Dear McAfee Community,
We have a Windows 10 laptop, reasonable spec - i7 CPU, 8GB RAM, 300GB+ HDD etc but which is failing to activate for Drive Encryption.
The device is managed by an ePO server running v5.9.1 and has the following products installed:
The BIOS has been upgraded to the latest supported version. In ePO it reports the version of MDE to be 126.96.36.199 for the Encryption software, the Agent and DEGO however, under the Drive Encryption tab it still says Inactive.
The user sent across the MfeEpe.log from the device, the last few lines of which are shown below (they tend to repeat themselves).
Also, I've checked the MDE (Product Settings) policy applied and this is below also (for where there are settings configured; the tabs not shown are blank. This same policy is applied to over 1,000 devices on the estate. The device has been rebooted several times since MDE was installed.
I look forward to hearing to your thoughts, guys!
Most probably the machine just needs a reboot as per below article:
In that case, probably another error in the MfeEpe.log can show us the reason about that. Can you upload it so I can take a look?
Please see below a link to the MfeEpe.log from the laptop where Activation is failing, for McAfee Drive Encryption.
One other thing, I ran a couple of DEGO queries yesterday and here is the results from that.
And the DEGO DataChannel status is below.
Are you familiar with the Server log on the ePO server - that may shed light on this issue?
Unfortunately the one drive locations are blocked for me and I could not review MfeEpe.log but I have some ideas.
Was the DEGO initially disabled and later switched off? Do you see errors for failed health checks?
Regarding the data channel issue, it is a known one - even for simplified environments with great connectivity, I have seen that failing but still activating later in case DEGO is disabled.
Try restarting the MDE Agent service, open "Show DE Status" and "Agent Monitor", then click few times first four buttons of the Agent Monitor and wait for a message in the Status window. If all prerequisites are met, it should start activating.
So what I did was I removed MDE using a standard removal task (no need to use the PRT tool or anything fancy) then I re-deployed MDE to the device and it activated pretty quickly afterwards.
The only other change which was made prior to the removal and redeployment was a Product Settings policy one - on the Encryption Providers tab all the options were disabled whereas on the policy which was previously applied two of these were enabled - Use Windows System Drive as Boot Disk and Enable Pre-Boot Smart Check.
Usually, I do not select any of the options on the Encryption Providers tab, but I cannot say for certain whether this would have been why it suddenly sprang into life.
Would you enable any of the options on the Encryption Providers tab at all?
In case most of your machines use BIOS mode, it is best practice to enable it. It edits the activation sequence and adds additional checks. You can refer to these best practices since they still apply: