements:
NOTE: The procedure provided in the EEPC 6.0 Product Guide does not provide all the required information to create a custom EEPC 6.x theme.
- An image with dimensions 1024 x 768 and ensure the file format is .PNG
- A file size of around 600 KB
Can I force during preboot an English keyboard when first installing EEPC 6.x to a non-English operating system?
No, this is not possible. By default, the EEPC installer displays the localized keyboard associated with the localized Windows operating system that the product is installing to.
Can I use a Windows bootable CD on an encrypted system?
A bootable CD will work on an encrypted system unless you want to access the hard drive. One advantage of full disk encryption is that it prevents a bootable drive from being used to access the hard drive without authenticating. If Windows is not working properly and needs to be repaired using the Windows setup disk, then the drive must be first decrypted before using any Windows repair tools.
Version 5.x users currently do not see the preboot authentication screen - are there any special considerations for AutoBoot?
The AutoBoot function is available version 6.0, but it is implemented differently. In version 5.x, there is an AutoBoot user(s) account that is used to boot the client. In version 6.0, the AutoBoot function is a policy setting and no AutoBoot users are required. Enabling this policy setting enables AutoBoot.
How can I tell which clients have EEPC version 6.x installed and are encrypted?
In ePO, a standard EEPC report show the clients that are installed and encrypted. Information about each system in the ePO database will indicate whether it is encrypted or not.
How do I configure the properties for individual clients?
These are configured in the Product settings policies.
How do I configure the encryption properties of individual clients?
These are configured in the Product settings policies.
What impact will it have on the end user?
The upgrade happens behind the scenes and does not require any user interaction. However, the user will need to create a new password when they first see the EEPC 6.1 preboot environment.
Can I create users in version 6.x?
In version 6.x, users are not manually created. Instead, they are referenced from Active Directory or other LDAP server. Referenced is the important word. Some user information will be kept by EEPC inside ePO, but generally it is referenced. In version 6.0, users cannot be created as they can be in version 5.x.
If the ePO server is unavailable, are users still able to log on to their encrypted systems?
Yes. Preboot authentication (PBA) does not require a network connection.
Can users change their passwords while the ePO server is down?
Yes. Password changes are held locally and will be transferred to ePO with next Agent to Server Communication (ASCII) interval.
Are Local Users supported?
No. EEPC needs to reference user information from Active Directory or an LDAP Server.
How do I prevent users from accessing devices such as ports and floppy disks?
EEPC version 5.x contained some basic device control functions. This has been removed from version 6.0 because there are other McAfee products, such as Host DLP, that provide a much better implementation.
Can I still use the Reporting Tool in EEPC 6?
No. The Reporting Tool is not available in version 6.0. All audit and log information is sent from the clients and stored in the ePO database. You can use ePO reporting capabilities to extract information stored inside the database about the encryption state, status, and various logs to create the report you require.
Does version 6.x have any standard reports?
Yes. EEPC 6.x provides some standard reports. These reports can be used as a basis for customized reports that you can configure to your specific requirements. Some examples of the standard reports are: EEPC versions that are installed, machines that have EEPC installed (or not), status of machines that have EEPC installed, and so on.
Is there scripting functionality in version 6.x?
IMPORTANT: No. The scripting functionality that was available in EEPC 5.x is not available in version 6.x. Currently ePO does not have a scripting interface.
In version 5.x there was an example AutoDomain script - what happens to the functionality the script provided?
The AutoDomain example script has now been implemented as native product functionality in several places in EEPC 6.x. The non-compatible products functionality detects competitive products and other products that are known to have incompatibilities. The auto-assigning of users to clients is now available as a policy setting.
How can I initialize tokens?
There isn't any option to explicitly initialize a token from ePO. After assigning a token to a user, the token will be initialized on first use.
Are there any changes to the way PKI tokens work in version 6.x?
In general, PKI tokens work the same way in EEPC 6.0 as they did in version 5.x. In some instances, token initialization will occur in the preboot environment and not require the certificates to be in Active Directory. Unless the token you are using has this functionality mentioned explicitly, the functionality remains the same as version 5.x.
