Q: What is the Pre-boot Smart Check?
The Pre-Boot Smart Check (PBSC) is functionality in EEPC that will perform various pre-boot hardware compatibility checks to ensure that the EEPC pre-boot environment can work successfully on a device. It will test the areas that have been identified to cause incompatibility issues in the past.
Q: What is the goal of the Pre-Boot Smart Check?
The goal of the Pre-Boot Smart Check is to assist in providing a hassle free deployment of EEPC full disk encryption by checking for common error conditions in the pre-boot environment. Without the checks enabled, productivity could be impacted where deployment issues may lock users out of the system. Pre-Boot Smart Check will de-activate Endpoint Encryption if there is an issue, and allow the system to roll back to Windows only authentication.
Q: Is this functionality enabled by default?
No, it is not enabled by default because it will introduce one or more reboots into the activation process. Some customers can accept this, and otherss may not.
Q: If SmartCheck finds a problem, what does it do? What is the workflow?
If a problem is found, either a failure to load preboot or a problem handing over to windows, the machine will reboot automatically, or the user will need to forcibly restart the machine.
This will allow PBSC to try a different set of compatibility configurations to overcome the problem. If any configuration works, and the machine boots into windows, the EEPC becomes fully activated, and the encryption policy is enforced. If all compatibility configurations are tried and unrecoverable problems are encountered, EEPC preboot is bypassed, the machine will boot into windows and EEPC is deactivated. At this point an audit is sent to ePO alerting the failure, and subsequent activations on the machine are blocked. Audit info will be found on ePO at EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).
Q: What happens when a device passes the Pre-Boot Smart Check?
It will activate EEPC and enforce the encryption policy.
Q: What happens if a device fails the Pre-Boot Smart Check?
If a device fails the Pre-Boot Smart Check it will not activate EEPC. Therefore EEPC activation (and encryption if set in the policy) will not proceed, and the system will ‘roll-back’ to Windows only authentication. Appropriate messages would be logged in logon appropriate messages in EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).
Q: If a device fails the Pre-Boot Smart Check, will it keep attempting to activate EEPC at the next policy enforcement?
Yes.but activation will be immediately abandoned. All subsequent activations will be immediately abandoned until either a) PBSC is disabled from policy, or b) the registry value Software\McAfee Full Disk Encryption\MfeEpePc\SafeFailStatus\Status is deleted.
Also, a workaround could be to setup an “automatic response” in ePO based on the event ID. That way, whenever an event arrives in ePO (the event that indicates PBSC failure), ePO can automatically assign a new policy to that system. That policy would be configured to disable EEPC, and thus stop future activation attempts. Please see ePO documentation for further information.
Q: Is a device tagged in ePO once the Pre-Boot Smart Check fails?
Q: Are the results from one machine shared with another?
No, each machine is individually tested. Currently there is no functionality to share a common configuration for machine types. So it is not possible to validate a specific hardware configuration and share the results from the Pre-Boot Smart Check among similar devices.
Q: How can I know if the Pre-Boot Smart Check made any changes to the configuration or it the machine worked straight out of the box?
This information is not exposed in version 7.0. It is transparent to the end user and happens automatically.
Q: If the Pre-Boot Smart Check has not made any changes and the device worked “out of the box” does that indicate that I can disable that check for deployment purposes?
It is at the discretion of customers whether they do this or not. However, variability is common among systems that have the same model number. For example, a user could have gone into the BIOS and changed their USB settings. This might impact our integration with that BIOS, so keeping PBSC would add value here. However, if you use BIOS passwords to keep your users from making changes like this then you might be safe to not use PBSC.
Q: What will an Administrator see in ePO for a machine that is still running through the Pre-Boot Smart Check?
The Administrator will see in the device is not activated and not encrypted. They can view the audit log to get the latest information on any progress from the last time the device synchronized with ePO. The audit log can be found at EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).Q: Will an Administrator know that a machine has not activated because it failed the Pre-Boot Smart Check?
Yes. The failure is audited in EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).
Q: Where will an administrator see that a machine has failed the Pre-Boot Smart Check?
The administrator can view this in the audit log for the machine at EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).
Q: Is the device encrypted before the tests begin?
No, EEPC is not activated so the disk is not yet encrypted.
Q: What is the end user experience whilest the test are running?
The tests are largely transparent to the user, but 3 things may be seen. If Pre-Boot Smart Check is successful, an EEPC Pre-Boot Authentication screen will show. If Pre-Boot Smart check finds failures and doesn’t find a viable solution, the user will see a Windows login screen. If a Pre-Boot Smart Check failure causes a crash, a black screen or error message may occur. Then a manual reboot will be needed.
Q: What does PBSC do when one of its tests finds a failure?
