We are currently working out our new protection stack for Windows 10 which consists of the following
- ENS 10.5.3 (Threat Prevention & Firewall)
- Management of Native Encryption 4.1.2 (to manage Bitlocker)
- DLP 11 HF 130 (to manage who can use a USB drive on their PC/laptop)
- McAfee Agent 5.0.6 (how would it work otherwise?)
Everything above is configured perfectly and works without a problem.
Because MNE does not support Bitlocker To Go (yet), we try to implement File & Removable Media Protection 5.0.4 to encrypt our USB sticks.
Here is where we got some difficulties: we want to work with User Personal Keys so that every USB stick is encrypted personally and the encrypted stick is unlocked automatically when inserted into a PC where the user is logged in.
We succeeded in creating a UPK for the user, but our question is which authentication type we should pick (OS or password) for what we want to do.
We made a removable media policy where we chose password and UPK as the authentication method, but when we insert a USB stick and want to encrypt it, I get the message "key not available" and I can't continue to initialize the stick. Why is it giving this error? If I use a regular encryption key it works without a problem, but we don't want this, as we would have to create a policy per user, which is time consuming and prone to mistakes.
Is UPK perhaps incompatible with one of our other products in the security stack?
I'm having the same issue right now. I've just tried several different things to try and get it working. If I look at the Status Report in available keys it has my default recovery key and the Personal Key for my user, but when trying to initialize media it shows key not available.
If I change my Removable Media policy to point to my personal key instead of "User Personal Key" then it lets me use that, but only if I had converted it to a regular key as well. I also did a forced OS token authentication for first-time login, since we upgraded from 4 to 5 and it was suggested in the guide.
The McAfee ePO administrator has the flexibility to mandate that the user authenticates using the Active Directory user name and password the first time that the OS token is used on a given Windows system. This can be configured from the OS Token tab of the Authentication policy.
If you had any luck feel free to share! We'll probably open a ticket if we can't figure it out.
So I may have spoken too soon: after enabling the "Require authentication using Active Directory credentials at first logon" option under OS token in the authentication policy and doing another reboot, it seems to be loading the UPK key properly. I was also implementing a disable policy for McAfee Full Disk Encryption at the same time, so I'm unsure if that had an impact as well. I will test with another system tomorrow to confirm.
We deployed to a couple of test systems, making sure that the UPK key did not have "regular key" selected, and we also re-did the assign UPK step for our test users and selected just OS as the authentication method. This won't show up in the "show" selection in the keys menu, but if you run an audit report it will show you that it's in OS Auth mode.