What tokens does EEPC 6.x support?
For a list of the supported Tokens used for authentication in Endpoint Encryption for PC 6.x.x, see KB71555.
What Readers does EEPC 6.x support?
For a list of the supported Readers used for authentication in Endpoint Encryption for PC 6.x.x, see KB71554.
Will all PKI tokens use self-initializing functionality in the pre-boot environment?
EEPC 6.0 architecture allows for self-initializing PKI tokens. Unless McAfee has specifically added this functionality to a token, it will retain the same functionality as in version 5.x. If a token is not explicitly listed as supported for self-initialization, it will not self-initialize.
Can I assign two RSA tokens (with different keys in each token) to one user?
No. You must create a new user ID to handle the other token / keys.
Can I partially encrypt the hard disk with EEPC 6.x?
With the release of EEPC 6.2 and later, when you use only Software Encryption, you can partially encrypt the hard disk with the new option Selected Partitions.
NOTE: Prior to EEPC 6.2 only the following encryption options are available:
- Encrypt No disks
- All disks
- Just the boot disk
- All disks except the boot disk
In the Product Settings Policy, why can’t I choose individual drives for encryption?
These product settings are used by other applications as well as EEPC. They are also used by other Encryption products as they are introduced or fully integrated into ePO. For example, Endpoint Encryption for Mac OS/X: On Mac systems there is no concept of drive C: or D:, so these cannot be specified. This is why you see the different options for which drives to encrypt. For software encryption only, this is now possible with EEPC 6.2 and later. Note that on a Windows computer, the volume name can also be chosen; but on the Mac, only the volume name can be chosen.
Does an encrypted drive have to be decrypted before extending a partition?
Yes. When a partition runs out of space and has to be increased, you must remove the encryption software because encryption is implemented at the sector level. The recommended procedure is to remove EEPC, increase the partition size, and then reinstall EEPC.
What cryptographic algorithms are available in EEPC 6.x?
For details, see KB72723.
How do I know if AES-NI is supported on the hardware I have?
For earlier EEPC 6.0.x versions you have to look it up in the processor specs. In EEPC 6.1.1 and later the ePO console will show if AES-NI is being utilized on the client
Does EEPC 6.x support compressed drives?
EEPC supports compressed drives only if the root directory (c:\) of the boot drive is not compressed.
Can EEPC 6.x protect individual files and directories on the hard disk?
Yes, EEPC can protect individual files and directories on the hard disk. When full hard disk encryption is used, every file and directory (every physical sector) on the hard drive is encrypted. Administrators can select to encrypt certain partitions and not others, or in the case of multiple disk systems, certain drives or partitions.
Can I use EEPC 6.x in a workgroup?
No, you cannot use EEPC, which is a fully ePO-managed product, without Active Directory. However, using the Endpoint Encryption Manager (EEM) 5.x with EEPC does work with a workgroup.
Can I synchronize EEPC6.x with EEFF 3.x (usernames and passwords)?
No, you cannot synchronize them because there is no relationship between ePO products and EEM-managed products.
Can I update the Master Boot Record when EEPC 6.x is installed and the disk is encrypted?
No. Although EEPC replaces the original Master Boot Record (MBR) with its own code to allow the preboot authentication environment to start, it does not prevent other applications from updating the MBR. This is because the operating system uses the MBR to store disk information, and many types of applications might have to read and write to it.
WARNING: If you have EEPC installed, never reset or replace the MBR using FDISK /MBR or FixBoot /FixMBR f because it disables the preboot authentication that EEPC requires to operate. If this happens, you must perform an emergency boot to fix the issue.
Can I import a customized theme created for EEPC 5.x into ePO 4.5 to use with EEPC 6.x?
No, the format is different and you must recreate any themes to be imported into ePO 4.5 for use with EEPC 6.x.
Why isn't the Reject Suspend/Hibernate Requests option available for EEPC 6.x?
