Level 10
Message 1 of 3

Encrypting desktops, autoboot options

I'm trying to find the best solution to encrypt desktops that will be used by multiple users and autoboot but is also secure. If I encrypt with MDE, enable autoboot and select TPM required, we are still presented with the preboot screen when the ePO administrator rolls out a new version of DE, hotfix, update, or Microsoft updates the Windows boot loader during a Windows update/upgrade. If the motherboard is changed or the boot measurements have changed, the preboot screen is displayed. If we remove TPM from the equation, the password is in plain text during auto booting. Not secure enough.

McAfee mentions in the FAQ for MDE to use Reactive Autoboot, but then recommends that you enable Intel AMT Location Aware and use that functionality, and not Reactive Autoboot. How do we enable AMT to connect to the ePO server? I think Intel AMT required ePO Deep Command and extensions, which went end of life a long time ago. Or is there another way to enable Intel AMT for drive encryption?

Any guidance here would be great. Thanks!

2 Replies
McAfee Employee
Message 2 of 3

Re: Encrypting desktops, autoboot options

@kblowe Thanks for choosing Community portal.

TPM autoboot will be active only after a successful login by a user. For example, the ePO admin assigns a user to a system. Now, the end user has to log in with his credentials, then TPM becomes active and the user won't see the PBA login page. This is per design. Let me know if you are seeing something different.

Actions like a Windows update, DE update, or motherboard swap will disable TPM autoboot because they are modifying the autoboot file. Autoboot is successful only as long as the file is not modified.

You are right, Intel AMT required Deep Command, which is not supported anymore.

JaganA
McAfee Employee

Level 10
Message 3 of 3

Re: Encrypting desktops, autoboot options

OK, yes, I understand how TPM functions. KB79784 needs to be revised. Misleading information that Intel AMT Location Aware is an option.

Going forward, I think Reactive Autoboot may be an option.
