EEPC v7.0 FAQ - Windows 8

Version 1

    General

    Q: Which version of EEPC will support Windows 8?

    EEPC version 7.0 will introduce support for Windows 8 roughly 30 days after the anticipated Windows 8 GA from Microsoft.

    Q: Will other EEPC versions support Windows 8?

    No. The legacy EEPC version 5.x product will definitely not support Windows 8. At this time there are no plans to have version 6.x support Windows 8.

    Q: I’m told Windows 8 is a big change for encryption. Why is that?

    There are many new features that Microsoft has introduced with Windows 8. The ones that impact encryption the most are:

    1. A UEFI Boot Process
    2. GPT Disk partitioning
    3. Secure Boot
    4. Hybrid Boot
    5. Modern UI
    6. Windows 8 Tablets

    Q: So Windows 8 has two possible boot methods?

    That is correct. Depending on your device’s configuration and capabilities, Windows 8 installs to boot with either the new UEFI boot process or the legacy BIOS boot process.

    Q: Can I just change a configuration setting and swap Windows from one boot process to another?

    No. You need to completely re-install Windows, because the two boot processes use different disk partitioning mechanisms.

    Q: Does that mean that there are two EEPC Pre-boot environments now?

    Yes, EEPC v7.0 has a pre-boot to handle the UEFI Boot Process and a pre-boot to handle the BIOS boot process. The EEPC Intelligent Client will examine which boot process the system is configured to use, and determine which pre-boot needs to be installed. This allows an administrator to deploy EEPC to devices and know that the appropriate pre-boot will be installed automatically.

    Q: Is the deployment of EEPC to Windows 8 any different to previous versions of Windows?

    No, deployment of EEPC is the same regardless of operating system.

    Q: Does EEPC v7.0 use the Modern User Interface?

    EEPC does not have much user interface on the client once Windows has loaded. The tray status monitor remains the only UI in Windows 8 and it is only available on the desktop. It is not available in the Modern UI.

    Q: When I read information on Windows 8 I see some references to “eDrives”. Does EEPC support eDrives?

    No, EEPC v7.0 does not support eDrives.

    Q: What is an “eDrive”?

    An eDrive is an Opal version 2.0 drive operating in a single user mode and managed via the OS.

    Q: Does EEPC v7.0 also detect Windows 8 BitLocker and stop the activation of EEPC?

    Yes. EEPC will detect Windows 8 BitLocker during the EEPC activation process and stop the activation of EEPC if BitLocker is active.

    Q: What about support for Windows Server 2012?

    EEPC v7.0 does not support Windows Server 2012 as a client operating system. This means that the EEPC client cannot be deployed to Windows Server 2012 systems.

    Q: What about support for WinPE 4?

    WinPE 4 is supported. McAfee has validated the use of WinPE 4 for the same use cases as WinPE 3.

    Q: Automatic Repair is on by default in Windows 8. Can I use it safely?

    No. On Windows 8 systems, we recommend that you disable Automatic Repair. The reason is that Automatic Repair of an encrypted disk may inadvertently destroy the encrypted operating system files and cause permanent boot problems. Whereas previous versions of Windows asked whether you wished to repair your system before starting the repair, Windows 8 launches into Automatic Repair as soon as a problem is detected, leaving little scope to prevent destruction of encrypted data.

    Q: How do I disable Automatic Repair?

    To disable automatic repair, issue the following command from an administrative command prompt:

    bcdedit /set {current} recoveryenabled No
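    The following PowerShell script is an added example and not McAfee’s code. It runs the bcdedit command above against the current boot entry and then reads the entry back so an administrator can confirm the setting actually took (bcdedit silently does nothing useful when the prompt is not elevated). It assumes Windows 8 or later and an elevated PowerShell prompt; the function names Get-RecoveryEnabled and Disable-AutomaticRepair are this example’s own. Note that `{current}` is quoted because PowerShell would otherwise parse the braces as a script block.

```powershell
# Added example (not McAfee's code): disable Windows 8 Automatic Repair for
# the current boot entry and verify the change by re-reading the entry.
# Requires an elevated PowerShell prompt on Windows 8 or later.

function Get-RecoveryEnabled {
    # "bcdedit /enum {current}" prints one "<name>  <value>" line per
    # setting of the running boot entry. Pull out the recoveryenabled line
    # and return its value ('Yes' or 'No'); return $null when the entry
    # does not carry the setting at all.
    $line = bcdedit /enum '{current}' |
        Where-Object { $_ -match '^\s*recoveryenabled\s' } |
        Select-Object -First 1
    if ($line -and $line -match '^\s*recoveryenabled\s+(\S+)') {
        return $Matches[1]
    }
    return $null
}

function Disable-AutomaticRepair {
    $before = Get-RecoveryEnabled

    # The command the FAQ recommends; braces are quoted for PowerShell.
    bcdedit /set '{current}' recoveryenabled No | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE (is the prompt elevated?)"
    }

    $after = Get-RecoveryEnabled
    [pscustomobject]@{
        Before   = $before
        After    = $after
        Disabled = ($after -eq 'No')
    }
}

# Usage: show the before/after state so the change is visible in the console.
Disable-AutomaticRepair | Format-List
```

    The `Disabled` field is the value to check in any deployment script: `$true` means the boot entry now reads `recoveryenabled No`, which is the state the FAQ asks for on encrypted Windows 8 systems.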

    UEFI

    Q: What is UEFI?

    UEFI (Unified Extensible Firmware Interface) defines the next generation firmware interface for your personal computer. The Basic Input and Output System (BIOS) firmware, originally written in assembly and using software interrupts for I/O, has defined the PC ecosystem since its inception – but changes in the computing landscape have paved the way for a “modern firmware” definition to usher in the next generation of tablets and devices.

    UEFI is managed through the UEFI forum, a collection of chipset, hardware, system, firmware, and operating system vendors. The forum maintains specifications, test tools, and reference implementations that are used across many UEFI PCs.

    The intent of UEFI is to define a standard way for the operating system to communicate with the platform firmware during the boot process. Before UEFI, the primary mechanism to communicate with hardware during the boot process was software interrupts. Modern PCs are capable of performing faster, more efficient block I/O between hardware and software, and UEFI allows designs to utilize the full potential of their hardware.

    UEFI allows for modular firmware design that enables hardware and system designers a greater flexibility in designing firmware for the more demanding modern computing environments. Whereas I/O was limited by software interrupts, UEFI promotes the concept of event-based, architecture-neutral coding standards.

    Q: Is UEFI implementation the same across all vendors?

    No, UEFI implementations differ by hardware vendors. Depending on the UEFI implementation we have seen issues ranging from missing protocols required to support Opal drives to issues in USB support provided in the pre-boot environment used by EEPC when operating in native UEFI mode.

    Q: What versions of Windows support a UEFI Boot Process?

    Windows 7 (64-bit only) and Windows 8 (32-bit and 64-bit).

    Q: What version of UEFI does EEPC support?

    EEPC v7.0 supports UEFI version 2.3.1 and above.

    If you plan to install EEPC on a Windows 8 system using native UEFI, we recommend that you only use native UEFI mode if the system is explicitly Windows 8 certified. We also recommend upgrading your UEFI systems to the latest UEFI firmware level and testing on a specific native UEFI capable machine before wide-scale deployment.

    Q: Does a device with a UEFI boot process work with MBR partitioned disks?

    No. Windows requires a different disk partitioning mechanism, GPT, in order to boot under UEFI.

    Q: I’ve heard mention that the EEPC pre-boot is an application, can you please explain?

    That is correct. Consider UEFI to be like an operating system; the EEPC pre-boot then becomes a native UEFI application. By comparison, the BIOS pre-boot is a small operating system in its own right. In both cases the EEPC pre-boot needs to execute first, so that after a successful authentication the encryption key can be loaded and the boot process can continue. In the UEFI world, when a user successfully authenticates at the EEPC pre-boot, the EEPC pre-boot application simply terminates and allows the next application in the chain to execute (traditionally the OS boot loader).

    Q: Can an end user know if they are using the BIOS based pre-boot or the UEFI pre-boot?

    No. Both pre-boots look and behave exactly the same. An end-user would not be able to tell the difference between the UEFI pre-boot and the BIOS pre-boot.

    Q: Are all the same tokens and readers supported in UEFI?

    Yes, all of the tokens and readers should work in both BIOS and UEFI, with the following exceptions, which are not supported under UEFI:

    • All biometric tokens
    • SafeNet’s eToken USB tokens

    Q: Are all the same touch screen devices supported in UEFI?

    If you think of UEFI as akin to an operating system, then OEMs need to provide “drivers” for the hardware contained in that device. The UEFI pre-boot supports both the Simple Pointer Protocol and the Absolute Pointer Protocol; one or both of these is expected to be implemented for every touch screen device. If the manufacturer/OEM of a device’s UEFI implementation has failed to implement either of these protocols, then support for the touch screen cannot be guaranteed.

    Please note however that McAfee has found in its own internal testing that not all UEFI implementations from OEMs actually implement these Interfaces. In these instances, the creator of the UEFI implementation on that device is leaving out sections of the UEFI specification.

    Q: Are Opal drives supported in UEFI?

    Support for Opal self-encrypting drives on UEFI systems is only available on Windows 8 logo compliant systems that were fitted with an Opal self-encrypting drive when manufactured. Support for Opal self-encrypting drives under UEFI is not offered when retrofitting Opal drives to pre-Windows 8 systems, or to Windows 8 systems that were not shipped with Opal drives from the manufacturers.

    This is because a UEFI security protocol that is required for Opal management is only mandatory when a self-encrypting drive is fitted at the time of shipping. Without the security protocol Opal management is not possible. 

    This does not affect support for Opal drives under BIOS.

    Please refer to KB75045 for a list of supported drive models. (https://kc.mcafee.com/corporate/index?page=content&id=KB75045)

    Q: Are there different recovery tools for a device with a UEFI boot process?

    Yes. Because UEFI is a different boot process, a different recovery tool is required to handle it.

    Q: Does that mean EETech is also a UEFI application?

    Yes, there is an EETech application that is used for recovery on devices with a UEFI boot process. Note that you cannot use the (legacy) BIOS EETech tools with a UEFI booting system.

    Q: GPT Drives go hand in hand with UEFI. Are they supported too?

    Yes, the UEFI pre-boot in EEPC v7.0 will support GPT drives. They will be supported as boot or secondary disks.

    Q: Can the BIOS pre-boot also support GPT drives?

    As a boot disk – No.

    As a secondary disk – Yes. Additionally, it is up to the OS to support the secondary drive in GPT mode, and the BIOS must support large disks for EETech (Standalone) to be able to recover them.

    Secure Boot

    Q: What is Secure Boot?

    Secure Boot is a feature enabled by UEFI but Microsoft mandates specific implementations for x86 (Intel) PCs. Any device with a Windows 8 logo sticker has Secure Boot enabled.

    UEFI has a firmware validation process, called Secure Boot, which is defined in Chapter 27 of the UEFI 2.3.1 specification. Secure Boot defines how platform firmware manages security certificates, validation of firmware, and a definition of the interface (protocol) between firmware and the operating system.

    It creates a root of trust starting in UEFI, which validates the next module in the chain before loading and executing it to ensure that it hasn’t changed since it was digitally signed. With the Secure Boot architecture and its establishment of a chain of trust, the customer is protected from malicious code executing in the boot process by ensuring that only signed, certified “known good” code and boot loaders can execute before the operating system itself loads.

    Q: Does EEPC v7.0 support Secure Boot?

    Yes. Earlier versions of EEPC will not support Secure Boot.

    Q: Does this mean that EEPC is signed so the Secure Boot process trusts it?

    Yes.

    Q: Does Secure Boot work on a Windows 8 BIOS based system?

    No, it only works on UEFI based systems.
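    The following PowerShell script is an added example and not McAfee’s code. It gathers, from the running Windows 8 system, the three facts this FAQ says determine EEPC v7.0 behaviour: whether the machine booted via UEFI or legacy BIOS (which decides which pre-boot the EEPC Intelligent Client installs), whether the boot disk is GPT or MBR (GPT is required under UEFI, and the BIOS pre-boot cannot boot from GPT), and whether Secure Boot is on (only possible on UEFI). It assumes Windows 8 / Server 2012 or later and an elevated prompt, and uses the built-in Get-Partition, Get-Disk and Confirm-SecureBootUEFI cmdlets; the function name Get-BootEnvironmentReport is this example’s own.

```powershell
# Added example (not McAfee's code): report the boot environment facts
# that EEPC v7.0 depends on -- firmware boot mode, boot-disk partition
# style and Secure Boot state. Windows 8 / Server 2012 or later, elevated.

function Get-BootEnvironmentReport {
    # Windows 8 and later populate the firmware_type environment variable
    # with 'UEFI' or 'Legacy'; older Windows versions leave it unset.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # Partition style of the disk holding the running Windows install.
    # GPT is required to boot under UEFI; a BIOS-booted system uses MBR.
    $letter = $env:SystemDrive.TrimEnd(':')
    $bootDisk = Get-Partition -DriveLetter $letter | Get-Disk
    $partitionStyle = [string]$bootDisk.PartitionStyle

    # Confirm-SecureBootUEFI returns $true/$false on a UEFI system and
    # throws on a legacy BIOS system (or a non-elevated prompt).
    try {
        $secureBoot = [string](Confirm-SecureBootUEFI)
    } catch {
        $secureBoot = "Not applicable or not readable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        FirmwareType   = $firmware
        PartitionStyle = $partitionStyle
        SecureBoot     = $secureBoot
    }
}

$report = Get-BootEnvironmentReport
$report | Format-List

# State which EEPC v7.0 pre-boot the FAQ says applies to this boot mode.
switch ($report.FirmwareType) {
    'UEFI'   { 'UEFI boot: EEPC v7.0 installs its UEFI pre-boot; boot disk must be GPT; Secure Boot can be active.' }
    'Legacy' { 'Legacy BIOS boot: EEPC v7.0 installs its BIOS pre-boot; boot disk is MBR; Secure Boot does not apply.' }
    default  { 'Firmware type unknown: this is probably not Windows 8 or later; check bcdedit /enum {current} manually.' }
}
```

    Running this on each hardware model before a wide-scale rollout gives the evidence the UEFI section asks for: a native UEFI system should report `UEFI` with a `GPT` boot disk, and a `Legacy` result with a `GPT` boot disk indicates a configuration the BIOS pre-boot does not support.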

    Hybrid Boot

    Q: What is Hybrid Boot?

    In previous versions of Windows, a traditional shutdown would close all user sessions, then close services, devices and the kernel session to prepare for a complete shutdown. In Windows 8, Windows still closes the user sessions, but instead of closing the kernel session it hibernates it. The result is faster shutdown and boot-up times.

    Q: Does EEPC v7.0 support Hybrid Boot?

    Yes. Earlier versions of EEPC will not support Hybrid Boot.

    Q: Does SSO work in a Hybrid Boot?

    No. EEPC does not support SSO on a resume from hibernate.

    Q: Historically EEPC took some time to resume from hibernate. Does it still slow down Hybrid Boot?

    EEPC v7.0 includes enhancements across all areas of performance. These are best experienced in conjunction with an AES-NI capable processor. In internal testing McAfee has experienced comparable encrypted/non-encrypted boot times using Hybrid Boot.

    Windows 8 Tablets

    Q: What is a Windows 8 Tablet?

    A Windows 8 Tablet is a tablet-style device that is capable of, and certified for, running Windows 8. There are two major categories of Windows 8 tablets:

    1. Tablets powered by Intel processors
    2. Tablets powered by ARM processors

    Q: I see references to Windows RT, what is it?

    Windows RT (formerly known as Windows on ARM) is a version of Windows 8 for ARM devices. Only software written for the Windows 8 Modern UI interface will run on Windows RT, with the exception of Microsoft Office 2013 RT and Internet Explorer 10. Any application written using the Win32 APIs (the vast majority of current applications) will not run on Windows RT.

    Q: Does EEPC v7.0 support Windows 8 tablets using an ARM processor and Windows RT?

    No.

    Q: Does EEPC v7.0 support Windows 8 tablets using an Intel processor?

    Yes; these are treated like any other Windows device. However, there are some points that customers should examine:

    1. CPU Capability
    2. Touch screen support

    Q: What about CPU Capability?

    McAfee has noted that some previews of Windows 8 tablet devices from manufacturers contain lower powered processors, some of which do not have AES-NI capabilities. Customers should be aware of CPU capabilities to ensure that the end user will have an optimal experience once the device is encrypted.

    Q: What about Touch Screen Support?

    This concerns the end user authenticating at pre-boot. Some Windows 8 tablets have keyboards, so this won’t be an issue for them. Devices that do not have keyboards require the end user to authenticate using the touch interface in pre-boot. Please read the comments above under the question “Q: Are all the same touch screen devices supported in UEFI?”

    Q: What version of Windows 8 will the Intel based tablets be running?

    Technically they can run any of the Windows 8 versions capable of running on Intel based processors. It will be a choice the manufacturer will make when they create/ship the device.