McAfee KB84419: Windows 10 compatibility with McAfee products

McAfee KB84419: Windows 10 compatibility with McAfee products

Environment

Multiple McAfee business and enterprise products

Microsoft Windows 10 (version 1507)
Microsoft Windows 10 (version 1511) - November Update (Threshold 2, first update)
Microsoft Windows 10 (version 1607) - Anniversary Update (Redstone 1 [RS1], second update)
Microsoft Windows 10 (version 1703) - Creators Update (Redstone 2 [RS2], third update)
Microsoft Windows 10 (version 1709) - Fall Creators Update (Redstone 3 [RS3], fourth update)

NOTE: This article applies only to McAfee business and enterprise products. If you need information or support for McAfee consumer or small business products, visit https://service.mcafee.com.

Summary

McAfee is committed to supporting the Microsoft release cadence for Windows 10 and is working closely with Microsoft to ensure that McAfee security software and hardware products are fully compatible with Windows 10 endpoints.

To ensure release quality, all new releases that Microsoft publishes for Windows 10 require full validation by the individual product teams. The McAfee goal is to add zero-day support for all Windows 10 releases over time for those products that do not currently offer this cadence.

NOTE: Late-breaking changes implemented by Microsoft to a release, or any unresolved compatibility issues raised by McAfee with Microsoft around a scheduled release, could lead to schedule changes that will be documented and updated in this article.

Recent updates to this article

Date	Comments
Oct 30, 2017	Updated products RTS information for Windows 10 Fall Creators Update (RS3) support.
Oct 25, 2017	Update to Application and Change Control for Fall Creators Update, to reflect support included with version 7.0.1-462 (HF6).
Oct 23, 2017	Updated details about McAfee product support for Microsoft Windows 10 (version 1709) - Fall Creators Update. Changed Management of Native Encryption 4.1.1 to 4.1.2 (Q4 2017) in the Windows 10 (Version 1709) Fall Creators Update column.
Oct 17, 2017	Updated details about McAfee product support for Microsoft Windows 10 (version 1709) - Fall Creators Update. Moved content for Windows 10 versions 1507 and 1511 to a second table in the Related Information section.
Oct 10, 2017	Corrected a typo in the Security Management Products section (Windows 10 Fall Creators Update column) for McAfee Agent (MA). MA 5.0.6 was included twice. Changed to MA 5.0.5 and 5.0.6.
Sep 25, 2017	Added to footnote 2 for support with Drive Encryption.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged in to subscribe.

NOTES:

• Future release dates are subject to change.
  NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
• RTW = Released To World
• RTS = Released To Support, also called Managed Release. Contact your Technical Account Manager (TAM) or Support Account Manager (SAM) to participate in a Managed Release program.
• For details about Service Packs, patches, hotfixes, maintenance releases, and the patch release cycle, see KB51560.
• For details about a support statement for verifying and validating Microsoft patches, see KB50473.

