Product Settings policy The Product Settings policy options are organized into these tabs: General, Encryption, Log On, Recovery, Boot Options, Theme, Out-of-Band, Encryption Providers, and Companion Devices. Table 1: General tab Option Definition Enable policy Enables the set policies on the client computers. Only activate if health check (Drive Encryption: Go) passes —Select this option to activate Drive Encryption on client systems only when the Drive Encryption: GO health check passes. Note: You can enable this option only if the DEGO extension 7.x or higher is installed in McAfee ePO. Logging level Allows the administrator to set a different logging level for each client computer that has the specific policy setting assigned. Note: To overwrite the logging level defined in McAfee ePO, the LoggingLevelOverride registry key needs to be set on the client system. None — Does not create any log for the client system managed by McAfee ePO. Error — Logs only error messages. Error and Warnings — Logs the error and warning messages. Error, Warnings, and Informational — Logs the error and warning messages with more descriptions. Error, Warnings, Informational and Debug — Logs the error, warning, and debug messages. Harden against cold boot attacks when Allows you to use the Elevated Security Crypt mode to help protect against cold-boot and other RAM-based attacks, when: The system is locked. The user is logged off. The system is in standby. Always (On systems that support Intel SGX) For more information, see the Protection of systems in Windows lock, log off, and standby states section. Expire users who do not login Allows the administrator to control and manage the users who have not logged on to the client system. This option forces the user account, which is not initialized, to expire after a number of hours as set in the policy. Allow users to create endpoint info file Allows the user to collect client system details such as the list of assigned users, policy settings, recovery, and Drive Encryption status. After enabling this option, the Save Machine info button appears in: Windows — McAfee Agent Tray → Quick Settings → Show Drive Encryption Status. You can click this button and save the text file for later reference. Table 2: Encryption tab Option Definition Encrypt Allows you to select the required encryption type and to set the encryption priority. Encryption type The type of encryption: None — Does not encrypt any disk. All disks — Encrypts all disks in a system. Boot disk only — Encrypts only the boot disk. Selected partitions — Allows you to select the required partitions of the client system and select them to be encrypted. You can select the required partitions by specifying the Windows drive letters/volume names. Partition level encryption is not applicable to client systems using OPAL encryption. Note: Do not assign a drive letter to the Windows 7 hidden system partition on your client system. Doing so prevents activation of the Drive Encryption software on the client system. This table also lists the available encryption providers (PC Software and PC Opal) available. You can change and set the encryption priority by moving the encryption provider rows up and down, as appropriate. By default, software encryption is used on both Opal and non-Opal systems in this version of Drive Encryption. To ensure that Opal technology is chosen in preference to software encryption, we recommend that you always set Opal as the default encryption provider, by moving it to the top of the list on the Encryption Providers page. This ensures that Opal locking will be used on Opal drives. Note: Make sure that you select the required encryption type, as appropriate. Policy enforcement might fail on client systems if you select an unsupported encryption type. All disks except boot disk — Encrypts all disks except the boot disk (not recommended) The Encryption type options None, All disks except boot disk, and Selected partitions are not applicable to self-encrypting drives in Opal mode. Table 3: Log On (Drive Encryption) tab Option Definition Enable automatic booting When enabled, the client system boots automatically without prompting for a Pre-Boot Authentication. The expiration date for auto-booting can also be set. If required, the user can select the UTC time standard option. Important: If you enable this option without requiring the use of TPM for automatic booting, the Drive Encryption product does not protect the data on the drive when it is not in use. Disable and restart system after 3 (1-10) failed logons or unlocks (Windows only, Vista onwards) — This feature is an enhancement of the primary Enable automatic booting feature. Select this option to disable the autoboot after a specific number (defaulted to 3 or specify from 1-10) of failed Windows logons. On the Windows authentication screen, if the user fails to authenticate the defined number of times, a message appears indicating that the maximum number of failed operating system logons was reached, and that Pre-Boot Authentication is enabled on the machine. Upon clicking OK, the client system restarts and PBA screen appears. Once the user authenticates through PBA and Windows successfully, autoboot