Endpoint Upgrade Assistant 1.5.0 Product Guide

Product Guide
McAfee Endpoint Upgrade Assistant 1.5.0
COPYRIGHT
Copyright © 2017 McAfee, LLC
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
2
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Contents
1
2
3
4
Overview of Endpoint Upgrade Assistant
5
Overview of Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . . . . . . .
Key features of Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . . . . . .
5
6
How Endpoint Upgrade Assistant works . . . . . . . . . . . . . . . . . . . . . . . . . .
7
Preparing to upgrade
9
Best practices before you upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . .
McAfee product requirements for upgrades . . . . . . . . . . . . . . . . . . . . . . . .
Planning your deployment options . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Setting up your test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . .
High-level workflow for upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . .
How to use Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . . . . . . . .
9
10
11
12
13
14
Upgrading with McAfee ePO
17
Deployment options using McAfee ePO tasks . . . . . . . . . . . . . . . . . . . . . . . .
What happens during upgrades . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Workflow for upgrading with McAfee ePO . . . . . . . . . . . . . . . . . . . . . . . . .
Create a deployment task in Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . .
Create a deployment task in McAfee ePO . . . . . . . . . . . . . . . . . . . . . . . . . .
Supported command-line options for upgrades . . . . . . . . . . . . . . . . . . . .
17
17
17
18
19
20
Upgrading with other solutions
23
Using Package Creator to create custom product installers .
Workflow for upgrading with third-party tools . . . . .
Create product installers with Package Creator . . . . .
Download the McAfee Agent frame file . . . . .
5
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. .
. . 23
. . . 24
. .
25
. .
26
Best practices and troubleshooting
27
Best practices for managing upgrade information . . . . . . . . . . . . . . . . . . . . . .
Export system and product information . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting blocked endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . .
Refresh the McAfee ePO database . . . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting installation and uninstallation issues . . . . . . . . . . . . . . . . . . . . .
Remove files after a failed installation . . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting issues with Endpoint Upgrade Assistant . . . . . . . . . . . . . . . . . . . .
Troubleshoot issues with Upgrade Automation . . . . . . . . . . . . . . . . . . . . . . .
Troubleshooting issues related to Package Creator . . . . . . . . . . . . . . . . . . . . . .
Increase package size limit in McAfee ePO . . . . . . . . . . . . . . . . . . . . . .
Reporting an issue to McAfee Support . . . . . . . . . . . . . . . . . . . . . . . . . . .
27
28
28
28
29
29
30
30
33
33
34
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
3
Contents
4
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
1
Overview of Endpoint Upgrade Assistant
Contents
Overview of Endpoint Upgrade Assistant
Key features of Endpoint Upgrade Assistant
How Endpoint Upgrade Assistant works
Overview of Endpoint Upgrade Assistant
®
®
®
®
™
McAfee Endpoint Upgrade Assistant is a McAfee ePolicy Orchestrator (McAfee ePO ) tool that analyzes the
endpoints in your McAfee ePO environment, detects the supported McAfee products that are installed, and
determines the minimum requirements for upgrading to McAfee Endpoint Security.
®
Bundled with Endpoint Upgrade Assistant is Upgrade Automation, which can be deployed to endpoints, to
manage an upgrade process.
With information from Endpoint Upgrade Assistant, administrators can plan and implement product upgrades
throughout their environment efficiently. Endpoint Upgrade Assistant does not alter the McAfee ePO
environment. It collects and analyzes the data about an environment, then provides tools to assist with
upgrading the environment to Endpoint Security.
In contrast, Upgrade Automation does modify the environment. It removes legacy products and installs
Endpoint Security.
Product components
Endpoint Upgrade Assistant includes these McAfee ePO components:
•
Extension — Install on the McAfee ePO server. Provides the features for analyzing, preparing, and tracking
McAfee product upgrades for your environment. Make sure that your endpoints are running ePolicy
Orchestrator 5.1.2 or later.
•
Client package (Upgrade Automation) — Deploy to managed endpoints. Provides ability to remove legacy
products, upgrade McAfee Agent, upgrade incompatible versions of McAfee Data Loss Prevention (McAfee
DLP), and install Endpoint Security.
McAfee Endpoint Upgrade Assistant 1.5.0
®
®
Product Guide
5
1
Overview of Endpoint Upgrade Assistant
Key features of Endpoint Upgrade Assistant
Key features of Endpoint Upgrade Assistant
Endpoint Upgrade Assistant simplifies and automates the tasks required to upgrade McAfee products in McAfee
ePO environments. Its features minimize the number of upgrade tasks and ensure product interoperability. It
also provides information to assist with upgrading the Windows operating system.
Automatic upgrades using Upgrade Automation
Upgrade Automation is a McAfee ePO client package that works with Endpoint Upgrade Assistant to upgrade
multiple products on multiple endpoints to McAfee Endpoint Security, using a single McAfee ePO product
deployment task.
Upgrade Automation removes and replaces these legacy products:
This product (if installed)
Is replaced with
McAfee VirusScan Enterprise
Endpoint Security Threat Prevention
McAfee SiteAdvisor Enterprise
Endpoint Security Web Control
McAfee Host Intrusion Prevention (McAfee
Host IPS)
Endpoint Security Firewall (Optional. You can choose to keep
McAfee Host IPS instead of installing Firewall.)
®
®
®
®
®
Upgrade Automation also upgrades these products to compatible versions:
•
McAfee Agent 5.0.5 or later
•
McAfee Data Loss Prevention version 9.3 Patch 6
Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts in
server environments. Upgrade Automation doesn't restart endpoints after deployment.
Tagging
Endpoint Upgrade Assistant uses McAfee ePO tags to identify servers and workstations that require specific
product upgrades. View these tags in the Tag Catalog under a group called Endpoint Upgrade Assistant Tags.
You can create a single tag for all the endpoints eligible for automatic upgrades using Upgrade Automation.
When you create a deployment task in McAfee ePO, select one of the tags you've created with Endpoint
Upgrade Assistant. All the tagged endpoints are upgraded when the deployment task runs.
Deployment options
You can automatically upgrade Endpoint Security in your environment with a single McAfee ePO deployment
task. Create a deployment task in three ways:
•
In Endpoint Upgrade Assistant — Create a deployment task on the Deploy & Track tab.
•
In McAfee ePO:
•
Create a deployment task on the Product Deployment page.
•
Create a client McAfee Agent deployment task.
Package Creator and support for third-party deployment solutions
Endpoint Upgrade Assistant Package Creator is a tool that lets system administrators create custom installers
for upgrading McAfee products. The product installer can be an application for deployment with third-party
solutions or a package for deployment with McAfee ePO.
6
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Overview of Endpoint Upgrade Assistant
How Endpoint Upgrade Assistant works
1
Package Creator includes these components:
•
Package Creator — Provides features to select products and configure settings for custom product
installers.
•
Client package (Upgrade Automation) — Deploys to managed endpoints with the custom product installer.
