Important information

The following information applies to this release.

TPM Enhanced PIN prompt reappears on upgrade from MNE 4.1.x to MNE 5.0.0

As part of the Windows client software upgrade to MNE 5.0.0, the end user might need to re-enter their PIN or Enhanced PIN. IT teams should consider communicating this message to end users before the upgrade.

Legacy MNE (version 4.1.5 and earlier) stores the type of authentication method applied to the system within the protector-friendly name. However, it does not distinguish between "TPM and PIN" and "TPM and enhanced PIN". If you check the BitLocker key protectors on the system, it is not clear whether the protector is TPM and PIN or TPM and enhanced PIN.

For this reason, when you install MNE 5.0.0 and try to apply TPM and enhanced PIN authentication, TPM and enhanced PIN cannot be applied. It is not possible to simply reuse the existing BitLocker key protectors that are currently in place on the system because it is not guaranteed that the correct protector is in place.

For details, see KB91243.
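To see before the upgrade which systems carry a TPM and PIN protector, and what its friendly name contains, the key protectors can be listed through the Win32_EncryptableVolume WMI class. The script below is an added example, not part of the McAfee documentation; the function name Get-KeyProtectorInventory and the IsTpmPin column are illustrative, and treating a TPM and PIN protector as a sign that the user may be asked for the PIN again is an assumption drawn from the text above.

```powershell
#Requires -RunAsAdministrator
# Added example (not McAfee code): inventory BitLocker key protectors per volume,
# showing the protector type Windows reports and the protector's friendly name.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values defined by Win32_EncryptableVolume (subset).
$typeNames = @{
    0 = 'Unknown';     1 = 'TPM';                 2 = 'External key'
    3 = 'Numerical password (recovery)';          4 = 'TPM and PIN'
    5 = 'TPM and startup key';                    6 = 'TPM, PIN and startup key'
    7 = 'Public key';  8 = 'Passphrase'
}

function Get-KeyProtectorInventory {
    Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume | ForEach-Object {
        $vol = $_
        # KeyProtectorType 0 asks for protectors of every type.
        $ids = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectors `
                -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        foreach ($id in $ids) {
            $arg  = @{ VolumeKeyProtectorID = $id }
            $type = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorType `
                     -Arguments $arg).KeyProtectorType
            $name = (Invoke-CimMethod -InputObject $vol -MethodName GetKeyProtectorFriendlyName `
                     -Arguments $arg).FriendlyName
            $label = $typeNames[[int]$type]
            if (-not $label) { $label = "Type $type" }
            [pscustomobject]@{
                Volume       = $vol.DriveLetter
                ProtectorId  = $id
                Type         = $label
                FriendlyName = $name
                # Assumption: a TPM and PIN protector marks a system whose user
                # may be asked to re-enter the PIN or Enhanced PIN on upgrade.
                IsTpmPin     = ([int]$type -eq 4)
            }
        }
    }
}

Get-KeyProtectorInventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the client; the Type and FriendlyName columns are the two places an administrator would look for the authentication method.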

Uninstall of MNE 5.0.0

From MNE version 5.0.0, MNE is uninstalled differently because of the way it manages security through system authentication on client systems. The McAfee ePO administrator should set the BitLocker management policy to Manage BitLocker > Turn off (Disable) BitLocker to make sure MNE can be uninstalled in any scenario.

See the Uninstallation Scenarios topic in the McAfee Management of Native Encryption Installation Guide for information about the different states that MNE might be in, depending on the system authentication methods enforced when you want to uninstall MNE. It gives further guidance on how MNE can be uninstalled from the system.

Improved policy user interface with advanced precedence order

For MNE client software 5.0.x and later, a new card-based precedence list under the System authentication tab allows the precedence order of protectors to be defined. Since the protector applied to any system is dependent on its operating system version and hardware capabilities, the precedence list is used to define the precedence order in which protectors are applied to the system.

If the highest precedence protector is not supported on the system, the next protector in the list is tried, and so on until a protector is found that is supported by the operating system or hardware.

For MNE client software 4.1.x and earlier, the legacy policy options remain in place under a separate System authentication (legacy) tab.

When you upgrade from MNE 4.1.x to MNE 5.0, the policy settings and precedence order under the System authentication tab are initialized from the existing legacy policy settings.

Note: In environments that include Windows 7 clients, and where System password is defined as the required (highest precedence) protector, it is recommended that you manually enable TPM and Shared PIN authentication types under the System authentication tab. This enables a Windows 7 system to fall back to TPM or Shared PIN because System password is not a supported protector type.
For details, see KB91317.