This depends on where the Pre-Boot Smart Check cycle is at. If it is at the end and all tests have failed, EEEPC will be de-activated and Windows login will show. If it is in the middle of the checks, the subsequent checks will be carried out.
Q: How many additional reboots will it take get to a working system?
There are around 10 different configurations that can be tested, so at most, approximately 10 reboots will occur before activation is abandoned.
Q: What tests does the Pre-Boot Smart Check perform?
The first set of early configuration combinations are:
- Aligned disk read/writes with no default IRQ handlers installed.
- Aligned disk read/writes with default IRQ handles installed
- Unaligned disk read/writes with no default IRQ handlers installed.
- Unaligned disk read/writes with default IRQ handlers installed.
If these tests all fail it is unlikely that any preboot will be seen at all.
Once a combination of these configuration succeeds the following configurations are applied (which relate mainly to handover problems, i.e., preboot seen but hangs on booting windows after authentication):
No configuration changes – use default hardware compatibility settings.
- EPE_USB_COMPAT_NO_HANDBACK with EPE_USB_COMPAT_USE_BASEBOARD_INFO
- EPE_USB_COMPAT_NO_HANDBACK and EPE_USB_COMPAT_SET_BIOS_AS_OWNER and EPE_USB_COMPAT_CLEAR_SMI_ENABLE and EPE_USB_COMPAT_USE_BASEBOARD_INFO
- EPE_USB_COMPAT_DISABLE_SMI_ONLY with EPE_USB_COMPAT_USE_BASEBOARD_INFO
Q: What constitutes a Pre-Boot Smart Check failure? Is it failing a single test or a number of tests?
Any configuration that fails to boot through to Windows is considered a fail. If the configuration allows a successful boot into Windows it is a pass.
Q: How does the user get back into Windows if PBSC finds an incompatibility
The system will automatically boot into Windows, or if the system crashes or hangs during its final check, a reboot will put the system into Windows.
Q: If a device fails the Pre-Boot Smart Check, does the administrator know in ePO that the device failed and the reason why?
An audit event will be logged at EPE_AUDIT_TYPE_FAILURE, EPE_AUDIT_EVENT_SAFEFAIL_FAILED_DEACTIVATED (30061).
Q: What should a customer do if they find a device where activation of EEPC fails, even with the Pre-Boot Smart Check?
If normal activation, and activation with Pre-Boot Smart Check fails on a device it will not activate and won’t encrypt. While this allows the end user to continue working, it does present Administrators with the challenge of the device not adhering to company policy of being encrypted. A workaround may be file level encryption with Endpoint Encryption for Files and Folders.
Customers should raise a support ticket with McAfee support with the details of the device and any error conditions from the audit log.
Q: Does the end user have any indication of the progress through the various tests?
Q: If an Administrator enables the Pre-Boot Smart Check, how long will activation take?
The bare minimum amount of time added by the process is the time it takes to reboot the system once. After that, time is only added if the hardware fails one of the PBSC tests. After a test failure the machine will be “stuck” and the user will need to reboot it (so the time here is dependent upon the user). On the next reboot, pre-boot smart check will try an alternative configuration. If this is successful, the system will boot into Windows and will activate the next time the McAfee Agent synchronizes with McAfee ePO. If that alternative configuration fails, then the system will again be stuck and the user will have to reboot it. The user can go through this cycle up to 10 times. If all 10 attempts fail, then on the 11th reboot, PBSC simply abandons activation and restores the Windows MBR so that the system can boot directly into Windows.
Q: What should an end user do if the machine appears to freeze during a test or the boot process?
If certain tests fail the result could be that the device appears to be frozen. Simply restart the device and it will reboot and perform the subsequent Pre-Boot Smart Check tests or, if at the end of the tests, will boot into Windows.
Q: Will I need to use the EEPC Recovery Tools to recover a machine if it fails a Pre-Boot Smart Check test?
No, simply reboot the machine and it will boot into Windows if all checks are done. If a test fails before completion of Pre-Boot Smart Checks and the system hangs, a reboot will ensure the remaining tests are run transparently.
Interaction with Endpoint Encryption GO
Q: Should the Pre-Boot SmartCheck be used in conjunction with Endpoint Encryption GO (EEGO)?
The Pre-Boot Smart Check can be used in conjunction with EEGO to give administrators peace of mind during initial deployments. EEGO will perform checks and validation in the Operating System, and the Pre-Boot Smart Check will perform checks/validations outside of the Operating System. The combined usage can give administrators the highest confidence of a successful deployment.
Q: Do I need to use the Pre-Boot Smart Check with EEGO?
No, both can be used independently.
Q: What configuration would give an Administrator the most confidence that their deployment will go as smoothly as possible?
They should use EEGO in combination with the Pre-Boot Smart Check and ensure that the EEPC activation is dependent on a successful result from EEGO.