How Endpoint Upgrade Assistant works
Endpoint Upgrade Assistant analyzes your environment, then displays the information you need to upgrade
your environment automatically with minimal impact on endpoints.
Best practice: Deploy upgrades in a test environment or to a test group, then verify the results before deploying
upgrades to the larger environment.
Three tabs guide you through all the tasks required to upgrade.
1
Specify what to upgrade — Select the version of Endpoint Security and the System Tree groups.
2
Analyze your environment — Discover endpoints that require upgrades and endpoints that can't be
analyzed.
3
View the steps required for upgrading your environment — Identify which endpoints can use Upgrade
Automation and which require manual upgrades.
Re-analyze your environment after completing manual upgrades to identify additional endpoints for
Upgrade Automation.
4
Check in and install the required software to the McAfee ePO server — This makes it available for
deployment tasks using Software Manager.
5
Tag endpoints to upgrade — Create one tag for all the endpoints that are eligible for Upgrade Automation.
This enables Upgrade Automation to deploy upgrades to all the endpoints with a single deployment task.
You can also tag endpoints that require manual upgrades.
6
Deploy Upgrade Automation — Use one of these methods to upgrade to Endpoint Security:
•
On the Deploy & Track tab — Click Create Deployment Task.
•
From McAfee ePO — Create a product deployment task or client McAfee Agent deployment task.
•
From Package Creator — Create a custom installer, then deploy it using your preferred third-party tools
or McAfee ePO.
See also
Setting up your test environment on page 12
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
7
1
Overview of Endpoint Upgrade Assistant
How Endpoint Upgrade Assistant works
8
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
2
Preparing to upgrade
Contents
Best practices before you upgrade
McAfee product requirements for upgrades
Planning your deployment options
Setting up your test environment
High-level workflow for upgrades
How to use Endpoint Upgrade Assistant
Best practices before you upgrade
To streamline the upgrade process, follow these best practices before upgrading.
•
Set up a test environment — Select a subset of your System Tree to upgrade as a test.
Upgrading in a test environment allows you to verify that endpoints upgrade as expected, and make
changes as needed, before deploying upgrades to all endpoints.
•
Disable features that detect and reinstall uninstalled products — If you have set up applications or
processes to detect when programs are uninstalled and reinstall them automatically, be sure to disable this
functionality.
Upgrade Automation can uninstall legacy products during the upgrade process. Make sure your endpoint
doesn't reinstall them before the tool installs upgraded products.
•
Install Endpoint Upgrade Assistant — Endpoint Upgrade Assistant is a self-contained McAfee ePO
extension that you install on the McAfee ePO server.
Endpoint Upgrade Assistant also checks in the Endpoint Upgrade Automation client package to all branches
of McAfee ePO. This lets you deploy from any branch.
•
Deploy the Upgrade Automation client package — Deploy to endpoints in your environment to enable
Upgrade Automation features.
•
Check that endpoints meet requirements for analysis — Endpoint Upgrade Assistant analyzes endpoints
managed with McAfee Agent. If your environment includes endpoints that don't meet the requirements,
such as management by McAfee Agent, Endpoint Upgrade Assistant can't analyze them and reports them as
Blocked from Upgrades.
•
Prepare for migration if you want to preserve settings for legacy products — To preserve custom
settings for legacy products, you need to migrate those settings on the McAfee ePO server during the
upgrade process. To prepare for migration:
•
Review your custom policy settings and client tasks, consolidating them where possible. Remove
duplicate and unused policies and tasks.
•
Install the Endpoint Migration Assistant extension.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
9
2
Preparing to upgrade
McAfee product requirements for upgrades
See the McAfee Endpoint Security Migration Guide for more information.
•
Prepare for deployment with third-party solutions, if applicable — If you plan to deploy with third-party
solutions, download the Package Creator tool from Software Manager to the system where you plan to run
it.
See also
Troubleshooting blocked endpoints on page 28
Setting up your test environment on page 12
McAfee product requirements for upgrades
Upgrade Automation requires that compatible McAfee products are installed on endpoints you plan to upgrade
and that all required packages are checked in. When you upgrade to Endpoint Security, some product modules
are required and some are optional.
Supported McAfee products
Endpoint Upgrade Automation can upgrade endpoints to Endpoint Security if they have any combination of the
following products:
•
VirusScan Enterprise, version 8.8 (all patches)
•
McAfee Host IPS, version 8 (all patches)
•
SiteAdvisor Enterprise, version 3.5 and later
•
McAfee Agent, version 4.8.x and later
•
McAfee Threat Intelligence Exchange (TIE) for VirusScan Enterprise, version 1.x and later
•
McAfee DLP, versions 9.3.500.22 and earlier
®
Upgrade Automation can coexist on the endpoint with these products, but does not alter them:
•
McAfee Access and Change Control, version 6.1.2.440-6.1.3.0, 6.1.3.440-6.1.4.0, or 6.2.0.504 and later
•
McAfee Data Exchange Layer (DXL), version 2.0.1.162 and later
•
McAfee DLP, version 9.3.500.23 and later
•
McAfee Drive Encryption, version 7.1.1 and later
•
McAfee File and Removable Media Protection (FRP), version 4.3.1.153 and later
•
McAfee Native Encryption
®
®
®
Checking in McAfee products
When you install the Endpoint Upgrade Assistant extension, the package is checked in to all McAfee ePO
branches: Current, Evaluation, and Previous. This lets you deploy automatic upgrades from any branch.
For Endpoint Upgrade Assistant to run successfully, you must check in these packages to the same McAfee ePO
branch where you plan to deploy Endpoint Upgrade Assistant:
•
McAfee Agent, version 5.0.5 or later
•
Endpoint Security, version 10.2.1, 10.2.2, 10.5.1, 10.5.2, or 10.5.3
Upgrade Automation can also upgrade incompatible versions of McAfee DLP to version 9.3 patch 6, which is
compatible with Endpoint Security versions 10.x. To upgrade McAfee DLP, you must check in its client software
to the same McAfee ePO branch where you plan to deploy Endpoint Upgrade Assistant.
10
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Preparing to upgrade
Planning your deployment options
2
Endpoint Security modules
Endpoint Security has three main product modules:
•
Threat Prevention (Required)
•
Firewall
•
Web Control
All modules are selected to install, by default. You can specify not to install optional modules. Threat Prevention
is required (and the Common module is silently installed with it).
Endpoint Upgrade Assistant installs the products that you have checked in to McAfee ePO. If you do not select
any modules to install or check them in to McAfee ePO, the Upgrade Automation deployment task fails.
Planning your deployment options
Endpoint Upgrade Assistant lets you customize upgrades by specifying options for the upgrade workflow when
you create the package file and deployment task. Before upgrading, you should decide which options you want
to use.
Specify these options in different ways, depending on your deployment method.
Keeping compatible versions of McAfee Agent
When McAfee Agent version 5.0.2.333 or later is installed on an endpoint where you plan to upgrade Endpoint
Security, upgrading McAfee Agent is optional. You can choose not to upgrade McAfee Agent when you create
the deployment task.
