I have a question concerning the offline encryption process for standalone machines that will have NO connectivity to ePO. I followed the instructions outlined in https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/19/offline-activation-for-e... offline encryption process and was able to encrypt my standalone machine. I have a question concerning the McAfee password options, which appear to require the user to change the password every 30 days even though Windows local policy is set for every 90 days. Is there a way to update the offline encryption EpeOaGenXml file to make McAfee use the Windows local policy password settings?
I tried updating the encryption user-based policies before exporting the policy file from the ePO server, but when I run the EpeOaGenXml application, the XML file that gets generated still shows the default password is set to 30 days. I tried manually changing this to something else before running the offline activation, but it doesn't appear to change anything.
I also looked at the offline encryption FAQ and it doesn't state that the password settings can be updated, so I'm at a loss. Has anyone had any success using the offline encryption?
The policy in ePO is exported to capture the ePO public key which is contained in the policy. This is used to encrypt the recovery information that can be generated upon activating MDE using the offline activation exe.
All policy options are set using command line switches on the EpeOaGenXml.exe. There is not an option to change the number of days from 30. Please submit an Idea to the Idea Forum to request this functionality be added:
Below are the options that can be set. These can be seen by running the --help switch on EpeOaGenXml.exe.
    Copyright (C) 2012-2013 McAfee, Inc. All Rights Reserved.

      --help                    Display help message
      -v [ --version ]          Display version
      -p [ --platform ] arg     Select target platform:
                                  - PC (default)

    Policy Configuration Options:
      --BackupMachineKey arg    Enable backup of encrypted machine key <true>
      --Recovery arg            Valid path to recovery file <C:\EERecovery.xml>
      --TempAutoboot arg        Enable temporary autoboot <false>
      --Autoboot arg            Enable autoboot <false>
      --DontDisplayUser arg     Do not display the previous username <false>
      --OpalPbfsSize arg        Set PBFS size (MB) for Opal drives <50>
      --RequirePwdChange arg    Require user changes their password <true>
      --UserSelfRec arg         Enable User Self Recovery Enrollment <true>
      --UseScPin arg            Use smartcard PIN <false>

    PC only options:
      --Sso arg                 Enable single sign-on <false>
      --BootMgr arg             Enable boot manager <false>
      --PbfsSize arg            Set PBFS size (MB) <50>
      --MatchUsername arg       Username must match Windows logon username <true>
      --PrebootUsb arg          Enable USB in preboot <true>
      --DisablePF arg           Disable power-fail recovery during initial encryption
      --SkipUnused arg          Skip unused sectors during initial encryption <false>
                                By using the SkipUnused feature you accept the risk
                                that sensitive data present in sectors unused by the
                                filesystem will not be protected.

    User Config File:
      --user-file arg           User file <name:token>
Thanks for the update. I was aware of the options under EpeOAGENXML. Was hoping that there was some way to update or remove the McAfee password policies prior to activation. Thanks.