is enabled. Note: This feature is available for password, smart cards, and biometric tokens, and only for Windows Vista or later operating systems. Allow temporary automatic booting Allows you to turn (on or off) the PBA screen, with a client-side utility. This eliminates the need to modify the policy in McAfee ePO, and fully automates patching and other client management scenarios. Use of TPM for automatic booting Select one of these options: Never — The encryption key is written to a plain-text file, which is unencrypted. The system is not secure. If available — If the TPM is available, the encryption key is written to a plain-text file, which is encrypted. The system is secure. If the TPM is not available, the encryption key is written to a plain-text file, which is unencrypted. The system is not secure. Required (Note: if TPM is not available on the system, automatic booting will not be enabled) — If the required TPM is available, the encryption key is written to a plain-text file, which is encrypted. The system is secure. If the required TPM is not available, automatic booting will not be enabled and the user will see the PBA screen to authenticate. The system is secure. Note: This option is applicable only for systems installed with Drive Encryption 7.2.0. If you apply a policy to the earlier versions of Drive Encryption 7.2.0 with automatic booting enabled and use of TPM set to 'Required', it will leave the client system in an unprotected state since autoboot will be enabled with no protection of the disk encryption key. Pre-boot power management: Automatically shutdown pre-boot after a period of inactivity: 1-60 minutes The client system will shut down automatically after the set time at pre-boot. Log on message Type a message that appears to the client user. Do not display previous user name at log on Prevents the client system from automatically displaying the user name of the last logged on user on all Drive Encryption logon dialog boxes. Enable on screen keyboard Enables the Pre-Boot On-Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver finds supported pen hardware (Panasonic CF-H1 and Samsung Slate 7) and displays the OSK. Note: If you do not select this option, the BIOS uses mouse emulation. In such a situation, the BIOS treats the digitizer as a standard mouse, which might lead to the cursor being out of sync with the stylus on USB-connected Wacom pen digitizers. Always display on screen keyboard — Forces the Pre-Boot to always display a clickable on-screen keyboard, whether the pen driver finds suitable hardware or not. Note: When the option Enable on screen keyboard is turned on, if there is a serial digitizer device for which we have support on BIOS systems, then the OSK is displayed. Otherwise, on both BIOS and UEFI systems, if there is a requirement to display the OSK, then you must also select the option Always display on screen keyboard. This forces the OSK to be displayed without looking for any serial digitizer devices under BIOS. Add local domain users (and tag with 'EE:ALDU') Disabled — Selecting this option does not add any local domain users to the client system. Add all previous and current local domain users of the system —Domain users who have previously and are currently logged on to the system can authenticate through the Pre-Boot, even if the administrator has not explicitly assigned the user to the client system. Only add currently logged on local domain user(s); activation is dependent on a successful user assignment — Only the domain users who are logged on to the current Windows session are added to the system and hence Drive Encryption is activated, even if the administrator has not explicitly assigned the user to the client system. Note: If you select this option, at least one user should be added to the client system for a successful Drive Encryption activation on the client. The activation doesn't happen until a user logs on to Windows. Enable accessibility Select this option to sound a beep as a signal when the user moves the focus from one field to the next using mouse or keyboard in the Pre-Boot environment. This option is helpful to visually challenged users. The USB audio functionality allows visually impaired users to hear an audio signal (spoken word) as guidance when the user moves the cursor from one field to the next in the Pre-Boot environment. The USB speakers and headphones can be used to listen to the audio signal. For more details, see Enable Accessibility (USB audio devices) in the Pre-Boot environment. Disable pre-boot authentication when not synchronized Blocks a user from logging on to PBA in the client system, if the client system is not synchronized with the McAfee ePO server for the set number of days. The user is blocked from logging on to PBA, and can then request the administrator to perform Administrator Recovery to unlock the client system. This allows the client system to boot and communicate with the McAfee ePO server. Note: The client system continues to block the user from logging on to the system until synchronization with McAfee ePO. Read username from smartcard Automatically retrieves the available user information on the client system from the inserted smartcard; hence