1 2 3 Previous Next 28 Replies Latest reply on Feb 14, 2013 2:19 PM by ron.sokol

    Activation problems in v6

      I am working with the release v6 now for a week and it seems a little, how should I say, brattish.

       

      I push the client task for the EEPC Agent and Host package to my machines and there are a couple quirks. When the McAfee Agent checks in for new policies the EEPC Host installs first and prompts for a reboot. This if fine but the EEPC Agent does not install right after EEPC Host. The machine may get rebooted and will not be active. This means after a reboot and the McAfee Agent will check for policies/ updates again and finally install the EEPC Agent. So it will be a good practice to schedule the EEPC Agent to install first and the EEPC Host to install after.

       

      Now when both are installed I notice it takes very long time for EE to become active and start encryption. This is even with checking for policies, enforcing policies, Collect and send props, and updating security. I have everything properly configured. My EE Product Settings and UBP are assigned to my systems and the proper EE users are assigned to the systems. I see that the EE policy is being updated but no activation and encryption. After a few minutes I reboot (no MEE PBA as of this point) and logon to Windows as user that has MEE UBP assigned through ePO. This was the same user I used as when I was installing EE Agent and Host. Sometimes it finally starts encryption and sometimes it does not. Sometimes I have to log off and log back in as a different user to kickstart the encryption. Every time I notice the encryption progress bar was already 1/4 complete. It is like the activation/encryption did start after the first reboot but the EE Agent did not show it on the Quick Settings status screen. This can be a problem for administrators and users to tell if the machine is truly activated or what stage of encryption status. In v5 you could tell right away after the first synchronization occured and the encryption progress from the MEE Client Status window.

       

      The systems are Windows XP SP3. Anyone else seeing this issue?

       

       

      Message was edited by: chris.schaber on 11/25/09 9:18 AM
        • 1. Re: v6 behaving a little brattish

          Here's what we know about activation in v6.

           

          1. It will not happen if you have not assigned a user. So be sure to add some users in your Group User list. If you are having trouble with users, then just enable automatic booting. This eliminates the need for a user to be assigned.
          2. It requires an ASCI. So after that first reboot, it will do nothing until the ASCI interval. By default this is 60 minutes. You can force it with a collect and send props, or an agent wake up call.
          3. It is dependent upon data being send via the ePO data channel. If there are any errors in that communication, activation won't happen. You can troubleshoot this by enabling EEPC logging on the endpoint.

           

          In my own experience I have seen the ASCI complete, then there is a pause of between 30 seconds and 2 minutes before the EEPC status window says activation has started. I think it is doing some additional communication/work that isn't displayed in the status monitor.

           

          Also, you are correct about the deployment task. Do EE Agent first, then EEPC component. You are also correct that this is different than in v5. We are now bound by the ePO agent's communication behavior, and that means we have to wait for that ASCI.

           

          Finally, can I ask you to rename this topic title to "activation problems in v6"?

           

           

          Message was edited by: DLarson on 11/25/09 9:08 AM
          • 2. Re: Activation problems in v6

            Thanks for the quick response and advice DLarson.

             

            I have responded below each of your points.

             

            1. It will not happen if you have not assigned a user. So be sure to add some users in your Group User list. If you are having trouble with users, then just enable automatic booting. This eliminates the need for a user to be assigned.

                      I have users assigned to my EEPC systems per the documentation and still encounter the same problem.

             

            2. It requires an ASCI. So after that first reboot, it will do nothing until the ASCI interval. By default this is 60 minutes. You can force it with a collect and send props, or an agent

                wake up call.

                       Yes, I have completed the ASCI immediately after boot up after EEPC Agent/ Host installation. The policy is updated but no activation or encryption (even after 30+

                        seconds). This never happens until I perform many steps as stated in my last reply.

             

            3. It is dependent upon data being send via the ePO data channel. If there are any errors in that communication, activation won't happen. You can troubleshoot this by enabling

                EEPC logging on the endpoint.