Compatibility with Windows 10 Versions 1607, 1703, and 1709

McAfee Products	Windows 10  (Version 1607) Anniversary Update4	Windows 10  (Version 1703) Creators Update 5	Windows 10 (Version 1709) Fall Creators Update McAfee Products Status RTS
	Minimum Supported McAfee Product Version
Endpoint Protection Products 1
Active Response	1.1.0.212	2.0 2.01	2.0.1
Application and Change Control	7.0.1	8.0.x	8.0.x
Data Loss Prevention Endpoint (DLP Endpoint)	11.0 10.0.100 9.4.230 9.3.630	11.0 10.0.250 9.4.300	11.0.130 (RTS)8
			10.0.330 (RTS)8
Endpoint Security (ENS)	10.2 10.1.2	10.2.1 10.5.1	10.2.2 (RTS)8
			10.5.3 (RTS)8
ENS - Advanced Threat Protection (ATP)	10.5.1	10.5.2	10.5.3 (RTS)8
Host Intrusion Prevention (Host IPS)	8.0 Patch 8	8.0 Patch 9	8.0 Patch 10 (RTS)8
SiteAdvisor Enterprise (SAE)	3.5 Patch 5	3.5 Patch 5	3.5 Patch 5
Threat Intelligence for Endpoint Security Client	10.1 Patch 2 10.2	10.2.2	10.2.3
Threat Intelligence Exchange (TIE) Module for VSE	1.0.2	1.0.2	n/a
VirusScan Command Line Scanner	6.1.0	6.1.0	6.1.0
VirusScan Enterprise (VSE)	8.8.0 Patch 8	8.8 Patch 9	8.8 Patch 10 (RTS)8
Database Security Products
Database Activity Monitoring (Standalone Management)	4.6.0	n/a	n/a
Database Activity Monitoring (ePO Management)	5.2.0	n/a	n/a
Vulnerability Manager for Databases (Standalone Management)	4.6.0	n/a	n/a
Vulnerability Manager for Databases (ePO Management)	5.2.0	n/a	n/a
Data Center Protection Products
Management for Optimized Virtual Environment (MOVE) Multi-platform	4.0 3.6.1	4.5	4.6
Data Protection Products
Drive Encryption (DE) 2, 3	7.2.0 7.1.3 HF1148978	7.2.1	7.2.2 (RTS)8
File and Removable Media Protection (FRP) 3	5.0.1 HF1150417 5.0.2	5.0.3 6	5.0.4 (RTS)8
Management of Native Encryption (MNE)	4.1.0	4.1.1	4.1.1 4.1.2 (RTS)8
Security Management Products
Data Exchange Layer (DXL)	2.0.1	3.1.0	4.0 (RTS)8
ePO Deep Command 7	Pending Update	n/a	n/a
McAfee Agent (MA)	5.0.4 4.8.0 Patch 3	5.0.5 4.8.0 Patch 3	5.0.5 5.0.6 4.8.0 Patch 3
Policy Auditor Agent (PA)	6.2.0.309	6.2.2	6.3
Rogue System Detection	5.0.4	5.0.5	5.0.5
Web Protection
McAfee Client Proxy (MCP)	2.1.0.177	2.3	2.3.2 (RTS)8

n/a = not available
HF = hotfix
TBD = To be Decided

1	SaaS Endpoint Protection 6.0 does not support Microsoft Windows 10.0. If you try to install Windows 10.0 while running SaaS Endpoint Protection 6.0, it asks you to uninstall it. If you are running SaaS Endpoint Protection 6.0, uninstall it and install ENS 10.0. ENS 10.0 Patch 1 supports Windows 10.0.
2	IMPORTANT: Zero-day in-place upgrade to Windows 10 is fully supported with DE 7.2.1 and later, by running setup.exe (no need for scripts or command-line arguments), when setup.exe is initiated from the Microsoft WSUS mechanism. For DE 7.1.3 and 7.2.0 and later, reflect drivers parameter must be used when executing setup.exe directly. For Windows Anniversary Update (Version 1607) only, see KB87909. For Windows 10 Creators Update (Version 1703) and later, see KB89000. If the organization administrator runs the setup.exe directly, setup.exe must include the additional command-line options.   In-place upgrade to Windows 10 (versions 1507 and 1511) with DE 7.1 Patch 3 (7.1.3) or FRP 5.0.1 installed is supported, but requires specific steps to be taken as part of the Windows 10 upgrade for it to be successful. For details, see the required article: For detailed instructions and sample scripts that can be tailored to suit the customer environment for DE, see KB84962. For detailed instructions for FRP, see KB87550.   DEGO deployment to Windows 10 clients fails. This is resolved by installing DE 7.1 Patch 3 Hotfix 1087719 (build 7.1.3.554) or later. For details, see KB85514.
3	For information about support for Device Guard with DE and FRP, see KB86009.
4	KB87536 (Incompatibility between the Windows 10 Anniversary Update and multiple McAfee products) has been redirected to this article because KB87536 became obsolete. Windows 10 Anniversary Update now performs the needed upgrade and installation checks to ensure that no incompatible McAfee product versions can be installed or present, and blocks the upgrade if they are present.
5	CAUTION: If Device Guard or Credential Guard is enabled on a Windows 10 Creators Update 64-bit system, you must ensure that Microsoft KB4016251 is installed on the system before you install McAfee products. For more information, see KB89029.
6	A minimum Windows 10 Creators Update Version 1703 (OS build 15063.250) is required for support with FRP 5.0.3. For more information, see the Microsoft article KB4016240 https://support.microsoft.com/en-gb/help/4016240/windows-10-update-kb4016240 WARNING: Installation or upgrade with earlier builds of Windows 10 Creators Update fails.
7	ePO Deep Command reaches End of Life (EOL) on April 10, 2018. See KB88454 for details.
8	For customers who want to participate in a RTS/Managed Release program, contact your Technical Account Manager (TAM) or Support Account Manager (SAM).

