Release Notes McAfee Drive Encryption 7.1.1 HF1005393 About

Release Notes
McAfee Drive Encryption 7.1.1 HF1005393
Contents
About this release
New Features
Resolved issues
Installation instructions
Known issues
Additional information
Find product documentation
About this release
This document contains important information about the current release. We strongly recommend
that you read the entire document.
Important
When installing a new version of a product, upgrading an existing product or performing any
complex changes to the environment, always ensure that a copy of the ePO Database is taken
for DR purposes. For more information on the backup process see KB66616 “ePO server backup
and disaster recovery procedure”.
Important
We do not support the automatic upgrade of a pre-release software version. To upgrade to a
production release of the software, you must first uninstall the existing version.
Release build – 7.1.1.470
This release was developed for use with:
Note
•
McAfee® ePolicy Orchestrator 4.6.7 and 4.6.8
•
McAfee® ePolicy Orchestrator 5.1 and 5.1.1
The UEFI binaries shipped with this release show the version number 7.1.1.466.
Purpose
This release of McAfee® Drive Encryption (DE) introduces new features and fixes issues that were
reported in the previous versions.
Rating
High Priority – McAfee considers this release to be high priority for supported Windows versions.
Failure to apply a high Priority update may result in potential business impact.
Read this before upgrading
Upgrade from EEPC 6.x.x
Customers using EEPC 6.1.2 or later only need to upgrade the extensions to either EEPC 7.0 Patch 2
or Patch 3 before initiating the upgrade process to DE 7.1 Patch 1. These clients can then be
upgraded directly from EEPC 6.1.2 or later to DE 7.1 Patch 1. Once the extension has been checked
in, follow the steps detailed in the Product Guide.
1
Before upgrading EEPC 6.1.x or 6.2.x clients to DE 7.1 Patch 1, McAfee strongly recommends that
you review KB81522.
Upgrade from EEPC 7.0 RTW or 7.0 Patch 1
Customers using EEPC 7.0 RTW or EEPC 7.0 Patch 1 only need to upgrade the extensions to either
EEPC 7.0 Patch 2 or Patch 3 before initiating the upgrade process to DE 7.1.1 HF1005393. These
clients can then be upgraded directly from EEPC 7.0.x to DE 7.1.1 HF1005393. Once the extension
has been checked in, follow the steps detailed in the Product Guide.
Upgrade from EEPC 7.0 Patch 2 or Patch 3
Perform these tasks to upgrade from EEPC 7.0 Patch 2 or Patch 3 to Drive Encryption 7.1.1
HF1005393:
1. Upgrade the EEPC 7.0 Patch 2 or Patch 3 EEAdmin extension to EEPC 7.0 Patch 4, which is
included in the DE 7.1.1 HF1005393 Package.
2. Follow the remaining upgrade steps in the Product Guide, which remain the same.
New Features
The following is a description of the new features introduced in 7.1.1 HF1005393.
•
Changes to preboot screen scaling
•
Allow Safesign smartcard users to change PIN in preboot
•
Improved support for AMT 9 chipsets.
Important
A complete reference of the new features introduced in Drive Encryption 7.1 Patch 1 is available
in the knowledgebase article McAfee Drive Encryption 7.1.1 – New features KB81901.
Resolved issues
These issues are resolved in this release of the product. For a list of issues fixed in earlier releases,
see the Release Notes for the specific release. This release includes all the fixes from previous
releases.
•
When using the Challenge Response functionality within ePO the error message “Unknown
Error” may be displayed. This has now been addressed. (Reference: 955755).
•
Using Opal based encryption the error message “0xEE7F001 Failed to connect” may be
displayed at preboot. This has now been addressed. (Reference 978458, 981152).
•
When using DEOpalTech to recover a machine the option to display Disk Information may
result in the machine rebooting. This has now been addressed. (Reference: 978555,
988823).
•
With McAfee Disk Encryption active a machine may not transition into Sleep mode correctly.
This has now been addressed. (Reference: 983564, 990465, 988843)
•
The ePO services do not shutdown as expected with McAfee Drive Encryption installed. This
has now been addressed. (Reference: 1005524).
2
With McAfee Drive Encryption active on a Fujitsu Q584 the machine may not complete a
successful boot into Windows. This has now been addressed. (Reference: 990018).
•
Installation instructions
For information about installing or upgrading McAfee Endpoint Encryption for PC, see McAfee Drive
Encryption 7.1 Product Guide - PD24867.
Requirements
Make sure that your system meets these requirements before installing the software.
Systems
Requirements
McAfee ePolicy
Orchestrator (ePO) server
systems
•
See the product documentation for your version of McAfee
ePO.
McAfee Agent
•
McAfee Agent for Windows 4.6 and later versions.
o Note Windows 8 support requires McAfee Agent 4.6.1
or above.
o Note Windows 8.1 and 8.1 Update support requires
McAfee Agent 4.8 Patch 1 or above.
