yes? Reenablesecurity and disablesecurity ONLY work offline - they don't talk to the DB at all.
You need to make sure in your machine policy you have the "allow local control of autoboot" (sic?) enabled though - it's DISABLED by default to prevent this exploit.
The nice thing is that if the machine does come online and sync - it will remove the "disablesecurity" feature automatically and revert back to pre-boot enabled (unless the central EEM policy has an autoboot user assigned to the machine of course).
According to the "McAfee® Endpoint Encryption Scripting Tool User Guide" on page 45, states that the Connection is required and the example shows a full SbAdminConnection section.
<Database>SafeBoot Admin Database</Database>
I tried the command again but without the SbAdminConnection section and it worked. The documentation needs to be updated to clarify this difference.
you are correct. I'll submit an FMR for this.