When you specify this option and a compatible version of McAfee Agent is present on the endpoint, the McAfee
Agent installation package isn't downloaded and the McAfee Agent isn't upgraded.
If all the endpoints you plan to upgrade have versions of McAfee Agent that are compatible with Endpoint
Security, it is not necessary to check in McAfee Agent version 5.0.5 to the McAfee ePO branch. However, if an
incompatible version of McAfee Agent is installed on any endpoint, the deployment task attempts to download
the version of McAfee Agent that is checked in. In these cases:
•
If version 5.0.5 or later is checked in — Upgrade Automation upgrades McAfee Agent and installs Endpoint
Security.
•
If version 5.0.5 or later is not checked in — Upgrade Automation fails on the endpoints that have an
incompatible version of McAfee Agent.
This option is available on the Overview tab in Endpoint Upgrade Assistant or as a command-line option in
McAfee ePO. It is also available in Package Creator.
Keeping compatible versions of Host Intrusion Prevention
By default, Endpoint Upgrade Assistant removes McAfee Host IPS version 8.x, when it is installed on an
endpoint you are upgrading, and replaces it with Endpoint Security. However, you can choose not to upgrade
this product when you create the deployment task.
These versions of McAfee Host IPS can co-exist with Endpoint Security on the same endpoint:
•
Version 8 Patch 5-7 with Hotfix 1153407
•
Version 8 Patch 8
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
11
2
Preparing to upgrade
Setting up your test environment
When they co-exist, you can enable the Host Intrusion Prevention and Firewall functionality in either Endpoint
Security or McAfee Host IPS. When these functions are enabled in McAfee Host IPS, they are disabled in
Endpoint Security, even when enabled by policy.
When you specify this option and a compatible version of McAfee Host IPS is present on the endpoint, the
McAfee Host IPS installation package isn't downloaded and McAfee Host IPS isn't upgraded.
This option is available on the Overview tab in Endpoint Upgrade Assistant or as a command-line option in
McAfee ePO. It is also available in Package Creator.
Forcing removal of McAfee product files
Normally, Endpoint Upgrade Assistant removes only detected products during deployment, but you can force it
to remove undetected McAfee products. This option forces Endpoint Upgrade Assistant to remove any version
of VirusScan Enterprise, McAfee Host IPS, McAfee DLP, or Endpoint Security, regardless of whether they were
ever installed on the endpoint.
This option overrides the options to keep compatible versions of Host Intrusion Prevention and McAfee Agent.
If McAfee DLP is installed during deployment, it is not reinstalled.
After forced product removal, McAfee Agent is upgraded. Then you need to restart the endpoint before the rest
of the products are upgraded. Until you restart the endpoint, the endpoint does not have any functional
security software installed.
Forced removal resolves issues with failed installations. Don't use this option when upgrading from one version
of Endpoint Security to another.
Best practice: Use this option when deploying to endpoints where Endpoint Security installations have failed
because previous versions of McAfee products were not removed completely and some files remain on the
endpoint.
This option is available as a command-line option in McAfee ePO. It is also available in Package Creator.
Reporting in System Custom Property fields
Endpoint Upgrade Assistant provides the ability to monitor some endpoint events during deployment by using
command-line options. This allows you to know when specific events occur and respond to them, if needed. For
example, you can check when it's time to restart the endpoint after a forced product removal or after upgrading
McAfee DLP.
Events are reported in one of the four Custom fields that appear on the System Properties tab of the McAfee ePO
System Details page.
This option is available as a command-line option in McAfee ePO.
See also
Supported command-line options for upgrades on page 20
Setting up your test environment
Use a test environment to upgrade a subset of endpoints in preparation for performing a controlled rollout of
Endpoint Upgrade Automation package across your environment.
Upgrade Automation ensures that endpoints do not end up in an unsuitable state. However, upgrades for
multiple products, groups, and endpoint types involve many components, and you might not always anticipate
all the results correctly. It's important to test upgrades in test environments or small groups before upgrading
your entire environment.
12
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Preparing to upgrade
High-level workflow for upgrades
2
General guidelines
Review these best practices before setting up your test environment.
•
Do not include endpoints that are essential to your daily operations in your test environment.
•
Select endpoints that reflect the diversity of your environment. For example, include one endpoint from
each upgrade step.
•
•
Use the Overview tab to identify suitable endpoints by reviewing the software running on them.
•
Use the Prepare tab to ensure that the necessary software packages are available in the correct software
branch.
•
Use the Deploy & Track tab to identify the deployments performed using Endpoint Upgrade Assistant.
When selecting a test environment, make sure that you consider the following information to identify
representative endpoints:
•
McAfee product combinations and versions
•
Operating systems
•
Servers and workstations
Best practice: Test on a subset of servers before upgrading your entire server environment.
•
Validate the upgrade on servers and workstations.
Some endpoints might require a restart. You need to restart them manually; the Upgrade Automation
deployment task doesn't initiate a restart after all upgrades are complete.
High-level workflow for upgrades
Follow this workflow to upgrade your environment to Endpoint Security.
Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements.
See the McAfee Endpoint Security Installation Guide and McAfee ePolicy Orchestrator Product Guide for more
information about these tasks.
1
Prepare policies as needed.
2
On the Endpoint Upgrade Assistant landing page, analyze your environment.
3
On the Overview tab, view all products that require upgrades and determine which systems are suitable for
immediate, automatic upgrade.
If some systems are blocked from upgrading, you can manually upgrade them with required products, then
re-analyze your environment.
4
On the Prepare tab, verify that all required software is available (check in or download).
5
Manually update the content files required for Endpoint Security.
6
Migrate policies, client tasks, and other settings from supported legacy products on the McAfee ePO server.
(Required only when migrating legacy product settings.)
7
Configure policies as needed.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
13
2
Preparing to upgrade
How to use Endpoint Upgrade Assistant
8
Deploy or install the client software with default or custom settings.
Endpoint Upgrade Assistant provides multiple options for deploying with McAfee ePO tasks. You can also
use Package Creator to create custom installers for use with third-party deployment solutions.
Best practice: Restart the endpoints after Endpoint Upgrade Automation runs. Upgrade Automation doesn't
restart endpoints after deployment. You need to restart them manually, taking care to consider the effects of
restarts in server environments.
9
Verify that the upgrade completed successfully.
See also
Create a deployment task in Endpoint Upgrade Assistant on page 18
Create a deployment task in McAfee ePO on page 19
Create product installers with Package Creator on page 25
How to use Endpoint Upgrade Assistant
Upgrade tasks are grouped together on tabs that display the information you need to analyze, plan, upgrade,
and track deployments to your endpoints.
Launching Endpoint Upgrade Assistant
After installing the Endpoint Upgrade Assistant extension, double-click the product in the McAfee ePO Software
menu.
Analyzing your environment
On the landing page, select these options, then analyze your environment to find out what upgrades are
required:
•
Version of Endpoint Security to upgrade to.
•
Endpoints to analyze — Analyze the entire System Tree or a single group and its subgroups.
