DE v7.1 FAQ: Upgrade to v7.1

Version 2

    General

     

    Q: What is the minimum EEPC version that can upgrade to Drive Encryption v7.1?

    The minimum version that can upgrade to DE v7.1 is EEPC v7.0.0. All EEPC v7.0.x versions can upgrade to DE v7.1, although depending on your desired ePO version you may need to go via v7.0.2. Before upgrading to DE 7.1, you also need to ensure that the EEPC extensions are upgraded to 7.0.4. For further information, see the Product Guide.

     

     

    Q: What are the legacy EEPC versions that can migrate to Drive Encryption v7.1?

    The legacy versions that can perform a direct migration to DE v7.1 are 5.2.6, 5.2.12 and 5.2.13.

     

     

    Q: What do I need to do if I am running EEPC v6.x?

    If you are using EEPC 6.1.2 or later, you must first upgrade all extensions to either EEPC 7.0.2 or 7.0.3. You do not need to upgrade the EEPC 6.1.2 clients before initiating the DE 7.1 upgrade process.

    Make sure you follow the detailed instructions in the DE 7.1 Product Guide (PD24867), although you should also check the corresponding Doc Correction KB article KB79912 for updates and corrections to the Product Guide content. This describes the steps needed to upgrade to Drive Encryption 7.1, a process that also requires installation of the EEAdmin 7.0.4 extension.

     

     

    Q: What is the high level overview of the upgrade process?

    Below are the high-level steps required to upgrade to DE v7.1. It is assumed that you’re running at least ePO 4.6.4 (the minimum supported ePO version for EEPC v7.0) and that you’re running EEPC v7.0.x.

    1. If you’re running EEPC v6.x, first upgrade to v7.0.2 on both the clients and servers
    2. If you’re running EEPC v7.0.0 or v7.0.1, upgrade the ePO Extensions to v7.0.2
    3. Backup the ePO database/server
    4. Install EEPC v7.0.4 extensions
      1. For more information see the EEPC v7.0.4 section below
    5. Upgrade to your ePO version of choice (4.6.7 or 5.1)
    6. Run the User Data Upgrade Task
      1. For more information see the User Data Upgrade section below
    7. Upgrade to DE v7.1

     

     

    Q: Do I also need to upgrade the version of the McAfee Agent on all of my clients?

    The minimum version of the McAfee Agent is version 4.6.2. Any version above that is also fine.

     

     

    Q: Should I review the product documentation and plan the upgrade accordingly?

    Yes, the product guide contains detailed information about this process and it is recommended that you plan the upgrade to v7.1 properly.

     

     

    Q: Why is the process so complicated?

    Because there are interdependencies with newly introduced ePO functionality to handle the new LDAPSync and User Directory functionality.

    ePO Questions

     

    Q: What are the minimum ePO Versions that are supported with DE v7.1?

    ePO v4.6.7 and ePO 5.1

     

     

    Q: Why do I need to upgrade to the latest and greatest versions of ePO to run DE v7.1?

    This is due to the new LDAPSync and User Directory functionality. The basis of these core technologies is implemented in ePO, and DE v7.1 “sits on top” of those technologies and extends them with encryption-related actions/tasks.

     

     

    Q: What are the benefits of the new LDAPSync and User Directory functionality in ePO/DE?

    There are many benefits from the new underlying architecture. From the encryption side, it frees you from relying on Active Directory for users. Administrators can now create “standalone” users (not ePO Users) and OUs directly inside ePO for the purposes of pre-boot authentication.

     

    On the ePO side there are benefits such as:

    • Agent Handlers in a DMZ no longer require a connection to the LDAP Server
    • Faster policy assignment rules calculations
    • Etc.

     

     

    Q: And do I need to upgrade to ePO 4.6.7 or 5.1 if I’m not going to use the User Directory?

    Yes. Regardless of whether you will make use of this functionality or not you need to upgrade your ePO version.

     

     

    Q: A new user structure, does that mean that the user data will need to be updated?

    Yes. Customers that have existing user data will need to run the User Data Upgrade process in order to upgrade all existing user data to the new internal structures.

     

     

    Q: Where can I find more information about the User Directory?

    An FAQ on the User Directory can be found here:

    DE v7.1 FAQ: User Directory

    A video on the User Directory can be found here:

    https://community.mcafee.com/videos/1700

     

     

     

    EEPC v7.0.4 Questions

     

    Q: There is an EEPC v7.0.4?

    Yes. There will be an EEPC v7.0.4 launched at the same time as DE v7.1.

     

     

    Q: And why is this needed?

    Because of the changes to the LDAPSync and User Directory there needs to be a migration of existing encryption related user data across to the new structures. EEPC v7.0.4 includes a task called “User Data Upgrade” that will move any existing data across to the new structures.

     

     

    Q: Is this only an ePO Extension or are there also client upgrades?

    This is an ePO extension only. There are no client updates required with EEPC v7.0.4.

     

     

    Q: Is this EEPC 7.0.4 extension backward compatible to manage clients running previous EEPC client versions?

