4 Replies Latest reply on May 7, 2015 12:52 PM by mbouchard71

    Programmatically tell if a drive is encrypted

    mbouchard71

      Is there a way for me to reach out to a remote system and tell if the HD is encrypted?  Run Save machine info remotely?  I have several systems that are reporting as inactive and I am trying to determine how big an issue we may have.  I.e. do we have an unencrypted drive in the wild or is EEPC just borked for some reason.  The plan is to get EEPC working; I just need to know the severity.

        • 1. Re: Programmatically tell if a drive is encrypted
          mitch_reid

          I look at a few things to see the health of encryption. The first is to verify that the "McAfee Drive Encryption Agent" service is running. Then I check to see if encryption is activated by looking in the registry: "SOFTWARE\Wow6432Node\McAfee EndPoint Encryption\MfeEpePC\Status\Activated". Finally I check "SOFTWARE\Wow6432Node\McAfee EndPoint Encryption\MfeEpePC\Status\CryptState" to see the status of the volumes. This can be implemented many ways through scripting/automation.


          (This was from 64bit Windows with DE 7.1.1)
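
The three checks from the reply above, combined into one remote query, as an added example that is not part of the original post and is not McAfee tooling. It assumes PowerShell remoting (WinRM) is enabled on the targets, that `Activated` and `CryptState` are values under the `Status` key, and that they take the forms quoted later in this thread (`Yes`, `Volume=C;State=Encrypted`); the function name and host names are hypothetical.

```powershell
# Added example: hypothetical helper, not vendor code.
# Assumptions: WinRM remoting is enabled; Activated and CryptState are values
# under the Status key (64-bit Windows, DE 7.1.1, as in the post).
function Get-DriveEncryptionHealth {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    # Hosts that cannot be reached surface as errors and produce no row.
    # Treat a missing row as "unknown", never as "encrypted".
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $statusKey = 'HKLM:\SOFTWARE\Wow6432Node\McAfee EndPoint Encryption\MfeEpePC\Status'

        # Check 1: the agent service, matched by the display name from the post.
        $svc = Get-Service -DisplayName 'McAfee Drive Encryption Agent' -ErrorAction SilentlyContinue

        # Checks 2 and 3: Activated and CryptState read from the Status key.
        $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

        # Parse "Volume=C;State=Encrypted" pairs. How several volumes are
        # listed is an assumption; repeated pairs in this form are all captured.
        $volumes = @()
        foreach ($entry in @($status.CryptState)) {
            if (-not $entry) { continue }
            foreach ($m in [regex]::Matches([string]$entry, 'Volume=([^;]+);State=([^;]+)')) {
                $volumes += [pscustomobject]@{
                    Volume = $m.Groups[1].Value.Trim()
                    State  = $m.Groups[2].Value.Trim()
                }
            }
        }

        $notEncrypted = @($volumes | Where-Object { $_.State -ne 'Encrypted' })
        $serviceUp    = ($null -ne $svc) -and ($svc.Status -eq 'Running')

        [pscustomobject]@{
            ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
            Activated     = [string]$status.Activated
            CryptState    = [string]$status.CryptState
            Volumes       = $volumes
            # All three checks must agree before a host is reported as healthy.
            LooksHealthy  = $serviceUp -and
                            ([string]$status.Activated -eq 'Yes') -and
                            ($volumes.Count -gt 0) -and
                            ($notEncrypted.Count -eq 0)
        }
    }
}

# Usage with placeholder host names:
# Get-DriveEncryptionHealth -ComputerName HOST-A, HOST-B |
#     Format-Table PSComputerName, ServiceStatus, Activated, CryptState, LooksHealthy
```

As the follow-up posts in this thread show, these registry values can read active while ePO and the local status report inactive, so treat the result as one signal rather than proof of encryption.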

          • 2. Re: Programmatically tell if a drive is encrypted
            mbouchard71

            Thanks for the reply Mitch, but one of the systems I am looking into that is reporting to EPO that it is inactive and the Show Drive encryption status status shows as both Inactive and No Volume Information also has the regkeys Activated = Yes and CryptState = Volume=C;State=Encrypted.  Is there another place for me to look?

             

            Also, in case this might help, this is the bottom of the log for the system in question

             

             

            2015-05-07 13:14:28,678 ERROR   MfeEpeCoreEncryptionPlugin           --- Activation Aborted, provider is already active ---

            2015-05-07 13:14:28,678 ERROR   StatusService                        Activation has failed: Failed to locate an encryption provider

            2015-05-07 13:14:28,678 WARNING MfeEpeCoreEncryptionPlugin           Provider is already active

            2015-05-07 13:14:28,678 ERROR   StatusService                        Failed to process a batch of user data received

            2015-05-07 13:14:28,678 ERROR   EpoPlugin                            userHandler: failed to process batched user data response: [0xEE010000] Provider is already active

            2015-05-07 13:14:28,678 INFO    EpoState                             == End of policy enforcement ==

            2015-05-07 13:14:28,678 INFO    StatusService                        Policy enforcement has completed

            2015-05-07 13:14:31,423 INFO    EpoPlugin                            userHandler: handling GetAllUsers response

            2015-05-07 13:14:31,423 INFO    StatusService                        Received data for assigned users

            2015-05-07 13:14:31,782 ERROR   EpoPlugin                            userHandler: failed to process batched user data response: [0xEE000006] No policy store

            2015-05-07 13:14:31,782 ERROR   StatusService                        Failed to process a batch of user data received

            2015-05-07 13:14:31,782 INFO    EpoState                             == End of policy enforcement ==

            2015-05-07 13:14:31,782 INFO    StatusService                        Policy enforcement has completed

            2015-05-07 13:14:33,529 INFO    EpoPlugin                            userHandler: handling GetAllUsers response

            2015-05-07 13:14:33,529 INFO    StatusService                        Received data for assigned users

            2015-05-07 13:14:33,748 ERROR   EpoPlugin                            userHandler: failed to process batched user data response: [0xEE000006] No policy store

            2015-05-07 13:14:33,748 ERROR   StatusService                        Failed to process a batch of user data received

            2015-05-07 13:14:33,748 INFO    EpoState                             == End of policy enforcement ==

            2015-05-07 13:14:33,748 INFO    StatusService                        Policy enforcement has completed

            • 3. Re: Programmatically tell if a drive is encrypted
              jhall2

              It seems possible the PBFS UEFI partition was not removed prior to reimaging the system. This issue is outlined in KB81759.

              • 4. Re: Programmatically tell if a drive is encrypted
                mbouchard71

                Thanks for the reply, but looking at the KB article the system is showing as active in EPO while the system I was looking at is showing as inactive in EPO and locally (edit meant to add, we clean the drives when we reimage systems).  Even though it appears that the drive is encrypted (prompted to log into PBFS).

                The only place that is showing as active is in the registry.  On top of this, before we went ahead and reimaged the system, we deployed 7.1.1 (had 7.0.2 installed).  Once 7.1.1 was installed the system started reporting correctly.  I have 2 others I am working on so far and both have the same behavior: inactive in EPO and locally but active in registry.

                 

                I can easily deploy 7.1.1 to the others but would like to understand why this is happening.