NOTE: Additional information regarding Windows 10 support for McAfee products will use standard McAfee communication methods including the Support Notification Service (SNS).

To receive information about McAfee product updates, sign up for the Support Notification Service athttps://sns.secure.mcafee.com/signup_login.

Related Information

Windows 10 devices running version 1507 and 1511 will no longer receive security and quality updates. Microsoft recommends updating devices to the latest version of Windows 10.

Compatibility with Windows 10 Versions 1507 and 1511

McAfee Products	Windows 10 (Version 1507) Release To World	Windows 10 (Version 1511) November Update
	Minimum Supported McAfee Product Version
Endpoint Protection Products 1
Active Response	1.1.0  HF1.1.0.161	1.1.0  HF1.1.0.161
Application and Change Control	7.0	7.0
Data Loss Prevention Endpoint (DLP Endpoint)	11.0 10.0 9.4 Patch 1 9.3 Patch 6	11.0 10.0 9.4 Patch 1 9.3 Patch 6
Endpoint Security (ENS)	10.0.1 (patch) 10.1 (major release)	10.0.1 (patch) 10.1 (major release)
ENS - Advanced Threat Protection (ATP)	10.5.1	10.5.1
Host Intrusion Prevention (Host IPS)	8.0.0 Patch 6	8.0.0 Patch 6
SiteAdvisor Enterprise (SAE)	3.5 Patch 4 4	3.5 Patch 4 4
Threat Intelligence for Endpoint Security Client	10.1	10.1
Threat Intelligence Exchange (TIE) Module for VSE	1.0.1	1.0.1
VirusScan Command Line Scanner	6.0.6	6.0.6
VirusScan Enterprise (VSE)	8.8.0 Patch 6	8.8.0 Patch 6
Database Security Products
Database Activity Monitoring (Standalone Management)	4.4.9	4.4.9
Database Activity Monitoring (ePO Management)	5.1.3 Patch 2	5.1.3 Patch 2
Vulnerability Manager for Databases (Standalone Management)	4.4.9	4.4.9
Vulnerability Manager for Databases (ePO Management)	5.1.3 Patch 2	5.1.3 Patch 2
Data Center Protection Products
Management for Optimized Virtual Environment (MOVE) Multi-platform	3.6.1	3.6.1
Data Protection Products
Drive Encryption (DE) 2, 5	7.1 Patch 3 (7.1.3)	7.1.3
File and Removable Media Protection (FRP) 5	5.0.x 4.3.1 HF1062118 3	5.0.x 4.3.1 HF1062118 3
Management of Native Encryption (MNE)	3.0.0	3.0.0
Security Management Products
Data Exchange Layer (DXL)	2.0.0	2.0.1 Patch 1
ePO Deep Command 6	2.4	2.4
McAfee Agent (MA)	5.0.2 4.8.0 Patch 3	5.0.2 4.8.0 Patch 3
Policy Auditor Agent (PA)	6.2.0.309	6.2.0.2309
Rogue System Detection	5.0.3	5.0.3
Web Protection
McAfee Client Proxy (MCP)	2.1	2.1

