Please see the KB 66700 https://kc.mcafee.com/corporate/index?page=content&id=KB66700&actp=search&viewlo cale=en_US&searchid=1346337523465 for a consolidated list of common questions and answers
In Preboot section it states:
When should I use Autoboot versus Preboot?
Autoboot enables automated patching on the computer. It is not designed as a mode of perpetual operation, because it offers zero effective security, and no protection from data protection regulations.
On a very high level, the thought behind preboot vs non preboot encryption is that the preboot environment is a hardened, minimal code environment so as to minimize vulnerabilities. If you do bot use preboot then you are giving potential attackers access to your windows install that they might be able to use a windows vulnerability to authenticate or bypass authentication. With preboot installed an attacker has access only to the preboot environment and encrypted data.
I'm not specifically familiar with eepc in autoboot mode.
thanks Jenny & Mat
So basically the EEPC software installed on a laptop without preboot authentication is not doing anything? i.e. if a laptop without preboot authentication gets stolen or lost then the other person can wipe off the data and reinstall the OS?
Which I think is not the case with EEPC in preboot as it wont let the attacker to replace the os or even reach the system bios because its locked down pretty good.
Jst trying to figure out the purspose of EEPC without preboot, is it good for anything?
The short answer is no, it's not good for anything. One of the main advantages of EEPC over bitlocker and others is it's superior flexible preboot environment.
As for your statements... The bios comes before preboot so they can still access, change, flash it but if they change it in a way that interferes with preboot at all then preboot will prevent interaction and throw an error requiring administrator intervention. Reinstalling OS, while I have read that you are not supposed to be able to reinstall, I have personally never had a problem formatting the drive and reinstalling. But at no point will they have access to unencrypted data which is the important part.
If you have autoboot (or lack of preboot) then you have essentially taken the encryption out of the way and left them to deal with the operating system... about the only thing your preventing them from doing is removing the hard drive and placing it in another machine to copy it, because the data is still encrypted. But if they load the OS then they have decrypted the data and can now attempt to access it from that vector.
Thanks Mat! That was very helpful. I guess we'll continue with preboot mode. How is your experience with it so far? I heard from different people that it requires extra resources to manage user i.e. more helpdesk man power is needed...
Just recently updated to 6.2 from 5.2 and it's bean a dream. I only have 50 people so I wouldn't hire extra resources for it but I haven't had a single problem with 6.2 since rolling it out. Although on some high end laptops with raid controllers it has been a pain to get them set up initially. I also use the security questions so that users can reset thier own passwords if needed.
glad to know your upgrade went smooth. Did users bring their laptop on sight or you guys were able to do it remotely via VPN or a downstream EPO server in DMZ? We plan to roll it out starting from new laptops that will be issued from now onwards but we are still struggling figuring out a 100% success solution for users out in field who come to head office once in 6 months.
do they also have local admin accounts on laptops? because with single sign on and AD account things get complicated
The person who set up our 5.2 install used a wierd algorythm so I had to decrypt and reencypt. I was willing to accept a small window of decryption in the field. So I chose groups of users and send the decrypt and uninstall command on 5.2 then I watched that group in epo diligently and when I saw that 5.2 was no longer listed in the products I sent the install for 6.2 which would then prompt the user to reboot. I then watched the encryption status and if it didn't turn to active within a few hours I would call the user and have them reboot. Once they reboot the preboot file system is created and the drive encrypted automatically. Most users do have local admin but it really doesn't make any difference in this case.