McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide (McAfee epolicy Orchestrator 5.9.0)
COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND. 2 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Contents 1 Overview of Endpoint Upgrade Assistant 5 Overview of Endpoint Upgrade Assistant.......................... 5 Key features of Endpoint Upgrade Assistant......................... 6 How Endpoint Upgrade Assistant works.......................... 6 Recommendations for using Endpoint Upgrade Assistant.................... 7 2 Preparing to upgrade 9 Preparation checklist................................. 9 McAfee product requirements.............................. 10 Setting up your test environment............................ 11 High-level workflow for upgrades............................ 12 How to use Endpoint Upgrade Assistant.......................... 12 Planning your deployment options............................ 15 3 Upgrading with McAfee epo 17 Deployment options using McAfee epo tasks........................ 17 What happens during upgrades............................. 17 Workflow for upgrading with McAfee epo......................... 18 Create a deployment task in Endpoint Upgrade Assistant.................... 18 Create a deployment task in McAfee epo.......................... 19 Supported command-line options for upgrades.................... 19 4 Upgrading with other solutions 23 Using Package Creator to create custom product installers................... 23 Requirements for Package Creator............................ 24 Workflow for upgrading with third-party tools........................ 24 Create product installers with Package Creator....................... 25 Download the McAfee Agent frame package file.................... 26 5 Best practices and troubleshooting 27 Best practices for managing upgrade information...................... 27 Export system and product information....................... 28 Troubleshooting blocked endpoints........................... 28 Refresh the McAfee epo database......................... 28 Troubleshooting installation and uninstallation issues..................... 29 Remove files after a failed installation........................ 29 Troubleshooting issues with Endpoint Upgrade Assistant.................... 30 Troubleshoot issues with Upgrade Automation....................... 30 Troubleshooting issues related to Package Creator...................... 33 Increase package size limit in McAfee epo...................... 33 Reporting an issue to McAfee Support........................... 34 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 3
Contents 4 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
1 Overview 1 of Endpoint Upgrade Assistant Contents Overview of Endpoint Upgrade Assistant Key features of Endpoint Upgrade Assistant How Endpoint Upgrade Assistant works Recommendations for using Endpoint Upgrade Assistant Overview of Endpoint Upgrade Assistant McAfee Endpoint Upgrade Assistant is a tool that assists with upgrading endpoints in your McAfee epolicy Orchestrator (McAfee epo ) environment to McAfee Endpoint Security. Administrators can use Endpoint Upgrade Assistant to: Analyze endpoints, detect the supported McAfee products that are installed, and determine the minimum requirements for upgrading to Endpoint Security. Plan, implement, and track product upgrades throughout the environment. Endpoint Upgrade Assistant is bundled with Upgrade Automation, which runs on endpoints to manage the upgrade process. Components Endpoint Upgrade Assistant includes these McAfee epo components: Endpoint Upgrade Assistant extension Install on the McAfee epo server. Provides the features for analyzing, preparing, and tracking McAfee product upgrades for your environment. Make sure that your endpoints are running epolicy Orchestrator 5.1.2 or later. Endpoint Upgrade Assistant does not alter the McAfee epo environment. It collects and analyzes the data about an environment, then provides tools to assist with upgrading the environment to Endpoint Security. Endpoint Upgrade Automation client package Deploy to managed endpoints. Provides ability to remove legacy products, upgrade McAfee Agent and McAfee Data Loss Prevention (McAfee DLP), and install Endpoint Security. Upgrade Automation does modify the environment. It removes legacy products and installs new product versions. Endpoint Upgrade Assistant also works with the Endpoint Upgrade Assistant Package Creator tool, which can be downloaded separately to create custom, deployable product packages for use with McAfee epo or third-party tools. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 5
