McAfee Endpoint Encryption for PC version 6.1 is scheduled for release in Q1 2011. This is the first version of the product to offer an upgrade path for customers currently using version 5. EEPC version 6 is a major upgrade. The agent, the server and the database all receive significant updates – most notable, of course, is the change in management console. Version 6 is fully managed by McAfee ePO; this means you can retire your version 5 server and say goodbye to the proprietary SafeBoot database.

This upgrade was a hot topic at McAfee Focus 2010. By far, the most commonly asked question was “Do I need to decrypt and re-encrypt my machines?” The answer is no. Here’s a quick summary of the commonly asked questions.

Do I need to decrypt and re-encrypt my machines?

No. The upgrade process is designed to simply transfer the key from the old agent to the new agent. This is how we have always done upgrades. If you recall, the upgrade from v4 to v5 worked similarly.


What version 5 build do I need to be on in order to upgrade to v6.1?

5.1.7 is the minimum supported version for clients and server.


What version of ePO do I need?

ePO 4.5 patch 4 or later and McAfee Agent 4.5 patch 1 or later.


What impact will it have on the end user?

With the release of v6.1.1 the end user no longer has to reset their password as part of the upgrade process. Now the EE Migration utility can export all user information (including passwords and SSO details) to ePO. This means the upgrade process is now completely transparent to the end user.


Can I do the upgrade in phases or will the upgrade be immediately deployed to all endpoints?

ePO allows you to do phased deployments. You can push to a single system or to a test group. ePO also allows you to track the upgrade progress with reports and dashboards. Also, you can use a third-party tool to deploy the v6 installers in a phased manner.


What are the steps involved in the upgrade?

First, understand that the upgrade is easy. You simply deploy the v6 agent over the top of the v5 agent. It is that simple. We have an upgrade document (attached) that fully explains the process, but this is how I see most upgrades happening:

  1. Install and configure the EE and EEPC components in ePO, following this guide: ide-for-mcafee-eepc-v6
  2. Manually create EEPC v6 policies based on your v5 policies
  3. Create a deployment task that targets the upgrade to a small test group of systems
  4. Wake up the test agents
  5. The endpoints will receive v6 and prompt for a reboot after the install
  6. After the reboot the v5 agent gives the encryption keys to the v6 agent, and then v5 is uninstalled. The v6 agent then registers those keys with ePO and the agent upgrade is complete.
  7. On the next reboot, the user will see the v6 pre-boot environment.


Note: Other tasks like setting up role-based access control and creating reports should also be done as part of the upgrade, but are not necessary in order to test the process.


Note: The upgrade document focuses on an upgrade tool. This tool is primarily designed to preserve user-to-machine mappings. This tool will be useful for organizations with complex user provisioning schemes, but I think most customers can do the upgrade without this tool. EEPC v6 has the ability to automatically provision currently logged in users and cached profiles to the system (in v5 we used custom scripts or the autodomain script to do this). This feature allows us to ignore the user mappings that were established in v5 because the v6 agent will simply recreate them as part of the upgrade.


How do I transfer my policies?

You don’t. The policies are different in ePO, so part of the upgrade process is to manually port your v5 policies to v6. For most customers, this will be a 20-minute task.


Are there any reasons to stay with version 5 and not upgrade to 6.1?

Yes. EEPC v6 requires Active Directory. If you do not use Active Directory for user management, then you should stay on version 5. There are some plans on the roadmap to support other LDAPs, but those will not be immediately available in v6.1 so stay tuned.


Will WinTech and SafeTech work on endpoints encrypted with v6.1?

No. You will need to upgrade your support tools. The new tool is called EE Tech, and like the previous tool it will be available as a standalone version and also as a Windows application that can be built into PE environments or run from a "recovery workstation" so that you can rescue data from "slaved" drives.



If you have additional questions or concerns please post a comment!