                         Good point. Something I have not looked at. I will enable EEPC logging and troubleshoot.

             

            Overall I am happy with this release. I have encountered few problems and I am pleased with the ePO integration.

             

            BTY - The title has been renamed.

             

             

            Message was edited by: chris.schaber on 11/25/09 9:42 AM
            • 3. Re: v6 behaving a little brattish

              You can troubleshoot this by enabling EEPC logging on the endpoint.

              How would you do that?

              • 4. Re: v6 behaving a little brattish

                Below are the steps to enable logging. If you are able to reproduce these issues I would highly recommend creating a support ticket so the log files can be analyzed and more cases of this presented to development.

                 

                Create a new registry key:

                HKEY_LOCAL_MACHINE\SOFTWARE\McAfee EndPoint Encryption\MfeEpeHost\Configuration

                 

                And insert a DWORD value with the name "LoggingLevel". The possible values are from 0 to 4. 0 being no logging and 4 being the highest level of logging.

                 

                Immediately after setting this registry setting, logging will commence. This is logging for the host and will contain various pieces of information. A file will be created in the following location:

                 

                Directory: C:\Program Files\McAfee\Endpoint Encryption Agent

                Filename: MfeEpe.txt

                • 5. Re: v6 behaving a little brattish

                  Your instructions worked well. Thank you.

                  Do you know which EE v6 document will include this and similar information in the future?

                  • 6. Re: v6 behaving a little brattish
                    mink

                    Client XPSP3

                    User based polices are configured,

                    Policy Enabled, Encryption enabled, Automatic Boot enabled

                    LDAP sync successful (after 3Hrs of trying all possible combinations -doing it again and again) - samaccountname (used in `User Name` and `Display Name`)

                    Single Deployment task (Agent and PC)

                    Reboot prompted

                    After reboot -Collect and Send properties more than couple of times

                    Waited more than 180 mins

                    Agent is still NOT Activated - System State: Inactive, Volume Status: No Volume Information

                     

                    Enabled Level 4 logging (Thanks Dan), Below error message found in the MfeEpe.log file.

                    " ERROR EpoPlugin [0xEE000005] Failed to deserialize type"

                     

                    Q1: What does it mean?

                    Q2: Any help to interpret MfeEpe.log?

                    Q3: what I am doing right (wrong)?

                     

                     

                    • 7. Re: Activation Problems in v6

                      Sorry I am going off track from your questions but I did not see in your steps that you assigned any users to your systems. Did you do this task before deployment?

                      • 8. Re: Activation Problems in v6

                        Update on my activation problem:

                         

                        I deployed the EEPC Agent and the EEPC Host to another client. I enabled EEPC logging on the client and set it for debug 4. I noticed that the log file was up to 4MB in about 1/2 hour when setting the debug to 4. After EEPC Host installation and reboot it took about 5 minutes for Activation. The disk encryption started a few seconds after. This was after two or three Policy Update and Collect and Send Props. There were no communication errors between the Agent and the ePO server.

                         

                        I looked at the logs and I found that it had to assign the policies and users to the machine before activation and encryption. I had about 300 users assigned to the machine so it had to wait until all the users were assigned before activation.  So just like the in the v5 days that all the policies and users will have to synchronize down before the boot protection finalizes and encryption starts.You will get the error message that assigning many users is not recommended when performing the task in the Data Protection menu. This makes sense but I wanted to test this scenario even though there are security risks.

                         

                        I deployed to another system and only assigned 4 administrative users. It took only one Policy Update and Collect and Send Props before EEPC activation and encryption. This happened in under a minute and works like a champ. I highly recommend that you pre-assign very few users such as administrators and desktop support to your systems. Use the Add local domain users for user assignment thereafter.

                        • 9. Re: Activation Problems in v6

                          Mink- make sure you are deploying in 2 seperate tasks per the deployment instructions. It may be that the installation is getting corrupt when installing in 1 single task.

                          1 2 3 Previous Next