the Authentication window does not prompt for a user name. The user can then authenticate by typing the correct PIN. You need to enable the matching rules that are required for matching smartcard user principle name (UPN) names with Drive Encryption user names. Disable pre-boot authentication when not synchronized Match certificate user name field up to @ sign — Matches the certificate user name up to the @ sign of the user name. For example, if the UPN is SomeUser@SomeDomain.com and the Drive Encryption user name is SomeUser, a match is found. Hide user name during authentication — The Drive Encryption user name does not appear in the Authentication window. Note: This feature is supported on the Gemalto .Net V2+ tokens, and PIV and CAC tokens. Lock workstation when inactive: After x number of minutes The client system is locked automatically when it is inactive for the set time. Table 4: Log On (Windows) tab Option Definition V7.2 Onwards Third-party credential providers: Allow integrated third-party credential providers to override the Drive Encryption credential provider — Enable this option to make sure that the Drive Encryption credential provider does not load and allow a compatible third-party credential provider to override the existing credential provider. Single sign-on (SSO): Provide a single sign-on experience for Drive Encryption users (SSO) — Enable this option to allow the user to log on to the system with a single authentication process. It allows automatic logon to the operating system once the user authenticates through the Pre-Boot Authentication page. Allow the capturing of smart card PINs for SSO replay — Enable this option to allow Drive Encryption to capture the smart card PIN for SSO. Password synchronization: Update the Drive Encryption user password to match the Windows user password (during Windows logon, or password changes) — Enable this option to synchronize the Drive Encryption password to match the Windows password when the Windows password is changed on the client system. For example, if users change their password on the client, the Drive Encryption password is also changed to the same value. Ignore Drive Encryption password rules and history when updating the Drive Encryption password — Enabling this option allows you to ignore Drive Encryption password rules and history when synchronizing the Drive Encryption password. Warning: This may result in a reduction of password strength for Drive Encryption users. Periodically check domain credentials for changes and ask the user to re-capture the Drive Encryption password if required — Enabling this option allows you to periodically check the domain credentials for any changes and also inform the user to re-capture the Drive Encryption password, if required. Warning: This will result in an increased load on the domain server that manages the endpoint. Polling interval (minutes) __ (5-480) — Enter the time in minutes within the set limit to periodically check the domain credentials for any changes. Preboot user options Allow user to cancel SSO and password synchronization — Enable this option to allow the user to cancel SSO and password synchronization. Windows username matching The Windows username must match the username of the Drive Encryption user before capturing SSO or synchronizing passwords — Ensures the SSO details are captured only when the user’s Drive Encryption and Windows user names match. This ensures that the SSO data captured is replayed for the user for which it was captured. Credential provider bitmap Do not display McAfee shield on Windows logon tiles — Enabling this option allows you to hide the McAfee shield on Windows logon titles. Pre V7.2 Enable SSO — Select this option to enable Single Sign On. Must match user name — Ensures the SSO details are captured only when the user’s Drive Encryption and Windows user names match. This ensures that the SSO data captured is replayed for the user for which it was captured. When you select the Enable SSO option, the Must match user name option is also enabled by default. Using smart card PIN — Allows Drive Encryption to capture the smart card PIN for SSO. Synchronize Drive Encryption password with Windows — The Drive Encryption password synchronizes to match the Windows password when the Windows password is changed on the client system. For example, if users change their password on the client, the Drive Encryption password is also changed to the same value. Allow user to cancel SSO — Allows the user to cancel the SSO to Windows in Pre-Boot. When this option is enabled, the user has an additional checkbox at the bottom of the Pre-Boot logon dialog box. Note: Make sure to note that SSO now works with Drive Encryption 7.2.0 when the client system resumes from hibernation or when booting the system using Windows 8 fast boot. Require Drive Encryption logon (only supported on V6 clients) — This requires you to mandatorily log on to PBA for EEPC 6.x.x systems, thereby disabling the SSO functionality. Require log on when token is removed — This requires you to mandatorily log on when the token is removed. Note: This option is available for selection only if the Require Drive Encryption logon (only supported