In previous versions of EEPC 5.x, there was an option to Reject Suspend/Hibernate Requests, which stopped your computer from entering Hibernation Mode.
NOTE: This option is not supported in Windows Vista.
This option was never implemented in EEPC 6.x because it now supports Secure Hibernation. Secure Hibernation allows all data to be protected when the client goes into hibernation.
Does EEPC 6.x support Wake-on-LAN?
No. EEPC does not support Wake-on-LAN (WOL) because WOL would have to bypass the preboot login process and this would leave a security hole. Therefore, these two technologies are fundamentally incompatible.
To allow your computer to boot up without any authentication would negate the protection provided by EEPC, but you can configure planned reboots using EEPC. To do this, an administrator or scripted process is allowed to temporarily disable the preboot authentication.
There are some products that, after waiting for a period of time at the preboot login screen, automatically reboot your computer without any user input. However, you have to store the encryption key in an easily accessible format on the computer. Therefore, this is also a security hole and negates the need to encrypt your computer.
If WOL is important to you, use Endpoint Encryption for Files and Folders (EEFF) instead of EEPC. EEFF only encrypts the data on the drive and does not affect the preboot sectors.
Does version 6.0 use the Connector Manager and Connectors?
No. These are replaced by ePO native functionality for integrating with Active Directory and other LDAP servers.
Does version 6.0 use the same database as version 5.x?
No. The version 5.x file based database has been completely removed, and EEPC now stores its information in the ePO database. The ePO database is implemented using MS SQL Server.
EEPC 5.x has 32 discreet levels of administration - does version 6.x have role-based access controls?
Yes. The management console for version 6.0 is ePO and ePO has role based administration. You can use the ePO functionality to manage this requirement. EEPC adds some new roles, but ePO is responsible for the implementation and enforcement of those roles.
Single Sign On (SSO) is a critical feature for my environment - are there any changes to how this works in version 6.0?
No. SSO works the same in EEPC 6.x as it did in version 5.x. It continues to work with other non-Windows GINAs in the same way as it did in version 5.x. There are no changes to the way it captures and synchronizes the Windows password.
Is the user password stored in the ePO database encrypted?
Is there still application control functionality in version 6.x?
EEPC version 5.x contained some basic application control functionality. This has been removed from version 6.0 as there are other McAfee products that provide a much better implementation of the functionality.
Can I still use the version 5.x Backup Tool to back up my EEPC encryption information?
No. The Backup Tool is not available in EEPC 6.x. You can back up EEPC information using any supported ePO backup methodology.
Is there any support in version 6.x for hardware encryption?
EEPC 6.x includes architecture to support different forms of hardware encryption. For example, Self-Encrypting Hard Disks. Although EEPC 6.0 contains this architecture, the plugins to deliver management functions for using these encryption devices will be available after version 6.0 has been released. Support for self-encrypting Opal drives is supported from EEPC 6.2 and later. For details refer to the Opal section below or see KB75045.
Why can’t I find communication settings in the policies for version 6.x?
EEPC 6.x does not contain communication functions because the McAfee Agent and the ePO server are responsible for communications. The settings are not specific to EEPC, but are ePO settings.
Is it possible to export the recovery keys for all systems as a regular backup task, and can this be automated?
No EEPC recovery key back up task exists, but since the keys are stored in the ePO database, undertaking a database backup will achieve this. Refer to the following articles to back up your database. For how to back up the ePO 4.0 database using:
If the ePO server is down, can administrators recover a user's encrypted computer?
No. This is because the administrator must log in to the ePO console to export of the computer's recovery key from the ePO database. An administrator can recover the system if the local file system is still intact.
Why do certain numbers like (0, 1, 8 and 9) never appear in the client side recovery response codes?
This is implemented to avoid confusion with other similar alphabetic characters. For details, see: KB72776.
What Recovery options are available?
At this time, EETECH (Standalone) and EETech (WinPE V1 and V3) are available.
What is the difference between the standalone and WinPE?
