14 Replies Latest reply on Jun 15, 2009 8:41 AM by Fascination

    Boot protection set to Disabled (Q)

      Hi guys,

      I've got a question regarding when Boot protection is set to Disabled. I was under the impression that when I deploy such an installation set to a machine it will install Safeboot and will sit silently on the machine until we activate the protection (i.e. move a machine to a group which has some policies assigned). However, I can't see any machine with this particular set installed within the management console.

      Is this expected behavior? I ask because I want to pre-install deactivated EEPC on all the users' laptops and activate them only when IT support guys come to them and give them a basic how-to.

      Or is there any way to silently deploy EEPC without the pre-boot loader activated?

      Tried to find it in the docs but no luck.


      EEPC 5.1.8
        • 1. RE: Boot protection set to Disabled (Q)

          Here is what can possibly be done:

          1. Create a post install script to move the machine from the Default machine group to the appropriate group.
          2. Add the user to that machine.
          3. Place the SBADMCL.exe on the machine's disk, locally.
          4. Start the CRYPT for C Drive, using the admcl and passing appropriate parameters.

          We have automated the entire procedure in our environment to manage the new installations. You will have to explicitly start the disk encryption on that laptop.

          I hope this helps.

          • 2. RE: Boot protection set to Disabled (Q)

            Perhaps the $autoboot$ user and its addition to the newly created machine can be an answer, till the time encryption starts...

            • 3. RE: Boot protection set to Disabled (Q)
              Disabled means the product is disabled, i.e. no boot protection - only the software is there.

              A machine entry is only created in the db when the product is enabled.

              You might want, though, as the previous poster said, to deploy them ENABLED but autobooting (no pre-boot). That will give you admin and scripting control over the configuration.
              • 4. RE: Boot protection set to Disabled (Q)
                Ok, thanks. Not really what I wanted to hear ...

                Can anyone in a corporate environment tell me how they deploy EEPC? What I see is that it doesn't matter whether you deploy it with ePO or SMS (or any other method), you still have to visit users' computers to explain what to do, how to login, how to synchronize ... so interaction with IT support guys is necessary right after the client installation. Obviously you can't plan any mass deployment (even 50 machines is too many).

                Any hints?
                • 5. RE: Boot protection set to Disabled (Q)
                  I think you'd be better off getting some prof services. Most customers deploy thousands of endpoints a day, so the problems you're struggling with must be resolvable.

                  I fear for you though if you have to train your users how to login - most people have experience of that through normal Windows use, but if this is the first time your users are going to be needing IDs/passwords you are indeed in for a challenge.
                  • 6. RE: Boot protection set to Disabled (Q)
                    Prof services ... I think you are referring to McAfee Gold support? Yeah, they're amazing!

                    I've no problem deploying anything with anything, either ePO (terrible!), SCCM or bloody psexec batch. Whatever. You didn't really get my point ... to make it as painless as possible for the end user.

                    So you basically say that it's no problem to deploy EE to 1000 users within a day (or hours? why not ...) and those users will find some McAfee screen after the reboot? Great, I would expect 1000 phone calls right away.
                    • 7. RE: Boot protection set to Disabled (Q)
                      I think you're misunderstanding the ability of $autoboot$; users won't see a pre-boot screen (at least not for long, you may note a loading bar appear briefly).

                      The best way I've found so far when rolling out large deployments is to use $autoboot$ and then, once all machines are created successfully and synching, you then begin user education at, say, a department at a time.

                      You're going to have to explain to the users how SafeBoot works sooner or later! One alternative (though I personally don't recommend this) is whereby you have a Windows theme for your SafeBoot pre-boot screen and then enable SSO. It's a sad fact but a lot of users won't notice the difference as long as the colours look the same.
                      • 8. RE: Boot protection set to Disabled (Q)
                        I'm guessing, Petr, that this is being forced on you? :-)

                        Yes, I'm saying that thousands of enterprise customers, including more than half of the Fortune 50, have deployed this exact solution to thousands of users without hand-holding each one through the process. It's not as big a deal as you think it is. There are a lot of things you can do to smooth out the process, from completely automating it (autodomain) to writing a simple email to the user telling them what's going on.

                        The only change it makes to their lives is that it moves the login from Windows to Preboot (if you choose to enable the pre-boot login, you could go insecure and use $autoboot$). There's nothing else the user has to do.

                        No, I'm not suggesting you seek deployment advice from Gold Support - their job is to read and explain the manual to you. You should seek advice from the people who've organised enterprise class deployments, the McAfee Professional Services team. They will come to you and do the job for you if you want so you don't have to spend time learning the product.
                        • 9. RE: Boot protection set to Disabled (Q)
                          A lot of things are forced on me, so no big deal :)

                          I was just seeking something like best practice and not a recommendation for the McAfee services, as I don't have a problem with deployment, writing emails to end users or configuration of the product. It's not about learning something (I've read the docs many times and they lack these small details I'm asking about), the product is running and I'm quite happy with that.

                          You know, we had a POC done for us here (mid-east) by a McAfee-appointed company and their knowledge was very limited (in fact, after reading the docs I was on the same level). It might work in the US or EU but definitely not here. And I must be very careful when implementing such a thing, and double-test it on all the configurations we've got and try as many scenarios as possible to document for the support team when something goes wrong.

                          Ok, I've tried autoboot (before I posted here). This works fine, however there's like a 30 sec delay. Can I change that timeout? (Again, there's nothing in the docs.)

                          Regarding autodomain, does it come with EE? Or is it some 3rd-party tool?

                          Thanks both of you