1	SaaS Endpoint Protection 6.0 does not support Microsoft Windows 10.0. If you try to install Windows 10.0 while running SaaS Endpoint Protection 6.0, it asks you to uninstall it. If you are running SaaS Endpoint Protection 6.0, uninstall it and install ENS 10.0. ENS 10.0 Patch 1 supports Windows 10.0.
2	IMPORTANT: Zero-day in-place upgrade to Windows 10 is fully supported with DE 7.2.1 and later, by running setup.exe (no need for scripts or command-line arguments), when setup.exe is initiated from the Microsoft WSUS mechanism. For DE 7.1.3 and 7.2.0 and later, reflect drivers parameter must be used when executing setup.exe directly. For Windows Anniversary Update (Version 1607) only, see KB87909. For Windows 10 Creators Update (Version 1703) and later, see KB89000. If the organization administrator runs the setup.exe directly, setup.exe must include the additional command-line options.   In-place upgrade to Windows 10 (versions 1507 and 1511) with DE 7.1 Patch 3 (7.1.3) or FRP 5.0.1 installed is supported, but requires specific steps to be taken as part of the Windows 10 upgrade for it to be successful. For details, see the required article: For detailed instructions and sample scripts that can be tailored to suit the customer environment for DE, see KB84962. For detailed instructions for FRP, see KB87550.   DEGO deployment to Windows 10 clients fails. This is resolved by installing DE 7.1 Patch 3 Hotfix 1087719 (build 7.1.3.554) or later. For details, see KB85514.
3	For details about FRP 4.3.1 HF1062118, see KB84829. This hotfix is available on the Product Downloads site as a separate item on the FRP 4.3.1 download page.
4	SAE 3.5 Patch 4 HF1076106 adds support for Mozilla Firefox.
5	For information about support for Device Guard with DE and FRP, see KB86009.
6	ePO Deep Command reaches End of Life (EOL) on April 10, 2018. See KB88454 for details.

- Link:

- wong chee tat :)

McAfee KB66616: ePolicy Orchestrator server backup and disaster recovery procedure

McAfee KB66616: ePolicy Orchestrator server backup and disaster recovery procedure

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

This article provides information on the backup and disaster recovery process for ePO servers.

IMPORTANT:

• This procedure is intended for use by network and ePO administrators only. McAfee does not assume responsibility for any damage incurred because it is intended as a guideline for disaster recovery. All liability for use of the following information remains with the user.
• It is preferable to use the built-in Disaster Recovery feature and use these steps only if a valid Snapshot was not created and a manual recovery is required. For information about the Disaster Recovery feature, see the "Restoring McAfee ePO" section of the ePolicy Orchestrator Installation Guide.
• If you are migrating from a 32-bit to a 64-bit operating system, or installing ePO to a different path, you must follow the instructions in KB71078 instead.

NOTES:

• The agent uses either the last known IP address, DNS name, or NetBIOS name of the ePO server. If you change any one of these, ensure the agents have a way to locate the server. The easiest way to do this is to retain the existing DNS record and change it to point to the new IP address of the ePO server. After the agent is able to successfully connect to the ePO server, it downloads an updated SiteList.xml with the current information.
• You can also use this procedure if you want to migrate the ePO server to another system, though it is preferable to use the built-in Disaster Recovery feature to migrate the ePO server to another system.

Preparation
To ensure a smooth recovery, do not perform a backup while the server is in the process of installing an extension.

Before backing up

If possible, shut down the McAfee ePolicy Orchestrator Application Server service (Tomcat) entirely when performing the backup. Otherwise, ensure that no one is performing the following actions during the backup:

• Installing, uninstalling, or upgrading an extension
• Updating the ePO database configuration 

Backing up the ePO server

1. Use the following documents to back up the SQL database (normally named ePO_<ServerName>, where the <ServerName> is your ePO server name):
   • See article KB52126 for details on backing up the ePO database using SQL Server Management Studio.
   • See article KB59562 for details on backing up the ePO database using OSQL commands.
      
2. You must also back up the following folder paths:
   NOTE: The default 64-bit installation paths are listed below; however, your installation might differ (for example, the default 32-bit installation path is C:\Program Files\McAfee\ePolicy Orchestrator).

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
The default path to ePO software extension information.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
The default path to required files used by the ePO software extensions.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
These keys are for ePO agent-server communication and the repositories.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
All products that have been checked into the Master Repository are located here.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
The agent-to-server communication and Repository Keys that are unique to your installation are located here. Failing to restore this folder will result in all client systems being unable to communicate with the server, and you will have to redeploy the agent to all systems. Additionally, you will have to check in all deployable packages again.