You can use the System Tree to select subsets of your environment for analysis, which might reduce the
time required to perform the analysis and provides flexibility when planning upgrades. The time required to
analyze your selection depends on the size of the McAfee ePO database and the number of endpoints
selected.
This option lets you select a subset of your environment for a test environment, so that you can deploy and
verify upgrades to non-critical endpoints before upgrading your entire environment.
Endpoint Upgrade Assistant analyzes the McAfee ePO database to determine what endpoint software is in your
environment and how that compares to the product versions recommended by McAfee.
Getting a visual overview of your environment
The top of each tab features a pie chart and table that summarize the number of systems in four categories:
14
•
Upgrade complete — Successfully upgraded to Endpoint Security.
•
Ready to upgrade — Ready to upgrade to Endpoint Security using Upgrade Automation.
•
Require product upgrades — Running incompatible versions of McAfee products that you need to upgrade
manually before running Upgrade Automation.
•
Blocked from upgrading — Can't be upgraded or analyzed by Endpoint Upgrade Assistant. A checkbox lets you
exclude systems that aren't managed by McAfee Agent from this overview.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Preparing to upgrade
How to use Endpoint Upgrade Assistant
2
Search, sort, filter, and validate Endpoint Upgrade Assistant results by downloading the information for each
category in comma-separated values (CSV) format. Use this information for purposes such as debugging,
identifying the endpoints required for upgrades, and resolving differences between the reported and expected
status of endpoints.
•
View Systems — Displays a page listing the corresponding systems that you can export.
•
Export System and Product Details — Creates a list of endpoints with their name, path, and type (server or
workstation). Adds the products and versions running on endpoints. This lets you sort by product to create a
listing of all endpoints running each version of each product (for example, outdated versions of McAfee
Agent).
Getting a detailed overview of your environment
After analysis is complete, use the Overview tab to identify systems that:
•
Are ready to upgrade to Endpoint Security automatically.
•
Have incompatible software installed — See the steps required to make them compatible for upgrades. You
can tag these systems, create deployment tasks to upgrade them, then re-analyze your environment to
determine whether they are ready to upgrade automatically.
•
Have issues that prevent Endpoint Upgrade Assistant from analyzing or upgrading them — Resolve these
issues, then re-analyze your environment.
The Overview tab provides details about:
•
Products and number of endpoints that require upgrades.
•
The minimum product versions required for upgrades.
•
KnowledgeBase articles with additional information about the products to be upgraded.
•
Current versions of products in your environment and number of endpoints where they are installed.
When McAfee Agent or McAfee Host Intrusion Prevention is installed on endpoints that you plan to upgrade,
these deployment options are available:
•
Do not remove versions of McAfee Agent that are compatible with McAfee Endpoint Security — When this option is
selected and a compatible version of McAfee Agent is installed, it won't be upgraded.
•
Do not remove McAfee Host Intrusion Prevention (do not use Endpoint Security Firewall) — When this option is selected
and a compatible version of McAfee Host Intrusion Prevention is installed, it won't be uninstalled and
Endpoint Security Firewall will not be enabled.
Preparing to upgrade
Use the Prepare tab to make sure the required software is available for automatic upgrades.
•
Endpoint Upgrade Assistant lists the software packages that you need to check in to Software Manager. It
shows what is currently checked in and what needs to be upgraded to meet the product versions
recommended by McAfee. Check in all packages to the same branch.
When you installed the Endpoint Upgrade Assistant extension, the Upgrade Automation client package was
checked in to all McAfee ePO branches. This lets you deploy Upgrade Automation from any branch.
•
After checking in the required software packages, click Refresh to confirm that your server is up to date.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
15
2
Preparing to upgrade
How to use Endpoint Upgrade Assistant
Use the information on this tab to identify:
•
Product client packages required for upgrades.
•
Product client packages currently checked in — You can view the Current, Evaluation, or Previous branch.
You must check in all packages to the same branch to use Upgrade Automation.
•
Product extensions required — If the products you're upgrading require a product extension, install those
on the McAfee ePO server manually.
Endpoint Upgrade Assistant checks for minimum requirement versions for all products except Endpoint
Security and McAfee DLP. It looks for specific versions of those products.
You can keep versions of McAfee Agent and McAfee Host IPS that are compatible with Endpoint Security during
deployment by selecting options when you create the deployment task.
Deploying and tracking upgrades in Endpoint Upgrade Assistant
Use the Deploy & Track tab to create deployment tasks for automatic upgrades and verify the status of scheduled
deployment tasks.
•
Click Create Deployment Task to configure and schedule an automatic upgrade.
•
Check the status of deployment tasks you have created — For deployment tasks that are running or
completed, view the status of the upgrade on each endpoint (Install Successful, Failed, or Pending).
See also
Best practices for managing upgrade information on page 27
Export system and product information on page 28
Troubleshooting blocked endpoints on page 28
16
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
3
Upgrading with McAfee ePO
Contents
Deployment options using McAfee ePO tasks
What happens during upgrades
Workflow for upgrading with McAfee ePO
Create a deployment task in Endpoint Upgrade Assistant
Create a deployment task in McAfee ePO
Deployment options using McAfee ePO tasks
You can deploy upgrades using Endpoint Upgrade Assistant or standard McAfee ePO deployment methods.
•
In Endpoint Upgrade Assistant — Create a deployment task on the Deploy & Track tab.
•
In McAfee ePO:
•
Create a deployment task on the Product Deployment page.
•
Create a client McAfee Agent deployment task.
What happens during upgrades
When you deploy the Upgrade Automation package to an endpoint, it performs all the tasks required to remove
existing versions of McAfee products and install new or upgraded versions.
1
Downloads McAfee Endpoint Security, McAfee Agent, and McAfee Data Loss Prevention (depending on
options selected when creating the deployment task) from McAfee ePO.
2
Copies legacy product policies locally on the endpoint.
3
Removes supported legacy products, verifies the removal, and performs cleanup, if required.
4
Upgrades the McAfee Agent (if selected) and installs Endpoint Security, which then applies the local policies.
5
Endpoint Security checks with McAfee ePO for new policies.
6
Upgrades McAfee Data Loss Prevention to version 9.3 patch 6 (if the current version is incompatible with
Endpoint Security).
Workflow for upgrading with McAfee ePO
Follow this workflow to upgrade endpoints using McAfee ePO.
Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
17
3
Upgrading with McAfee ePO
Create a deployment task in Endpoint Upgrade Assistant
See the McAfee Endpoint Security Installation Guide and McAfee ePolicy Orchestrator Product Guide for more
information about these tasks.
1
Prepare policies as needed.
•
If you are migrating legacy policies — Review and revise your settings to eliminate unused, outdated,
and duplicate settings.
•
If you are preconfiguring policies — Create a custom package using Endpoint Security Package
Designer. See the McAfee Endpoint Security Installation Guide for instructions.
2
On the Endpoint Upgrade Assistant landing page, analyze your environment.
