Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.

Introduction

EE Tech is McAfee's recovery tool for disks encrypted with EEPC. It is provided as a standalone bootable utility and also as an application for Windows PE environments. The application is launched from bootable media like CD, USB and even floppy disks. This means that technicians need to have physical access to the system in order to perform recovery operations. This kind of desk side support is expensive and the alternative, shipping the system to a repair center, is time consuming. With McAfee ePO Deep Command and Intel vPro hardware, it is possible to run EE Tech remotely. This is done by leveraging the IDE Redirection and KVM features of Intel vPro hardware. Deep Command exposes these capabilities in ePO, and it is through this interface that we can use EE Tech remotely.

Setup

The best way to get started is to run the McAfee ePO Deep Command Discovery and Reporting utility in your environment. This is freely available to all McAfee customers. It will tell you if you have compatible Intel hardware in your environment. For example, only Intel vPro 6.x and later support the KVM feature. Discovery and Reporting will tell you which version of vPro you have in your environment (note that it is also referred to as AMT).

Requirements

    • McAfee ePO 4.6.4 or later
    • McAfee Agent 4.5.1 or later
    • Deep Command Discovery and Reporting 1.5 or later (free)
    • Deep Command 1.5 or later, and the following details must be shown in the Intel AMT Summary Dashboard in ePO
      • The system must be listed as Fully Configured
      • The system must have AMT version 6 or later (this is the minimum version for KVM support)
      • The system must support KVM (this indicates whether the system uses Intel integrated graphics, which KVM requires)
    • McAfee KVM Viewer 1.5 or later (this is part of the Deep Command product download). Note that it is also possible to use an alternative VNC client like VNC Viewer+.
    • EEPC v5 or later
    • EE Tech recovery disk in ISO format that is compatible with your version of EEPC. This file must be shared on a network resource that the endpoint can reach.
    • Depending on the recovery operation, you may need the EE Tech code of the day. This is available via a standalone application that comes with the EEPC product download.
    • The endpoint must be able to reach the ePO server
      • This is straightforward for systems that are on premise and connecting to the LAN
      • Additional considerations apply to wireless systems. The Intel SCS profile must be modified to enable wireless, and I recommend that it also be set to learn WiFi profiles. Please see the Intel SCS product guide for additional details.
      • Additional considerations apply to internet-connected systems. Deep Command Gateway Services must be installed and configured on an Agent Handler in the DMZ. Please see the Deep Command product guide for additional details.

Workflow

Once Deep Command is fully deployed in your environment, you will have new options in the System Tree. Under the Actions menu, you will see a section called AMT Actions. In this case, we are going to use the Boot/Reboot With Options action.

[Screenshot: remote ee tech 001a.png]

Our goal is to remotely power on the system and then tell it to boot to our EE Tech ISO rather than booting to the hard disk. This is done by using a feature of the Intel firmware known as IDE Redirection (IDE-R). In this screen we select the IDE-R option and then enter the UNC path to our EE Tech recovery ISO. Note that you can boot from any ISO; we are simply using EE Tech as an example.

[Screenshot: remote ee tech 002a.png]

At this point, ePO attempts to open a connection to the system. If ePO cannot reach the system, then the client will need to initiate the connection. This is done by the user pressing a combination of keys as the system boots (this is an Intel feature known as "Fast Call for Help" or Client Initiated Remote Access). The administrator can track the progress of this by looking at the AMTService.log file on the ePO server. You are looking for entries that look like this:

[Screenshot: remote remediation 003a.png]

Alternatively, you could track the progress by simply opening a KVM session. Then you can have a live view of what is happening on the endpoint. To open a KVM session, you need to leave ePO and open the McAfee KVM Viewer (MKV) application or an alternative VNC client like VNC Viewer+. If using the McAfee KVM viewer, you will need three pieces of information. You will need the FQDN of the endpoint, your Intel AMT Credentials (as established in your Intel SCS Profile), and you will also need to import the root and intermediate certificates from your Microsoft Certificate Authority (see Deep Command Product Guide for more details). Once you have these, you can establish a connection. This can happen even if the system is powered off. The image below shows the McAfee KVM viewer displaying the boot screen of a Windows PE disk (the text says "Press any key to boot from CD or DVD").

[Screenshot: remote ee tech 004.png]

Once the KVM session is established, you can perform your EE Tech recovery operation. One important limitation is that there is no native way to load a recovery XML file, so if token authentication fails you will not be able to proceed remotely. When you are done with your recovery, it is important to end your IDE Redirection session. This is done by going into ePO, selecting the system from the System Tree and choosing Actions > AMT Actions > Stop Image Redirection (IDE-R). This will immediately terminate the IDE-R session; if you need to confirm that, you can go back to the AMTService.log file and look for an entry like this:

[Screenshot: remote ee tech 005.png]

On the next reboot, the endpoint will resume booting from the hard disk rather than the EE Tech ISO. If this does not happen, it is likely that you forgot to stop the IDE-R session. This is a very common mistake (we saw lots of people making it during beta testing), so make sure that you remember to do this!
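As an added example (not part of the original article or of the Deep Command product), the Python script below audits log lines for IDE-R sessions that were started but never stopped, which is exactly the mistake described above. The log line format, the system names and the share path are constructed assumptions for the example; the real AMTService.log format is not reproduced here.

```python
"""Find endpoints whose last IDE-R event is a start with no matching stop.
The line format is an ASSUMED, constructed one for this example; adapt
LINE_RE and the two message markers to what your AMTService.log shows."""
import re

# Constructed sample lines: timestamp, level, [system], message.
SAMPLE_LOG = r"""
2014-03-10 09:01:12 INFO  [LAPTOP-01] Boot/Reboot With Options: IDE-R start, image=\\fileserver\recovery\eetech.iso
2014-03-10 09:01:40 INFO  [LAPTOP-02] Boot/Reboot With Options: IDE-R start, image=\\fileserver\recovery\eetech.iso
2014-03-10 09:35:05 INFO  [LAPTOP-01] Stop Image Redirection (IDE-R): session terminated
2014-03-10 10:02:19 INFO  [LAPTOP-03] Boot/Reboot With Options: IDE-R start, image=\\fileserver\recovery\eetech.iso
"""

# Assumed layout: "<date> <time> <LEVEL> [<system>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) +\S+ +\[(?P<system>[^\]]+)\] (?P<msg>.*)$")
START_MARKER = "IDE-R start"                 # assumed wording of a start entry
STOP_MARKER = "Stop Image Redirection"       # assumed wording of a stop entry


def parse_ider_events(text):
    """Yield (timestamp, system, 'start'|'stop') for each IDE-R related line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrelated line
        msg = m.group("msg")
        if START_MARKER in msg:
            yield m.group("ts"), m.group("system"), "start"
        elif STOP_MARKER in msg:
            yield m.group("ts"), m.group("system"), "stop"


def open_ider_sessions(text):
    """Return {system: start_timestamp} for systems still redirected to the ISO.
    A later stop for the same system clears its entry; anything left will
    boot the ISO again on the next reboot until Stop Image Redirection is run."""
    open_sessions = {}
    for ts, system, event in parse_ider_events(text):
        if event == "start":
            open_sessions[system] = ts
        else:
            open_sessions.pop(system, None)
    return open_sessions


if __name__ == "__main__":
    for system, started in open_ider_sessions(SAMPLE_LOG).items():
        print(f"{system}: IDE-R session started {started} and never stopped")
```

Run it against a copy of the log after each recovery session; any system it lists still needs Actions > AMT Actions > Stop Image Redirection (IDE-R).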

Demo Video

Other Resources

  1. Get started with McAfee ePO Deep Command https://community.mcafee.com/docs/DOC-5069
  2. McAfee Product Documentation Site
  3. EEPC v7.0 FAQ - Integration with Intel AMT for Out of Band Management