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
The server configuration settings for Apache, the SSL certificates needed to authorize the server to handle agent requests, and console certificates are located here.

NOTE: Failure to back up and restore these directory structures will require a re-installation of ePO to create new ones and possibly require a clean database installation and redeployment of agents to all client systems.

Recover the ePO server

1. Delete the ePO database on the SQL server. If you do not know how to perform the MSSQL operation, refer to http://technet.microsoft.com/en-us/library/ms177419.aspx or contact Microsoft Support.
    
2. If restoring ePO to the same system, uninstall ePO. Ensure that there is no ePolicy Orchestrator folder in the original installation path after the software is uninstalled.
   
   NOTE: Renaming the existing ePO folder and leaving the old directory in place may interfere with the new installation; therefore, we recommend that you remove the old directory completely.
    
3. Re-install ePO to the same version and patch level as the server you are restoring.
   
   NOTE: You can verify the ePO patch level by looking at the Version field in the backed up Server.ini file (C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\) and cross-referencing it with article KB59938.
   
   IMPORTANT: You must re-install ePO to the exact same directory path as the previous installation for this article to apply (or the initialization of extensions will fail when the restore is complete). If the installation path is different, follow the steps in article KB71078 instead.
    
4. Apply any additional patches/hotfixes/POCs to ePO that had been previously applied. If you have previously installedPolicy Auditor 6.2 for use with ePO, install the same version of Policy Auditor (including any hotfix releases) that had been installed before.
    
5. Stop and disable all ePO services:
    
   1. Click Start, Run, type services.msc, and click OK.
       
   2. Right-click each of the following services and select Stop:
      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
       
   3. Double-click each of the following services and change Startup type to Disabled:
      McAfee ePolicy Orchestrator Application Server
      McAfee ePolicy Orchestrator Event Parser
      McAfee ePolicy Orchestrator Server
        
6. Restore the database. See article KB52126 for details on restoring the ePO database using SQL Server Management Studio.
   NOTE: Restore the database so that you do not require the ePO database configuration to be updated (for example, same name, host, port, and so on). Otherwise, you must update the restored DB.PROPERTIES file in C:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\orion with the new information before starting the server.
7. Rename the following folders (for example, rename the extensions folder to extensions_old), and then replace them with the corresponding folders that were backed up earlier in step 2:
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\extensions
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Keystore
   C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf
    
8. Start only the McAfee ePolicy Orchestrator Application Server service. 
    
9. Access the core/config page of ePO and re-enter the DB credentials if you are using ePO 5.3 or later, or if you are unable to access the ePO console. See KB69850 for detailed instructions on how to access the core\config page and update the DB credentials if needed.
    
10. Attempt to log on to the ePO console. If you are unable to log on, review all the steps performed in this article and ensure they have been properly completed. If you cannot resolve the console logon issue, contact Technical Support for further assistance before proceeding.
     
    
    For Technical Support contact details:
    Go to http://www.mcafee.com/us/about/contact-us.aspx#ht=tab-techsupport and select your country from the drop-down list. 
    
    Alternatively:
    Log in to the ServicePortal at https://support.mcafee.com:
    • If you are a registered user, type your User Id and Password, and click Log In.
    • If you are not a registered user, click Register and complete the required fields. Your password and login instructions will be emailed to you.
    
     
    NOTE: You must be able to log on for the rest of the recovery steps to work.
      