3
On the Overview tab, view all products that require upgrades and determine which systems are suitable for
immediate upgrade.
4
On the Prepare tab, verify that all required software is installed and checked in to McAfee ePO.
If some systems are blocked from upgrading, you can manually upgrade them with required products, then
re-analyze your environment.
5
Manually update your McAfee ePO server with the latest AMCore and Exploit Prevention content files
required for Endpoint Security.
See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product
Guide for more information about content files.
6
(Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings
from supported legacy products on the McAfee ePO server.
You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security
Migration Guide for more information.
7
Configure policies as needed.
8
Create a deployment task, then deploy the client software to endpoints.
Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts
in server environments. Upgrade Automation doesn't restart endpoints after deployment.
9
Verify that the deployment task completed successfully.
•
In Endpoint Upgrade Assistant — Check the Deploy & Track tab for the status of the task and endpoints.
•
In McAfee ePO — Check that the client software is installed and up to date on all endpoints.
Create a deployment task in Endpoint Upgrade Assistant
Create a McAfee ePO deployment task directly from the Deploy & Track tab. This deploys products using Upgrade
Automation.
Before you begin
You have prepared and tagged endpoints for upgrade in Endpoint Upgrade Assistant and created
an Upgrade Automation package.
See the McAfee ePO Product Guide for more information.
18
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Upgrading with McAfee ePO
Create a deployment task in McAfee ePO
3
Task
1
On the Deploy & Track tab, click Create Deployment Task.
2
On the Create Deployment Task page, specify a name for the task.
The branch and product options that were selected on the Prepare and Overview tabs appear. If you want to
change them, cancel this task, select the correct settings on those tabs, then begin this task again.
3
For Policy Migration, select the checkbox to acknowledge that you have either migrated legacy custom policies
and client tasks or understand that McAfee Default policy settings will be enforced. (Required only when
migrating legacy product settings.)
4
Specify when to run the deployment task.
The default setting is Run immediately. If you're scheduling it for later, specify a date and time.
5
Select the systems to upgrade.
By default, both workstations and servers are upgraded. You can also select individual systems from a list.
6
Click Create.
7
Verify that the information for the task is correct, then click OK.
Create a deployment task in McAfee ePO
When systems are ready to upgrade using Upgrade Automation, you can deploy upgrades with standard
McAfee ePO deployment methods.
Before you begin
You have prepared and tagged endpoints for upgrade in Endpoint Upgrade Assistant and created
an Upgrade Automation package.
Task
1
In McAfee ePO:
•
On the Product Deployment page in McAfee ePO, create a new deployment task.
•
From the Client Task Catalog in McAfee ePO, select a Client Task Type of McAfee Agent | Product Deployment
Task, then create a new task.
2
From the Product and Components section, select the Upgrade Automation package that you installed with
Endpoint Upgrade Assistant.
3
From the Tag Catalog, select the Upgrade Automation tag that you created with Endpoint Upgrade Assistant.
4
Specify other options as needed.
Upgrade Automation supports several command-line options.
5
Create the task.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
19
3
Upgrading with McAfee ePO
Create a deployment task in McAfee ePO
Supported command-line options for upgrades
Upgrade Automation supports these command-line options for deployment tasks created in McAfee ePO.
Option
Description
--keephips
Do not upgrade versions of McAfee Host IPS that are compatible with Endpoint
Security. Do not enable Endpoint Security Firewall.
--keepma
Do not upgrade versions of McAfee Agent that are compatible with Endpoint
Security.
--force
Force removal of VirusScan Enterprise, McAfee Host IPS, McAfee DLP, and
Endpoint Security.
This option overrides the --keephips option.
--tag[=1–4]
where:
1–4 specifies one of four
Custom fields
Report endpoint events in a Custom field on the System Properties tab in the McAfee
ePO System Details page.
For example, --tag=3 reports endpoint events in the Custom 3 field, and --tag
or --tag=1 reports in the Custom 1 field.
Supported events for Custom fields
Not all upgrade workflows use all the supported event properties. Endpoint Upgrade Assistant reports these
properties:
Property
Description
EUA_CLIENT_EXECUTION_STARTED
Endpoint upgrade has started.
EUA_REBOOT_REQUIRED
Restart the endpoint.
ENS_INSTALL_PENDING
EUA_ENDPOINT_REBOOTED
ENS_INSTALLING
EUA_EXECUTION_COMPLETE
• Endpoint has been restarted.
• Endpoint Security is installing.
• Deployment task is completed.
• Check the status of the deployment task on the Deploy & Track tab.
EUA_EXECUTION_COMPLETE
REBOOT_REQUIRED
DLP_UPGRADED
• Deployment task is completed.
• Check the status of the deployment task on the Deploy & Track tab.
• Restart the endpoint to enable McAfee DLP.
These are some general guidelines for using the Custom fields:
•
Endpoint Upgrade Assistant doesn't remove or change the value displayed. For example, if you restart an
endpoint, the REBOOT_REQUIRED value doesn't change.
•
The value in the Custom field isn't updated or removed until it is overwritten by another task on the
endpoint.
•
If a Custom field is being used by another application for another purpose, reporting for Endpoint Upgrade
Assistant might be affected.
•
The --tag option is not related to tagging endpoints for updates in the System Tree.
Compatibility of command-line options
Command-line options are case sensitive. If you enter an invalid or an unrecognized option, the upgrade fails.
20
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Upgrading with McAfee ePO
Create a deployment task in McAfee ePO
3
Specifying multiple options can result in conflicting actions. Here's how Endpoint Upgrade Assistant resolves
conflicting command-line options:
Options
Result
--keepma --keephips
Does not upgrade McAfee Agent or remove Host Intrusion Prevention if
they are compatible with Endpoint Security.
--keephips --keepma
--force --keepma
• Forces removal of VirusScan Enterprise, McAfee Host IPS, McAfee DLP,
and Endpoint Security.
• Upgrades McAfee Agent (ignores --keepma).
--keephips --force
• Forces removal of VirusScan Enterprise, McAfee Host IPS, McAfee DLP,
and Endpoint Security (ignores --keephips).
• Upgrades McAfee Agent.
"--tag=2 --keepma --keephips • Does not upgrade McAfee Agent or McAfee Host IPS if they are
compatible with Endpoint Security.
• Reports endpoint events in the Custom 2 field on the System Properties
tab in the McAfee ePO System Details page.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
21
3
Upgrading with McAfee ePO
Create a deployment task in McAfee ePO
22
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
4
Upgrading with other solutions
Contents
Using Package Creator to create custom product installers
Workflow for upgrading with third-party tools
Create product installers with Package Creator
Using Package Creator to create custom product installers
Download the Endpoint Upgrade Assistant Package Creator tool to create product installers for deployment
with third-party solutions or McAfee ePO.
This custom product installer contains everything needed to upgrade systems to Endpoint Security: the
installers for each product you plan to upgrade and the Upgrade Automation application. Package Creator
requires administrator credentials.
