2 Replies Latest reply on Nov 10, 2016 10:22 AM by ph1llies05

    Standalone offline Encryption 7.1.3

    ph1llies05

      Hi everyone,

      I have a question concerning the offline encryption process for standalone machines that will have NO connectivity to ePO.  I followed the instructions outlined in https://community.mcafee.com/community/business/data/epoenc/blog/2012/12/19/offline-activation-for-endpoint-encryption-for-pc-v7-eepc--steps (offline encryption process) and was able to encrypt my standalone machine.  I have a question concerning the McAfee password options, which appear to require the user to change the password every 30 days even though Windows local policy is set for every 90 days.  Is there a way to update the offline encryption EpeOaGenxml file to make McAfee use the Windows local policy password settings?

      I tried updating the encryption user-based policies before exporting the policy file from the ePO server, but when I run the EpeOaGenxml application, the XML file that gets generated still shows the default password is set to 30 days.  I tried manually changing this to something else before running the offline activation, but it doesn't appear to change anything.

      I also looked at the offline encryption FAQ and it doesn't state that the password settings can be updated, so I'm at a loss.  Has anyone had any success using the offline encryption?

      EEPC v7.0 FAQ - Offline Activation

        • 1. Re: Standalone offline Encryption 7.1.3
          jhall2

          The policy in ePO is exported to capture the ePO public key which is contained in the policy. This is used to encrypt the recovery information that can be generated upon activating MDE using the offline activation exe.

          All policy options are set using command line switches on the EpeOaGenXml.exe. There is not an option to change the number of days from 30. Please submit an Idea to the Idea Forum to request this functionality be added:

          Intel Security Ideas Forum

          Below are the options that can be set. These can be seen by running the --help switch on EpeOaGenXml.exe.

          EpeOaGenXml.exe --help
          Copyright (C) 2012-2013 McAfee, Inc.  All Rights Reserved.
          Offline Activation:

          Info:
            --help                Display help message
            -v [ --version ]      Display version
            -p [ --platform ] arg Select target platform:
                                  - PC (default)
                                  - MAC

          Policy Configuration Options:
            --BackupMachineKey arg Enable backup of encrypted machine key <true>
            --Recovery arg        Valid path to recovery file <C:\EERecovery.xml>
            --TempAutoboot arg    Enable temporary autoboot <false>
            --Autoboot arg        Enable autoboot <false>
            --DontDisplayUser arg  Do not display the previous username <false>
            --OpalPbfsSize arg    Set PBFS size (MB) for Opal drives <50>
            --RequirePwdChange arg Require user changes their password <true>
            --UserSelfRec arg      Enable User Self Recovery Enrollment <true>
            --UseScPin arg        Use smartcard PIN <false>

          PC only options:
            --Sso arg            Enable single sign-on <false>
            --BootMgr arg        Enable boot manager <false>
            --PbfsSize arg        Set PBFS size (MB) <50>
            --MatchUsername arg  Username must match Windows logon username <true>
            --PrebootUsb arg      Enable USB in preboot <true>
            --DisablePF arg      Disable power-fail recovery during initial encryption
                                  <false>
            --SkipUnused arg      Skip unused sectors during initial encryption <false>
                                  By using the SkipUnused feature you accept the risk
                                  that sensitive data present in sectors unused by the
                                  filesystem will not be protected.

          User Config File:
            --user-file arg      User file <name:token>
                                  Available Tokens...
                                  - Password
                                  - Gemalto
                                  - ActivID
                                  - PIV
                                  - CAC
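          Since every offline policy option is set through the switches listed by --help, the safest way to script an activation is to read that help output first and refuse any setting the tool does not actually document. The PowerShell below is an added example, not McAfee's code; it assumes EpeOaGenXml.exe is in the current directory, and the setting name PasswordExpiryDays is a hypothetical placeholder used only to show the rejection path.

```powershell
# Added example (not McAfee's code): parse "EpeOaGenXml.exe --help" and build an
# argument list, dropping any setting the tool does not document as a switch.
# Assumes EpeOaGenXml.exe is in the current directory.

function Get-EpeOaSwitches {
    param([string[]]$HelpLines)
    $switches = @{}
    $last = $null
    foreach ($line in $HelpLines) {
        # Option lines look like "  --RequirePwdChange arg Require user ... <true>"
        # or "  -v [ --version ]  Display version"; continuation lines start with "- ".
        if ($line -match '^\s*(?:-\w\s+\[\s*)?--([A-Za-z-]+)') {
            $last = $Matches[1]
            $switches[$last] = if ($line -match '<([^>]*)>\s*$') { $Matches[1] } else { $null }
        }
        elseif ($last -and $line -match '^\s*<([^>]*)>\s*$') {
            # Default wrapped onto its own line, as with --DisablePF in the help text.
            $switches[$last] = $Matches[1]
        }
    }
    return $switches
}

# Settings we intend to pass. Only names documented by --help are real switches;
# PasswordExpiryDays is a hypothetical placeholder and will be rejected below.
$desired = [ordered]@{
    Recovery           = 'C:\EERecovery.xml'
    RequirePwdChange   = 'true'
    MatchUsername      = 'true'
    SkipUnused         = 'false'   # keep unused sectors encrypted
    PasswordExpiryDays = '90'      # hypothetical; no such switch exists
}

$help  = & .\EpeOaGenXml.exe --help 2>&1 | ForEach-Object { "$_" }
$known = Get-EpeOaSwitches -HelpLines $help

$argList = @()
foreach ($entry in $desired.GetEnumerator()) {
    if (-not $known.ContainsKey($entry.Key)) {
        Write-Warning "EpeOaGenXml.exe has no --$($entry.Key) switch; it cannot be set offline."
        continue
    }
    if ($known[$entry.Key] -eq $entry.Value) {
        Write-Host "--$($entry.Key) already defaults to <$($entry.Value)>"
    }
    $argList += "--$($entry.Key)", $entry.Value
}
$argList += '--user-file', 'jsmith:Password'   # constructed name:token pair
Write-Host "Would run: EpeOaGenXml.exe $($argList -join ' ')"
# & .\EpeOaGenXml.exe @argList   # uncomment to generate the activation XML
```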

          • 2. Re: Standalone offline Encryption 7.1.3
            ph1llies05

            Thanks for the update. I was aware of the options under EpeOAGENXML.  Was hoping that there was some way to update or remove the McAfee password policies prior to activation.  Thanks