11. Rename the SSL.CRT folder (see path below) to SSL.CRT.OLD and manually create an empty folder named SSL.CRT in the same path; otherwise the setup will fail to create a new certificate: 
     
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
      
12. Click Start, type cmd in the search field, right-click, and select Run as administrator.
     
13. Change directories to your ePO installation directory.
    Default paths:
     
    64-bit: Program Files (x86)\McAfee\ePolicy Orchestrator\
    32-bit: Program Files\McAfee\ePolicy Orchestrator\
       
14. Run the following command:
     
    Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
     
    where:
     
    <ePO_server_name> is your ePO server NetBIOS name
    <console_HTTPS_port> is your ePO console port (default is 8443)
    <admin_username> is admin (use the default ePO admin console account)
    <password> is the password to the ePO admin console account
    <installdir\Apache2\conf\ssl.crt> is your installation path to the Apache folder; Default installation path:
     
    64-bit: "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    32-bit: "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
     
    Example
    Rundll32.exe ahsetup.dll RunDllGenCerts eposervername 8443 administrator password "C:\Program Files\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
    IMPORTANT:
    • This command will fail if you have enabled User Account Control (UAC) on this server. If the server is running Windows Server 2008 or later, disable this feature. You can find more information about UAC at: http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx.
    • This command is case-sensitive. The ahsetup.log (found in <installdir\Apache2\conf\ssl.crt>) provides information about whether the command succeeded or failed and will state whether it used the files located in the ssl.crt folder.
       
15. Start the following services:
     
    McAfee ePolicy Orchestrator Event Parser 
    McAfee ePolicy Orchestrator Server
       
16. Look in the DB/logs/server.log to ensure that the Agent Handler (Apache server) started correctly. It should state something similar to the following:
     
    20090923173647        I           #4108  NAIMSRV      ePolicy Orchestrator server started.
     
    If it does not, there will be an error similar to the following: 
     
    20090923173319       E          #4736  NAIMSRV      Failed to get server key information. 

- Link

 - wong chee tat :)

KB89833 - End of Life for Drive Encryption 7.1.x

KB89833 - End of Life for Drive Encryption 7.1.x

Environment

McAfee Drive Encryption (DE)  7.1.x

For details of DE supported environments, see KB79422.  

Summary

This support statement is provided by the Product Management Team. 

McAfee announces End of Sale (EOS) and End of Life (EOL) for Drive Encryption  7.1.x

• On January, 31, 2018, DE 7.1.x will reach the EOS stage. As of this date this product will not be available for purchase.
• On June, 30, 2019, DE 7.1.x  will reach the EOL stage. As of this date McAfee will no longer provide technical support for these versions.

We strongly recommend that customers who are still using the DE 7.1.x release should upgrade to the latest version of the product to ensure continued support.

To identify the latest DE release, refer to the supported environments article in the environment field above.

Related Information

For product lifecycle details, see the McAfee Product and Technology Support Lifecycle page at:http://www.mcafee.com/us/support/support-eol.aspx.

For EOL policy details, see the Enterprise Products End-of-Life policy at:http://www.mcafee.com/common/media/mcafeeb2b/support/terms/Support_Policy-Product_Support_EOL.pdf.

Definitions

End-of-Life period	The timeframe that runs from the day McAfee announces product discontinuation until the last date that the product is formally supported by McAfee. In general, after the EOL period is announced, no enhancements are made.
End-of-Life date	The last day that the product is supported according the terms of the McAfee standard support offering.

- wong chee tat :)

McAfee KB71825: ePolicy Orchestrator installation/patch upgrade checklist for known issues

Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Summary

The following is a checklist for known issues with full product installations and patch upgrades for ePO.

IMPORTANT: It is necessary to follow each step in this document exactly as it appears to reduce the chance of an upgrade or migration failure.

Contents:

Getting Started	Important Knowledge Base articles to review before starting your upgrade.
ePO Server Pre-Check	Tasks to perform on the ePO server.
Database Pre-Check	Tasks to perform in SQL Management Studio and on the SQL database.
General Considerations	Best practices that should be completed before starting the setup.

Getting Started

Review the supported upgrade paths for ePO
See KB86693 for a list of supported upgrade paths.

Review the product or patch release notes for new features
Click here for a list of ePO release notes.

Review the product or patch known issues articles
Review the articles to understand both general known issues and upgrade-related known issues. Click here for a list of ePO known issues articles.

Back up your ePO server
For more information, see KB66616 and follow the steps in the "Backing up the ePO server" section.

Back to Contents

ePO Server Pre-Check

Perform the following steps on servers that have ePO installed.