1 Overview of Endpoint Upgrade Assistant Key features of Endpoint Upgrade Assistant Key features of Endpoint Upgrade Assistant Endpoint Upgrade Assistant simplifies and automates the tasks required to upgrade McAfee products in McAfee epo environments. Its features minimize the number of upgrade tasks and ensure product interoperability. It also provides information to assist with upgrading the Windows operating system. Upgrading with Upgrade Automation Upgrade Automation upgrades multiple products on multiple endpoints, using a single product deployment task. Upgrade Automation removes and replaces these legacy products: This product (if installed) McAfee VirusScan Enterprise McAfee SiteAdvisor Enterprise McAfee Host Intrusion Prevention (McAfee Host IPS) Is replaced with Endpoint Security Threat Prevention Endpoint Security Web Control Endpoint Security Firewall (Optional. You can choose to keep McAfee Host IPS instead of installing Firewall.) Upgrade Automation upgrades these products to selected versions: McAfee Data Loss Prevention, version 9.3 Patch 6 or earlier Upgrade Automation upgrades these products to compatible versions: McAfee Agent 5.0.5 or later Tagging endpoints for upgrades Endpoint Upgrade Assistant uses McAfee epo tags to identify servers and workstations that require specific product upgrades. View these tags in the Tag Catalog under a group called Endpoint Upgrade Assistant Tags. You can create a single tag for all the endpoints eligible for automatic upgrades using Upgrade Automation. When you create a deployment task in McAfee epo, select one of the tags you've created with Endpoint Upgrade Assistant. All the tagged endpoints are upgraded when the deployment task runs. Deploying with McAfee epo or third-party tools Endpoint Upgrade Assistant provides options for deploying upgrades and a tool for creating custom upgrade installers. Deployment from McAfee epo Upgrade endpoints that are ready for Upgrade Automation with a single deployment task. You can create deployment tasks using Endpoint Upgrade Assistant or McAfee epo. Deployment using third-party tools Download the Endpoint Upgrade Assistant Package Creator tool to create custom product installers for use with McAfee epo or third-party deployment tools. You can select the products to include in the installer and other options. How Endpoint Upgrade Assistant works Endpoint Upgrade Assistant analyzes your environment, then displays the information you need to upgrade your environment automatically with minimal impact on managed systems. Best practice: Deploy upgrades in a test environment or to a test group, then verify the results before deploying upgrades to the larger environment. Three tabs guide you through all the tasks required to upgrade. 6 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Overview of Endpoint Upgrade Assistant Recommendations for using Endpoint Upgrade Assistant 1 1 Specify what to upgrade Select the version of Endpoint Security and the System Tree groups. 2 Analyze your environment Discover endpoints that require upgrades and endpoints that can't be analyzed. 3 Check in and install the required software Check it in to the McAfee epo server to make it available for deployment tasks using Software Manager. 4 Tag systems to upgrade Create one tag for all the systems you want to upgrade with a single deployment task. You can tag all the systems that are ready for Upgrade Automation. You can also tag endpoints that require manual upgrades. 5 Deploy upgrades Deploy using Upgrade Automation or manual deployment tasks, with McAfee epo or third-party deployment tools. Use Endpoint Upgrade Assistant Package Creator to create installers for third-party tools. See also Setting up your test environment on page 11 Recommendations for using Endpoint Upgrade Assistant Endpoint Upgrade Assistant helps you upgrade your environment as efficiently as possible with minimal disruption. Phase 1: Analyze your environment Select the products to install, then let Endpoint Upgrade Assistant determine how to maintain compatibility with existing McAfee products. Phase 2: Upgrade the endpoints that are ready for Upgrade Automation Create a deployment task and select the Upgrade Automation tag created by Endpoint Upgrade Assistant. If some endpoints require additional upgrades before using Upgrade Automation, use Endpoint Upgrade Assistant to identify and upgrade them. Phase 3: Prioritize upgrades for the remaining endpoints Plan a strategy for manually upgrading them to meet requirements for Upgrade Automation. Tag systems and deploy required products. As additional systems become ready for Upgrade Automation, upgrade them. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 7
1 Overview of Endpoint Upgrade Assistant Recommendations for using Endpoint Upgrade Assistant 8 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
2 Preparing 2 to upgrade Contents Preparation checklist McAfee product requirements Setting up your test environment High-level workflow for upgrades How to use Endpoint Upgrade Assistant Planning your deployment options Preparation checklist To streamline the upgrade process, perform these tasks before upgrading. Verify that endpoints can be analyzed Endpoint Upgrade Assistant analyzes endpoints managed with McAfee Agent. If your environment includes endpoints where McAfee Agent isn't installed or set to Managed mode, Endpoint Upgrade Assistant reports them as Blocked from Upgrades. Set up a test environment Select a subset of your System Tree to upgrade as a test. Upgrading in a test environment allows you to verify that endpoints upgrade as expected, and make changes as needed, before deploying upgrades to all endpoints. Disable features that detect and reinstall uninstalled products If you have set up applications or processes to detect when programs are uninstalled and reinstall them automatically, be sure to disable this functionality. Upgrade Automation can uninstall legacy products during the upgrade process. Make sure your endpoint doesn't reinstall them before the tool installs upgraded products. Install Endpoint Upgrade Assistant on the McAfee epo server Endpoint Upgrade Assistant is a self-contained McAfee epo extension that you install on the McAfee epo server. Endpoint Upgrade Assistant also checks in the Endpoint Upgrade Automation client package to all branches of McAfee epo. This lets you deploy from any branch. Deploy the Upgrade Automation client package Deploy to endpoints in your environment to enable Upgrade Automation features. (Optional) Prepare to migrate legacy product settings To preserve custom settings for legacy products, you need to migrate those settings on the McAfee epo server during the upgrade process. To prepare for migration: Review your custom policy settings and client tasks, consolidating them where possible. Remove duplicate and unused policies and tasks. Install the Endpoint Migration Assistant extension on the McAfee epo server. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 9