The standalone version is built on the same operating system as the preboot environment, where WinPe is based on native Windows drivers.
Can a previous EEPC recovery disk version be used on a later EEPC release?
No. You have to use the EEPC recovery version designed for the version installed on the client.
Do I need a different recovery CD for Opal and normal drives?
Yes. For Opal, a different CD is required. For more details, refer to the relevant release of the EETech User Guide for use with ePO. See the Related Information section in this article for links to the documentation site.
Is it possible to build the recovery disk on a USB instead of floppy or CD?
Support for bootable USB drives is available with EEPC 6.2 and later. For instructions and restrictions, refer to the EEPC 6.2 EETech User Guide in PD23751.
Why is it not possible for McAfee to provide customers with a WinPE Recovery CD?
A valid Microsoft license is needed.
When I need to perform an Emergency-Boot using EETech (WinPE V1 and V3), the option is missing.
An Emergency-Boot can only be performed using EETech Standalone.
What is the EEPC client recovery information retention period?
The recovery information is never deleted, even if you delete the system from within the ePO console. The McAfee Agent has logic built in to re-associate that key with the computer in case it ever syncs with ePO again. it is also possible to also accomplish this re-association manually by using the Key check value process.
What is EEGO?
The Endpoint Encryption GO (EEGO) tool allows you to determine if a client has the required hardware to support installation and activation of EEPC 6. The utility indicates the readiness of the system to install either EEPC. It provides an indication of readiness but not a definitive indication that no errors will occur. The utility provides some initial testing of the system to verify that it will be ready to install and activate the product. It does not pick up EEPC error states, such as failing to activate because no users are assigned to the system. For more information about EEGO, see KB72777.
How often does EEGO transmit it collated data to the ePO Server?
The data is transmitted when either the client or the EEPC service is restarted.
What types of checks does EEGO undertake on the client?
Checks made by EEGO include:
- Data Channels (to verify communication in both directions is working)
- Incompatible product installed. For more information, see KB68271.
- Self-Monitoring, Analysis, and Reporting Technology (SMART) to check a computer system hard disk drive to detect and report on various indicators of reliability, with the aim of anticipating failures
- Partition/Disk/MBR compatibility
- Opal drive compatibility
- Overall Ready (Yes/No)
What types of reports are available at the ePO server for EEGO?
The following ePO reports are available to allow the data uploaded from the EEGO checks to be reported upon:
- Endpoint Encryption GO: Compliance
- Endpoint Encryption GO: Data Channel Status
- Endpoint Encryption GO: Incompatible products
- Endpoint Encryption GO: Test Failures
Should I remove EEGO if EEGO has reported that there were no issues on the client and that EEPC was installed successfully?
Normal best practice would be yes because it reduces the number events being sent to the ePO server. However, you might prefer to leave it installed because of the test failure check: SMART Status (PredictFailure Attribute). You can utilize this in the report to identify any client that indicates an impending disk failure.
To troubleshoot EEGO deployment issues, is there a debug mode that I can enable?
Yes. Logging levels are controlled on the client by either the command line or the registry on Windows clients, and only via the registry on the ePO server. Debug logging produces significantly more log entries, whether or not there is an error. This allows for more granularity. For more information about how to enable debug logging, see KB73165.
What is Opal?
Opal is the name of a specification related to self-encrypting drives that has been developed by a standards body named the Trusted Computing Group (TCG).
What is an Opal drive?
An Opal drive is a self-contained, standalone hard disk drive (HDD) that conforms to the TCG Opal standard. The drive is always encrypted but might or might not be locked. In addition to the HDD standard components, an Opal drive contains extra components (such as an onboard cryptographic processor) that perform all of the necessary encryption/decryption of data on the HDD itself. In addition to regular spinning media (HDDs), SSDs may also support the TCG Opal standard.
Is Opal a standard or a brand?
Opal is a standard or specification that details the commands the drives requires to respond to and the standard behavior. The standard has been created and ratified by the Trusted Computing Group Storage Working Group.
