I am working with the release v6 now for a week and it seems a little, how should I say, brattish.
I push the client task for the EEPC Agent and Host package to my machines and there are a couple of quirks. When the McAfee Agent checks in for new policies the EEPC Host installs first and prompts for a reboot. This is fine but the EEPC Agent does not install right after EEPC Host. The machine may get rebooted and will not be active. This means that after a reboot the McAfee Agent will check for policies/updates again and finally install the EEPC Agent. So it will be a good practice to schedule the EEPC Agent to install first and the EEPC Host to install after.
Now when both are installed I notice it takes a very long time for EE to become active and start encryption. This is even with checking for policies, enforcing policies, Collect and send props, and updating security. I have everything properly configured. My EE Product Settings and UBP are assigned to my systems and the proper EE users are assigned to the systems. I see that the EE policy is being updated but no activation and encryption. After a few minutes I reboot (no MEE PBA as of this point) and log on to Windows as a user that has MEE UBP assigned through ePO. This was the same user I used when I was installing EE Agent and Host. Sometimes it finally starts encryption and sometimes it does not. Sometimes I have to log off and log back in as a different user to kickstart the encryption. Every time I notice the encryption progress bar was already 1/4 complete. It is like the activation/encryption did start after the first reboot but the EE Agent did not show it on the Quick Settings status screen. This can be a problem for administrators and users to tell if the machine is truly activated or what stage of encryption status. In v5 you could tell right away after the first synchronization occurred and the encryption progress from the MEE Client Status window.
The systems are Windows XP SP3. Anyone else seeing this issue?
Message was edited by: chris.schaber on 11/25/09 9:18 AM
Here's what we know about activation in v6.
In my own experience I have seen the ASCI complete, then there is a pause of between 30 seconds and 2 minutes before the EEPC status window says activation has started. I think it is doing some additional communication/work that isn't displayed in the status monitor.
Also, you are correct about the deployment task. Do EE Agent first, then EEPC component. You are also correct that this is different than in v5. We are now bound by the ePO agent's communication behavior, and that means we have to wait for that ASCI.
Finally, can I ask you to rename this topic title to "activation problems in v6"?
Message was edited by: DLarson on 11/25/09 9:08 AM
Thanks for the quick response and advice DLarson.
I have responded below each of your points.
1. It will not happen if you have not assigned a user. So be sure to add some users in your Group User list. If you are having trouble with users, then just enable automatic booting. This eliminates the need for a user to be assigned.
I have users assigned to my EEPC systems per the documentation and still encounter the same problem.
2. It requires an ASCI. So after that first reboot, it will do nothing until the ASCI interval. By default this is 60 minutes. You can force it with a collect and send props, or an agent wake up call.
Yes, I have completed the ASCI immediately after boot up after EEPC Agent/Host installation. The policy is updated but no activation or encryption (even after 30+ seconds). This never happens until I perform many steps as stated in my last reply.
3. It is dependent upon data being sent via the ePO data channel. If there are any errors in that communication, activation won't happen. You can troubleshoot this by enabling EEPC logging on the endpoint.
Good point. Something I have not looked at. I will enable EEPC logging and troubleshoot.
Overall I am happy with this release. I have encountered few problems and I am pleased with the ePO integration.
BTW - The title has been renamed.
Message was edited by: chris.schaber on 11/25/09 9:42 AM
Below are the steps to enable logging. If you are able to reproduce these issues I would highly recommend creating a support ticket so the log files can be analyzed and more cases of this presented to development.
Create a new registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee EndPoint Encryption\MfeEpeHost\Configuration
And insert a DWORD value with the name "LoggingLevel". The possible values are from 0 to 4. 0 being no logging and 4 being the highest level of logging.
Immediately after setting this registry setting, logging will commence. This is logging for the host and will contain various pieces of information. A file will be created in the following location:
Directory: C:\Program Files\McAfee\Endpoint Encryption Agent
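The registry steps in the post above can be scripted as follows. This is an added example, not part of the original post or McAfee's tooling; the key path, value name and 0 to 4 range come from the post, and the function name `Set-EepcHostLoggingLevel` is hypothetical. Run it from an elevated PowerShell session.

```powershell
# Added example. Key path and value name are taken from the post above;
# the function name is hypothetical.
function Set-EepcHostLoggingLevel {
    [CmdletBinding()]
    param(
        # 0 = no logging, 4 = highest level (range as stated in the post)
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 4)]
        [int]$Level
    )

    $keyPath = 'HKLM:\SOFTWARE\McAfee EndPoint Encryption\MfeEpeHost\Configuration'

    # The post says to create the key, so it may not exist yet.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }

    # Remember the previous value (if any) so it can be restored later.
    $previous = $null
    $existing = Get-ItemProperty -Path $keyPath -Name 'LoggingLevel' -ErrorAction SilentlyContinue
    if ($existing) { $previous = $existing.LoggingLevel }

    # -Force overwrites an existing value; the post specifies a DWORD.
    New-ItemProperty -Path $keyPath -Name 'LoggingLevel' -Value $Level `
        -PropertyType DWord -Force | Out-Null

    # Read the value back so the caller can confirm what is actually set.
    $current = (Get-ItemProperty -Path $keyPath -Name 'LoggingLevel').LoggingLevel

    New-Object PSObject -Property @{
        Path          = $keyPath
        PreviousLevel = $previous
        CurrentLevel  = $current
    }
}

# Enable the highest logging level while reproducing the activation issue:
#   Set-EepcHostLoggingLevel -Level 4
# Turn logging off again once the log has been collected:
#   Set-EepcHostLoggingLevel -Level 0
```

Setting the level back to 0 after collecting the log keeps the log file from continuing to grow on the endpoint.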
Update on my activation problem:
I deployed the EEPC Agent and the EEPC Host to another client. I enabled EEPC logging on the client and set it for debug 4. I noticed that the log file was up to 4MB in about 1/2 hour when setting the debug to 4. After EEPC Host installation and reboot it took about 5 minutes for Activation. The disk encryption started a few seconds after. This was after two or three Policy Update and Collect and Send Props. There were no communication errors between the Agent and the ePO server.
I looked at the logs and I found that it had to assign the policies and users to the machine before activation and encryption. I had about 300 users assigned to the machine so it had to wait until all the users were assigned before activation. So just like in the v5 days, all the policies and users will have to synchronize down before the boot protection finalizes and encryption starts. You will get the error message that assigning many users is not recommended when performing the task in the Data Protection menu. This makes sense but I wanted to test this scenario even though there are security risks.
I deployed to another system and only assigned 4 administrative users. It took only one Policy Update and Collect and Send Props before EEPC activation and encryption. This happened in under a minute and works like a champ. I highly recommend that you pre-assign very few users such as administrators and desktop support to your systems. Use the Add local domain users for user assignment thereafter.
Mink - make sure you are deploying in 2 separate tasks per the deployment instructions. It may be that the installation is getting corrupt when installing in 1 single task.
Hey Chris, thanks for your time on this. Yes, I configured users to the machine before enabling the policies.
I managed to resolve the issue. I found out there is a bug in ePO 4.5: if the user name used to create the registered LDAP Server does NOT include the domain, the ePO API call for getting policy for users will fail (but I was able to browse and assign users for the client). Apparently this has been addressed in ePO 4.5 Patch1.
When I included the domain and did full props my VM XPSP3 client got activated and encryption started!!! I didn't do any changes other than adding the domain name when specifying the user in
Today I did a pilot at a Cx place, assigned users from 2 ADs (2x LDAP registered servers + 2x LDAP sync server tasks) and everything worked smoothly! Encryption started after issuing 2 props + 15~20 sec!!
Btw, [0xEE000005] means Bad XML - I am not sure what it means