2 Preparing to upgrade McAfee product requirements See the McAfee Endpoint Security Migration Guide for more information. (Optional) Prepare for deployment with third-party solutions If you plan to deploy with third-party solutions, download the Endpoint Upgrade Assistant Package Creator tool from Software Manager to a system that has access to the installer packages. See also Troubleshooting blocked endpoints on page 28 Setting up your test environment on page 11 Using Package Creator to create custom product installers on page 23 McAfee product requirements Endpoint Upgrade Automation requires that supported McAfee products are installed on endpoints you plan to upgrade and that all required product upgrade packages are checked in. Products supported on endpoints Upgrade Automation upgrades endpoints where these products are installed: VirusScan Enterprise, version 8.8 Patch 1 9 McAfee Host IPS, version 8 Patch 1 9 SiteAdvisor Enterprise, version 3.5 and later McAfee Agent, version 4.6 and later McAfee Threat Intelligence Exchange (TIE) for VirusScan Enterprise, version 1.x and later McAfee DLP, versions 9.2 and later Upgrade Automation coexists on endpoints with these products, but does not alter them: McAfee Access and Change Control, version 6.1.2.440 6.1.3.0, 6.1.3.440 6.1.4.0, or 6.2.0.504 and later McAfee Data Exchange Layer (DXL), version 2.0.1.162 and later McAfee Drive Encryption, version 7.1.1 and later McAfee File and Removable Media Protection (FRP), version 4.3.1.153 and later McAfee Native Encryption Products checked in to McAfee epo When you install the Endpoint Upgrade Assistant extension, the Upgrade Automation package is checked in to all McAfee epo branches: Current, Evaluation, and Previous. This lets you deploy Upgrade Automation from any branch. Before running Endpoint Upgrade Assistant, you must check in the packages for any of these products that you plan to install or upgrade: McAfee Agent, version 5.0.5 or later McAfee DLP, version 9.3 Patch 6 or later Endpoint Security, version 10.2.2, 10.5.2, or 10.5.3 10 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Preparing to upgrade Setting up your test environment 2 Endpoint Security has three main product modules: Threat Prevention (Required) Firewall (Optional) Web Control (Optional) Common module (Required, checked in automatically) All modules are selected to install, by default. You can specify not to install optional modules. Threat Prevention is required (and the Common module is silently installed with it). Check in these products to the same McAfee epo branch where you plan to deploy Endpoint Upgrade Assistant. Endpoint Upgrade Assistant installs the products that you have checked in. If you do not select any modules to install or check them in to McAfee epo, the Upgrade Automation deployment task fails. See also Requirements for Package Creator on page 24 Setting up your test environment Use a test environment to upgrade a subset of endpoints in preparation for performing a controlled rollout of Endpoint Upgrade Automation package across your environment. Upgrade Automation ensures that endpoints do not end up in an unsuitable state. However, upgrades for multiple products, groups, and endpoint types involve many components, and you might not always anticipate all the results correctly. It's important to test upgrades in test environments or small groups before upgrading your entire environment. General guidelines Review these best practices before setting up your test environment. Do not include endpoints that are essential to your daily operations in your test environment. Select endpoints that reflect the diversity of your environment. For example, include one endpoint from each upgrade step. Use the Overview tab to identify suitable endpoints by reviewing the software running on them. Use the Prepare tab to ensure that the necessary software packages are available in the correct software branch. Use the Deploy & Track tab to identify the deployments performed using Endpoint Upgrade Assistant. When selecting a test environment, make sure that you consider the following information to identify representative endpoints: McAfee product combinations and versions Operating systems Servers and workstations Best practice: Test on a subset of servers before upgrading your entire server environment. Validate the upgrade on servers and workstations. Some endpoints might require a restart. You need to restart them manually; the Upgrade Automation deployment task doesn't initiate a restart after all upgrades are complete. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 11
