How To Install McAfee Drive Encryption During the PC Build Process

Version 1


    Introduction

    This document explains how to install McAfee Drive Encryption when building, imaging or re-imaging a PC. This process was designed through consultation with customers doing real world deployments. While the process in this document is considered a best practice, it is not the only way to install McAfee Drive Encryption. For example, many customers choose to exclude McAfee Drive Encryption from the build process and simply deploy it through automated deployment tasks in McAfee ePO or through systems management utilities like Microsoft SCCM. This document is for customers that want to make the installation of MDE and the encryption of the hard drive part of the PC build process.

    High Level Process

    This process is built around the assumption that you will collect the pieces of the McAfee solution and then install them using other utilities or scripts that you use for imaging or building PCs. The steps for installing these components are as follows:

    1. Build McAfee Drive Encryption policies
    2. Build McAfee Drive Encryption offline activation installer
    3. Add the temporary automatic booting application to the offline activation files
    4. Begin the PC build process


    Build McAfee Drive Encryption Policies

    You will need to create two policies. The first is incorporated into the offline activation files, and the second is applied when the system eventually connects to the ePO server.

    Create the policy to be used by the offline activation process
    An example policy is attached to the bottom of this post. You can import this policy into ePO rather than creating a new policy with the steps below.

      1. Login to ePO and go to the Policy Catalog
      2. Select Drive Encryption from the product drop-down list
      3. Find the McAfee Default policy in the Product Settings category and click Duplicate
      4. Name the new policy MDE - Offline Activation and click OK to proceed
      5. Click on the new policy and make the following changes:
        1. In the General tab
          1. Enable all three options to Harden against cold boot attacks
          2. Enable the option to Allow users to create endpoint info file
        2. In the Encryption tab
          1. Select the All disks radio button
          2. Grab the PC Opal row and drag it above the PC Software row. This ensures that the product will manage Opal drives if present, rather than using software encryption.
        3. In the Log On tab
          1. Enable the feature to Allow temporary automatic booting
          2. Set the option to Use TPM for automatic booting to "If available"
          3. Enable the on screen keyboard
          4. Set Disable pre-boot authentication when not synchronized for: 30 days. If the system does not check in with the ePO server within 30 days of the build, it locks at pre-boot and requires a helpdesk recovery to unlock. This limits exposure if a built-but-undelivered asset is lost or stolen.
      6. Save the changes to the policy and return to the Policy Catalog for McAfee Drive Encryption
      7. Find your newly created policy and click the Export link
      8. Right-click on the file download link and choose to save the file as
      9. Name the file ePO_Policy and save it to the Desktop
      10. This file will be included with the other offline activation files in a later step

    Create the policy to be used when the system reaches ePO
    An example policy is attached to the bottom of this post. You can import this policy into ePO rather than creating a new policy with the steps below.

      1. Return to the Policy Catalog for McAfee Drive Encryption
      2. Find the McAfee Default policy in the Product Settings category and click Duplicate
      3. Name the new policy MDE - Online Activation and click OK to proceed.
      4. Click on the new policy and make the following changes:
        1. In the General tab
          1. Enable all three options to Harden against cold boot attacks
          2. Enable the option to Allow users to create endpoint info file
        2. In the Encryption tab
          1. Select the All disks radio button
          2. Grab the PC Opal row and drag it above the PC Software row.
        3. In the Log On tab
          1. Enable the feature to Allow temporary automatic booting
          2. Set the option to Use TPM for automatic booting to "If available"
          3. Enable the on screen keyboard
          4. Set the Add local domain users feature to "Add all previous and current local domain users of the system"
          5. Enable SSO and also enable
            1. Must match user name
            2. Synchronize Drive Encryption password with Windows
            3. Allow user to cancel SSO
        4. In the Out-of-Band tab
          1. Enable the option if you intend to use Drive Encryption with ePO Deep Command. If the Deep Command extensions are not installed in ePO, this option will not be available.
        5. In the Companion Devices tab
          1. Enable the option
      5. Click Save to complete the policy
      6. Go to the System Tree and select the My Organization level
      7. Click on the Assigned Policies tab and select Drive Encryption from the product drop-down list
      8. Find the row for Product Settings and click the Edit Assignment link
      9. Choose the option to Break inheritance and then select MDE - Online Activation from the drop-down list. This ensures that all systems get this policy when they sync with ePO. Click Save to complete this task.


    Build McAfee Drive Encryption Offline Activation Installer

    This process is built around the offline activation feature of Drive Encryption. The benefit of this feature is that it allows the system to be encrypted without ever having to sync with the ePO server. This is helpful for organizations that outsource their PC build process to a partner who does not have access to their ePO server. It also speeds the overall activation process by eliminating the dependency on synchronization with the ePO server.

    Another benefit of offline activation is that it offers faster initial encryption. For systems that are built on a workbench where they are plugged into power, we recommend using the "DisablePF" option. This disables the power fail protection of MDE, which dramatically increases encryption speed. However, because power fail protection is disabled, you will have to rebuild the machine if it loses power or reboots during the encryption process. You can also consider using the "SkipUnused" feature. With it, MDE only encrypts sectors that hold data during the initial encryption; the remaining sectors are encrypted on the fly later, as data is written to them. On typical Windows 7 and 8 systems this means initial encryption completes in about 15 minutes. We only recommend this feature on brand new systems or on systems that have gone through a secure erase process, because it leaves untouched any sectors the file system marks as unused but that still contain traces of old data; those traces would remain in the clear on the disk.

    Using the offline activation feature requires you to collect a set of files and to build an offline installer package. The steps for doing this are documented here: https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/19/offline-activation-for-endpoint-encryption-for-pc-v7-eepc--steps. That process does not use any of the fast initial encryption options, so we recommend one change to it. When running the EpeOaGenXml application, use one of the command lines below instead. These additional switches enable fast initial encryption and also ensure that temporary automatic booting is enabled in the generated XML.

    If you want to use the DisablePF feature, use this syntax:

    EpeOaGenXml.exe --user-file UserList.txt --DisablePF true --TempAutoboot true

    [Screenshot: mde 7.1 offline activation disablepf.PNG]


    If you want to use both the DisablePF and SkipUnused features, use this syntax:

    EpeOaGenXml.exe --user-file UserList.txt --DisablePF true --SkipUnused true --TempAutoboot true

    [Screenshot: mde 7.1 offline activation disablepf and skipunused.PNG]

    When you complete the process, you should have a set of files that looks like this. Note that the "ePO_Policy.xml" is the offline activation policy that was created earlier in this document.

    [Screenshot: MDE 7.1 offline activation files.PNG]

    Note: The FramePkg file will install the McAfee Agent. Many McAfee customers already build the McAfee Agent into their gold image, so it may be unnecessary to install this as part of the MDE installation process. Be sure to check to see if the McAfee Agent is already installed before proceeding. If it is installed, you can simply skip the step of running FramePkg.


    Add the Temporary Automatic Booting Application to the Offline Activation Files

    The temporary automatic booting application lets us "hide" the pre-boot authentication screen during the PC build process. This simplifies the workflow for the administrator and removes the need to do any user provisioning as part of the build. The general approach is to hide the pre-boot authentication screen until the system is delivered to the end user. Once it is in the end user's hands, the automated user provisioning feature of MDE (the Add Local Domain Users feature) provisions that user, after which it is safe to let pre-boot authentication return. The temporary automatic booting application is a scriptable utility that can hide pre-boot authentication for a configurable number of reboots or a configurable amount of time. For example, during the build process you can call this application and tell it to hide the pre-boot authentication screen for 10 reboots. If you know your build process requires 9 reboots, you can be assured that pre-boot will still be hidden when the end user first boots the laptop. Keep in mind that while automatic booting is in effect the system boots into Windows without anyone authenticating at pre-boot, so the only barrier to the data is the Windows logon; size the reboot count or time window to the build process rather than generously, and keep systems under physical control until they are delivered.

    To hide the pre-boot authentication screen for 10 reboots, use this syntax:

    EpeTemporaryAutoboot.exe --number-of-reboots 10

    [Screenshot: mde 7.1 number of reboots.PNG]

    In this example, the process would go like this:

      1. User powers on the laptop and does not see pre-boot authentication
      2. Since this was the 10th reboot and we set temporary automatic booting to 10, the next reboot will show pre-boot authentication
      3. User gets into Windows and the Add Local Domain User feature runs and provisions the end user to the system
      4. The next time the user reboots, they will see pre-boot authentication and will use their Windows username to login

    Tip: Temporary automatic booting can be canceled by using the --clear command. You can use this to programmatically stop automatic booting when a condition is met, for example when a build is abandoned. To learn more about the temporary automatic booting feature, please refer to this guide: https://community.mcafee.com/community/business/data/epoenc/blog/2011/11/03/how-to-use-the-temporary-automatic-booting-feature

    The EpeTemporaryAutoboot application is delivered with the McAfee Drive Encryption product download. It is in the EEAdmin Tools directory. Select this file and copy it, then paste it into the directory that your offline installation files are in.

    [Screenshot: mde 7.1 get temporary autoboot.PNG]

    You now have all of the solution components needed to install Drive Encryption as part of the PC build process.


    Begin the PC Build Process

    The following steps should be followed, in order, to install McAfee Drive Encryption during the PC build process. At this point, we assume that the system already has an operating system. You can install Drive Encryption at any point, but we recommend doing it after all other applications are installed so that the disk encryption process does not slow the installation of other applications. Also, remember not to reboot the system during the encryption process if you are using the DisablePF feature (as described above). If you are not using the DisablePF feature, then it is safe to reboot during the encryption process.

    Follow these steps to install McAfee Drive Encryption during the PC build process:

    1. Install the McAfee Agent. This is done by running the FramePkg application. Note that this is not necessary if the McAfee Agent is part of your gold image.
    2. Install the Drive Encryption Agent from your collection of offline activation files. The file name is MfeEEAgent__.msi. Note that there are unique installers for the platform architecture (32bit vs. 64bit).
    3. Install Drive Encryption from your collection of offline activation files. The file name is MfeEEPc__.msi. Note that there are unique installers for the platform architecture (32bit vs. 64bit).
    4. Reboot
    5. Run the McAfee Drive Encryption offline activation application. This allows activation to occur even though the MDE agent cannot reach the ePO server.
    6. Run the temporary automatic booting application. This ensures that the pre-boot authentication is hidden for a specified number of reboots or amount of time.
    7. Wait for encryption to complete and then shutdown
    8. Deliver system to end user
    9. End user powers on the system and does not see pre-boot authentication because we have enabled temporary automatic booting
    10. User logs into Windows and is automatically provisioned as a valid pre-boot user
    11. On a future reboot, the pre-boot authentication will appear and the user will be able to login using their Windows username
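
    The build steps above, together with the temporary automatic booting commands from the earlier section (including --clear), as one scripted procedure. This PowerShell wrapper is an added example for this page; it is not a McAfee tool and is not part of the original article. The offline directory path, the offline activation executable name (the article does not name it), the McAfee Agent service names used for the "already installed" check, and the "64" suffix used to pick the 64-bit MSI are all assumptions, marked ASSUMPTION in the script, and must be replaced with the values from your own offline package.

```powershell
<#
  Added example, not McAfee's code: a two-phase wrapper around the build steps.
  Run "-Phase Install" before the reboot the MSI installs require, then
  "-Phase Activate" after it. Anything marked ASSUMPTION is a placeholder.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Install', 'Activate', 'Abort')]
    [string]$Phase,

    # ASSUMPTION: where the offline activation files were copied on the build image.
    [string]$OfflineDir = 'C:\Build\MDE',

    # ASSUMPTION: the article does not name the offline activation executable;
    # set this to the tool your offline package actually contains.
    [string]$OfflineActivationExe = 'OfflineActivation.exe',

    # Reboots to hide pre-boot authentication for (article example: 10).
    [int]$Reboots = 10
)

$ErrorActionPreference = 'Stop'
$LogFile = Join-Path $env:ProgramData 'MDE-Build.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogFile -Append
}

# Run a tool from the offline directory and fail the build on an unexpected exit code.
function Invoke-Checked([string]$Exe, [string[]]$ArgList, [int[]]$OkCodes = @(0)) {
    Write-Log "Running: $Exe $($ArgList -join ' ')"
    $params = @{ FilePath = $Exe; WorkingDirectory = $OfflineDir; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($ArgList.Count -gt 0) { $params.ArgumentList = $ArgList }   # -ArgumentList rejects an empty array
    $p = Start-Process @params
    if ($OkCodes -notcontains $p.ExitCode) { throw "$Exe exited with code $($p.ExitCode)" }
}

# The article says there are separate 32- and 64-bit MSIs but elides the name
# suffix, so match on the prefix and ASSUME the 64-bit file name contains "64".
function Get-ArchMsi([string]$Prefix) {
    $is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $candidates = @(Get-ChildItem -Path $OfflineDir -Filter "$Prefix*.msi" |
        Where-Object { ($_.Name -match '64') -eq $is64 })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one $Prefix MSI for this architecture in $OfflineDir, found $($candidates.Count)"
    }
    return $candidates[0].FullName
}

# Pre-flight: the offline package must contain every piece the article lists.
function Test-OfflinePackage {
    foreach ($f in 'ePO_Policy.xml', 'FramePkg.exe', 'EpeTemporaryAutoboot.exe', $OfflineActivationExe) {
        if (-not (Test-Path (Join-Path $OfflineDir $f))) { throw "Missing $f in $OfflineDir" }
    }
    $null = Get-ArchMsi 'MfeEEAgent'
    $null = Get-ArchMsi 'MfeEEPc'
}

switch ($Phase) {
    'Install' {
        Test-OfflinePackage
        # Step 1: McAfee Agent, only if the gold image does not already carry it.
        # ASSUMPTION: service names masvc (Agent 5.x) and McAfeeFramework (Agent 4.x).
        if (Get-Service -Name 'masvc', 'McAfeeFramework' -ErrorAction SilentlyContinue) {
            Write-Log 'McAfee Agent already present, skipping FramePkg'
        } else {
            Invoke-Checked (Join-Path $OfflineDir 'FramePkg.exe') @('/install=agent', '/silent')
        }
        # Steps 2 and 3: Drive Encryption Agent, then Drive Encryption.
        # msiexec returns 3010 when a reboot is pending, which is expected here.
        foreach ($prefix in 'MfeEEAgent', 'MfeEEPc') {
            $msi = Get-ArchMsi $prefix
            $msiLog = Join-Path $env:ProgramData "MDE-$prefix.msi.log"
            Invoke-Checked 'msiexec.exe' @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$msiLog`"") @(0, 3010)
        }
        # Step 4: reboot, then have the imaging tool re-run this script with -Phase Activate.
        Write-Log 'Install phase complete, rebooting'
        Restart-Computer -Force
    }
    'Activate' {
        # Step 5: offline activation; run from the package directory so it finds ePO_Policy.xml.
        Invoke-Checked (Join-Path $OfflineDir $OfflineActivationExe) @()
        # Step 6: hide pre-boot authentication for the remaining build reboots.
        Invoke-Checked (Join-Path $OfflineDir 'EpeTemporaryAutoboot.exe') @('--number-of-reboots', "$Reboots")
        # Step 7 is manual: if DisablePF was used, nothing may reboot the system until encryption completes.
        Write-Log "Activation requested; autoboot set for $Reboots reboots. Wait for encryption to finish before shutdown."
    }
    'Abort' {
        # Abandoned build: cancel the autoboot window so pre-boot authentication
        # returns on the next boot instead of riding out the remaining count.
        Invoke-Checked (Join-Path $OfflineDir 'EpeTemporaryAutoboot.exe') @('--clear')
    }
}
```

    Run the script with -Phase Install from the imaging tool, let it reboot, then run it again with -Phase Activate. The script does not wait for encryption to finish, because the article gives no command for checking that; the operator still performs step 7 by hand, and, if the XML was generated with DisablePF, must not reboot or power off until MDE reports encryption complete. The Abort phase exists so that a build pulled from the bench does not leave a device that boots straight into Windows for the remaining autoboot count.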

    How Do I Re-Image a System that is Already Encrypted?

    The process described in this document will work for new systems and also for encrypted systems that are being re-imaged. However, McAfee offers another feature to make re-imaging encrypted systems even easier. We refer to this feature as the "OS Refresh" process and its primary benefit is that it allows systems to remain encrypted during the re-imaging process. This eliminates the need to re-encrypt the drive during the process. This is done by leveraging the hard link migration process that Microsoft makes available with its User State Migration Tool. In short, McAfee provides a tool that can be used during this process to ensure that our critical system files are preserved as part of the re-image. This process is fully documented here: https://kc.mcafee.com/corporate/index?page=content&id=KB73035.