The McAfee Drive Encryption 7.1 Patch 3 (DE 7.1.3) release package contains ePO extensions and client components. The DE 7.1.3 extensions are compatible with previous DE 7.1.x clients.
System Transfer of Encrypted DE 7.1.3 (and above) systems across ePO Servers
With any version of EEPC and earlier versions of DE, transferring a system from one ePO server to another will replace the user assignments and user token data on the system with data from the destination server, potentially losing user assignments and changing user credentials in the preboot environment.
Drive Encryption 7.1.3 (and above) provides the ePO Administrator with a new capability to allow systems to be transferred from one ePO server to another whilst preserving user assignments and user data.
If the feature is enabled, a DE 7.1.3 system will detect a server change and request that the new DE 7.1.3 managing server automatically assign users to the system within the context of the new managing server. Once the assignment is successful, the system will send its user token data up to the new managing server. Any systems that have failed the system transfer process will be highlighted on the destination server via an intuitive out-of-the-box report. A separate document is included in the release that describes this system transfer process in detail. Please refer to McAfee Drive Encryption 7.1.3 Client Transfer between ePO Servers Guide – PD25905.
Detect and Notify of Password Changes in Windows Active Directory
Drive Encryption users and Windows users are two separate entities, so changing a password in preboot changes the DE password only. Whilst password changes made on an endpoint can be captured by DE and synchronized to the DE user, Windows password changes made within Active Directory cannot be synchronized to the related DE user.
DE 7.1.3 can be configured by ePO policy to detect when a user’s password changes in Active Directory. Once this happens, a “pop-up” notification will request that the logged-in user Lock (Win+L) and Unlock their screen. This allows DE to capture the (new) Windows password and synchronize it to the DE password, allowing the user to log in through preboot with their (new) Windows password.
The introduction of this feature also adds the benefit of capturing SSO data for all logons (including screen unlocks), and not just the first logon after the system is powered on. The combination of these two features ensures that the user passwords will remain synchronized with Windows passwords at all times.
Ignore DE password rules during password sync for Single Sign On (SSO)
Ensuring that Windows and DE passwords remain synchronized can be a challenge in some real-world customer deployments. Additionally, managing and messaging end users when password changes take place can present additional overhead.
Prior to DE 7.1.3, password synchronization from Windows to DE would silently fail if the Windows password did not meet the criteria defined in the Drive Encryption User-Based Policy.
With this release, DE introduces the ability to ignore the User-Based Policy password settings within ePO when synchronizing passwords from Windows to DE, which will help to reduce password synchronization issues and therefore helpdesk calls.
Enhanced Support for UEFI High Resolution Screens
Many new tablets, convertibles and laptops are now able to support high resolution screens. Devices such as Microsoft Surface Pro and Panasonic Toughbook support On Screen Keyboards (OSK) that can render at a small size when used in conjunction with these screens, making them difficult to use. The enhanced support offered within DE enables the correct screen size rendering for ease of use.
Auto power down preboot
The DE 7.1.3 client now supports automated power down of preboot after a policy-defined interval. If preboot detects no user input (mouse/keyboard) for the defined period, a system shutdown will be triggered.
Server 2012 Support
The DE client now supports deployments on Windows Server 2012 (Non R2).
Remove DE Duplicate Users via ePO
Occasionally customers can experience difficulties when their LDAP servers are configured in a particular way that can lead to duplication of DE user entries within ePO, i.e. the same user name, but from different registered LDAP servers. This new feature enables customers to clean up their environment if such a situation arises by running a query on ePO to identify user names where duplicates exist. The Administrator can then select a single user, and remove all other matching users who come from different AD servers.
For further information about how to identify and remove duplicate users and groups, refer to McAfee KnowledgeBase article KB84531.
Support has been added for the Imprimerie Nationale IAS ECC 6-36761 PKI Smartcard. IAS-ECC cards comply with the Advanced Electronic Signature EU Directive 1999/93/EC and the European Citizen Card specification created by CEN in June 2007 to ensure interoperability of e-Services cards throughout Europe.
Windows 10 Ready
With this release of DE we are pleased to announce support for Microsoft Windows 10. This will enable our customers to seamlessly move to Microsoft Windows 10 whilst enjoying the uninterrupted benefits of DE. Please refer to McAfee KnowledgeBase article KB84419 for further details.