2 Preparing to upgrade High-level workflow for upgrades High-level workflow for upgrades Follow this workflow to upgrade your environment to Endpoint Security. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements. See the McAfee Endpoint Security Installation Guide and McAfee epolicy Orchestrator Product Guide for more information about these tasks. 1 Prepare policies as needed. 2 On the Endpoint Upgrade Assistant landing page, analyze your environment. 3 On the Overview tab, view all products that require upgrades and determine which systems are suitable for immediate, automatic upgrade. If some systems are blocked from upgrading, you can manually upgrade them with required products, then re-analyze your environment. 4 On the Prepare tab, verify that all required software is available (check in or download). 5 Manually update the content files required for Endpoint Security. 6 Migrate policies, client tasks, and other settings from supported legacy products on the McAfee epo server. (Required only when migrating legacy product settings.) 7 Configure policies as needed. 8 Deploy or install the client software with default or custom settings. Endpoint Upgrade Assistant provides multiple options for deploying with McAfee epo tasks. You can also use Endpoint Upgrade Assistant Package Creator to create custom installers for use with third-party deployment solutions. Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts in server environments. Upgrade Automation doesn't restart endpoints after deployment. 9 Verify that the upgrade completed successfully. How to use Endpoint Upgrade Assistant Endpoint Upgrade Assistant organizes the information you need to analyze, plan, deploy, and track upgrades on three tabs. Follow these guidelines for using the product's features to meet the needs of your environment. Launching Endpoint Upgrade Assistant After installing the Endpoint Upgrade Assistant extension, click the product in the McAfee epo Software menu. 12 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Preparing to upgrade How to use Endpoint Upgrade Assistant 2 Analyzing your environment On the landing page, select these options, then analyze your environment to find out what upgrades are required: Version of Endpoint Security to upgrade to. Endpoints to analyze Analyze the entire System Tree or a single group and its subgroups. You can use the System Tree to select subsets of your environment for analysis, which might reduce the time required to perform the analysis and provides flexibility when planning upgrades. The time required to analyze your selection depends on the size of the McAfee epo database and the number of endpoints selected. This option lets you select a subset of your environment for a test environment, so that you can deploy and verify upgrades to non-critical endpoints before upgrading your entire environment. Endpoint Upgrade Assistant analyzes the McAfee epo database to determine what endpoint software is in your environment and how that compares to the product versions recommended by McAfee. Getting a visual overview of your environment The top of each tab features a pie chart and table that summarize the number of systems in four categories: Upgrade complete Successfully upgraded to Endpoint Security. Ready to upgrade Ready to upgrade to Endpoint Security using Upgrade Automation. Require product upgrades Running incompatible versions of McAfee products that you need to upgrade manually before running Upgrade Automation. Blocked from upgrading Can't be upgraded or analyzed by Endpoint Upgrade Assistant. A checkbox lets you exclude systems that aren't managed by McAfee Agent from this overview. Search, sort, filter, and validate Endpoint Upgrade Assistant results by downloading the information for each category in comma-separated values (CSV) format. Use this information for purposes such as debugging, identifying the endpoints required for upgrades, and resolving differences between the reported and expected status of endpoints. View Systems Displays a page listing the corresponding systems that you can export. Export System and Product Details Creates a list of endpoints with their name, path, and type (server or workstation). Adds the products and versions running on endpoints. This lets you sort by product to create a listing of all endpoints running each version of each product (for example, outdated versions of McAfee Agent). Getting a detailed overview of your environment After analysis is complete, use the Overview tab to identify systems that: Are ready to upgrade to Endpoint Security automatically. Have incompatible software installed See the steps required to make them compatible for upgrades. You can tag these systems, create deployment tasks to upgrade them, then re-analyze your environment to determine whether they are ready to upgrade automatically. Have issues that prevent Endpoint Upgrade Assistant from analyzing or upgrading them Resolve these issues, then re-analyze your environment. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 13