Is an Opal drive a self-encrypting drive?
Yes. It is one type of self-encrypting drive. However, it is not the only type. There are plenty of proprietary self-encrypting drives available.
What threat model does an Opal drive address?
The primary use case is lost or theft of laptop/desktop computers. It covers similar threats as Software Full Disk Encryption and is designed for protection of data at rest.
What usage scenarios are best suited for Opal drives?
Opal drives are well suited for users who require extremely high disk Input/Output (I/O) for extremely performance sensitive applications. Examples of these users are software developers, video editors, and aeronautical engineers. These users will most likely also use SSDs instead of spinning HDDs.
How does McAfee support Opal drives?
The driving factor was to make it easy for an administrator to know that they have a supported configuration. The majority of customers surveyed are planning to bring Opal support into their organization via new hardware purchases. EEPC will specify its support for Opal drives in specific hardware models (in other words, EEPC will support a Dell E6420 that comes shipped with an Opal drive). That way, an administrator can easily know that new computers they purchase are supported by EEPC if the hardware includes an Opal drive.
What happens if I have one Opal drive and one non-Opal drive in the computer?
Software encryption is the only option if you have Opal and non-Opal drives in the same computer and will automatically be chosen.
Is the preboot for Opal different to the preboot for software encryption?
Yes and No. The preboot has to know how to unlock an Opal drive to allow the operating system to boot. However, the rest of the preboot looks and behaves the same as with software encryption. In fact, much of the preboot code is shared between software and Opal preboot applications.
Are there multiple versions of the Opal standard?
Yes. What is currently implemented is version 1.0.
What is the EEPC experience like with an Opal drive?
The day-to-day tasks of an administrator are exactly the same regardless of whether the device has an Opal drive or a normal HDD. The same policy, method of deployment, and management are all the same, but the recovery process changes slightly. However, the procedures an Administrator performs in a recovery scenario are the same.
I am very technical and I would like to read the Opal Standard. Where can I find it?
For more information, go to http://www.trustedcomputinggroup.org/resources/tcg_storage_security_subsystem_cl%20ass_opal_version_100_revision_200.
With respect to Opal drives, who or what is the TCG?
The TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, industry standards for trusted computing building blocks and software interfaces across multiple platforms.
Is a TCG-compliant self-encrypting drive the same as an Opal drive?
Which version of EEPC will support Opal drives?
EEPC 6.2 specifically support the TCG Opal 1.0 specification. Future iterations of the Opal specification will be supported in future versions of EEPC.
Will EEPC support other types of self-encrypting drives?
Currently, there are no plans to support other types of self-encrypting drives other than those implementing the TCG Opal Standard.
What models fitted with OPAL drives will be supported by EEPC?
McAfee will be testing the following models explicitly: Dell E6420, E6520, E5420, and the following HP Models: ProBook 4230s, 4330s, 4330s, 4436s, 4436b, 4530s, 5330m, 6360b, 6455b, 6535s, 6560b, 8460w, 8460p, 8560w, and Elite 8200.
What about forensics software from third-party companies - can they work with an Opal drive?
McAfee has been working with companies that provide forensic software and our interaction with them remains approximately the same. Instead of those applications asking EEPC for the encryption key, they will ask EEPC for the necessary credentials to unlock the drive.
Will EEPC support Opal drives on all the supported operating systems for EEPC?
No. EEPC 6.2 and later will support Opal drives on Windows 7 SP1 systems only. There are no plans at this time to support Opal on other operating systems.
Why do I need Windows 7 SP1 installed?
Some Opal drives are 512e drives (in other words, they are actually drives with sectors of size 4096 bytes, but which emulate old-fashioned 512-byte sector drives). Windows 7 SP1, includes crucial driver fixes that allow these 512e drives to function correctly.
What happens if I try to activate EEPC on an Opal drive while running an operating system other that Windows 7 SP1 or later?
If EEPC detects an incompatible or unsupported combination of operating system and Opal drive, it will abandon the activation process.
Will Opal drives be supported on Mac OS X?
