Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.
EEPC 6.1 patch 2 introduces a new capability to turn the pre-boot authentication screen on or off with a client-side command. This eliminates the need to change the policy in ePO, and fully automates patching and other client management scenarios where unattended reboots are required. This is extremely valuable because it allows administrators to continue managing their systems in the same way they did before the systems had pre-boot authentication.
High Level Process
- Enable Temporary Automatic Booting in the General tab of the Product Settings policy
- Deploy EpeTemporaryAutoboot.exe
- Write a script or use a client management application to run EpeTemporaryAutoboot.exe
Step By Step Procedure
- Download and install EEPC v6.1 patch or later. If it is your first time setting up the product, follow this Quick Start Guide to get up and running: https://community.mcafee.com/blogs/danlarson/2009/11/30/unofficial-quickstart-guide-for-mcafee-eepc-v6
- Extract McAfeeEEPC612.zip and open the Endpoint Encryption Misc directory. Then open the Endpoint Encryption Admin Tools directory. Then extract EEAdminTools.zip and locate the EpeTemporaryAutoboot.exe file. This is the file that must be distributed to your client systems.
- Log in to McAfee ePO and go to Menu > Policy > Policy Catalog and select Endpoint Encryption 1.1.2 (or later) from the Product drop-down menu. Then select Product Settings from the Category drop-down menu. Click on the policy that you want to change.
- In the General tab, check the box for Allow Temporary Automatic booting. If this is not enabled, then all attempts to use EpeTemporaryAutoboot.exe on the client will fail. This is an extra security measure designed to prevent unauthorized use of the feature.
- Wake up the agents so that they receive this new policy.
- The client systems are now ready to use the feature. There are two basic options available. Please note that these must be run with admin privileges on the client system.
Option 1: Temporarily boot automatically for X number of reboots. Example syntax: EpeTemporaryAutoboot.exe --number-of-reboots 3
Option 2: Temporarily boot automatically for X number of minutes. Example syntax: EpeTemporaryAutoboot.exe --timeout-in-minutes 15
The systems will then automatically boot for the duration specified. After that, they will go back to having pre-boot authentication enabled.
What if Some Systems Need to Automatically Boot More than Others?
In some environments, systems may be found in a variety of states. Some may be woefully out of date and will need to automatically boot 25 times. Others may be more up to date and will only need to automatically boot once. To accommodate this situation, we have provided the EpeTemporaryAutoboot.exe --clear command. This allows the administrator to stop automatic booting whenever they want, instead of having to wait for the specified number of reboots or the specified number of minutes. I like to think of this like opening and closing a door. Running EpeTemporaryAutoboot.exe --timeout-in-minutes 15 will open the door for 15 minutes. To close the door, you can either wait 15 minutes or you can run the --clear command.
The --clear function allows administrators to create a single process that works on all systems, regardless of how many reboots each system needs. The idea is to enable automatic booting with a number big enough to accommodate all systems (say 32 reboots, or 10080 minutes), but then use the --clear function to stop the automatic booting precisely when the systems management task is complete. Identifying when the task is complete is up to the administrator, but once that condition is met they simply have to run EpeTemporaryAutoboot.exe --clear.
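One way to script the open-then-clear process described above, so that pre-boot authentication is restored as soon as patching finishes. This is an added example, not McAfee code; the tool path, the completion marker file, and the treatment of a nonzero exit code as failure are assumptions.

```powershell
# Added example (not McAfee code). Run elevated: "Open" once before patching starts,
# then "CloseIfDone" at every startup (for example from a scheduled task).
param(
    [ValidateSet('Open', 'CloseIfDone')]
    [string]$Action = 'CloseIfDone',
    # Assumed location where EpeTemporaryAutoboot.exe was deployed
    [string]$Tool = 'C:\Tools\EpeTemporaryAutoboot.exe',
    # Hypothetical marker file that the patch job writes when it has finished
    [string]$Marker = 'C:\ProgramData\Patching\complete.flag',
    # Upper bound large enough for the most out-of-date system
    [int]$MaxReboots = 32
)

function Invoke-Autoboot {
    param([string[]]$Arguments)
    if (-not (Test-Path -LiteralPath $Tool)) { throw "Tool not found: $Tool" }
    & $Tool @Arguments
    # Assumption: a nonzero exit code means the request failed, for example
    # because "Allow Temporary Automatic booting" is not enabled in the policy.
    if ($LASTEXITCODE -ne 0) {
        throw "EpeTemporaryAutoboot.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The tool must be run with admin privileges on the client system.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'This script must be run from an elevated session.'
}

switch ($Action) {
    'Open' {
        # Remove a stale marker so an old run cannot close the window early.
        Remove-Item -LiteralPath $Marker -Force -ErrorAction SilentlyContinue
        Invoke-Autoboot -Arguments '--number-of-reboots', "$MaxReboots"
        Write-Output "Automatic booting enabled for up to $MaxReboots reboots."
    }
    'CloseIfDone' {
        if (Test-Path -LiteralPath $Marker) {
            # Patching is complete: restore pre-boot authentication now
            # instead of waiting for the remaining reboots to be used up.
            Invoke-Autoboot -Arguments '--clear'
            Remove-Item -LiteralPath $Marker -Force
            Write-Output 'Automatic booting cleared; pre-boot authentication restored.'
        } else {
            Write-Output 'Patching not finished yet; automatic booting left enabled.'
        }
    }
}
```

Because the marker is removed only after --clear succeeds, a failed clear is retried at the next startup.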
Please see KB73220 for more details on the Temporary Automatic Booting feature of EEPC: https://kc.mcafee.com/corporate/index?page=content&id=KB73220&actp=search&viewlocale=en_US&searchid=1320272925332