Update: In 2014 McAfee renamed Endpoint Encryption for PC (EEPC) to McAfee Drive Encryption (MDE). These instructions are valid for both versions.

 

Introduction

Out Of Band Remediation is a new feature in EEPC v7. It is one of the three new Out Of Band management features that are available if you have Intel vPro hardware and McAfee Deep Command in place. The idea of Remediation is to allow administrators to perform EE Tech recovery operations remotely, without needing physical access to the system. It was also implemented with automation in mind: it can perform recovery operations on multiple systems simultaneously.

 

Out Of Band Remediation currently allows administrators to perform two EE Tech recovery operations. Both operations do the same thing as when they are done manually in the EE Tech interface, but invoking them by Out Of Band Remediation allows them to happen automatically and without the need for administrative interaction (i.e. there is no need to enter pre-boot credentials or use a recovery file).

 

Remediation: Emergency Boot

If the administrator selects this, then the damaged McAfee pre-boot file system (PBFS) will be replaced with a known-good one that will allow the system to boot into Windows and then sync with the server to re-initialize the PBFS.


Remediation: Restore

The option to restore the Endpoint Encryption MBR can be used if the MBR has been modified. This can be caused by other applications, malware, or even administrative error by support personnel working with EE Tech. Remotely restoring the encryption MBR will restore the EEPC MBR, but it is important to know that the partition table (while also stored on sector zero of the disk) is not included in this restore operation. There are unique MBRs for the different architectures that McAfee EEPC supports (BIOS, UEFI and OPAL). There is logic built into this recovery operation to automatically select the correct one, so "Automatic" is the recommended option. You should only manually select a recovery image if automatic selection fails.
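
The caveat above, that the partition table shares sector zero with the MBR code but is not part of the restore, can be checked on a raw copy of the sector. The following Python sketch is an added example, not McAfee code: it assumes the classic BIOS MBR layout (boot code in bytes 0-445, four 16-byte partition entries at offset 446, signature 0x55AA at offset 510), uses constructed sample sectors, and its function names are hypothetical.

```python
import struct

# Assumption: classic BIOS MBR layout; this is not McAfee's implementation.
SECTOR_SIZE = 512
TABLE_OFFSET = 446       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510   # boot signature bytes 0x55 0xAA
ENTRY = "<B3xB3xII"      # status, CHS (skipped), type, CHS, LBA start, count


def parse_partitions(sector):
    """Return the non-empty partition entries of a classic MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector zero must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY, raw)
        if ptype != 0:  # type 0x00 marks an unused slot
            entries.append({"slot": i, "active": status == 0x80,
                            "type": ptype, "lba_start": lba_start,
                            "sectors": count})
    return entries


def restore_boot_code(damaged, known_good):
    """Take bytes 0-445 from a known-good image, keep the on-disk table."""
    if len(damaged) != SECTOR_SIZE or len(known_good) != SECTOR_SIZE:
        raise ValueError("both inputs must be 512-byte sectors")
    return (known_good[:TABLE_OFFSET]
            + damaged[TABLE_OFFSET:SIGNATURE_OFFSET] + b"\x55\xaa")


def build_sector(boot_fill, entries):
    """Constructed sample data: filler boot code plus the given entries."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries)
    return (bytes([boot_fill]) * TABLE_OFFSET
            + table.ljust(64, b"\x00") + b"\x55\xaa")


# Constructed sectors: the known-good image carries no table of its own; the
# disk has overwritten boot code (0xCC) but one valid NTFS-type (0x07) entry.
KNOWN_GOOD = build_sector(0x90, [])
ON_DISK = build_sector(0xCC, [(0x80, 0x07, 2048, 1000000)])
RESTORED = restore_boot_code(ON_DISK, KNOWN_GOOD)
```

A table that was already wiped stays wiped after the boot code is replaced, so the partition entries need to be verified separately from the MBR restore.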


Workflow

  1. Administrator selects system(s) in System Tree
  2. Actions > Endpoint Encryption > Out Of Band Remediation
  3. McAfee ePO writes the action to the Out Of Band Work Queue
  4. McAfee ePO attempts a Server Initiated Local Access (SILA) connection to the Intel vPro network interface on the managed endpoint
    1. If this connection attempt is successful, then the action will proceed
    2. If this connection attempt fails, then the action will remain in the work queue until the client initiates a connection (either CILA or CIRA)
  5. Out Of Band Remediation powers on the system via McAfee Deep Command
  6. Out Of Band Remediation instructs the system (via Intel IDE Redirection) to boot to a small EE Tech disk image that resides on the ePO server
  7. The Out Of Band Remediation version of EE Tech loads and uses McAfee Deep Command operations to authenticate with the server
  8. After authentication, Out Of Band Remediation performs the recovery operation and reboots the system
  9. Windows loads and the McAfee Agent syncs with ePO to complete the recovery operation

 

 


Other Resources

EEPC v7.0 FAQ - Integration with Intel AMT for Out of Band Management