No. Apple currently does not ship their devices with Opal drives so Opal is not supported on Endpoint Encryption for Mac.
Does EEPC 6.2 support S3 with Opal drives?
Yes. NOTE: S3 is a power state, commonly known as Standby, Sleep, or Suspend to RAM. A system in an S3 state appears to be turned off. The CPU has no power, the RAM is in a slow refresh mode and the power supply is in a reduced power mode.
Is S3 a proprietary implementation of S3 Support?
Is deployment any different to an Opal drive?
No. Deployment is exactly the same regardless of whether the client has an Opal drive or a normal HDD.
Does an administrator have to manage systems with Opal drives differently to ones with a normal HDD?
No. Administrators do not have to treat Opal drives any differently to normal HDD. The same policy can be used on laptops with Opal drives and laptops with normal HDD.
In the policy there is a priority order for Encryption Providers - what does that do?
It allows the Administrator to tailor how the EEPC Intelligent Client will decide how it is going to enforce the policy on a client.
If Opal is higher priority than software encryption, then the EEPC client will first search for an Opal drive. If all of the attached drives support Opal, it will use the Opal functionality to enforce the encryption policy. If the drives do not meet this criterion, it moves on to the next Encryption Provider in the list, which means it will then use software encryption to enforce the encryption policy. By changing the priority order and making software encryption the highest priority, an Administrator can specify that all computers will use software encryption regardless of whether there is an Opal drive or a normal HDD in the computer.
Back to Contents
Does an Opal drive have a concept of users?
Yes. After the drive is locked, you have to use a username and PIN to unlock the drive.
Where are the users for the Opal drive maintained?
Each user is specific and local to each Opal drive. The application managing the Opal drive has to also manage the Opal Users.
Does EEPC do all of the necessary management for me?
Opal drives lock when they have no power - isn’t that a problem?
Yes. It is difficult to restart Windows when the drive is Locked and Windows does not have a way to unlock it. The TCG does not have a common and agreed solution to the S3 issue.
What happens if I have an Opal and a normal HDD inside the one computer - will EEPC use the native Opal functionality on the Opal drive and software encryption for the normal HDD?
No. This is what is described as a mixed-mode environment. EEPC needs to make a decision as to how it is going to enforce the encryption policy on the computer.
Does EEPC support a mixed-mode?
Yes. A mixed-mode is defined a situation where a computer has more than one physical HDD drive and also has a combination of Opal drives and Normal HDD. The lowest common denominator is always Software Encryption. If in doubt the Software Encryption functionality will be used to encrypt both the Opal drive and the Normal HDD.
How long does it take to go from an Unencrypted to Encrypted status with an Opal drive?
Approximately one minute. This is because the drive is technically already encrypted. The time to go from an unencrypted to an encrypted state is the time required to active the native Locking mechanisms of the Opal drive.
Would an SSD Opal drive preserve the performance of an SSD without compromising security?
Yes. For the most sensitive of users, an SSD implementation of an Opal drive can retain the speed and performance of an SSD while retaining all of the security and encryption of an Opal drive. However, because an Opal drive is always encrypted by the onboard crypto processor, it is difficult to ascertain exactly what performance degradation (if any) is levied by the onboard crypto processing.
Will I see any difference in preboot depending on whether I have a standard hard disk or an Opal drive?
No. The Preboot looks and behaves exactly the same. You can be completely unaware of the hardware that is powering the encryption on their computer.
Is there a maximum number of Opal Users?
Yes. You can only assign a few Opal users to a single Opal drive. Opal drives from different manufacturers vary as to the maximum number of users they can support.
Is an Opal User the same as an EEPC User or a Windows Domain User?
No. All three are completely separate entities.
What happens if I want to assign more EEPC Users to a device than are available as Opal Users?
The EEPC architecture allows you to assign as many users to the Opal drive, regardless of the technical limitation of Opal Users on the device. This complexity is hidden from the administrator and allows them to assign users to the device in the same manner as if it was a normal HDD. The recommendation and limitations for the number of users assigned to a device remains constant regardless of the type of hard disk drive used.