Locating the installers
Package Creator generates a single product installer that contains an Endpoint Security installer, a McAfee
Agent installer, McAfee DLP installer (if needed), and the Upgrade Automation client application.
You must download all the installers for the products you plan to upgrade on the system where you run
Package Creator. It uses these installers to create the final product installer.
Upgrade options
These options to configure a custom product installer.
•
Endpoint Security modules to install — By default, all modules are selected, but you can specify whether to
install optional modules.
•
When McAfee Agent or Host Intrusion Prevention are installed on endpoints that you plan to upgrade:
•
•
Do not remove versions of McAfee Agent that are compatible with Endpoint Security
•
Do not remove McAfee Host Intrusion Prevention (do not use Endpoint Security Firewall)
Force removal of McAfee product files — You can select an option to remove failed or partial installations of
Endpoint Security, then reinstall the product.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
23
4
Upgrading with other solutions
Workflow for upgrading with third-party tools
Product installer options
Select the type of product installer to create:
•
A package for use with McAfee ePO — Check in this file to the McAfee ePO server. Package Creator validates
the package while creating it.
Best practice: Check and increase the package size limit in McAfee ePO before uploading large packages.
This package can deploy all individual product installers with one deployment task and ensures that no
additional downloads are required when upgrading to Endpoint Security. Because it contains the installer
for McAfee Agent, you can move endpoints from one McAfee ePO server to another during upgrades.
Best practice: Use Package Creator to create a deployment package when you plan to move endpoints to a
new McAfee ePO server during the upgrade.
•
An application for use with any third-party deployment solutions — Check in this file to the repository for
your third-party tool. This is a self-extracting .exe file that extracts the installers, then runs Upgrade
Automation to automatically upgrade endpoints with the selected options.
See also
Create product installers with Package Creator on page 25
Increase package size limit in McAfee ePO on page 33
Workflow for upgrading with third-party tools
Follow this workflow to upgrade endpoints using third-party deployment solutions.
You must have administrator credentials to use Package Creator. Before upgrading, ensure that your
environment and the systems you plan to upgrade meet the requirements.
See the McAfee Endpoint Security Installation Guide and McAfee ePolicy Orchestrator Product Guide for more
information about these tasks.
24
1
Download Package Creator from the Software Manager.
2
Prepare policies as needed.
•
If you are migrating legacy policies — Review and revise your settings to eliminate unused, outdated,
and duplicate settings.
•
If you are preconfiguring policies — Create a custom package using Endpoint Security Package
Designer. See the McAfee Endpoint Security Installation Guide for instructions.
3
On the Endpoint Upgrade Assistant landing page, analyze your environment.
4
On the Overview tab, view all products that require upgrades and determine which systems are suitable for
immediate upgrade.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Upgrading with other solutions
Create product installers with Package Creator
5
4
Download the installers for products you plan to upgrade.
•
Download the McAfee Agent (version 5.0.5 or later) frame file from your target McAfee ePO server.
The file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work.
•
Download the version of Endpoint Security to install.
Download Endpoint Security Bundle as a .zip file from Software Manager or the McAfee product
download page: https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us. A grant
number is required to download the bundle.
•
Download Data Loss Prevention and Device Control 9.3 (if required) from Software Manager or the
McAfee product download page.
This is also available as a .zip file from Software Manager or the McAfee product download page.
6
Manually update your McAfee ePO server with the latest AMCore and Exploit Prevention content files
required for Endpoint Security.
See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product
Guide for more information about content files.
7
(Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings
from supported legacy products on the McAfee ePO server.
You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security
Migration Guide for more information.
8
Configure policies as needed.
9
Run Package Creator and create an executable product installer for third-party deployment.
10 Check in the product installer to the repository for your third-party tools, then deploy to endpoints.
Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts
in server environments. Upgrade Automation doesn't restart endpoints after deployment.
Create product installers with Package Creator
Use Package Creator to create a single package or installation file that contains all the individual product
installers required for upgrades. Then deploy the file with third-party solutions or McAfee ePO.
Before you begin
You must have administrator credentials to use Package Creator. Before upgrading, ensure that
your environment and the systems you plan to upgrade meet the requirements.
Task
1
Download and install Package Creator from Software Manager, if you haven't already done so.
2
In Package Creator, specify the locations of the installers for Endpoint Security and McAfee Agent.
The installer for McAfee Agent is called a frame package.
3
Select optional components to install.
By default, all components are selected. Threat Prevention is required, but Endpoint Security Firewall and
Web Control are optional.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
25
4
Upgrading with other solutions
Create product installers with Package Creator
4
5
Select upgrade options, as needed.
•
Do not remove versions of McAfee Agent that are compatible with McAfee Endpoint Security.
•
Do not remove McAfee Host Intrusion Prevention (do not use Endpoint Security Firewall).
•
Remove failed or partial installations of McAfee Endpoint Security and reinstall it (requires a restart).
Select the type of product installer to create:
•
A package .zip file to deploy with McAfee ePO.
•
An executable application to install with third-party tools.
6
Click Create.
7
Verify that you've specified the correct information, then click Generate Package.
Tasks
•
Download the McAfee Agent frame file on page 26
Package Creator needs a compatible installer for McAfee Agent, to include in the custom installer
that it generates. You need to download this installer, called a frame package, from your target
McAfee ePO server.
Download the McAfee Agent frame file
Package Creator needs a compatible installer for McAfee Agent, to include in the custom installer that it
generates. You need to download this installer, called a frame package, from your target McAfee ePO server.
The correct file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work.
Task
26
1
In McAfee ePO, click System Tree | New Systems.
2
For How to add systems, select Create and download agent installation package.
3
For version, select Windows and 5.0.5 or later.
4
Click OK to download a valid McAfee Agent installer from your McAfee ePO server.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
5
Best practices and troubleshooting
Contents
Best practices for managing upgrade information
Troubleshooting blocked endpoints
Troubleshooting installation and uninstallation issues
Troubleshooting issues with Endpoint Upgrade Assistant
Troubleshoot issues with Upgrade Automation
Troubleshooting issues related to Package Creator
Reporting an issue to McAfee Support
Best practices for managing upgrade information
Endpoint Upgrade Assistant uses several McAfee ePO features that assist you with planning and implementing
your upgrade strategy.
Using queries and reports
Each time it analyzes an environment, Endpoint Upgrade Assistant creates a query that you can view in McAfee
ePO under Queries & Reporting. Use these queries to create reports containing the information you need to plan
and track your upgrades, then save them in PDF format.
Endpoint Upgrade Assistant queries display results from the last System Tree or group you analyzed. Data from
previous analyses is overwritten.
Exporting system details
System administrators can search, sort, filter, and validate Endpoint Upgrade Assistant results by downloading
the information for a selected category in comma-separated values (CSV) format. Use this information for
purposes such as debugging, identifying the endpoints required for upgrades, and resolving differences
between the reported and expected status of endpoints.
•
Export Systems — Creates a list of endpoints with their name, path, and type (server or workstation).
