8 Replies Latest reply on Jan 27, 2010 10:48 AM by davei

    Decryption via ePO


      Hi all


      I'm confused here and can't find diddly in the documentation for this.


      I am testing 3x devices with EEPC 6 from epo 4.5 P1 (with MA4.5)  Deployment is fine and works as expected to two desktops and a laptop (all Dell).  They encrypt fine.  A few gripes in general but most have already been mentioned on this forum... so will worry about them later.


      I now wish to expand my trial to encompass most of IT Dept (all different Dell laptops and different OS's).  Before i do so, i want to prove that i can decrypt and remove the software on-demand whenever i choose.  But i'm struggling.  Nothing in product guide about decrypting.


      I have created a new 'Product Settings' policy in ePO that contains the following settings, and have assigned it to the relevant computers in question:


      Enable Policy: Not ticked
      Encrypt: None
      Enable Automatic Booting: Ticked, no expiration
      All other tick boxes on the 'Log on' tab in ePO Policy are not ticked.


      This policy is assigned to the computers in question in ePO.  (a dedicated group in the system tree).


      Agent-Server comms is working fine.  I have used ePO since v2 with vscan etc. so would like to think i have a vague idea about normal ePO operations...


      Quick Settings from the Agent icon shows the product is activated, C: drive is encrypted and last policy update time is recent enough.


      After several restarts, log offs, on, doing the rain dance, sacrificial lamb etc. and then leaving over night, i've come in this morning to find no change in the encrypted state.

      Can anybody point out where i'm going wrong?


      Some sort of guide (even high-level guide) on what steps are requried to decrypt a machine would be most useful.  I can't push this out and encrypt even the trial devices unless i know for a fact i can reliably decrypt and remove the software for any reason whenever i want.  I'm not encrypting my bosses laptop unless i can decrypt it! :-)


      Thanks for any help



        • 1. Re: Decryption via ePO



          Decrypting via ePO

          It´s possible to make two ways.

          1) Create group (for example "DECRYPT_PC")

              In Endpoint Encryption 1.0.0 > Product Settings > you have to set
              Enable Policy: check   (client must received polisy about decrypt)
              Encryption : None
             This steps (after WakeUp Agent) will start decrypt your HDD.
             But McAfee EA1 and EE6 is not removed. (only decrypted)


          2) Create group (for example "REMOVE_ENCRYPTION")
              Disable yours Install task for EncAgent 1 and EndpEncr 6
              Create new client task "Remove_EE" (Product deployment EA1 and EE6 but with action "Remove")
              Now you can move your computer to "REMOVE_ENCRYPTION".
              Because product may by removed only decrypted so first action is decrypt and after then remove task "Remove_EE" (EA1 and EE6).

          It is my experience.


          • 2. Re: Decryption via ePO

            Thanks Michal.  I understand the volumes need to be decrypted first, and the product marked as 'inactive' before the software can be removed.


            I swear i have tried your suggestion previously, leaving the 'enabled' checked but the encryption set to 'none'.  But got nowhere.


            Before moaning anymore, i will re-visit all my settings right now and try what you have suggested.


            Will post back here in a bit.


            Thanks again.



            • 3. Re: Decryption via ePO


              Now i tried


              1) Picture 1

              2) Move PC to group DECRYPT  (there is the same policy ..but there is set Encrypt: None)

              3) After that I did WakeUp Client

              4) wait about 1min

              5) Picture 2



              • 4. Re: Decryption via ePO

                That is correct approach. Detach (break inheritance) existing EE product policy for that system and change encryption to none. Upon policy renewal it should start decryption.

                If it doesn't work that way, debug.

                • 5. Re: Decryption via ePO

                  Yes having enabled logging level 4 on the three machines in question i can see that the wrong policy is in effect (or at least, listed in the debug log).


                  Interestingly, these polices bare no resemblance to the policies assigned in the ePO system tree.  The policy to decrypt (configured as per Michal's post above) is assigned, but a completely different policy is listed in the debug log on all three machines.


                  Do i specifically need to break inheritance on the individual systems in question?  I had created a group in the system tree called 'eepc-test', and moved these systems into that group.  I then assigned the decrypt_all policy i created to that group.  If i look at 'modify policies on a single system' in epo, it seems that the correct policy is currently applied ie. no inheritance breaks.


                  i have just searched my system tree for duplicate objects, wondering if an AD sync had pulled duplicate objects into the system tree, but there are none.  So confused as to where it is getting this other policy from!


                  PS.  If it is of any relevance, the log file on all three devices are full of the following error:


                  2010-1-27 12:15:33,849 ERROR EpoPlugin [0xEE000005] Failed to deserialize type.  The best info i've found so far is that 0xEE000005 translates to 'bad xml' but means nothing to me.


                  The devices are 1x WinXP SP3 Desktop (Dell Optiplex something-or-other), 1x WinXP SP3 Laptop (Dell Latitude D600 family, an older one) and 1x Vista SP2 Desktop (Optiplex 760).


                  I am starting wo wonder if this is more an ePO<->Agent issue.  But have never had any problems with policy assignment for our other products (VSE+addons, HIPS in trial) over many years now.

                  • 6. Re: Decryption via ePO

                    Locking the inheritance in ePO on my 'eepc-testgroup' group did not result in the correct policy being downloaded by the client.


                    Will start moving things around the system tree and see if i can find out what i've done wrong\differently.

                    • 8. Re: Decryption via ePO

                      Thanks Peter, interesting.


                      I know why the machines are not decrypting - the wrong policy is being applied, as shown in the log file.  So i guess that aspect is working as designed.


                      However i now need to figure out why the wrong policy is being downloaded by the agent.  I've moved the systems around the system tree, assigned other policies at the group level but broken inheritance on the individual systems and tried it that way, no joy.  Redeployed the agent to the machines from ePO, no change in policy that is downloaded.


                      If i look in the Policy Catalog in ePO, i can see the policy that these machines are downloading - but under the Assignments column, it says 'None'.




                      Will keep at it and post anything i think will be of interest back to here.  Thanks for the help so far guys.