Complete Data Protection Support

Clean Install

McAfee defines a clean installation as a deployment where there are no elements of McAfee software pre-existing on the endpoint. See “Upgrades” if there is pre-existing software.

Review the supported environments documentation to ensure that the environment is compatible before deploying McAfee Drive Encryption:

Review the guides below for information about how to install McAfee Drive Encryption and for additional details regarding system requirements.

Offline Installation and Activation

To install and activate McAfee Drive Encryption on a system that has no network connectivity or no connection to McAfee ePO, you can create an offline activation package on the McAfee ePO server and distribute it to the required client system.


Upgrades

McAfee defines an upgrade as a deployment where a version of McAfee Drive Encryption already exists on the endpoint.

Review the guide below for information about how to install McAfee Drive Encryption and for additional details regarding system requirements.

If you are using McAfee Endpoint Encryption for PC (EEPC) 7.0.x, you must upgrade the extensions to EEPC 7.0 Patch 4 before initiating the upgrade process to McAfee Drive Encryption 7.2. To upgrade from EEPC 7.0.x, make sure to run through this Upgrade Checklist.

Windows 10 OS Upgrade/Update

Below are the paths to perform a Microsoft Windows 10 update, while maintaining the encrypted state, from operating systems prior to Windows 10.

Important: McAfee strongly recommends that customers upgrade to McAfee Drive Encryption 7.2.8 prior to any Windows 10 OS upgrade. See the following articles for additional information.

Configuration & Best Practices

The default settings for McAfee Drive Encryption typically require additional configuration and tuning for most environments. To get acquainted with the software, review the documentation below:

Additional documentation for other versions is available on the Business Product Documentation Portal. Additionally, review the following articles prior to a disaster recovery event for McAfee ePO:

Migration of Managed Encrypted Systems

There are two primary cases for migrating systems from one McAfee ePO instance to another.

Activation Issues

Activation failures are caused by various issues, ranging from not assigning a user to incompatible encryption products installed on the machine. Below are some of the more common issues, with guidance on how to resolve them and prevent them from occurring.

Note: The primary client log is located at C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log.

Here is an easy search for most activation issue articles:

Disaster Recovery

McAfee Drive Encryption (DE) can be utilized on PCs running in UEFI or legacy BIOS (MBR) mode. The need for recovery is rare but various circumstances can result in the need for recovery. If a system requires a recovery with a recovery disk, there are two main types of recovery disks:

  • DETech: A single utility with several functions, often referred to as "DETech Standalone"
  • Optional DETech functionality included in a WinPE environment

Steps for creating DETech recovery disks are included in the DETech guides. Additionally, a script included in the DETech tools download can be used to create the DETech disk in a more automated fashion, and the EZ series tools can be used to further automate recovery disk creation.

Ensure that you download and use the proper tool(s) for your firmware type (UEFI or legacy BIOS), and choose the correct recovery disks for your encryption type (software encryption or OPAL hardware encryption).

The components necessary for these builds are available in the McAfee ePO software manager under the McAfee Drive Encryption product. Alternatively, you can download them from the Product Downloads page.

To create the recovery disk, use the DETech guide or the EZ series tools, a simple GUI-based set of tools. The tools have multiple functions and the actions can significantly alter the contents of the drive. Since each recovery scenario varies, McAfee recommends that you back up the drive by creating a sector-level clone of the disk prior to taking any action with DETech.

This cloning process can be completed with any third-party tool that creates a sector-level copy of the drive. It should be created using an identical disk to the one you need to recover. Additionally, McAfee recommends that you discuss your recovery needs with our Technical Support staff prior to taking any action.

Incorrect actions completed with the DETech utility can have adverse effects ranging in severity, including total data loss.

View the guides below for additional information:

Common Recovery Actions

  • Emergency Boot — An emergency boot, also referred to as an e-boot, is used to get past an erroneous McAfee Drive Encryption preboot environment (PBA). Once in the operating system, it sets the client in a recovery mode that then attempts to rebuild the McAfee Drive Encryption boot components and PBA.
  • Remove DE — Remove DE decrypts the volumes, assuming the proper McAfee Drive Encryption disk information is available. It reverts the boot sequence to the Windows boot sequence, deactivating McAfee Drive Encryption. It does not remove the McAfee Drive Encryption client software.
  • Force crypt sectors — Commonly referred to as a "force decryption," this is the least preferred option. Rather than using McAfee Drive Encryption disk information, it manually completes the crypt action on the disk in accordance with information that you supply to the utility. In the event a force decryption is necessary, the best practices for manually decrypting an encrypted hard disk with McAfee Drive Encryption can be found in KB 66433.

Hard Disk Failure

If there is a disk failure, the McAfee Drive Encryption recovery disk may not be able to complete the necessary actions for recovery. If you use a third-party data recovery solution, review KB 68164 for best practices for sending an encrypted drive to a third-party hardware recovery service.

Root Certificate Expiration

The McAfee product line uses TLS for secure communication. Two certificates validate McAfee TLS chains, including a primary expiring in 2038 and a secondary expiring on May 30, 2020. If either certificate, or both, are present in your environment, TLS will function correctly prior to May 30, 2020. After May 30, 2020, only the primary certificate will be valid. Out of an abundance of caution, McAfee is informing customers of this impending event.

Generally, certificates are auto-updated through operating systems and customers will not be impacted. However, in environments where automatic management of root certificates is disabled and the primary certificate has not been manually deployed, customers will potentially be impacted. KB92937 provides information on how to verify and install the primary certificate.

Failure to have a valid certificate will cause product issues including reduced detection efficacy.

The primary certificate that needs to be validated in a customer's environment is as follows:

Subject : CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, S=New Jersey, C=US
Thumbprint : 2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Expiration : 2038-01-18

Subscribe to KB92937 to receive updates.
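
One way to check an endpoint for the primary certificate listed above, as an added example (not McAfee's code and not the KB92937 procedure). It assumes Windows PowerShell run on the endpoint; the function names are hypothetical, and the `DisableRootAutoUpdate` registry value is the standard Windows policy setting for turning off automatic root certificate updates.

```powershell
# Added example: confirm the primary root certificate from this page is trusted locally.
$Thumbprint = '2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E'   # thumbprint as given on this page
$ExpectedCN = 'CN=USERTrust RSA Certification Authority'    # subject CN as given on this page
$Stores     = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

# Hypothetical helper: look the thumbprint up in each machine trust store.
function Test-PrimaryRoot {
    param([string]$Thumbprint, [string]$ExpectedCN, [string[]]$Stores)
    foreach ($store in $Stores) {
        $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $Thumbprint } |
                Select-Object -First 1
        if (-not $cert) { continue }
        [pscustomobject]@{
            Store        = $store
            Subject      = $cert.Subject
            NotAfter     = $cert.NotAfter
            SubjectMatch = $cert.Subject.StartsWith($ExpectedCN)
            Unexpired    = (Get-Date) -lt $cert.NotAfter
        }
    }
}

# Hypothetical helper: is automatic root certificate update disabled by policy?
function Get-RootAutoUpdateDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $val = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.DisableRootAutoUpdate -eq 1)
}

$found   = @(Test-PrimaryRoot -Thumbprint $Thumbprint -ExpectedCN $ExpectedCN -Stores $Stores)
$autoOff = Get-RootAutoUpdateDisabled

if ($found.Count -eq 0) {
    Write-Warning "Primary root $Thumbprint not found in the machine trust stores."
    if ($autoOff) {
        Write-Warning 'Automatic root update is disabled by policy; the certificate must be deployed manually (see KB92937).'
    }
    exit 1
}

$found | Format-Table -AutoSize
# A thumbprint hit with the wrong subject or an expired date should be investigated.
if ($found | Where-Object { -not ($_.SubjectMatch -and $_.Unexpired) }) { exit 2 }
```

Exit code 1 means the certificate is missing and exit code 2 means a thumbprint match whose subject or validity date does not agree with the values above, so the script can be used as a compliance check in a deployment tool.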
