How to use the McAfee SysPrep Utility (MFESysPrep)
Technical Articles ID:   KB89860
Last Modified:  5/16/2019


Environment

McAfee Endpoint Security Threat Prevention 10.6.x, 10.5.x
McAfee SysPrep Utility 1.x

Summary

To use the McAfee SysPrep Utility locally:
  1. Download the McAfee SysPrep Utility from the Downloads tab of the ServicePortal: https://support.mcafee.com/downloads.
  2. Right-click the ZIP package and click Properties.
  3. Click Unblock if the option is present.
  4. Extract the ZIP package.
  5. Open the extracted package.
  6. Right-click setupSysPrep.exe and select Run as administrator.
  7. Review and collect the following logs from %temp%\McAfeeLogs:
    • McAfee_SysPrep_Bootstrapper_<timestamp>.log
    • MFESysPrep.log
    • MFESysPrep_child.log

To use the McAfee SysPrep Utility with ePolicy Orchestrator (ePO):
  1. Download the McAfee SysPrep Utility from the Downloads tab of the ServicePortal: https://support.mcafee.com/downloads.
  2. Right-click the ZIP package and click Properties.
  3. Click Unblock if the option is present.
  4. Check the ZIP package into the ePO Master Repository.
  5. Create a Product Deployment task to push the McAfee SysPrep Utility to the required systems.
  6. Wake up the systems or wait for the scheduled task to complete.
  7. Review and collect the following logs from C:\Windows\Temp\McAfeeLogs:
    • McAfee_SysPrep_Bootstrapper_<timestamp>.log
    • MFESysPrep.log
    • MFESysPrep_child.log

What occurs when the utility runs:
  • It automatically updates the McAfee Trust store for third-party injectors that McAfee recognizes and that exist on the system. It sends Event ID 1095 for these injectors and writes them to the logs.
    • You can verify that trust has been added under: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\McAfee Trust
  • It identifies any unknown injectors and determines whether they are signed or unsigned. It sends Event ID 1092 for these injectors and writes them to the logs.
    • Lines that indicate a failure to add trust are denoted with an '[E]' following the date and time stamps.
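The following PowerShell script is an added example, not part of the McAfee utility: it lists what the utility placed in the McAfee Trust store, pulls the '[E]' failure lines out of the three logs, and zips the logs for a support case. It assumes only the registry path and log file names given above; the Cert: provider view of the store and the thumbprint-named Certificates subkeys follow the standard Windows system-store layout.

```powershell
# Added example (not McAfee's code). Assumes the article's registry path and log
# names; Cert:\LocalMachine\<store> and Certificates\<thumbprint> subkeys are the
# standard Windows system-certificate-store layout (an assumption here).
param(
    # %temp%\McAfeeLogs after a local run; C:\Windows\Temp\McAfeeLogs after an ePO deployment
    [string]$LogDir = (Join-Path $env:TEMP 'McAfeeLogs')
)

$StoreName = 'McAfee Trust'
$StoreKey  = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\$StoreName\Certificates"
$LogNames  = @('McAfee_SysPrep_Bootstrapper_*.log', 'MFESysPrep.log', 'MFESysPrep_child.log')

# 1. Show the injector certificates the utility trusted (the Event ID 1095 set).
Write-Host "== Certificates in LocalMachine\$StoreName =="
if (Test-Path "Cert:\LocalMachine\$StoreName") {
    Get-ChildItem "Cert:\LocalMachine\$StoreName" |
        Select-Object Thumbprint, Subject, NotAfter |
        Format-Table -AutoSize
} elseif (Test-Path $StoreKey) {
    # Fallback: each subkey under Certificates is named by the SHA-1 thumbprint.
    Get-ChildItem $StoreKey | Select-Object -ExpandProperty PSChildName
} else {
    Write-Host "Store not present: the utility has not added any trust entries."
}

# 2. Pull every failure line (the '[E]' marker after the timestamp) out of the logs.
Write-Host "`n== '[E]' lines in $LogDir =="
$failures = foreach ($name in $LogNames) {
    Get-ChildItem -Path $LogDir -Filter $name -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch '[E]'
}
if ($failures) {
    $failures | ForEach-Object { "{0}:{1}: {2}" -f $_.Filename, $_.LineNumber, $_.Line.Trim() }
} else {
    Write-Host "No '[E]' lines found."
}

# 3. Bundle the three logs into one archive for the support case.
$zip = Join-Path $env:USERPROFILE ("MFESysPrep_logs_{0:yyyyMMdd_HHmm}.zip" -f (Get-Date))
Get-ChildItem -Path $LogDir -Include $LogNames -Recurse |
    Compress-Archive -DestinationPath $zip -Force
Write-Host "`nLogs collected to $zip"
```

Run it from an elevated PowerShell session on the system where the utility ran; pass -LogDir 'C:\Windows\Temp\McAfeeLogs' for systems that received the utility through ePO.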

Additional information:
  • Events created by this utility are not populated into the Endpoint Common policy.
  • Any entries in the Endpoint Common policy are injectors in the environment that Endpoint Security has already identified. If no measures have been taken to trust that certificate or to remove the third-party software from the environment, the application might sporadically cause issues for Endpoint Security throughout the environment.