on V6 clients) option is enabled. Table 5: Recovery tab Option Definition Enabled The Recovery option is enabled by default. This activates the Administrator Recovery option in the client system. Administrator recovery Key size — The recovery key size options. The recovery Response Code size depends on this recovery key size. This does not affect the size of the challenge code. Low — A recovery key size that creates a short Response Code for the recovery. Medium — A recovery key size that creates a medium size Response Code for the recovery. High — A recovery key size that creates a lengthy Response Code for the recovery. Full — A recovery key size that creates a Response Code, with the maximum number of characters, for the recovery. Message — Displays a text message when you select Recovery. This can include information such as your help desk contact details. Self-recovery Allow users to re-enroll self-recovery information at PBA — Allows the client user's self-recovery details can be reset. The user must then re-enroll their self-recovery details with new self-recovery answers. Note: Before resetting the self-recovery questions on the client system, make sure that you have enabled the Enable Self Recovery option under User Based Policy | Self-recovery. When this option is enabled, the Pre-Boot Authentication (user name) screen includes the Reset self-recovery option. On selecting Reset self-recovery , the user is prompted for a password, then self-recovery enrollment. Note: Only initialized users can reset their self-recovery details. Table 6: Boot Options tab (Windows only) Option Definition Enable Boot Manager Activates the built-in pre-boot partition manager. This allows you to select the primary partition on the hard disk that you want to boot. Naming of the partition is also possible with the boot manager. The timeout for the booting to start can also be set. Always enable pre-boot USB support Forces the Drive Encryption Pre-Boot code to always initialize the USB stack. USB audio functionality allows the visually impaired users to listen to an audio signal (spoken word) as a guidance when the user moves the cursor from one field to the next, in the Pre-Boot environment. The USB speakers and headphones can be used to listen to the audio signal. Note: You will notice an improper synchronization of the mouse cursor and the stylus on USB connected Wacom pen digitizers. To avoid this, make sure to enable this option. For more details, see Enable Accessibility (USB audio devices) in the Pre-Boot environment. Enable pre-boot PCMCIA support If selected, the policy enables pre-boot PCMCIA support. Graphics mode Allows you to select the screen resolution for a system or a system group. The default option is Automatic. Table 7: Theme tab Option Definition Select theme Contains the options for selecting a theme. Preview Displays the preview of the selected theme. The preview is not available for shared policies from another McAfee ePO. Table 8: Out-of-Band tab (Windows only) Drive Encryption: Out Of Band Management Option Definition Enable at PBA Enables the Drive Encryption out-of-band management features through policies and then perform actions on Intel® AMT provisioned client systems. Note: You can select this option only if you installed the Drive Encryption: Out Of Band Management extension in McAfee ePO. Table 9: Encryption Providers tab Option Definition PC Software Use compatible MBR — Causes Drive Encryption to boot a built-in fixed MBR instead of the original MBR that was on the system after pre-boot logon. Note: It is used to avoid problems with some systems that had other software that runs from the MBR and no longer work if Drive Encryption is installed. Fix OS boot record sides — Some boot records report an incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the Drive Encryption extension. Use windows system drive as boot disk — Maintains the compatibility with some systems where the disk 0 is not the boot disk. Selecting this option forces the users product to assume that the boot disk is the one that contains the Windows directory but not disk 0. Enable Pre-Boot Smart Check (BIOS based systems only) — Modifies the Drive Encryption activation sequence and creates a pre-activation stage, where hardware compatibility checks are performed prior to actual activation and subsequent encryption. Force system restart once activation completes — This option is selected by default when you select Enable Pre-Boot Smart Check (BIOS based systems only) to restart your system after activation. Opal Require all disks to be Opal — Requires all the drives in your client system to be Opal drives for the PC Opal encryption provider to be activated. Table 10: Companion Devices tab Option Definition Enable Companion Device Support Enable this option to allow the user to perform system recovery through smartphone. Note: The Companion Device application is now known as McAfee Endpoint Assistant. Recommended Product Settings policyThe Product Settings policy controls the behavior of the Drive Encryption client. For example, it contains the options for enabling encryption, enabling automatic booting, and controlling the theme for the pre-boot environment.