Recommended Product Settings policy

The Product Settings policy controls the behavior of the Drive Encryption client. For example, it contains the options for enabling encryption, enabling automatic booting, and controlling the theme for the pre-boot environment.

You can configure the Product Settings policy by navigating to Menu | Policy | Policy Catalog, then selecting Drive Encryption 7.2 from the Product drop-down list. Select Product Settings from the Category drop-down list, locate the My Default policy, then click Edit Settings. For more information about individual policy settings, see the McAfee Drive Encryption 7.2.5 Product Guide.

The Product Settings policy options are organized into a series of tabs.

General tab
Policy Options Recommendations
Enable Policy Leave this option checked (enabled). This policy should be enabled to activate Drive Encryption on the client system. This option needs to be disabled to uninstall Drive Encryption from the client.
Note: The Only activate if Health Check (Drive Encryption GO) check passes option is applicable only if the DEGO extension is installed in McAfee ePO.
Logging Level Set the required logging level.
Note: To override the logging level defined in ePolicy Orchestrator, set the LoggingLevelOverride registry key on the client system.
  • None — Does not create any log for the client system managed by McAfee ePO.
  • Error — Logs only error messages.
  • Error and Warnings — Logs the error and warning messages.
  • Error, Warnings, and Informational — Logs the error and warning messages with more descriptions.
  • Error, Warnings, Informational and Debug — Logs error, warning, informational, and debug messages. Enable this level only when you need extended logging for troubleshooting; do not leave it on for standard use because it can affect client performance.
Harden against cold boot attacks when Allows you to use the Elevated Security Crypt mode to help protect against cold-boot and other RAM-based attacks, when:
  • The system is locked —The encryption driver switches to the Elevated Security Crypt mode when the user locks the screen.
  • The user is logged off — The encryption driver switches to the Elevated Security Crypt mode when the user logs off.
  • The system is in standby — The encryption driver switches to the Elevated Security Crypt mode when the system enters standby.

For more information, see Protection of systems in Windows lock, log off, and standby states in the McAfee Drive Encryption 7.2.5 Product Guide.

Expire users who do not login Leave this option checked (enabled). This option lets the administrator control user accounts that have never been used to log on at the PBA. An account that has not been initialized expires after the number of hours set in the policy, so a stale, never-used account cannot later be used to gain unauthorized access to the client system.
Allow users to create endpoint info file Leave this option checked (enabled). This option allows the user to collect client system details such as the list of assigned users, policy settings, recovery, and Drive Encryption status.

After enabling this option, a Save Machine info button appears in Windows, under McAfee Agent Tray | Quick Settings | Show Drive Encryption Status. You can click this button and save the text file for later reference.

Enable logging for Credential provider Leave this option unchecked (disabled). This option allows you to enable or disable credential provider logging.
Encryption tab
Policy Options Recommendations
Encrypt Allows you to select the required encryption type and to set the encryption priority.
Encryption type All Disks is the recommended option (the None option does not initiate the encryption).

The All disks except boot disk option, which encrypts all disks except the boot disk, is not a recommended option.

The None, All disks except boot disk, and Selected partitions options are not applicable for self‑encrypting drives in Opal mode.

Selected Partitions Allows you to select the required partitions of the client system to be encrypted. You can select the required partitions by specifying the Windows drive letters or volume names.

Partition level encryption is not applicable to client systems using Opal encryption. If the selected partitions include both Opal and non-Opal hard drives, both will be software-encrypted.

Note: Do not assign a drive letter to the Windows 7 hidden system partition on your client system. Assigning the drive letter prevents activation of Drive Encryption software on the client system.

This table also lists the available encryption providers (PC Software and PC Opal). You can set the encryption priority by moving the encryption provider rows up and down, as appropriate.

By default, software encryption is used on both Opal and non-Opal systems in this version of Drive Encryption. To ensure that Opal technology is chosen in preference to software encryption, we recommend that you always set Opal as the default encryption provider, by moving it to the top of the list on the Encryption Providers page. This ensures that Opal locking will be used on Opal drives.

Note: Make sure that you select the required encryption type, as appropriate. Policy enforcement might fail on client systems if you select an unsupported encryption type.
Log On (Drive Encryption) tab
Policy Options Recommendations
Enable automatic booting Leave this option unchecked (disabled). If you enable this option, the client system boots to Windows without the PBA; this is normally referred to as Autoboot mode. Enabling it can be useful in specific, time-limited scenarios: for example, to minimize end-user impact during rollout, or to let patches install and the required reboots complete without user intervention during patch cycles. The administrator is responsible for deciding when to enable and disable this option.
Note: If you enable this option, Drive Encryption does not protect the data on the drive while the system is not in use: the disk is unlocked during boot without any user authentication, so only the Windows logon stands between someone holding the device and the data.
  • Disable and restart system after 3 (1‑10) failed logons or unlocks (Windows only, Vista onwards) — We recommend that you enable this option if you enabled the Enable automatic booting option. This option disables the system autoboot after a specific number of failed Windows logons.
Allow temporary automatic booting Allows you to turn (on or off) the PBA screen, with a client-side utility. This eliminates the need to modify the policy in McAfee ePO, and fully automates patching and other client management scenarios.
Use of TPM for automatic booting Select one of these options:
  • Never — The disk encryption key needed for automatic booting is stored on the client in a file that is not encrypted. The system is not secure.
  • If available — If a TPM is available, the key file is protected (encrypted) using the TPM. The system is secure.

    If a TPM is not available, the key file is stored unencrypted. The system is not secure.

  • Required (Note: if TPM is not available on the system, automatic booting will not be enabled) — If a TPM is available, the key file is protected (encrypted) using the TPM. The system is secure.

    If a TPM is not available, automatic booting is not enabled and the PBA screen is displayed. The system is secure.

Note: This option is applicable only for systems installed with Drive Encryption 7.2.5. If you apply a policy to earlier versions of Drive Encryption (i.e., EEPC) with automatic booting enabled and set TPM use to Required, the client system is left in an unprotected state because autoboot is enabled with no protection of the disk encryption key.
Log on message Type a message that appears to the client user.
Do not display previous user name at log on Leave this option checked (enabled). This option prevents the client system from displaying the user name of the last logged on user automatically on all Drive Encryption logon dialog boxes.
Enable on screen keyboard Leave this option checked (enabled), especially for tablets or on-screen mouse device systems. This option enables the Pre‑Boot On‑Screen Keyboard (OSK) and the associated Wacom serial pen driver. When this option is enabled, the pen driver detects supported pen hardware and displays the OSK.
Note: If you do not select this option, the BIOS uses mouse emulation. In such a situation, the BIOS treats the digitizer as a standard mouse, which might lead to the cursor being out of sync with the stylus on USB-connected Wacom pen digitizers.
Always display on screen keyboard Forces the Pre‑Boot to always display a clickable on‑screen keyboard regardless of whether the pen driver finds suitable hardware or not.
Note: This is valid for BIOS-based hardware only. On UEFI, the digitizer is managed by the UEFI software, so the UEFI implementation needs to contain drivers for the digitizer.
Add local domain users (and tag with 'EE:ALDU')
  • Disabled — Selecting this option does not add any local domain users to the client system.
  • Add all previous and current local domain users of the system — Any domain user who has previously logged on, or is currently logged on, to the system is able to authenticate through the Pre‑Boot, even if the administrator has not explicitly assigned the user to the client system.
  • Only add currently logged on local domain user(s); activation is dependent on a successful user assignment — Leave this option selected (enabled) so that only the domain users who are logged on to the current Windows session are added to the system. As a result, Drive Encryption is activated, even if the administrator has not explicitly assigned the user to the client system.
    Note: If you select this option, at least one user must be added to the client system for Drive Encryption to activate on the client. Activation does not happen until a user logs on to Windows as a domain user, and that domain must be registered in McAfee ePO.
Enable Accessibility (Windows BIOS systems only) Leave this option checked (enabled). This option is helpful to visually challenged users. If selected, the system beeps as a signal when the user moves the focus from one field to the next using a mouse or keyboard in the Pre‑Boot environment.

The USB audio functionality allows visually impaired users to hear an audio signal (spoken word) as guidance when the user moves the cursor from one field to the next in the pre-boot environment. The USB speakers and headphones can be used to listen to the audio signal.

Note: USB audio functionality requires that the Always enable pre-boot USB support option be selected on the Boot Options tab.

Disable pre‑boot authentication when not synchronized Leave this option checked (enabled). This option blocks the user from logging on to PBA in the client system, if the client system is not synchronized with the McAfee ePO server for the set number of days. When the user is blocked from logging on to PBA, the user should request the administrator to perform the Administrator Recovery to unlock the client system. This allows the client system to boot and communicate with the McAfee ePO server.
Note: The client system will continue to block the user from logging on to the system until the synchronization with ePolicy Orchestrator happens. This is especially useful to prevent unauthorized access to laptops that have been misplaced, lost or stolen.
Read username from smartcard Leave this option checked (enabled). This option automatically retrieves the available user information on the client system from the inserted smartcard; hence the Authentication window does not prompt for a username. The user can then authenticate just by typing the correct PIN.

You need to enable the matching rules that are required for matching the smartcard user principal name (UPN) with Drive Encryption usernames.

Note: This feature is supported on the Gemalto .Net V2+ tokens, and PIV and CAC tokens.
  • Match certificate user name field up to @ sign — Match the certificate user name up to the @ sign of the user name. For example, if the UPN is SomeUser@SomeDomain.com and the Drive Encryption user name is SomeUser, a match is found.
  • Hide user name during authentication — On selecting this option, the Drive Encryption user name does not appear in the Authentication window.
Lock workstation when inactive Leave this option unchecked (disabled). The client system is locked when it is inactive for the set time.
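The Use of TPM for automatic booting setting above only protects the autoboot key when the client actually has a working TPM; under If available, a client without one silently falls back to an unencrypted key file. The following PowerShell is an added example, not code from the McAfee guide or the Drive Encryption product: it inventories TPM presence and readiness on a client with the Windows-supplied Get-Tpm cmdlet and the Win32_Tpm CIM class, and maps the result onto the three policy values. It assumes Windows 8 / Server 2012 or later and an elevated session; the function name and verdict strings are this example's own.

```powershell
# Added example, not part of the McAfee guide: report whether this client can
# honour "Use of TPM for automatic booting = Required" (TPM present and ready,
# so the autoboot key file is TPM-protected) or would, under "If available",
# fall back to storing the key file unencrypted.
# Assumes Windows 8 / Server 2012 or later (Get-Tpm ships with the OS) and an
# elevated session; no Drive Encryption APIs are used.

function Get-AutobootTpmReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        TpmPresent   = $false
        TpmReady     = $false
        SpecVersion  = $null
        Verdict      = 'Unknown'
    }

    # Get-Tpm is the supported cmdlet for presence/readiness.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        Write-Warning "Get-Tpm failed on $($env:COMPUTERNAME): $($_.Exception.Message)"
    }

    # Win32_Tpm exposes the spec version (for example "2.0, 0, 1.38"), useful
    # when reconciling clients against the platform requirements in the Product Guide.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi) { $result.SpecVersion = $wmi.SpecVersion }

    # Map the findings onto the three policy values described in the table above.
    if ($result.TpmPresent -and $result.TpmReady) {
        $result.Verdict = 'Required is safe: the autoboot key file will be TPM-protected'
    } elseif ($result.TpmPresent) {
        $result.Verdict = 'TPM present but not ready: initialise it before relying on Required'
    } else {
        $result.Verdict = 'No TPM: Required keeps the PBA; Never or If available would store the key unprotected'
    }
    [pscustomobject]$result
}

# Local run. For a fleet, wrap the function in Invoke-Command against the
# candidate systems before you change the policy assignment in ePO.
Get-AutobootTpmReadiness | Format-List
```

Run this against the systems you intend to move into an autoboot policy before the assignment changes in McAfee ePO: any client reporting no TPM should either stay out of that policy or receive Required, which leaves it at the PBA rather than booting with an unprotected key.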
Log On tab
Policy Options Recommendations
Enable SSO Leave this option checked (enabled).
  • Must match user name — Leave this option checked (enabled). This option ensures the SSO details are only captured when the user’s Drive Encryption and Windows user names match. This ensures that the SSO data captured is replayed for the user for which it was captured. When you select the Enable SSO option, the Must match user name option is also enabled by default.
  • Using smart card PIN — Leave this option checked or unchecked based on whether the eToken or smart card is used or not. This option allows Drive Encryption to capture the smart card PIN for SSO.
Synchronize Drive Encryption Password with Windows Leave this option checked (enabled). If selected, the Drive Encryption password synchronizes to match the Windows password when the Windows password is changed on the client system. For example, if users change their password on the client, the Drive Encryption password is also changed to the same value.
Allow user to cancel SSO Leave this option checked (enabled). This option allows the user to cancel the SSO to Windows in Pre‑Boot. When this option is enabled, the user has an additional checkbox at the bottom of the Pre‑Boot logon dialog box.
Require Drive Encryption logon (only supported on V6 clients) Makes it mandatory for the user to log on at the PBA on EEPC 6.x.x systems, thereby disabling the SSO functionality.
Lock workstation when inactive Leave this option unchecked (disabled). The client system is locked when it is inactive for the set time.
Recovery tab
Policy Options Recommendations
Enabled Leave this option checked (enabled). This is enabled by default to make sure that the recovery is possible at any stage of the Drive Encryption management.
Administrator recovery
  • Key size — After consulting with your IT security team, set the key size appropriate for your organization's requirements. The key size determines the length of the Response Code that the administrator reads to the user during recovery: a larger key gives a longer code.
    • Low — A recovery key size that creates a short Response Code for the recovery.
    • Medium — A recovery key size that creates a medium size Response Code for the recovery.
    • High — A recovery key size that creates a lengthy Response Code for the recovery.
    • Full — A recovery key size that creates a Response Code, with the maximum number of characters, for the recovery.
  • Message — Displays a text message when you select Recovery. This can include information such as your help desk contact details.
Self-recovery Allow users to re-enroll self-recovery information at PBA —Leave this option checked (enabled) only when required. On enabling this option, the client user's self-recovery details can be reset, then the user has to enroll the self-recovery details with new self-recovery answers.
Note: Before resetting the self-recovery questions on the client system, make sure that you have enabled the Enable Self Recovery option under User Based Policy | Self-recovery.

When this option is enabled, the Pre-Boot Authentication (user name) screen includes the Reset self-recovery option. On selecting Reset self-recovery, the user is prompted for a password, then self-recovery enrollment.

Note: Only initialized users can reset their self-recovery details.
Boot Options tab
Policy Options Recommendations
Enable Boot Manager Leave this option unchecked (disabled). This option activates the built-in pre‑boot partition manager, which lets you select which primary partition on the hard disk to boot. You can also name partitions and set the timeout before booting starts.
Always enable pre-boot USB support Leave this option checked (enabled) only when needed.

This option forces the Drive Encryption Pre‑Boot code to always initialize the USB stack. USB audio functionality allows visually impaired users to listen to an audio signal (spoken word) as guidance when the user moves the cursor from one field to the next in the Pre‑Boot environment. USB speakers and headphones can be used to listen to the audio signal.

To enable the USB audio functionality, select Enable Accessibility on the Log On (Drive Encryption) tab.

Note: You might notice an improper synchronization of the mouse cursor and the stylus on USB-connected Wacom pen digitizers. To avoid this, enable this option.
Enable pre-boot PCMCIA support Leave this option unchecked (disabled) unless you require support for PCMCIA devices in pre-boot.
Graphics mode Leave the default setting, Automatic. This option allows you to select the screen resolution for a system or a system group.

Note: We recommend that you leave the default options on the Theme tab for easier deployment and management.

Out-of-Band tab
Policy Options Recommendations
Enable at PBA Select this option to enable the Drive Encryption out‑of‑band management features through policies, and then perform actions on Intel® AMT provisioned client systems.
Note: You can select this option only if you have installed the Drive Encryption : Out Of Band Management extension in McAfee ePO.
Encryption Providers tab
Policy Options Recommendations
Use compatible MBR Leave this option unchecked (disabled). This option causes Drive Encryption to boot a built‑in fixed MBR instead of the original MBR that was on the system after pre‑boot logon.
Note: It is used to avoid problems on some systems that have other software running from the MBR, which no longer works once Drive Encryption is installed.
Fix OS boot record sides Leave this option unchecked (disabled). Some boot records report an incorrect number of sides. Selecting this option fixes this on the client system. This is available only when you install the Drive Encryption extension.
Use Windows system drive as boot drive Leave this option unchecked (disabled). This option maintains compatibility with some systems where disk 0 is not the boot disk. Selecting it forces the client system to treat the disk that contains the Windows directory as the boot disk, rather than disk 0.
Enable Pre‑Boot Smart Check (BIOS-based systems only) Leave this option checked (enabled) only when needed. When you enable this feature, the Drive Encryption activation sequence gains a pre‑activation stage in which a series of hardware compatibility checks run before actual activation and encryption, so that Drive Encryption activates successfully on platforms where BIOS issues might exist.

This feature is available only for BIOS systems using PC software encryption, and is not available for UEFI or Opal systems.

Note: The client system reboots several times before the Smart Check is completed.
Force system restart once activation completes Leave this option checked (enabled) only when needed. This option is selected by default when you select the Enable Pre‑Boot Smart Check (BIOS based systems only) option, and it restarts the system after activation.
Opal This option requires all the drives in your client system to be Opal for the PC Opal encryption provider to be activated.
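Two of the settings described on this page depend on the client's disk layout: the Encryption tab note warns that a drive letter on the Windows 7 hidden system partition prevents activation, and Use Windows system drive as boot drive in this tab exists for systems where Windows is not on disk 0. The following PowerShell is an added example, not code from the McAfee guide or the Drive Encryption product: it inspects the partition table with the Windows Storage module and reports both conditions so they can be caught before activation. It assumes Windows 8 / Server 2012 or later (Get-Partition is not present on Windows 7) and an elevated session; the function name and the wording of the findings are this example's own.

```powershell
# Added example, not part of the McAfee guide: pre-activation disk layout checks
# for two pitfalls the policy tables call out:
#   1. a drive letter on the hidden system partition blocks activation
#      (Encryption tab, Selected Partitions note);
#   2. Windows living on a disk other than disk 0 needs "Use Windows system
#      drive as boot drive" (Encryption Providers tab).
# Assumes the Storage module (Windows 8 / Server 2012 or later) and an
# elevated session. Windows 7 clients lack Get-Partition; use diskpart there.

function Test-DriveEncryptionDiskLayout {
    [CmdletBinding()]
    param()

    $findings   = New-Object 'System.Collections.Generic.List[string]'
    $partitions = Get-Partition

    # In Windows terms the "system" partition holds the boot files (System
    # Reserved on BIOS disks, the EFI System Partition on UEFI ones) and is
    # normally hidden, i.e. it carries no drive letter.
    $systemParts = @($partitions | Where-Object { $_.IsSystem })
    if ($systemParts.Count -eq 0) {
        $findings.Add('No partition is flagged IsSystem; review the layout manually')
    }
    foreach ($p in $systemParts) {
        # DriveLetter is a [char]; an unassigned letter shows up as [char]0.
        if ($p.DriveLetter -and $p.DriveLetter -ne [char]0) {
            $msg = 'System partition (disk {0}, partition {1}) has drive letter {2}: remove the letter before activating Drive Encryption'
            $findings.Add($msg -f $p.DiskNumber, $p.PartitionNumber, $p.DriveLetter)
        }
    }

    # The "boot" partition is the one containing %SystemRoot%.
    $bootPart = $partitions | Where-Object { $_.IsBoot } | Select-Object -First 1
    if ($bootPart -and $bootPart.DiskNumber -ne 0) {
        $msg = 'Windows is on disk {0}, not disk 0: enable "Use Windows system drive as boot drive" for this system'
        $findings.Add($msg -f $bootPart.DiskNumber)
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SystemPartitions  = @($systemParts | ForEach-Object { 'disk{0}/part{1}' -f $_.DiskNumber, $_.PartitionNumber })
        WindowsDiskNumber = if ($bootPart) { $bootPart.DiskNumber } else { $null }
        Findings          = $findings.ToArray()
        Ok                = ($findings.Count -eq 0)
    }
}

Test-DriveEncryptionDiskLayout | Format-List
```

A clean result (Ok = True) means neither pitfall applies; a finding about the system partition should be fixed on the client before Drive Encryption is deployed, while a finding about the Windows disk number tells you which systems need the Use Windows system drive as boot drive option set in their assigned policy.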
Companion Devices tab
Policy Options Recommendations
Enable Companion Device Support Select this option to allow the user to perform system recovery using a smartphone or mobile device.
Note: The Companion Device application is now known as McAfee Endpoint Assistant.