I'm trying to find the best solution to encrypt desktops that will be used by multiple users and autoboot, but that is also secure. If I encrypt with MDE, enable autoboot and select TPM required, we are still presented with the preboot screen when the ePO administrator rolls out a new version of DE, a hotfix or an update, or when Microsoft updates the Windows boot loader during a Windows update/upgrade. If the motherboard is changed or the boot measurements have changed, the preboot screen is displayed. If we remove TPM from the equation, the password is in plain text during auto booting. Not secure enough.
McAfee mentions in the FAQ for MDE to use Reactive Autoboot, but then recommends enabling Intel AMT Location Aware and using that functionality, and not Reactive Autoboot. How do we enable AMT to connect to the ePO server? I think Intel AMT required ePO Deep Command and extensions, which went end of life a long time ago. Or is there another way to enable Intel AMT for drive encryption?
TPM autoboot will be active only after a successful login by a user. For example, the ePO admin assigns a user to a system. Now the end user has to log in with his credentials; then TPM becomes active and the user won't see the PBA login page. This is by design. Let me know if you are seeing something different.
Actions like a Windows update, a DE update or a motherboard swap will disable TPM autoboot because they modify the autoboot file. Autoboot is successful only as long as the file is not modified.
You are right, Intel AMT required Deep Command, which is not supported anymore.
JaganA McAfee Employee