    Yes, you can still manage and report on any existing EEPC 7.0.x or 6.x clients (EEPC 6.1.2 or later) while the 7.0.4 ePO extension is installed. However, this situation should only persist if the 'User Data Upgrade' task has failed for some reason, preventing completion of the upgrade to either ePO 4.6.7 or 5.1.

     

     

    Q: What ePO versions will v7.0.4 support?

    All ePO versions from v4.6.4 to 4.6.7 and all ePO versions from 5.0.1 to 5.1. However the main functionality and tasks of v7.0.4 will only work on ePO 4.6.7 and ePO 5.1.

     

     

    Q: How long should I stay on v7.0.4?

    As short a time as possible is the answer. Essentially you will only use v7.0.4 for a short period of time while you perform the User Data Upgrade. Once that is complete you should immediately upgrade to DE v7.1.

     

     

    Q: So v7.0.4 is essentially a stepping-stone to get to v7.1?

    Yes that is correct.

     

     

    Q: What happens if I attempt to go to DE v7.1 without first going to EEPC v7.0.4?

    Firstly, the install of the DE v7.1 extension will fail because it won’t run on your ePO version. Secondly, you couldn’t update ePO to the minimum version because your existing ePO extensions for encryption won’t support it. Thirdly, you won’t be able to upgrade because it will detect that you have not run the User Data Upgrade task successfully. EEPC v7.0.4 is a compulsory step in upgrading to DE v7.1.

     

    User Data Upgrade Questions

     

    Q: What is the User Data Upgrade?

    The User Data Upgrade is a server side process that will migrate all existing encryption user information to the new LDAPSync and User Directory internal structures.

     

     

    Q: Why do I need to run this?

    The existing user data must be updated to the new data structures used by the User Directory and LDAP Sync. This is a one-time process that must complete before you can upgrade to DE v7.1.

     

     

    Q: On what ePO versions can the User Data Upgrade be run?

    It can only be run on ePO v4.6.7 and ePO v5.1. It is possible to install EEPC v7.0.4 on earlier versions of ePO but you won’t be allowed to run this task until you’ve upgraded your ePO server to v4.6.7 or v5.1.

     

     

    Q: Can it only be run with EEPC v7.0.4? Can I run the task on an earlier version of EEPC?

    No. The functionality is only available in v7.0.4 and the task can only be run on ePO v4.6.7 or v5.1.

     

     

    Q: Is this an ePO only task, or do I also need to do something on the clients?

    This is an ePO only task, and in fact we are simply moving data around internal structures in SQL Server. The data is moved to the new structures and then verified for accuracy and completeness before completion.

     

     

    Q: Do I have to take down my ePO server to run this?

    No, it can be run on a live ePO server.

     

     

    Q: How long should it take to run the User Data Upgrade?

    That depends on how much user information you have in your database. As a rough indication:

    • 2,000 Users will take approximately 5 minutes.
    • 10,000 Users will take approximately 8 minutes.

     

    The performance will vary depending on the specification of the SQL Server and its current workload. These figures were from a system with an i5 processor and 4GB of RAM. Other items that can impact the time are the inclusion of other pieces of user token data such as SSO data, self-recovery data, etc.

     

     

    Q: And I can only upgrade to DE v7.1 once the User Data Upgrade Task is finished?

    Yes, that is correct. An attempt to upgrade to the DE v7.1 ePO extensions will fail during installation in ePO if this step has not been completed.

     

     

    Q: If something goes wrong how will I know?

    The ‘Server task log’ shows the failed status for the Upgrade task run. You will also see the Audit log entry with failed status for the same task. It is not possible to revert the extensions from 7.0.4, but they can stay at 7.0.4.

     

     

    Q: If the User Data Upgrade fails, can I run it again?

    If the User Data Upgrade fails, you can run the task again. If it fails, it will automatically roll back the data and re-enable all of the user-related functions. It can be run as many times as necessary until it has completed successfully.

     

     

    Q: While the User Data Upgrade Task is running, can I perform any User related encryption actions?

    No. While the User Data Upgrade Task is running all User related actions are disabled in ePO.

     

     

    Q: When are the user related actions enabled again?

    They will only be enabled when the User Data Upgrade task completes successfully and the ePO Extensions have been upgraded to v7.1. Alternatively, if the task has failed and rolled back the data operations, then the user-related actions will also be enabled.

     

     

    Q: Is there anything else that gets disabled in ePO while the User Data Upgrade task is running?

    • No new users will be processed by Add Local Domain Users
    • No user related work will be performed (i.e. new passwords or other related user token information)
    • User related WebAPIs are also disabled.

     

    However the following will still be available:

    • Export machine keys
    • Challenge / Response (machine only)
    • Any non-user recovery functionality (AMT or non-AMT)

     

     

    Q: Does the client experience any changes during the User Data Upgrade task?

    • On the client, the existing received policy will continue to be enforced.
    • New policies will come down to the client while the User Data Upgrade task is running; however they will not be enforced.
    • Newly captured passwords, or other token data cannot be sent to ePO and propagated to other systems during this time.

     

    In the event of a recovery, a machine recovery is still available as is a self-recovery. A challenge/response for resetting a password will not be available.

     

     

    Q: What happens if I try one of these things on the client or ePO during this time?

    All of these will fail gracefully, or be disabled/blocked in the ePO UI.