2 Preparing to upgrade How to use Endpoint Upgrade Assistant The Overview tab provides details about: Products and number of endpoints that require upgrades. The minimum product versions required for upgrades. KnowledgeBase articles with additional information about the products to be upgraded. Current versions of products in your environment and number of endpoints where they are installed. When McAfee Agent or McAfee Host Intrusion Prevention is installed on endpoints that you plan to upgrade, these deployment options are available: Do not remove versions of McAfee Agent that are compatible with McAfee Endpoint Security When this option is selected and a compatible version of McAfee Agent is installed, it won't be upgraded. Do not remove McAfee Host Intrusion Prevention (do not use Endpoint Security Firewall) When this option is selected and a compatible version of McAfee Host Intrusion Prevention is installed, it won't be uninstalled and Endpoint Security Firewall will not be enabled. Preparing to upgrade Use the Prepare tab to make sure the required software is available for automatic upgrades. Endpoint Upgrade Assistant lists the software packages that you need to check in to Software Manager. It shows what is currently checked in and what needs to be upgraded to meet the product versions recommended by McAfee. Check in all packages to the same branch. When you installed the Endpoint Upgrade Assistant extension, the Upgrade Automation client package was checked in to all McAfee epo branches. This lets you deploy Upgrade Automation from any branch. After checking in the required software packages, click Refresh to confirm that your server is up to date. Use the information on this tab to identify: Product client packages required for upgrades. Product client packages currently checked in You can view the Current, Evaluation, or Previous branch. You must check in all packages to the same branch to use Upgrade Automation. Product extensions required If the products you're upgrading require a product extension, install those on the McAfee epo server manually. Endpoint Upgrade Assistant checks for the minimum required version for McAfee Agent. It looks for specific versions of Endpoint Security. It lets you select a version of McAfee DLP to install. Best practice: If you don't want to create a deployment task manually, click Copy Command Line in Endpoint Upgrade Assistant to copy to the Windows clipboard all the command-line options that match your selections on the Overview and Prepare tabs. Deploying and tracking upgrades in Endpoint Upgrade Assistant Use the Deploy & Track tab to create deployment tasks for automatic upgrades and verify the status of scheduled deployment tasks. Click Create Deployment Task to configure and schedule an automatic upgrade. Check the status of deployment tasks you have created For deployment tasks that are running or completed, view the status of the upgrade on each endpoint (Install Successful, Failed, or Pending). 14 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Preparing to upgrade Planning your deployment options 2 Planning your deployment options Endpoint Upgrade Assistant lets you customize upgrades by specifying options for the upgrade workflow when you create the package file and deployment task. Before upgrading, you should decide which options you want to use. Specify these options in different ways, depending on your deployment method. Keeping compatible versions of McAfee Agent When McAfee Agent version 5.0.2.333 or later is installed on an endpoint where you plan to upgrade Endpoint Security, upgrading McAfee Agent is optional. You can choose not to upgrade McAfee Agent when you create the deployment task. When you specify this option and a compatible version of McAfee Agent is present on the endpoint, the McAfee Agent installation package isn't downloaded and the McAfee Agent isn't upgraded. If all the endpoints you plan to upgrade have versions of McAfee Agent that are compatible with Endpoint Security, it is not necessary to check in McAfee Agent to the McAfee epo branch. However, if an incompatible version of McAfee Agent is installed on any endpoint, the deployment task attempts to download the version of McAfee Agent that is checked in. In these cases: If version 5.0.5 or later is checked in Upgrade Automation upgrades McAfee Agent and installs Endpoint Security. If version 5.0.5 or later is not checked in Upgrade Automation fails on the endpoints that have an incompatible version of McAfee Agent. This option is available on the Overview tab in Endpoint Upgrade Assistant or as a command-line option in McAfee epo. It is also available in Endpoint Upgrade Assistant Package Creator. Keeping compatible versions of Host Intrusion Prevention By default, Endpoint Upgrade Assistant removes McAfee Host IPS version 8.x, when it is installed on an endpoint you are upgrading, and replaces it with Endpoint Security Firewall. However, you can choose not to upgrade this product when you create the deployment task. These versions of McAfee Host IPS can co-exist with Endpoint Security on the same endpoint: Version 8 Patch 5 7 with Hotfix 1153407 Version 8 Patch 8 When they co-exist, you can enable the Host Intrusion Prevention and Firewall functionality in either Endpoint Security or McAfee Host IPS. When these functions are enabled in McAfee Host IPS, they are disabled in Endpoint Security, even when enabled by policy. When you specify this option and a compatible version of McAfee Host IPS is present on the endpoint, it is retained. This option is available on the Overview tab in Endpoint Upgrade Assistant or as a command-line option in McAfee epo. It is also available in Endpoint Upgrade Assistant Package Creator. Reporting in System Custom Property fields Endpoint Upgrade Assistant provides the ability to monitor some endpoint events during deployment by using command-line options. This allows you to know when specific events occur and respond to them, if needed. For example, you can check when it's time to restart the endpoint after upgrading McAfee DLP. Events are reported in one of the four Custom fields that appear on the System Properties tab of the McAfee epo System Details page. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 15