•
Export System and Product Details — Adds the products and versions running on endpoints. This lets you sort by
product to create a listing of all endpoints running each version of each product (for example, outdated
versions of McAfee Agent).
•
View Systems — Displays a page listing the corresponding systems that you can export.
Tag management
Endpoint Upgrade Assistant creates McAfee ePO tags to label endpoints in the McAfee ePO database. Use them
to tag endpoints that require the same upgrade steps, even if the endpoints are in different System Tree
groups.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
27
5
Best practices and troubleshooting
Troubleshooting blocked endpoints
When you tag a group of endpoints in Endpoint Upgrade Assistant, the tag appears in the Tag Catalog in the
Endpoint Upgrade Assistant Tags group. This lets you create deployment tasks that deploy upgrades to these tagged
endpoints.
To deploy to a subset of tagged endpoints, use one of these methods:
•
In Endpoint Upgrade Assistant — From the landing page, select a System Tree group to analyze. Endpoint
Upgrade Assistant analyzes only endpoints in that group. When you create a tag, it includes only endpoints
located in the selected group.
•
In McAfee ePO — Create a new tag, then copy endpoints with Endpoint Upgrade Assistant tags into the new
tag. See the McAfee ePolicy Orchestrator Product Guide for more information.
Export system and product information
Search, sort, filter, and validate results from Endpoint Upgrade Assistant by downloading the information for a
selected category in comma-separated values (CSV) format. Send this information to McAfee support when
reporting an issue with Endpoint Upgrade Assistant, or use it to troubleshoot issues, identify the endpoints
required for upgrades, and resolve differences between the reported and expected status of endpoints.
Task
1
From the Overview tab, in the Environment Overview table, click Export System and Product Details.
2
Import this data into Microsoft Excel, then sort and filter as needed to identify the endpoints outside your
expected groupings.
Troubleshooting blocked endpoints
Endpoints that the Endpoint Upgrade Assistant can't analyze are listed on the Overview tab in a table called
Blocked from Upgrading. Blocked endpoints do not appear on the Upgrade tab.
•
Incompatible systems — These endpoints cannot be upgraded due to hardware, memory, or operating system
limitations. Endpoints might fall into more than one category. For more information see KB82761.
•
Currently excluded systems — These endpoints have McAfee products installed that are not yet supported by
the Endpoint Upgrade Assistant. Note that the list of supported products is updated with new products
regularly.
•
Unmanaged systems — These endpoints can't be detected due to problems with McAfee Agent.
McAfee ePO locates endpoints by querying Active Directory. It uses McAfee Agent to detect the McAfee
products installed. It can't detect what is installed when:
•
McAfee Agent is not installed.
•
An unsupported version of McAfee Agent is installed.
•
McAfee Agent is not set to Managed mode.
To correct the problem, install a supported version of McAfee Agent or make sure that Managed mode is
enabled, then click Re-analyze Environment for an updated listing of the products installed in your environment.
Refresh the McAfee ePO database
You can often resolve a blocked status by sending endpoints an agent wake-up call that asks for full properties.
To analyze the products installed on endpoints, the Endpoint Upgrade Assistant queries the McAfee ePO
database. When the version information for McAfee products on one or more endpoints is not correctly
captured in the database, those endpoints are blocked from upgrades. In some cases, endpoints might report
blank or incorrectly formatted version information.
28
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Best practices and troubleshooting
Troubleshooting installation and uninstallation issues
5
You can refresh the database to ensure that all products installed on the endpoints in your environment are
reported correctly in the McAfee ePO database.
Task
1
From the Overview tab, select Export System and Product Details to export details about these endpoints in CSV
format.
Use this information to identify and resolve issues with each endpoint.
2
Create a McAfee ePO task to update the client properties for these specific endpoints.
This refreshes the information in the McAfee ePO database. See the McAfee ePolicy Orchestrator Product
Guide for more information.
Troubleshooting installation and uninstallation issues
Use this information to resolve issues that occur when attempting to install the Endpoint Upgrade Assistant or
to uninstall McAfee products during an upgrade.
•
Installation fails because Software Manager is busy — In rare circumstances, installation fails if the
Software Manager is actively checking in the required software packages when installation begins. If this
happens, wait until the packages are checked in, then begin installation again. Alternatively, you can stop the
task that is updating the Software Manager.
•
The Endpoint Upgrade Assistant fails to install because files were left behind by a partial installation
— If you tried and failed to install the Endpoint Upgrade Assistant, some files might have been left behind
that prevent you from installing the product again. Remove these files before attempting to install again.
Remove files after a failed installation
If the Endpoint Upgrade Assistant fails to completely install, you need to manually remove any parts of the
extension that were installed before attempting to install again.
Before you begin
Examine the Orion logs to determine why the installation failed. If McAfee ePO is installed in the
default location, the logs are located under C:\Program Files (x86)\McAfee\ePolicy
Orchestrator\Server\Logs.
Task
1
Remove the extension xml from C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server
\conf\Catalina\localhost\UpgradeAssistant.XML.
2
Remove the extension directory from C:\Program Files (x86)\McAfee\ePolicy Orchestrator
\Server\extensions\installed\EndpointUpgradeAssistant.
3
Remove the OrionExtensions entry from the McAfee ePO database table.
Run the following SQL query:
DELETE FROM dbo.OrionExtensions WHERE Name = 'EndpointUpgradeAssistant'
4
(Optional) Restart the server only if you can't execute the first two steps (for example, if the files are locked).
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
29
5
Best practices and troubleshooting
Troubleshooting issues with Endpoint Upgrade Assistant
Troubleshooting issues with Endpoint Upgrade Assistant
Use this information to resolve issues related to analyzing and reporting data and performance.
•
Analysis inconsistencies — Inconsistent version numbers that appear in the tables are not a reporting
error; they refer to data entries in the database. You might need to refresh the McAfee ePO database.
•
Mismatched queries — Upgrade Automation might categorize endpoints differently from the manual
upgrade process. Upgrade Automation follows specific query criteria, and the sets of categories can be
exported.
When the number of endpoints reported by Endpoint Upgrade Assistant doesn't match the number you
expect (for example, the number of workstations, servers, or upgrade steps), use the export function to
download a list of endpoints and their details in CSV format.
•
Missing packages — The Prepare tab highlights missing software packages that are required for upgrading.
After missing packages are checked in, click Re-Analyze Environment to refresh the page so you can see the
updates.
•
Performance issues — The time required to analyze your environment depends on the size of the McAfee
ePO database, which depends on the size of your managed environment. Larger environments take longer
to analyze. You can use the drop-down list to select a System Tree group (a subset of endpoints) to reduce
the number of endpoints to analyze.
•
Outdated queries and reports — If outdated information appears in reports, click Re-analyze Environment to
refresh the queries and regenerate the report.
See also
Troubleshooting blocked endpoints on page 28
Refresh the McAfee ePO database on page 28
Export system and product information on page 28
Troubleshoot issues with Upgrade Automation
Use these steps to prevent or troubleshoot problems related to Upgrade Automation.
