Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
EEPC v6.1.1 was released on July 11th, 2011 and EEPC v7.0 was released on December 20th, 2012. Both of these versions of EEPC provide a seamless upgrade path from the legacy SafeBoot Device Encryption or McAfee Endpoint Encryption for PC v5 software. The upgrade capability was originally built in to EEPC v6.1, but that release was not able to preserve the end user's password and SSO information during the upgrade process. Versions 6.1.1 and later do preserve this information, offering the end user a seamless upgrade experience. In this post I will address the common questions about the upgrade process and also provide step-by-step instructions for performing the upgrade.
Before we get into the detailed discussion, I must make one point in advance. It is NOT required to do a full decrypt and re-encrypt of the system as part of the version upgrade. This is the most commonly asked question about the upgrade process, so please understand that this is not required. The client upgrade process requires nothing more than for the administrator to deploy the EEPC v7 agent. The server side upgrade, however, involves more steps and that is what most of this document is dedicated to explaining.
Steps in the Upgrade Process
- Understand the new platform requirements
  - McAfee ePO
  - McAfee Agent
  - Active Directory
- Understand and implement the new platform architecture
- Understand feature differences between the versions and know when not to upgrade
- Understand the two upgrade methodologies
- Make special considerations if you are running in Autoboot mode (pre-boot authentication disabled)
- Install and configure EEPC v7 in ePO
- Train helpdesk on new recovery interface
- Build and distribute new recovery tools
- Export data from the v5 Endpoint Encryption Manager with the Endpoint Encryption Migration utility
  - Consider doing database cleanup before attempting the data export
- Import the v5 data into ePO
- Deploy the v7 client packages to systems you wish to upgrade
  - If required, you can deploy via a third-party tool
- Track upgrade progress with reports and dashboards in ePO
Tip: Watch the upgrade videos before you start the process!
- Upgrade Video 1: Endpoint Encryption for PC v5 to v6 Upgrade Considerations
- Upgrade Video 2: Endpoint Encryption for PC v5 to v6 Upgrade Demo
New Platform Requirements
Endpoint Encryption for PC v7 is fully managed by McAfee ePO. The minimum supported version is ePO 4.5 patch 4 hotfix 1. ePO 4.6 and all later versions are also supported.
Like all other McAfee endpoint security products, EEPC v6 and v7 leverage the McAfee Agent for policy enforcement and communication with ePO. This is seen on the endpoint as a red shield in the system tray. As part of the upgrade, the old silver-and-blue endpoint encryption icon will disappear. The minimum supported version of the McAfee Agent is 4.5 patch 2. McAfee Agent 4.6 and later are also supported.
Note: The McAfee Agent must be deployed to all endpoints and those endpoints must be visible in the ePO console before you attempt the data import or client upgrade steps of the upgrade process.
Unlike the legacy Endpoint Encryption Manager, ePO does not provide a standalone user management system. Instead, it references Active Directory for user and identity management. This creates a new requirement for the platform: all EEPC users must exist in Active Directory. EEPC does not require that the system be a member of a domain, and it does not require that the users authenticate to the domain when logging into Windows. The users simply need to exist in Active Directory.
Note: ePO will warn you during the data import process if any of the legacy endpoint encryption users do not exist in Active Directory.
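Because a user missing from Active Directory only surfaces as a warning partway through the import, it is worth checking the v5 user names against AD before you export anything. The following PowerShell is an added example, not code from the original post or from McAfee. It applies the same matching rule the ePO import uses when no CmSettings.xml is supplied (V5 User Name equals sAMAccountName), and it assumes a text file with one v5 user name per line (the path is a placeholder) and the ActiveDirectory RSAT module on the machine you run it from.

```powershell
# Added example: pre-flight the v5 user list against Active Directory.
# Input file format (assumption): one v5 user name per line.
Import-Module ActiveDirectory

function Test-V5UsersInAD {
    param(
        [Parameter(Mandatory)] [string] $UserListPath,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )

    $names = Get-Content -Path $UserListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' } |
        Sort-Object -Unique

    foreach ($name in $names) {
        # Same rule as the ePO import with no CmSettings.xml: V5 user name == sAMAccountName.
        # -Filter returns nothing for a missing account instead of throwing like -Identity does.
        $escaped = $name -replace "'", "''"
        $match = Get-ADUser -Filter "sAMAccountName -eq '$escaped'" -SearchBase $SearchBase

        [pscustomobject]@{
            V5UserName = $name
            FoundInAD  = [bool]$match
            Enabled    = if ($match) { $match.Enabled } else { $null }
            DN         = if ($match) { $match.DistinguishedName } else { '' }
        }
    }
}

# Usage: review the misses before running "Import v5 users" in ePO.
$results = Test-V5UsersInAD -UserListPath 'C:\Migration\v5-users.txt'
$results | Where-Object { -not $_.FoundInAD } | Format-Table -AutoSize
$results | Export-Csv -Path 'C:\Migration\v5-user-preflight.csv' -NoTypeInformation
```

Anything reported as not found (typically SafeBoot-only accounts such as the built-in admin users, or people who have left but still hold pre-boot assignments) either needs an AD account before the import or should be left behind deliberately. The Enabled column is there because a disabled AD account still satisfies the import but will not help anyone log in.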
New Platform Architecture
Endpoint Encryption for PC v6 is built upon McAfee's common management architecture. This represents a change at every level of the stack, from the underlying database to the client communication methodology.
| Function | EEPC v6 and v7 | EEPC v5 |
|---|---|---|
| Database | MS SQL | Proprietary Object Directory |
| Administration | McAfee ePO | Endpoint Encryption Manager |
| Active Directory integration | McAfee ePO (required) | Endpoint Encryption Connector Manager (optional) |
| Helpdesk | McAfee ePO | Endpoint Encryption Manager or Web Helpdesk (proprietary or Apache) |
| Database backup | Any supported SQL backup method | Object Directory Backup Utility |
| Client communication ports | 443 | 5555 (or custom) |
| Communication with internet-connected systems | Agent Handler in the DMZ | Port forwarding via firewall rule |
| Endpoint Agent | McAfee Agent | SafeBoot Client Manager |
| Licensing | No license file, audit system | SafeBoot license file (.slc) |
I recommend reading the ePO Best Practices Guide before implementing a new ePO environment or upgrading an existing ePO environment in preparation for a new EEPC v7 deployment. It covers everything, including hardware recommendations and scalability considerations. I also recommend reading the ePO 4.6 Hardware Sizing and Bandwidth Guide so that you properly size your ePO server before trying to implement EEPC v7.
This architecture is designed to support endpoints on a local area network and internet-connected endpoints. All EEPC functionality is supported, including installation and activation, on remote systems (even if they never VPN in or connect to the LAN).
Feature Differences that May Prevent You from Upgrading
Because of the entirely new management platform, some product differences have been introduced. Most of these are discussed in the EEPC v6 FAQ but I'll cover the major items here.
- Active Directory Requirement. If your users aren't in Active Directory, then you cannot use EEPC v7.
Two Upgrade Methodologies
It is possible to upgrade with the Endpoint Encryption Migration utility, or without it. Using the utility during the upgrade ensures that your end user data is retained. This includes everything from their pre-boot password, to their SSO details, and their user-to-machine assignments. In short, this ensures that users in your new environment work exactly like they did in your old environment.
However, you may not want your new environment to work like your old one. The upgrade could be an opportunity to improve the implementation. A common problem, for example, is having too many users assigned in the pre-boot environment. This happened frequently because we didn't have a good way to do one-to-one user mapping (i.e. assigning just one user to their laptop). This resulted in groups of users having pre-boot access to groups of laptops. This could be considered a security concern, so many organizations undertook efforts to remove the unnecessary user assignments. You could achieve this very simply during the v7 migration. It would be done by enabling the "add local domain users" feature in the system settings policy. Then as part of the v7 deployment, the agent would automatically assign the currently logged in Windows user and all cached profiles as pre-boot users on that system. Since you did not use the migration utility, none of the other users from the v5 environment would be assigned - effectively reducing the total number of users assigned to that system. The only problem is that those newly assigned users would be created with default passwords. So as part of this implementation, you would have to communicate that new login experience to your end users.
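If you take the "add local domain users" route instead of the migration utility, you will want to know in advance which accounts each system will end up with in pre-boot. The script below is an added example, not code from the original post or from McAfee: it reads the cached profile list that Windows keeps in the registry and resolves each profile SID to an account name, which approximates "the currently logged in Windows user and all cached profiles" described above. It assumes it is run locally with rights to read HKLM; skipping the SYSTEM, LOCAL SERVICE and NETWORK SERVICE profiles is my choice of filter, not a statement about how the product's own enumeration works.

```powershell
# Added example: preview which cached profiles exist on this system.
function Get-CachedProfileUsers {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE (assumed not of interest)

    Get-ChildItem -Path $profileList | ForEach-Object {
        # Profile keys are named after the SID; a ".bak" suffix marks a profile Windows has set aside.
        $sid = $_.PSChildName -replace '\.bak$', ''
        if ($serviceSids -contains $sid) { return }

        $imagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        try {
            $account = ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            # A domain account this machine can no longer resolve (deleted user, no DC reachable).
            $account = '<unresolved>'
        }
        $domain, $user = $account -split '\\', 2

        [pscustomobject]@{
            Account     = $account
            IsDomain    = ($account -ne '<unresolved>' -and $domain -ne $env:COMPUTERNAME)
            ProfilePath = $imagePath
            SID         = $sid
        }
    }
}

# Usage: the logged-in user plus every row below is roughly the pre-boot user set you will get.
Get-CachedProfileUsers | Sort-Object Account | Format-Table -AutoSize
"Currently logged-in user: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
```

Run it on a sample of shared or hot-desk machines before committing to this approach: a laptop that has been through several owners can carry a surprising number of stale profiles, and every one of them becomes a pre-boot login with a default password.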
The other benefit of not using the migration utility is speed. Exporting data from the v5 Endpoint Encryption Manager and importing it into ePO takes time. If your end users don't mind a password reset during the upgrade, or if you are deploying in Autoboot mode, you can save a lot of time by not using the migration utility and just pushing the v7 agent to the endpoints.
These two upgrade methodologies are discussed at length in the Endpoint Encryption for PC Migration Guide that comes with the product. I recommend reading that before deciding on an upgrade methodology. If you have any doubts, then use the migration utility.
Note: If you are in "Autoboot mode", then you do not need to use the migration utility. Autoboot is now a feature of the pre-boot instead of a special user account. Since you aren't using a user account, then you don't need to migrate users with the migration utility. Before you upgrade, though, make absolutely sure that you have checked the "Enable automatic booting" option in the product settings policy (it is not checked by default). If you do not do this, then every one of your upgraded users will get stuck at the pre-boot authentication screen and call the helpdesk.
Install and Configure EEPC v7 in ePO
Follow the Quick Start Guide to get EEPC installed and configured.
Note: You must create new EEPC policies in ePO. Policies are not migrated with the migration utility. If you need help translating your EEPC v5 policies into v7 policies, please contact your McAfee representative or consider a McAfee Professional Services engagement.
Select a user provisioning strategy. The policy in the Quick Start Guide will enable the Add Local Domain Users feature, and this will address your end user provisioning needs. But I recommend also implementing your administrators as Group Users. See my post on user provisioning to learn how to do this.
Set up role-based access control. McAfee ePO implements role-based access control with a feature called Permission Sets. I have example permission sets in my Setting Up Role Based Access Control post.
Train Helpdesk on New Recovery Interface
Recovery operations for Endpoint Encryption for PC v7 are done in ePO. This is a new interface, and migrating to it creates two tasks for administrators. First, administrators must grant helpdesk staff access to ePO. This is done via the Permission Sets feature of ePO. Second, all helpdesk personnel will need to be trained on the new interface. Attached to this post is a template document that can be used for updating or replacing any documented helpdesk procedures that you may already have in place. One nice feature of EEPC v7 is that if you create permission sets that only allow access to the Endpoint Encryption Recovery screen, then users in that permission set will land on the recovery screen immediately after they log in to ePO. This simplifies their experience and makes the transition to the new interface easier.
Note: Please be aware that unique EE Tech utilities now exist for BIOS, UEFI and OPAL. This is a change from v5 where there was only a single EE Tech utility.
Build and Distribute New Recovery Tools
SafeTech and WinTech will not work on endpoints encrypted with EEPC v7. These have been replaced with a new recovery tool: EE Tech. EE Tech can be used as a standalone utility (like SafeTech) or as a Windows application run in a PE environment (like WinTech). The EEPC v6.x download will include an EE Tech admin guide. I also recommend viewing these posts. Please note that the instructions are the same for v6 and v7.
- How To Create an EE Tech Standalone ISO for EEPC 6.1
- How to create an EE Tech recovery disk for McAfee EEPC 6 using WinPE 3
Export data from the v5 Endpoint Encryption Manager
The Endpoint Encryption Migration utility allows you to export user and machine data from the Endpoint Encryption Manager. This data can then be imported into ePO. This ensures that the correct user data (pre-boot passwords, SSO details, etc.) is in ePO, ready to be downloaded by the system as part of the client upgrade process.
The data export process is fully documented in the Endpoint Encryption Migration Guide, but I'll also give a high level overview here.
Note: Before attempting to export data, you should consider checking the health of your Endpoint Encryption v5 database.
Using the Endpoint Encryption Migration Utility
- Ensure that your Endpoint Encryption Manager server is at least version 5.1.7. This is the minimum supported version.
- Download and extract the EEPC 7.x files from the McAfee download site.
- Locate the Endpoint Encryption Migration folder and extract the EEMigration.zip file
- Copy the EEMigration directory to the Endpoint Encryption Manager server
- Launch the Endpoint Encryption Migration Utility
- On the first screen, enter the path to your Endpoint Encryption Manager software. This is commonly C:\Program Files\McAfee\Endpoint Encryption Manager
- Use admin credentials to connect to your database. It is best to use a level 32 account (like the default SbAdmin or Admin account). Use of any other account may result in an incomplete data export.
- The next screen asks what you want to export. You can export machines, along with all of the users who are assigned to those machines. Or you could do the export based on users, along with all machines to which those users are assigned. It is most common to target the upgrade to specific systems (rather than users), so that's the approach I'll show here.
- The next screen allows you to select which machines you want to export. I strongly recommend doing the upgrade in small batches. Early testing indicates that it takes ePO about 20 seconds to process each system during the import, and that assumes the machine only has one user assigned. In that scenario, it would take roughly 2.8 hours to import 500 systems. You can select entire groups of systems, or you can select individual systems by clicking the Select Members button.
- The next screen allows you to identify your CmSettings.xml file. This file only exists if you are using the Connector Manager to link the Endpoint Encryption Manager with Active Directory (or one of the other LDAP systems that v5 supported). This file is not required, but you should point to it if you were leveraging the Active Directory integration in v5. By default, it is stored in C:\Program Files\McAfee\Endpoint Encryption Manager. This screen also allows you to export audit data. I recommend not exporting audit data unless you absolutely have to. It has a major impact on the time it takes to export and import the data.
- Now that you have selected what you want to export, the next screen allows you to name the file that will contain your exported data. Since you will be doing this in batches, I recommend serializing the file names, or using some other naming convention so that you know which systems are in which output file.
- On the next screen, simply click the Finish button and the Endpoint Encryption Migration utility will export your data to a .zip file.
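To keep the batches small and the file names traceable, it helps to decide the batch membership before you open the wizard. The following PowerShell is an added example, not code from the original post or from McAfee. It assumes a CSV you have prepared with the columns MachineName and AssignedUsers (a constructed input format; build it from whatever machine list you pull out of the Endpoint Encryption Manager), writes one serially numbered list file per batch so you know which systems went into which export, and estimates import time from the 20-second figure above. Scaling that figure by the number of assigned users is my assumption, since the 20 seconds was measured on one-user systems.

```powershell
# Added example: split the v5 machine list into export batches and estimate import time.
# Input CSV columns (assumption): MachineName, AssignedUsers
function New-MigrationBatchPlan {
    param(
        [Parameter(Mandatory)] [string] $MachineCsvPath,
        [int]    $BatchSize = 100,
        [int]    $SecondsPerUserAssignment = 20,   # post's observation for one user per system
        [string] $OutputDir = 'C:\Migration\Batches'
    )

    $machines = @(Import-Csv -Path $MachineCsvPath)
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    $batchNumber = 0
    for ($i = 0; $i -lt $machines.Count; $i += $BatchSize) {
        $batchNumber++
        $end   = [Math]::Min($i + $BatchSize, $machines.Count) - 1
        $batch = @($machines[$i..$end])

        # Serialized name: use the same base name when the wizard asks for the export file name,
        # so the .zip and this list file pair up.
        $baseName = 'eepc-v5-export-{0:D3}' -f $batchNumber
        $batch.MachineName | Set-Content -Path (Join-Path $OutputDir "$baseName.txt")

        # Assumption: import cost grows with user assignments, never below one per machine.
        $assignments = ($batch | Measure-Object -Property AssignedUsers -Sum).Sum
        $units       = [Math]::Max([double]$assignments, [double]$batch.Count)
        $estimate    = [TimeSpan]::FromSeconds($units * $SecondsPerUserAssignment)

        [pscustomobject]@{
            Batch         = $batchNumber
            ListFile      = "$baseName.txt"
            Machines      = $batch.Count
            Users         = [int]$assignments
            EstImportTime = $estimate.ToString('hh\:mm\:ss')
        }
    }
}

# Usage: 100 systems per batch keeps each ePO import well under an hour at the observed rate.
New-MigrationBatchPlan -MachineCsvPath 'C:\Migration\v5-machines.csv' -BatchSize 100 |
    Format-Table -AutoSize
```

When you run the wizard for batch 003, select exactly the machines in eepc-v5-export-003.txt and name the export eepc-v5-export-003.zip; if an import later fails partway, the list file tells you which systems to re-export without re-running the whole set.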
Import the v5 Data Into ePO
Before you can upgrade your clients, you must ensure that their data is in the ePO database. This is done by importing the data that was exported from the Endpoint Encryption Manager with the migration utility.
Importing v5 Data Into ePO
- In ePO, go to Menu > Data Protection > Encryption Users.
- Click Tasks > Import v5 Users.
- Browse to the .zip file that you exported with the Endpoint Encryption Migration Utility.
- The next screen displays your bindings information. This reads the information out of your CmSettings.xml file to help find your users in Active Directory. If you didn't supply a CmSettings.xml file during the data export, you'll see a message to that effect. Since the CmSettings data is not required, it is safe to proceed.
- If you didn't use the CmSettings file, you need to create a rule for matching users. In almost all cases, you will simply need to select V5 User Name from the left pane, and then choose samaccountname for the attribute. This instructs ePO to look for samaccountnames in Active Directory that match the user names that exist in your .zip file.
- ePO will now attempt to assign the users from the .zip file to machines in ePO. Because this involves Active Directory lookups and ePO System Tree queries, it is the most time-consuming part of the import process, and the only way to reduce it is to import smaller batches of data. Notice that there are two tabs on this screen, one for machines and one for users. If any systems in the .zip file do not exist in ePO, you will see an error on the machines tab. Then look in the users tab: if any users in the .zip file do not exist in Active Directory, you will see an error there.
- The final step is the results screen. If there were any problems, the result column will say something other than "Success".
Deploy the v7 Client Packages to Systems You Wish to Upgrade
The EEPC client upgrade is done by simply installing the v7 packages on a system that is already running v5. This can be done with a product deployment task in ePO or by deploying the packages via a third-party tool. This means that you can use the same deployment process for both new client installs and for upgrading systems that already have v5 installed.
Note: You do not need to decrypt and re-encrypt systems as part of the client upgrade. It is a simple over-the-top installation: the EEPC v7 client files simply replace the EEPC v5 client files.
Building the ePO Product Deployment Task
- In ePO, go to the System Tree and select the My Organization level.
- Select Actions > New Client Task Assignment.
- Select McAfee Agent > Product Deployment > Create New Task.
- Name the task Deploy EEPC v7. Then select Endpoint Encryption Agent for Windows in the products drop-down menu. Then click the + button to add another product, and select Endpoint Encryption for PC. Then click save and you'll return to the previous screen.
- Click next to configure the schedule. Set the status to Disabled. For the type, select Run Immediately from the drop-down menu. Then click next and review the settings. Click save to finish the task.
- The task is now set for all of your systems, but it is disabled. I recommend selectively enabling it only on those systems that you want to upgrade. This can be done by breaking inheritance in the System Tree (select the system > actions > agent > modify tasks on a single system).
Track Upgrade Progress
ePO makes it simple to track the progress of your upgrade project. You can check in the EEPC v5 detection extension for ePO (attached at the bottom of this post). This will allow ePO to report on both your v5 and v7 endpoints. When the v5 pie chart indicates 100% "Not installed" then your upgrade is over. At that point you can decommission all of your old v5 servers and processes.