Complete Data Protection Support

Clean Install

McAfee defines a clean installation as a deployment where there are no elements of McAfee software pre-existing on the endpoint. See “Upgrades” if there is pre-existing software.

Review the supported environments documentation to ensure that the environment is compatible before deploying McAfee Drive Encryption:

Review the guides below for information about how to install McAfee Drive Encryption and for additional details regarding system requirements.

Offline Installation and Activation

To install and activate McAfee Drive Encryption on a system that has no network connectivity or no connection to McAfee ePO, you can create an offline activation package on the McAfee ePO server and distribute it to the required client system.


Upgrades

McAfee defines an upgrade as a deployment where a version of McAfee Drive Encryption already exists on the endpoint.

Review the guide below for information about how to install McAfee Drive Encryption and for additional details regarding system requirements.

If you are using McAfee Endpoint Encryption for PC (EEPC) 7.0.x, you must upgrade the extensions to EEPC 7.0 Patch 4 before initiating the upgrade process to McAfee Drive Encryption 7.2. To upgrade from EEPC 7.0.x, make sure to run through this Upgrade Checklist.

Windows 10 OS Upgrade/Update

Below are the paths to perform a Microsoft Windows 10 update, while maintaining the encrypted state, from operating systems prior to Windows 10.

Important: McAfee strongly recommends that customers upgrade to McAfee Drive Encryption 7.2.8 prior to any Windows 10 OS upgrade. See the following articles for additional information.

Configuration & Best Practices

The default settings for McAfee Drive Encryption typically require additional configuration and tuning for most environments. To get acquainted with the software, review the documentation below:

Additional documentation for other versions is available on the Business Product Documentation Portal. Additionally, review the following articles prior to a disaster recovery event for McAfee ePO:

Migration of Managed Encrypted Systems

There are two primary cases for migrating systems from one McAfee ePO instance to another.

Activation Issues

Activation failures are caused by various issues, ranging from not assigning a user to incompatible encryption products installed on the machine. Below are some of the more common issues, with how to resolve them and prevent them from occurring.

Note: The primary client log is located at C:\Program Files\McAfee\Endpoint Encryption Agent\MfeEpe.log.

Here is an easy search for most activation issue articles:

Disaster Recovery

McAfee Drive Encryption (DE) can be used on PCs running in UEFI or legacy BIOS (MBR) mode. Recovery is rarely needed, but various circumstances can require it. If a system requires a recovery with a recovery disk, there are two main types of recovery disks:

  • DETech: A single utility with several functions, often referred to as "DETech Standalone"
  • Optional DETech functionality included in a WinPE environment

Steps for creating DETech recovery disks are included in the DETech guides. Additionally, a script included in the DETech tools download can be used to create the DETech recovery disk in a more automated fashion, and EZ series tools can be used to further automate recovery disk creation.

Ensure that you download and use the proper tool(s) for your firmware type (UEFI or legacy BIOS), and choose the correct recovery disks for your encryption type (software encryption or OPAL hardware encryption).

The components necessary for these builds are available in the McAfee ePO software manager under the McAfee Drive Encryption product. Alternatively, you can download them from the Product Downloads page.

To create the recovery disk, use the DETech guide or the EZ series tools, a simple GUI-based set of tools. The tools have multiple functions and the actions can significantly alter the contents of the drive. Since each recovery scenario varies, McAfee recommends that you back up the drive by creating a sector-level clone of the disk prior to taking any action with DETech.

This cloning process can be completed with any third-party tool that creates a sector-level copy of the drive. It should be created using an identical disk to the one you need to recover. Additionally, McAfee recommends that you discuss your recovery needs with our Technical Support staff prior to taking any action.
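
One way to confirm that a sector-level clone matches the source disk before taking any DETech action, as an added example (not McAfee tooling and not code from this page). The 512-byte sector size, the function names and the sample data are assumptions constructed for illustration; in practice the two streams would be the source disk and the clone opened read-only.

```python
import hashlib
import io

SECTOR = 512  # assumed logical sector size; 4Kn drives use 4096


def compare_clone(src, dst, sector=SECTOR, chunk_sectors=2048):
    """Compare two binary streams sector by sector.

    Returns (source_sha256, mismatches) where mismatches is a list of
    inclusive (first_lba, last_lba) ranges that differ. A clone shorter
    or longer than the source shows up as mismatched trailing sectors.
    """
    digest = hashlib.sha256()
    mismatches = []
    lba = 0
    size = sector * chunk_sectors
    while True:
        a, b = src.read(size), dst.read(size)
        if not a and not b:
            break
        digest.update(a)
        if a != b:  # only walk individual sectors inside a differing chunk
            for off in range(0, max(len(a), len(b)), sector):
                if a[off:off + sector] == b[off:off + sector]:
                    continue
                cur = lba + off // sector
                if mismatches and mismatches[-1][1] == cur - 1:
                    mismatches[-1] = (mismatches[-1][0], cur)  # extend range
                else:
                    mismatches.append((cur, cur))
        lba += chunk_sectors
    return digest.hexdigest(), mismatches


# Constructed sample data: an 8-sector "disk" and three candidate clones.
SOURCE = bytes(range(256)) * 2 * 8
GOOD = SOURCE
CORRUPT = bytearray(SOURCE)
CORRUPT[5 * SECTOR + 10] ^= 0xFF   # flip a byte in sector 5
CORRUPT[6 * SECTOR] ^= 0x01        # and one in sector 6
TRUNCATED = SOURCE[:7 * SECTOR]    # clone that stopped one sector early


def check(clone):
    return compare_clone(io.BytesIO(SOURCE), io.BytesIO(bytes(clone)), chunk_sectors=4)


if __name__ == "__main__":
    for name, clone in [("good", GOOD), ("corrupt", CORRUPT), ("truncated", TRUNCATED)]:
        sha, bad = check(clone)
        print(name, "OK" if not bad else f"MISMATCH at LBA ranges {bad}", sha[:16])
```

Record the source hash alongside the clone so the copy can be re-verified later without reading the original disk again.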

Incorrect actions completed with the DETech utility can have adverse effects ranging in severity, including total data loss.

View the guides below for additional information:

Common Recovery Actions

  • Emergency Boot — An emergency boot, also referred to as an e-boot, is used to get past an erroneous McAfee Drive Encryption preboot environment (PBA). Once in the operating system, it sets the client in a recovery mode that then attempts to rebuild the McAfee Drive Encryption boot components and PBA.
  • Remove DE — Remove DE decrypts the volumes, assuming the proper McAfee Drive Encryption disk information is available. It reverts the boot sequence to the Windows boot sequence, deactivating McAfee Drive Encryption. It does not remove the McAfee Drive Encryption client software.
  • Force crypt sectors — Commonly referred to as a "force decryption," this is the least preferred option. Rather than using McAfee Drive Encryption disk information, it manually completes the crypt action on the disk in accordance with the information that you supply to the utility. In the event a force decryption is necessary, the best practices for manually decrypting an encrypted hard disk with McAfee Drive Encryption can be found in KB 66433.

Hard Disk Failure

If there is a disk failure, the McAfee Drive Encryption recovery disk may not be able to complete the necessary actions for recovery. If you use a third-party data recovery solution, review KB 68164 for best practices for sending an encrypted drive to a third-party hardware recovery service.