Client systems for EEPC
•
•
•
CPU: Pentium III 1GHz or higher
RAM: 1 GB minimum (2 GB recommended)
Hard Disk: 200 MB minimum free disk space
o For more requirements on Intel® AMT Systems see the
product documentation for ePO Deep Command
product.
Software requirements
Software
Requirements
McAfee management
software
McAfee® ePolicy Orchestrator 4.6.7
McAfee® ePolicy Orchestrator 4.6.8
McAfee® ePolicy Orchestrator 5.1
McAfee® ePolicy Orchestrator 5.1.1
For the latest information regarding supported environments please consult
Supported Environments for Drive Encryption 7.1 KB79422.
Operating system requirements
Systems
Client
Software
For the latest information regarding supported environments please consult
Supported Environments for Drive Encryption 7.1.x KB79422.
3
Systems
Software
systems
Support for the following Operating systems is available in this release:
•
Windows 8.1 (32- and 64-bit)
Note
•
Drive Encryption 7.1 supports Windows 8.1 in UEFI boot mode only
on Windows 8 logo certified hardware.
Windows 8.1 Update (32- and 64-bit)
Note
Drive Encryption 7.1 supports Windows 8.1 Update in UEFI boot
mode only on Windows 8 logo certified hardware.
4
Known issues
For a list of known issues in this product release, refer to McAfee KnowledgeBase article KB81902.
Additional information
Product documentation
This release of DE 7.1 Patch 1 includes the following documentation set.
Standard product documentation
McAfee documentation provides the information you need during each phase of product
implementation, from installing a new product to maintaining existing ones. This release of DE 7.1
Patch 1 includes the following documents:
•
McAfee Drive Encryption 7.1.1 HF1005393 Release Notes (this document)
•
McAfee Drive Encryption 7.1 DETech User Guide (Rev B, EN-US only)
Knowledgebase articles
•
FAQs for Drive Encryption 7.1.x: KB79784
•
Drive Encryption 7.1.x Error Codes and Messages: KB79785
•
Supported Environments for Drive Encryption 7.1.x: KB79422
•
Opal-based disk drive support: KB75045
•
How to access Windows Safe Mode when Drive Encryption or Endpoint Encryption is installed:
KB73714
•
How do the recovery tools for Windows 8 interact with EEPC: KB76638
•
Note
Windows Recovery Console (F8 recovery) is not available on Samsung Slate 700T
tablets because technical issues prevent F8 recovery from working on this platform in
EEPC 7.x.
Note
For general information about the recovery tools available with McAfee EEPC 7.x
please refer to the FAQs for Drive Encryption 7.1 KB79784
Tablet Support for Endpoint Encryption for PC 6.2 Patch 1 and later: KB78049
Supported tokens and readers
McAfee Endpoint Encryption for PC supports different logon tokens and token readers. The token
type associated with a user or a group can be modified using McAfee ePO. For details on modifying
tokens, see the McAfee Drive Encryption 7.1 Product Guide.
KnowledgeBase articles for tokens and readers in DE 7.1.x
For more information about supported tokens and readers, refer to these KnowledgeBase articles:
•
Supported Tokens for authentication in Drive Encryption 7.1 KB79787
•
Supported Readers for authentication in Drive Encryption 7.1 KB79788
Support for self-encrypting Opal-based disk drive
Drive Encryption 7.1 Patch 1 provides support for self-encrypting Opal-based disk drives on UEFI
and BIOS.
5
UEFI
Opal-based self-encrypting disk drives will be supported on UEFI systems where the system is
Windows 8 logo compliant and if the system was shipped from the manufacturer fitted with an Opal
self-encrypting drive.
Opal-based self-encrypting disk drives might not be supported on UEFI systems if the system is not
Windows 8 logo compliant, or if the system did not ship from the manufacturer fitted with an Opal
self-encrypting drive.
This is because a UEFI security protocol that is required for Opal management is only mandatory on
Windows 8 logo compliant systems where an Opal-based self-encrypting disk drive is fitted at the
time of shipping. Those shipped without self-encrypting drives might or might not include the
security protocol. Without the security protocol, Opal management is not possible.
Note
Drive Encryption 7.1.1 HF1005393 will support the Opal-based encryption provider on
UEFI systems fitted with an Opal-based disk drive if the UEFI protocol
EFI_STORAGE_SECURITY_COMMAND_PROTOCOL is present on the system.
BIOS
Opal is supported for Opal-based disk drives under BIOS. To activate a system using the native Opal
functionality, Windows 7 SP1 Operating system and above is required. On systems with Opal-based
disk drives where the Operating System is Windows 7 RTW or below, PC software encryption will be
used.
Note
By default, software encryption will be used on both Opal and non-Opal based
systems in Drive Encryption 7.1.1 HF1005393.
To make sure that Opal technology is chosen in preference to software encryption, we
recommend you always set Opal as the default encryption provider by moving it to
the top of the list on the Encryption Providers page. This makes sure that Opal
locking is used on Opal-based disk drives. For more information about Opal, refer to
the FAQs available in KB76591.
