9 Replies Latest reply on Jun 26, 2014 10:34 AM by mvm_101

    MDE 7.1: Machine key re-use


      Hi everyone,


      Our desktop support team re-image laptops on a regular basis as an effective way to remediate broken systems.


      Just to make sure I've understood correctly: If I enable machine key re-use in MDE 7.1.1, what will happen if we were to re-image a laptop that was already provisioned with MDE? Would I re-use the existing machine key? If so, would our license count remain unaffected by a machine re-image?


      Message was edited by: mvm_101 on 6/25/14 4:32:57 PM CDT
        • 1. Re: MDE 7.1: Machine key re-use

          I shuld add that our laptops all have just one drive (C:)

          • 2. Re: MDE 7.1: Machine key re-use

            If you just have one *partition* then you should not use this option. It's only for the situation where you have more than one partition, and want to reimage the OS without decrypting other partitions first.

            1 of 1 people found this helpful
            • 3. Re: MDE 7.1: Machine key re-use

              Interesting discussion....


              I have about 50K managed endpoints and no real control of how many systems have a secondary hard drive in the media bay. We are in the process of upgrading to MDE7.1.1 from EEPC6.2.x. How could I leverage the Machine key reuse? In previous version, I would simply tell my PC techs to suck it up and decrypt the secondary disk using WinPE. If I could make life easier for everyone, I would like to do that.

              • 4. Re: MDE 7.1: Machine key re-use

                Ok, thanks for the quick reply.


                The remaining question then is:


                What happens to machine keys and license count in the use case of an encrypted laptop being reimaged?


                If a system called "Laptop101" has been fully provisioned with MDE, and then for whatever reason is re-imaged, will we now have used 2 licenses, or just 1?

                • 5. Re: MDE 7.1: Machine key re-use

                  Not sure what your question is Flinstone - did you read the section of the product guide on key reuse? It's designed for the situation you mention, where you overwrite the OS drive with a fresh image, and want to re-connect a 2nd drive to a new activation of MDE/EEPC

                  • 6. Re: MDE 7.1: Machine key re-use

                    Nothing happens to the keys MVM - nothing ever happens to them. They stay in EPO for ever. As for licences, if you keep the machine in EPO then yes you will have used two licences. If you delete it, or run a job to delete it, then you won't.


                    Not sure where your licence questions are coming from though - are you being auditied?

                    1 of 1 people found this helpful
                    • 7. Re: MDE 7.1: Machine key re-use



                      My questions around keys and licenses are driven by how we have to do things with our current disk encryption solution (which is an old PointSec product). With our current solution, the admin has to manually sift through all keys to find the duplicate keys that are automatically created in PointSec when we re-image and re-encrypt a systemt. From what I have learned so far, it seems that PointSec treats one licese as a key and vice versa.


                      Another reason is that we are pretty close to having used ALL our licenses for our existing solution, so we can't afford to have duplicate keys / licenses, and finally our IT helpdesk procedures are to re-image a system to fix errors so we do see a fair amount of systems being re-imaged. With our current solution, this is the source of a lot of duplicate keys and licenses being consumed.


                      When we complete the migration ot MDE, we will still be in a position where we are very close to using all our licenses.


                      For these reasons, I want to make sure I really, deeply, understand how the re-image scenario works with respect to license usage and machine keys and that I understand whether we will have to "reclaim" licenses that would otherwise have been consumed by re-imaged systems.


                      Message was edited by: mvm_101 on 6/26/14 10:23:53 AM CDT
                      • 8. Re: MDE 7.1: Machine key re-use

                        No you don't have to reclaim - EPO handles licensing very differently. The number of active nodes is the key thing - as long as you don't have more active nodes than you paid for, there will be no problems.

                        • 9. Re: MDE 7.1: Machine key re-use

                          Awesome, thanks.


                          Next: Figure out how to really use Deep Command with MDE but that's an entirely different story


                          Thanks again for your help