Ensure that the ePO server has enough hard disk space for the upgrade:

• System temp drive: Requires 2 GB or more of free disk space.
• ePO installation drive: Could require up to three times the size of the McAfee\ePolicy Orchestrator folder or 20 GB, whichever is greater.
  
  NOTE: If the ePO server is installed on the same drive as the system temp folder, and the ePO installation directory is 15 GB in size, the required available hard disk space in the C drive will be more than 45 GB to account for the system temp folder. In that scenario, you would need 15 GB X 3 + 2 GB = 47 GB of free space. In the same scenario, if the ePO installation directory is 2 GB in size, the minimum size requirement means that the drive must have 20 GB + 2 GB = 22 GB of free space.

(Optional) Reduce the drive space requirement by purging log files and temp files from the ePO installation directory prior to upgrading:

1. Stop the ePO services:
   1. Press Windows+R, type services.msc, and click OK.
   2. Right-click the following services and select Stop:
      
      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser
       
2. Delete the files in the following folders:
   IMPORTANT: Do not delete the folders. Delete only the files within these folders.
   • <epo_installation_directory>\Server\Temp
   • <epo_installation_directory>\Server\Logs
   • <epo_installation_directory>\DB\Logs
   • <epo_installation_directory>\Apache2\Logs
      
3. Start the ePO services:
   1. Press Windows+R, type services.msc, and click OK.
   2. Right-click the following services and select Start:
      
      McAfee ePolicy Orchestrator x.x.x Application Server
      McAfee ePolicy Orchestrator x.x.x Server
      McAfee ePolicy Orchestrator x.x.x Event Parser
       

Ensure the id="orion.server.https" attribute is not missing from server.xml (required only when upgrading from ePO 4.x to 5.x): 
See KB78121 to determine whether the id="orion.server.https" attribute is missing from the server.xml file. The article contains instructions to add id="orion.server.https" to the list of attributes if it is missing.

Disable run immediately client tasks: 
When the McAfee Agent extension is upgraded in ePO, previously executed tasks that are configured to "Run Immediately" execute again on the next agent-to-server communication. This can cause various products to be redeployed to clients. To prevent this issue, before you upgrade, disable any tasks configured to "Run Immediately." For more information, see KB74420.

Disable ePO server tasks and any Windows scheduled tasks that may be set to run on the ePO server:
Disable any tasks that would interfere with the installation (such as purge events, pull tasks, and replication tasks). If you are using Drive Encryption, it is important to disable all LDAP Sync tasks before initiating the upgrade of the ePO server. Ensure that there are no LDAP Sync tasks running. If any are running, wait for them to complete. For more information see KB84690.

For information on editing tasks, see the "Server Tasks" section of the product guide for your current version of ePO:

• PD26914 - ePolicy Orchestrator 5.9 Product Guide
• PD25504 - ePolicy Orchestrator 5.3 Product Guide
• PD24808 - ePolicy Orchestrator 5.1 Product Guide

Disable Windows updates:
Disable Windows updates to ensure they do not interfere with your ePO installation or upgrade. For more information, see https://support.microsoft.com/en-us/help/12373/windows-update-faq.

Disable third-party software:

• Disable any software that automatically restarts services on your ePO server. This includes disabling monitoring software (such as Microsoft System Center Operations Manager) that might affect the ePO services starting and stopping for the duration of the installation or upgrade.
• Disable any third-party security software that could potentially introduce permissions issues.
   

Ensure that the 8.3 naming convention is enabled: 
The 8.3 naming convention must be enabled on the drive where ePO is going to be installed. For instructions to enable the 8.3 naming convention, see Solution 1 in KB51431.

Back to Contents

Database Pre-Check

Run the following steps using SQL Management Studio:

1. Click Start, Programs, Microsoft SQL Server, and select SQL Server Management Studio.
2. Verify the SQL instance that ePO is using.
   
   Perform either of the following to verify the SQL instance that ePO is using:
    
   • Check the SQL server service name by opening services.msc:
     Example: SQL Server (SQLEXPRESS)
      
   • Run the following query in SQL Server Management Studio:
     
     select @@servername
     go
      
3. Ensure correct account permissions.
   
   The account used to access the SQL server must have the following permissions:
    
   • Default database must be master:
     1. Expand Security, Logins.
     2. Right-click the account and select Properties.
     3. Ensure the default database is set to Master.
     4. Expand User Mapping and ensure that the account has dbo in the schema for the database.
         