Can a user see that they are using Opal drive in the Encryption Status?
No, not directly. It can be implied from the list of volumes or drives that are encrypted in the Endpoint Encryption Status Monitor window.
Do all users in my organization need an Opal drive?
No. Software Encryption will suffice for most users. Most productivity workers will not notice or be impacted due to software encryption.
Can an Opal drive have more than one disk encryption key?
Yes it can. There is a section of the Opal specification which deals with Logical Block Addressing (LBA) but can also be referred to as Local Ranges.
Does EEPC ever know the key that encrypts the data?
No. The encryption key never leaves the Opal drive.
Is an Opal drive always encrypted?
Yes. Regardless of whether the drive is locked or unlocked it is always encrypted. It is not possible to have a decrypted Opal drive.
Can anyone, or anything, know the encryption key that is encrypting the data?
No. The key is created on the drive and it never leaves the drive. Applications or hardware cannot to ask the drive for its key(s).
How can an administrator tell if a client is using the Opal functionality or Software Encryption?
If an Administrator looks at the computer in ePO they can see which Encryption Provider is enforcing the encryption policy. If it states Opal, then it is using the Opal functionality.
Can you use software encryption on an Opal drive?
Yes. Until you enable the native locking mechanism of an Opal drive, an Opal drive responds and behaves exactly like a normal HDD. Nothing stops an administrator from encrypting the drive using Software Encryption instead of using the native functionality of the Opal drive. Technically speaking, the data will then be encrypted twice; first by Software Encryption and then by the Opal drive.
Why is EEPC still required if an Opal drive handles all of the encryption?
Opal drives have to be managed. Until an Opal drive is managed, it behaves and responds just like a normal HDD. The combination of EEPC and ePO provides versatile management, reporting and recovery functionality which are all critical to an Administrator. EEPC provides value by having a secure preboot that unlocks the Opal drive, performs Opal user management, ensures the organization’s encryption policy is continuously enforced and that in the event of loss prove that the device was encrypted at the last time it synchronized with ePO. Also, for organizations that will have a mixture of both Opal drives and normal HDDs, it is important that an administrator can utilize a single pane of glass to manage, enforce policies, report on devices and assess the company’s potential risk exposure; EEPC provides such a single pane of glass. In addition, EEPC offers an additional advantage in that it can support potentially many more users than are catered for by a non-managed Opal drive.
How does recovery work with an Opal drive?
The same EEPC recovery procedures and tools can be used to perform a recovery on an Opal drive and a Normal HDD. EETech is updated to know how to unlock an Opal drive, although you cannot decrypt it because the Opal drive never hands out the encryption key and never decrypts the disk. EETech only unlocks the disk to allow the operating system to boot.
Does EEPC help in recovery situations with an Opal drive?
All of the standard EEPC recovery mechanisms are available to users and administrators, regardless of whether the end user has an Opal drive or a normal HDD.
Can you restore an Opal drive to its default factory state?
All drives support this if a drive credential is known (known as reverting the disk), but not all drives support this if a drive credential is not known (known as a PSID revert). If the drive doesn’t support a PSID revert and you’re locked out (and for some reason EEPC’s normal recovery functions do not work), the drive is now a paperweight, your data is lost, and you need to purchase a brand new Opal drive. If the drive does support a PSID revert, then you can return it to a default factory state even without unlocking the drive first, but all of the data on the drive will be lost. Tools are available to do this (it is not a supported use-case in EEPC).
What happens if there is a physical hardware failure and the Opal drive stops responding to Unlock requests?
In this situation the drive is now a paperweight. There is nothing you can do to access the data. Consider the data lost and you’ll need to purchase a new Opal drive. This is because EEPC does not know the actual disk-encryption key; the disk-encryption key cannot be read from the drive.
What are the valid states of an Opal drive within EEPC?
Unlocked and locked.
What is the difference between locked and unlocked?
