Level 9
Message 1 of 6

Drive Encryption and automatic booting option

Dear all,

In March, we had an issue with our Windows 7 devices encrypted with Drive Encryption. Users were not able to get past the preboot screen.

We opened a case with McAfee and they asked us to enable the "automatic booting" option in order to skip the preboot and go directly to Windows authentication for a few weeks, until we reduced the number of pending requests on the server.

Then we had the COVID lockdown, so stakeholders decided to keep the automatic booting option while users were working from home.

In the meantime we are running a project to replace all our W7 devices with W10 devices without Drive Encryption. The end date is planned for December 2020.

Our security guy is asking what the risks are of keeping automatic booting until we replace all the W7 devices. McAfee TSE explains that with autoboot the encryption key is stored in plain text, so the security level is very low, but is there anything else? I mean, what happens if a disk is stolen? Do you know if the data will be accessible directly, or if the data is still protected?

Thanks for your feedback/comments.

5 Replies
McAfee Employee
Message 2 of 6

Re: Drive Encryption and automatic booting option

If you are using regular automatic booting (no TPM) then the MDE encryption key is stored in plain text, as you had indicated above.  The sectors that comprise the volumes that are encrypted should still be encrypted; however, if someone were to attempt unauthorized access, they would only need to locate the encryption key and then they could use it to access the contents of the drive.  If you have a system stolen, of course, we do not know if the person that stole it has this knowledge or not, but it is a great risk to take.  There are other risks to consider with automatic booting as well.  For example, if you have MDE preboot users assigned to the system but they have never logged in because it is in automatic booting mode, then those users remain uninitialized.  Of course, there are mitigating options in the policy, like setting a default password that is different than the McAfee default and setting expiration times for users who do not initialize within a certain time frame, but even then, the primary concern still stands.
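
The model below is an added example for this reply; it is not code from the thread or from McAfee's product and does not reproduce MDE's real on-disk format. It is a toy full-disk-encryption image in the two key-storage modes the reply contrasts: "autoboot", where the volume key sits on the disk in the clear, and "preboot", where the volume key is wrapped under a key derived from the user's password. Everything about the layout is an assumption: the `MAGIC` marker, the sector layout, an HMAC-SHA256 counter keystream standing in for AES-XTS, and PBKDF2 plus an HMAC tag standing in for whatever MDE actually uses to protect user tokens. `recover_volume_key` is what someone holding only the stolen disk image can do; the sample sector contents are constructed for the demo.

```python
"""Toy full-disk-encryption image in two key-storage modes, to show what a thief
holding only the disk can do.  Stand-ins (assumptions, not MDE internals): an
HMAC-SHA256 counter keystream replaces AES-XTS, a PBKDF2-derived key wraps the
volume key in preboot mode, and the MAGIC marker / sector layout are invented."""
import hashlib
import hmac
import secrets

SECTOR = 512
KEY_LEN = 32
MAGIC = b"FDE-KEYSTORE"          # hypothetical on-disk marker for the key container
MODE_AUTOBOOT, MODE_PREBOOT = 0, 1
PBKDF2_ROUNDS = 200_000

# Constructed sample data for the demo; not real file contents.
SAMPLE_SECTORS = [b"payroll-2020.xlsx: salaries ...", b"customers.db: card numbers ..."]


def _keystream(key, sector_no, length):
    """Counter-mode keystream from a PRF; every sector gets its own stream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def crypt_sector(key, sector_no, data):
    """XOR with the per-sector keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no, len(data))))


def build_keystore(volume_key, mode, password=None):
    """Sector 0: the raw volume key (autoboot) or a password-wrapped copy (preboot)."""
    if mode == MODE_AUTOBOOT:
        body = MAGIC + bytes([MODE_AUTOBOOT]) + volume_key      # written in the clear
    else:
        salt = secrets.token_bytes(16)
        kek = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, KEY_LEN)
        wrapped = bytes(a ^ b for a, b in zip(volume_key, kek))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()   # detects a wrong password
        body = MAGIC + bytes([MODE_PREBOOT]) + salt + wrapped + tag
    return body.ljust(SECTOR, b"\x00")


def build_image(data_sectors, mode, password=None):
    """Keystore sector followed by the data sectors, each encrypted under the volume key."""
    volume_key = secrets.token_bytes(KEY_LEN)
    image = build_keystore(volume_key, mode, password)
    for i, sector in enumerate(data_sectors, start=1):
        image += crypt_sector(volume_key, i, sector.ljust(SECTOR, b"\x00"))
    return image


def recover_volume_key(image, password=None):
    """What someone holding only the disk image can do: find the key container and
    take the key out of it if the mode allows."""
    pos = image.find(MAGIC)
    if pos < 0:
        return None
    p = pos + len(MAGIC)
    mode, p = image[p], p + 1
    if mode == MODE_AUTOBOOT:
        return image[p:p + KEY_LEN]          # nothing to break: the key is right there
    if password is None:
        return None                          # preboot mode, no credential: stuck
    salt = image[p:p + 16]
    wrapped = image[p + 16:p + 16 + KEY_LEN]
    tag = image[p + 16 + KEY_LEN:p + 16 + KEY_LEN + 32]
    kek = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, KEY_LEN)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None                          # wrong password
    return bytes(a ^ b for a, b in zip(wrapped, kek))


def read_plaintext(image, password=None):
    """Decrypt every data sector, or return None when the key cannot be recovered."""
    key = recover_volume_key(image, password)
    if key is None:
        return None
    sectors = []
    for i in range(1, len(image) // SECTOR):
        sectors.append(crypt_sector(key, i, image[i * SECTOR:(i + 1) * SECTOR]).rstrip(b"\x00"))
    return sectors


def demo():
    """Outcome for a stolen disk in each mode; returns a dict of case -> recovered data."""
    autoboot = build_image(SAMPLE_SECTORS, MODE_AUTOBOOT)
    preboot = build_image(SAMPLE_SECTORS, MODE_PREBOOT, password=b"correct horse")
    return {
        "autoboot, disk only": read_plaintext(autoboot),                   # data recovered
        "preboot, disk only": read_plaintext(preboot),                     # None
        "preboot, wrong password": read_plaintext(preboot, b"hunter2"),    # None
        "preboot, right password": read_plaintext(preboot, b"correct horse"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The data sectors are encrypted identically in both images; the only difference is sector 0. In autoboot mode the image alone yields the volume key and therefore every sector, so "the sectors are still encrypted" gives no protection against someone who images the disk. In preboot mode the same image yields nothing without the credential. TPM-bound automatic booting, which the next reply raises, sits between the two: the key is not on the disk in the clear, but the platform releases it to anything that boots the machine to the Windows logon screen, so it covers a stolen disk and not a stolen laptop.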

McAfee Employee
Message 3 of 6

Re: Drive Encryption and automatic booting option

While I certainly do not know all details and aspects of your specific situation, I would recommend trying to move to a more secure option, either MDE preboot (preferred) or it may be of value to discuss the use of TPM for automatic booting.  For the second option, it has its own considerations and of course, if some of the systems do not have TPM modules then it is not an option for them.  

Level 9
Message 4 of 6 (accepted solution)

Re: Drive Encryption and automatic booting option

Hi Cross,

Thanks for the feedback.

- "someone were to attempt unauthorized access, they would only need to locate the encryption key and then they could use it to access the contents of the drive"

--> You mean that this can be done with DETech, right? Or even without any tools?

- Using the TPM is a good option, but on these old W7 devices I think we will create more trouble...

- Uninitialized user = user configured with the McAfee default password, right?

Usually, we use MDE preboot with provisioned users. Today, we can't disable automatic booting because the McAfee password and the Windows password are not synced.

While automatic booting is enabled, password sync between Windows and McAfee is not performed. And since we enabled automatic booting, users have changed their Windows passwords. Disabling automatic booting will generate many calls to the helpdesk to reset user tokens.

I worked with McAfee TSE. We are thinking about resetting the McAfee user token remotely (through ePO) and then disabling automatic booting. On the next reboot, the user will be prompted to define a new McAfee password, and this can be done without the service desk.

Before performing this action, we are trying to compare the security risks vs. the work to reset user tokens, create communication, etc. As we hope to get rid of these devices in 3 months, maybe we can accept this configuration until the end of this year.

McAfee Employee
Message 5 of 6

Re: Drive Encryption and automatic booting option

It could potentially be done within DETech or other custom tools. A person inclined to do so is probably specifically trying to steal data and likely already has something in mind.

The process you are talking about, resetting the token and then having the preboot returned, sounds like a good idea. I would recommend going with a "staged" rollout of that, with a small sample to start, and watching the process closely.

Assuming all goes as expected then you can slowly expand further.

McAfee Employee
Message 6 of 6

Re: Drive Encryption and automatic booting option

Also, yes, when I refer to an uninitialized user, I am talking about a user who is still in the new/default state.