   • This account must be the db_owner in the database security properties:
     1. Expand Databases, your ePO database, Security, Users.
     2. Right-click the dbo account and select Properties.
     3. Ensure that the account has dbo in the Default schema for the database.
        
        If you use an NT account to authenticate to the ePO database, ensure that the account has Local Admin rights on the ePO server.
        
        See KB75766 for detailed information on the required SQL permissions.
         
4. Verify the Database Options Properties:
    
   1. Right-click the ePO database and select Properties.
   2. Select Options on the properties page.
   3. Verify the correct DB collation is set on the SQL server.
      
      See KB73717 for detailed information on supported collation types for ePO.
       
   4. Ensure the Compatibility level is set to 100 or higher for the ePO database.
      
      Click Options and ensure Compatibility level is set to 100 rather than 80 or 90. If it is not, select 100 from the Compatibility level drop-down list and click OK.
       
   5. Ensure Auto Close is set to False.
      
      If it is not, click Auto Close, select False, and click OK.
       
   6. Ensure Arithmetic Abort Enabled is set to True.
      
      If it is not, click Arithmetic Abort Enabled, select True, and click OK.
       
5. Disable SQL database mirroring or Always on, if it is used.
   
   See KB86152 for detailed information about how to verify if it is enabled.

The following steps should be performed on the server hosting the ePO Database:

1. Ensure the SQL browser service is running:
    
   1. Press Windows+R, type services.msc, and click OK.
   2. Locate the SQL Server Browser service and ensure that it is started and running.
      
      If it is not, right-click the SQL Server Browser service and select Start.
       
2. Ensure that Microsoft KB 2653857 is applied on the SQL server. If that is not possible, disable SQL Force Encryption before upgrading (if it is enabled):
   1. Click Start, All Programs, Configuration Tools, SQL Server Configuration Manager.
   2. Right-click Protocols for <instance_name> (MSSQLSERVER by default) under SQL Server Network Configuration, and click Properties.
   3. Click the Force Encryption drop-down list and select No.
   4. Click OK.

In a pure IPv6 environment, ensure that only IPv6 is enabled on the SQL server that hosts the ePO database.

Ensure that the ePO database has enough space for the upgrade:
It is recommended for the ePO database to have 1.5 to 2 GB of free space for an upgrade. If you are using SQL Server Express, which supports a maximum of 10 GB, you should upgrade to SQL Server if the existing ePO database is 8 GB or more in size.

Eliminate unprocessed events:
Ensure that the DB\Events folder (including Debug) is empty or has minimal events stored before the upgrade. During the upgrade, this folder will be scanned and if there are more than 10,000 events that are not processed yet, it will interrupt the upgrade with a pop-up message stating: "This ePolicy Orchestrator server has more than 10,000 unprocessed events, which may cause the upgrade process to take an exceptionally long amount of time".


Back to Contents

General Considerations

• Review the documentation correction article KB83298 regarding stopping ePO services on remote Agent Handlers instead of disabling them in the Handler List page.
   
• Ensure that the ePO administrator and SQL account usernames and passwords meet the criteria described inKB66286.
   
• Perform a preventative measure to avoid Tomcat failing to stop.
  
  NOTE: Perform this procedure only when you are ready to start the installation:
   
  1. Press Windows+R, type services.msc, and click OK.
  2. Stop the ePolicy Orchestrator Server Service and ePolicy Orchestrator Event Parser Service.
  3. Restart the ePolicy Orchestrator Application Server Service.
      
• Back up your ePO server. See KB66616 for detailed steps.

Back to Contents

Related Information

PD24807 - ePolicy Orchestrator 5.1 Installation Guide 
PD25506 - ePolicy Orchestrator 5.3 Installation Guide
PD26914 - ePolicy Orchestrator 5.9 Product Guide

- Link

 - wong chee tat :)