6 Replies Latest reply on Jul 1, 2011 3:25 AM by redbaron51

    EEPC6.1 Policy Enforcement

    redbaron51

      Hi all,

       

      *** Still in the testing environment ***

      ePO 4.5.4HF1

      MA 4.5.0.1499

       

      I have re-imaged a laptop and prior to that deleted the object from ePO.

       

      During the build process we deploy EEPC6.1 agent then EEPC6.1 host packages. It installs fine.

       

      However it seems that the policy enforcement is not loading completely. The EEPC status is stuck on “Created add local domain users event”

       

      Event forcing a “Collect and Send Props” + “Enforce Policies” do not do the trick.

       

      eepc61.JPG

       

      Checking the laptop + group on ePO I can clearly see that both Endpoint Encryption Poilicies (Product Settings + UBP) are linked to this group/machine.

       

      Agent ID GUID matches fine.

       

      Extract from MfeEpe.log

       

      2011-06-29 10:30:58,867 INFO    EpoPlugin                            enforcePolicy: new policy store created (session 1309339575).

      2011-06-29 10:30:58,929 INFO    EpoPlugin                            enforcePolicy: Waiting for OptIn users before enforcing policy.

      2011-06-29 10:30:58,945 INFO    EpoState                             Setting enforcement state to TRUE

      2011-06-29 10:30:59,008 INFO    EpoPlugin                            enforceUserPolicy: Dispatching enforce policy event.

      2011-06-29 10:30:59,008 INFO    EpoPlugin                            policyHandler: handling EnforcePolicy event

      2011-06-29 10:30:59,305 INFO    EpoPlugin                            themeHandler: theme ID change detected (old: 1, new: C69BEFE1-94E7-4A47-9BB2-0FF09711FF26).

      2011-06-29 10:30:59,305 WARNING EpoPlugin                            themeHandler: no theme package found

      2011-06-29 10:30:59,305 WARNING EpoPlugin                            themeHandler: failed to unzip new theme file.

      2011-06-29 10:30:59,305 INFO    EpoPlugin                            userHandler: handling AddLocalDomainUsers event

      2011-06-29 10:30:59,320 INFO    EpoPlugin                            userHandler: dispatching EPOAddDomainUsers event to AgentHandler

      2011-06-29 10:36:00,665 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:36:00,681 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:41:01,833 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:41:01,848 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:46:03,154 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:46:03,169 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:48:57,426 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2011-06-29 10:48:57,629 INFO    EpoPlugin                            epoAudit: dispatching audits to AgentHandler

      2011-06-29 10:51:04,553 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:51:04,569 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:51:16,326 WARNING MfeEpeEsEncryptionInformationService ..\..\..\Src\EpeFsmHostErrorHandler.cpp: EPE_fsm_host_error_handler::handle: 71: Received service unavailable exception: The service MfeEpeEncryptionInformationServiceClient is currently unavailable

      2011-06-29 10:52:09,000 WARNING MfeEpeEsEncryptionInformationService ..\..\..\Src\EpeFsmHostErrorHandler.cpp: EPE_fsm_host_error_handler::handle: 71: Received service unavailable exception: The service MfeEpeEncryptionInformationServiceClient is currently unavailable

      2011-06-29 10:56:05,819 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:56:05,834 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:59:29,050 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2011-06-29 10:59:31,473 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 10:59:31,488 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:04:32,432 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:04:32,447 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:09:33,401 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:09:33,417 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:12:52,713 INFO    EpoPlugin                            collectProperties: dispatching disk list to AgentHandler

      2011-06-29 11:12:58,042 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:12:58,073 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:17:58,876 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:17:58,892 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:22:59,757 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

      2011-06-29 11:22:59,757 INFO    EpoPlugin                            enforcePolicy: Policy Enforcement already in progress, skipping.

       

      Questions:

       

      1. When re-imaging a laptop do I need to deleted the object in ePO or it doesn’t matter?
      2. Where should I look at to troubleshoot this Policies Enforcement Issue?

       

      Help is much appreciated.

        • 1. Re: EEPC6.1 Policy Enforcement
          Timmah

          Hi Redbaron51,

           

          When the status message says "Created ... event", instead of clicking "Collect & Send" or "Enforce Policies", try clicking "Send Events".

           

          In this case though, a response hasn't been received from ePO for the event.

           

          Is the machine behind a firewall?

           

          Also, don't worry about the WARNING messages... they're a red herring.

           

          Take a look in the EpeEventHandler.log under DB\Logs for anything suspicious, and also in the orion.log.

           

          Let us know how you get on!

           

          Cheers,

           

          Tim

          1 of 1 people found this helpful
          • 2. Re: EEPC6.1 Policy Enforcement
            redbaron51

            Hi Tim,

             

            I forgot to mention on my post that I had also clicked "Send Events", no joy.

             

            EpeEventHandler.log:

            ===== Logging Service Started ===== 1, 1, 0, 248

            ===== Logging Service Started ===== 1, 1, 0, 248

             

            Nothing relevant on orion.log

             

            Still no joy. Read another thread talking about EEPC host install issues and suggesting re-installing it. Might give it a try.

             

            With regards to re-imaging a laptop: Do I need to delete the object from ePO everytime?

             

            Thanks

            • 3. Re: EEPC6.1 Policy Enforcement

              One other thing to check is the event parser service on the ePO side. There's an issue with Windows Server 2008 and R2 where the event parser service won't automatically restart. So if you ever reboot your server, or if it stops for any other reason ... you have to go start it again manually. This service MUST be running if you want EEPC to activate. Event Parser KB here https://kc.mcafee.com/corporate/index?page=content&id=KB71568&actp=search&viewlo cale=en_US&searchid=1309358325847

               

              As for the policy enforcement, I think this is might actually be expected behavior. EEPC only updates its policy on an ASCI, so I think it will keep saying "Policy Enforcement already in progress, skipping" or something like this until the next ASCI, or until you restart the MfeEpeHost.exe. This means that hitting either "collect and send" or "enforce policies" will do nothing to move the needle. Your only hope is to Send Events and wait for a response from ePO, restart the service, or reboot (which will restart the service). If don't this doesn't work, then I have misattributed the error message - but that's what I'd try in this situation.

              1 of 1 people found this helpful
              • 4. Re: EEPC6.1 Policy Enforcement
                redbaron51

                hi Larson,

                 

                I had read on another KB (forgot ref #) about event parser.

                 

                It looks as if there was a problem with the installation, as I created an uninstall task then re-deployed (agent + host) and it looks okay.

                 

                I will re-image this laptop again and see what happens.

                 

                Stupid Q again:

                 

                When re-imaging a machine do I need to remove/delete the object from ePO?

                 

                Will update the thread with results

                • 5. Re: EEPC6.1 Policy Enforcement

                  No need to delete from ePO before re-image. In fact, I'm pretty sure it will preserve your user assignments and policies if you don't delete from ePO. That is very helpful logic if you ever re-image and have to give it back to the original user (in the case of a BSOD, etc).

                  1 of 1 people found this helpful
                  • 6. Re: EEPC6.1 Policy Enforcement
                    redbaron51

                    Thanks again Larson. I will re-image the laptop and see how it behaves.