Reimaging Opal drives
When an Opal system (activated using the Opal encryption provider) is reimaged and restarted
without first removing Endpoint Encryption, the user is locked out of the system. This happens
because:
•
The Pre-Boot is held off the disk and it is still active when the system is restarted.
•
The Pre-Boot File System is destroyed during the imaging process.
Note
On BIOS systems, IDE and RAID modes are not supported with Opal. For more
information regarding Opal support, please review the KnowledgeBase article
KB75045. Opal activation might occasionally fail because the Microsoft
defragmentation API used fails to defragment the host. For this to happen, the
activation will restart at the next Agent-Server Communication Interval (ASCI).
Before installing Drive Encryption 7.1.x
Make sure that you read this section completely and take the following precautions before installing
Drive Encryption 7.1 on the client.
Hardware Disk hardware failure during Encryption
We recommend running a CHKDSK /r prior to installing EEPC to make sure the hard disk is in a
healthy state. If the Hard Disk is damaged or has a high number of undiscovered bad sectors, the
disk could fail during the full disk encryption process.
In addition, we recommend using Drive Encryption GO to discover potential issues prior to
installation. For more information, see KB72777.
6
Dynamic and RAID disks in Windows
Endpoint Encryption works at sector level, consequently it does not support software-based dynamic
disks and software based RAID.
Hardware RAID – Endpoint Encryption is untested in this mode, but may work properly in a situation
where pure Hardware RAID has been implemented. However, Drive Encryption can’t support
diagnostic or disaster recovery in this situation.
General Notes
•
Users upgrading from EEPC 6.x should be aware that a new default theme is shipped as
part of the Drive Encryption 7.1 releases. If you are using customized themes with EEPC
6.x, then recreate your custom themes from the Drive Encryption default theme after the
upgrade. This will make sure that the correct user interface is displayed and the correct
audio is heard. Failure to do so will continue to display the EEPC 6.x user interface and use
the EEPC 6.x audio. Those users who wish to deploy the new default theme to all their
existing endpoints or have their own custom theme should follow these steps to make sure
they are using the correct theme during PBA.
1. Create a Theme Deployment task and assign it to all of your endpoints.
2. Make sure that you have the desired theme selected in the Theme section of the
Product Policy, that is, McAfee Default or your own custom theme based on the Drive
Encryption 7.1 default theme.
3. After upgrading an endpoint, allow the Theme Deployment and Policy Enforcement
tasks to complete before restarting the system.
Note
The size limit of the PNG file that can be uploaded is 2.5 MB.
•
If you are using Policy Assignment Rules to assign specific Endpoint Encryption User-Based
Policies (UBP) to users, see the Drive Encryption 7.1 Product Guide to learn how to
configure these users to continue to use Policy Assignment Rules in Drive Encryption 7.1.1
HF1005393. This must be done prior to deploying the Endpoint Encryption (EE) Agent/PC to
the clients. Failing to configure users correctly will result in users returning to the default
User Based Policy assigned at system level.
•
If you are using the autoboot feature in EEPC 5.x.x, please be advised that at least one
EEPC user must be assigned to each client system to be upgraded to Drive Encryption 7.1
Patch 1 successfully.
Note
In Drive Encryption 7.1.1 HF1005393, the autoboot feature no longer requires the use
$autoboot$, therefore do not create this use as a valid user in Active Directory. In the
context of the bullet above, one EEPC user refers to a valid Active Directory user.
•
On upgrading from EEPC 6.x and EEPC 7.0.x to Drive Encryption 7.1.1 HF1005393, the
EEPC MBR is backed up to the McAfee ePO server. To avoid overloading the server, we
recommend that you roll out the upgrade in batches of around 5000 systems.
•
Out-of-band user management does not work when the action is performed on the client
system at PBA through CIRA.
•
RemoveDE is not supported in the UEFI version of the standalone DETech for Opal. The
users should use the WinPE version of DETech if they wish to remove DE on a UEFI system.
The reason for this is that the Opal removal process is highly complex on a UEFI system
and is technically challenging to put in a standalone version of DETech.
•
The built in track pad/mouse pad/touch interface may not work in Pre-Boot on UEFI booting
systems. The reason for this is that OEM might not bundle a suitable UEFI driver for the
device in the firmware. The track pad/mouse pad requires the UEFI Simple Pointer Protocol
and the touch interface requires the Absolute Pointer Protocol to work correctly.
•
With HIPS 7.0 Patch 1, HIPS Security content 8.0.0.4611 is required for successful DE
installation on the client. EEPC installation will fail if this security content is not updated on
the client.
7
Find product documentation
McAfee provides the information you need during each phase of product implementation, from
installation to daily use and troubleshooting. After a product is released, information about the
product is entered into the McAfee online KnowledgeBase.
Task
1
Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2
Under Self Service, access the type of information you need:
To access...
Do this...
User documentation
1 Click Product Documentation.
2 Select a product, then select a version
3 Select a product document
KnowledgeBase
• Click Search the KnowledgeBase for answers to your product questions.
• Click Browse the KnowledgeBase for articles listed by product and version.
Copyright © 2014 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.
8