Best practice: Examine the Upgrade Automation logs to help determine the problem area. Upgrade Automation
updates its logs for each step of the troubleshooting process. Logs are saved at the location %windir%\Temp
\McAfeeLogs\EndpointUpgradeAutomation.log.
You can use these steps:
30
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
Best practices and troubleshooting
Troubleshoot issues with Upgrade Automation
•
In a test environment to ensure Upgrade Automation works correctly.
•
When an Upgrade Automation task fails in your production environment.
5
Task
1
On endpoints, monitor progress in the Agent Monitor, where details about the actions performed by client
deployment tasks are logged.
2
Verify that the Endpoint Upgrade Assistant package downloaded McAfee Agent and Endpoint Security. See
the table below for more information.
If McAfee Agent 4.x was installed on the endpoint before upgrading, then FOLDER PATH is C:\ProgramData
\McAfee\Common Framework\[Current|Previous|Evaluation]
If McAfee Agent 5.x was installed on the endpoint before upgrading, then FOLDER PATH is C:\ProgramData
\McAfee\Agent\[Current|Previous|Evaluation]
These folders indicate that the download was successful Product
<FOLDER PATH>\ENDP_AM_1020
Endpoint Security 10.2 or 10.5
<FOLDER PATH>\ENDP_AM_1050
<FOLDER PATH>\ENDP_FW_1020
<FOLDER PATH>\ENDP_FW_1050
<FOLDER PATH>\ENDP_GS_1020
<FOLDER PATH>\ENDP_GS_1050
<FOLDER PATH>\ENDP_WP_1020
<FOLDER PATH>\ENDP_WP_1050
<FOLDER PATH>\EPOAGENT3000
<FOLDER PATH>\EUA_AUTO1000
McAfee Agent 5.0.5 or later
Endpoint Upgrade Automation package
(contains three .exe and two script files)
Potential remediation step: Make sure the correct versions of McAfee Agent (5.0.5 or later) and Endpoint
Security (version 10.2.x or 10.5.x) are checked in to the same branch in McAfee ePO that the Endpoint
Upgrade Automation package was deployed from (for example, Current, Previous, or Evaluation).
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
31
5
Best practices and troubleshooting
Troubleshoot issues with Upgrade Automation
3
Verify that there aren't any conflicting products on the endpoint that could stop the Endpoint Upgrade
Automation package from running. Check the logs for this information:
Log entry
Indicates
All steps completed successfully for product: ENS_HW_Requirements
Success
All steps completed successfully for product: ripper_conflict
Success
All steps completed successfully for product: ENS_RegistryConflicts
Success
All steps completed successfully for product: ENS_MSIConflicts
Success
OneBuild progress set to: COPY_FILES_COMPLETE
Success
All steps completed successfully for product: ENS1020_Conflicts
Success
All steps completed successfully for product: ENS1050_Conflicts
Success
All steps completed successfully for product: ENSSuccess
Success
Potential remediation step: Remove conflicting products and redeploy the Endpoint Upgrade Automation
package to the endpoint.
4
Verify that VirusScan Enterprise and Host Intrusion Prevention policies were copied successfully on the
endpoint.
Log entry
Indicates
Step preserve_policy completed successfully for product: VSE 8.8
Success
Step preserve_policy failed for product: VSE 8.8
Failure
Step preserve_policy completed successfully for product: HIPS 8.0
Success
Step preserve_policy failed for product: HIPS 8.0
Failure
Potential remediation step: If an error occurs while copying policies, it does not stop the installation. After
Endpoint Security is installed on the endpoint, it pulls the latest policies from McAfee ePO.
5
Verify that McAfee Agent upgraded successfully.
Log entry
Indicates
FramePkg.exe -- SUCCESS
Success
FramePkg.exe -- FAIL
Failure
Potential remediation step: Contact McAfee Support if the upgrade stops.
32
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
5
Best practices and troubleshooting
Troubleshooting issues related to Package Creator
6
Verify that Endpoint Security installed successfully.
Log entry
Indicates
setupCC.exe succeeded
Success
setupCC.exe --FAIL
Failure
setupTP.exe succeeded
Success
setupTP.exe --FAIL
Failure
Potential remediation step: Contact McAfee Support if the installation stops.
7
Verify that Upgrade Automation finished successfully.
Log entry
Indicates
All steps completed successfully for product: ENSSuccess
Success
OneBuild exit code is 0
Success
Troubleshooting issues related to Package Creator
Examine the log files to prevent or troubleshoot problems related to using Package Creator and custom product
installers.
Package Creator log files
When you use Package Creator to create a product installer, Package Creator logs events at this location on the
local system:
%windir%\Temp\McAfeeLogs\EndpointUpgradeAutomation.log
Product installer log files
The product installer is the deployment package created by Package Creator. When the product installer runs, it
uses the same product removal and installer logic that Upgrade Automation uses, and it creates log files with a
similar signature to Upgrade Automation.
The product installer logs events related using the product installer at this location on local systems:
%windir%\Temp\McAfeeLogs\EndpointUpgradeAutomation.log
If you deploy to the same system where you used Package Creator to create the product installer, the product
installer appends data to the log file created by Package Creator.
Increase package size limit in McAfee ePO
Most McAfee ePO servers have a maximum size limit for packages of 250 MB. If the product installer you've
created in Package Creator is larger than 250 MB, you need to increase the limit before checking in the package
to the McAfee ePO server.
To increase this limit, change the value specified in a McAfee ePO properties file. See the McAfee ePolicy
Orchestrator Product Guide for more information.
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
33
5
Best practices and troubleshooting
Reporting an issue to McAfee Support
Task
1
In Notepad or another editor, open C:\Program Files (x86)\McAfee\ePolicy Orchestrator
\Server\conf\epo\epo.properties.
2
Increase the value specified for file.upload.limit to 400.
For example, change file.upload.limit = 250 to file.upload.limit = 400.
3
Save the file, then restart the McAfee ePO server.
Reporting an issue to McAfee Support
To expedite assistance, include all the required information when reporting an issue to McAfee Support.
Endpoint Upgrade Assistant issues
Provide this information when reporting an issue:
•
Brief description of the issue — If possible, provide the steps required to reproduce the issue.
•
Screenshots
•
Logs from the time when the issue occurred
McAfee ePO server logs, also called Orion logs, can be found in the log directory (for example, McAfee
\ePolicy Orchestrator\Server\Logs). If McAfee ePO is installed in the default location, the logs are
located under C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\Logs.
•
Version numbers for these components:
•
McAfee ePO
•
Endpoint Upgrade Assistant extension
•
Approximate number of endpoints running in your environment.
•
If relevant, include an export of the endpoint details.
Upgrade Automation issues
Provide this information when reporting an issue:
1
MER data — Before submitting an issue, open the Minimum Escalation Requirements (MER) tool and follow
the instructions provided in KB59385 to collect product data for analysis.
2
Brief description of the issue
3
Screenshots
See also
Export system and product information on page 28
34
McAfee Endpoint Upgrade Assistant 1.5.0
Product Guide
0-00