This is best illustrated with an analogy. Consider a vanilla Opal drive, fresh from the factory, as a house which has a locked front door where the key is still in the lock. The front door adds no real security. When EEPC enables locking on the drive, and requires preboot authentication, it is like removing the key from the front door. Technically, the difference is access to the encryption key by the encryption processor onboard the drive. If the disk is unlocked, the on-board encryption processor has access to the disk encryption key and the drive behaves exactly like a normal HDD. A user would not be able to tell the difference at this state between an Opal drive and a normal HDD. If the disk is locked, the disk encryption key is protected and a preboot environment is required to unlock the disk before the data can be accessed and the operating system allowed to boot. Note that the disk-encryption key is kept internal to the drive; it is not possible to read it from the drive.
What is the default state for an Opal drive?
When you first receive an Opal drive, the state is Unlocked. For all intents and purposes, it will behave and respond exactly like a normal HDD. You need to explicitly lock the drive by enabling the native locking mechanism of the drive; one way of doing this would to use Endpoint Encryption for PC to manage the drive.
How can you take the drive from an Unlocked to a Locked state?
An application, such as McAfee EEPC, which has a preboot environment, has to perform the necessary steps to enable the native locking mechanism of the Opal drive. After unlocking the drive, a preboot environment is required to unlock the drive before the operating system can start its boot process. Without a preboot environment, there wouldn't be anything present to unlock the drive and allow the operating system to boot.
When a Locked drive is Unlocked, how long does it stay Unlocked?
The Opal drive will remain unlocked until the next power cycle. That means that after you unlock an Opal drive it remains unlocked until you turn off the device, or move to another power state where the Opal drive loses power. However, in EEPC, to ensure the same user experience as with EEPC software encryption, the drive is explicitly locked on a restart as well.
If the Opal drive is Locked and I can’t remember my password to get in. What can I do?
There are recovery mechanisms to assist. Please see the recovery section for more details.
What is a Local Range of an Opal drive?
A Local Range is a contiguous range of sectors that will each have a different encryption key. These ranges can be Locked, or can remain Unlocked. For example, you can apply a Local Range to a partition, but a range does not have to map exactly to a partition.
Why would I use Local Ranges?
If you want a specific part of the disk to always be available and accessible regardless of whether the disk is Locked or Unlocked.
A Local Range is a contiguous range of sectors - what happens when I define a new range?
A new encryption key is automatically generated for the new range. If the Opal drive supports re-encryption then the data is decrypted with the old key and re-encrypted with the new key. Re-encryption is an optional part of the standard, and at present we believe that no drives support it. If the drive does not support re-encryption you have now lost all of the data that was previously in that range since it has been cryptographically erased.
How many Local Ranges can there be?
The Opal Standard specifies at least five (including the Global Range).
Does EEPC support Local Ranges for specifying whether partitions are locked or not?
If I use a partition tool, can I lose all my data on an Opal drive if I’m using Local Ranges?
Yes, it is a possibility.
Can I format or partition an OPAL disk that has EEPC OPAL provider protection?
If the drive is locked, modifications like formatting or partitioning are prevented. Once the user authenticates at preboot, EEPC unlocks the drive to allow the hard-disk (HDD) to be formatted or partitioned.
IMPORTANT: If the drive is accessed from any location other than within Windows, it is not possible to take any format or partition actions.
Back to Contents
- This article now contains all the details that were in the FAQ article KB71629 which is now unpublished.
- Some details that were in KnowledgeBase article KB68016 has been integrated into this article.
If you require a change to this functionality in a future version of the product, you can submit a Product Enhancement Request (PER) by logging in at: https://mcafee.acceptondemand.com/.
To register as a new user, click McAfee Customers Register Here at the top of the page. For additional information, see KB60021.
Endpoint Encryption for PC 6.2 (EOL)
Endpoint Encryption for PC 6.1 (EOL)
Beta Translate with
Select a desired language below to translate this page.
Glossary of Technical Terms
Please take a moment to browse our Glossary of Technical Terms.