2 Preparing to upgrade Planning your deployment options This option is available as a command-line option in McAfee epo. Selecting McAfee SysPrep options McAfee SysPrep is a standalone tool that adds third-party injectors to the McAfee Trusted Store, which ensures that the injectors work together with Endpoint Security. A version of SysPrep is packaged with Endpoint Upgrade Assistant, but if a later version of SysPrep is available, Upgrade Automation can use it with the current version of Endpoint Upgrade Assistant. From McAfee epo Check in the updated SysPrep package to the same branch in McAfee epo as Endpoint Upgrade Assistant. When Upgrade Automation runs on the endpoint, it downloads and runs the updated SysPrep package. From Package Creator Select the new SysPrep package to include in the installer. When SysPrep returns a failure message, such as Unknown 3rd party DLL injector is found, the default functionality is that Endpoint Upgrade Assistant stops running. It does not remove VirusScan Enterprise and McAfee Host IPS, to ensure that the endpoint is always protected. You can choose to ignore SysPrep failures, because not all third-party injections cause an issue with Endpoint Security. This option is available as a command-line option in McAfee epo. It is also available in Endpoint Upgrade Assistant Package Creator. Sending telemetry data to McAfee Endpoint Upgrade Automation now includes a telemetry feature that collects and sends anonymous deployment data to McAfee. This data will be used to improve product robustness and performance in future releases. This option is available as a command-line option in McAfee epo. It is also available in Endpoint Upgrade Assistant Package Creator. This option is enabled by default. You can disable it by using a command-line option in McAfee epo, or by selecting System Send Telemetry to toggle the feature on and off in Package Creator. A checkmark appears when the feature is enabled. The telemetry feature collects the following anonymous data: Product name (EUA) Product version (1.6.0) Iteration number List of products installed prior to upgrade List of products installed post upgrade List of completed upgrade progress milestones Command line used for upgrade MD5 hash of machine GUID Machine locale (LCID) Success/failure of deployment Return code from Endpoint Upgrade Assistant See also Supported command-line options for upgrades on page 19 16 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
3 Upgrading 3 with McAfee epo Contents Deployment options using McAfee epo tasks What happens during upgrades Workflow for upgrading with McAfee epo Create a deployment task in Endpoint Upgrade Assistant Create a deployment task in McAfee epo Deployment options using McAfee epo tasks You can deploy upgrades using Endpoint Upgrade Assistant or standard McAfee epo deployment methods. From Endpoint Upgrade Assistant Click Create a deployment task on the Deploy & Track tab. From McAfee epo: Create a deployment task on the Product Deployment page. Create a client task. What happens during upgrades When you deploy the Upgrade Automation client software to an endpoint, it performs these tasks: 1 Downloads McAfee Endpoint Security, McAfee Agent, and McAfee Data Loss Prevention (depending on options selected when creating the deployment task) from McAfee epo and verifies that they're the correct product versions. 2 Verifies that no conflicting products exist on the endpoint. 3 Harvests local policies for VirusScan Enterprise and McAfee Host IPS. 4 Removes VirusScan Enterprise and McAfee Host IPS. 5 Upgrades McAfee Agent (if selected) and installs Endpoint Security, which then applies the local policies. 6 Endpoint Security checks with McAfee epo for new policies. 7 Upgrades McAfee Data Loss Prevention to the selected version. 8 Sends telemetry data to McAfee when installation is complete. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 17
3 Upgrading with McAfee epo Workflow for upgrading with McAfee epo Workflow for upgrading with McAfee epo Follow this workflow to upgrade endpoints using McAfee epo. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements. See the McAfee Endpoint Security Installation Guide and McAfee epolicy Orchestrator Product Guide for more information about these tasks. 1 Prepare policies as needed. If you are migrating legacy policies Review and revise your settings to eliminate unused, outdated, and duplicate settings. If you are preconfiguring policies Create a custom package using Endpoint Security Package Designer. See the McAfee Endpoint Security Installation Guide for instructions. 2 On the Endpoint Upgrade Assistant landing page, analyze your environment. 3 On the Overview tab, view all products that require upgrades and determine which systems are suitable for immediate upgrade. If some systems are blocked from upgrading, you can manually upgrade them with required products, then re-analyze your environment. 4 On the Prepare tab, verify that all required software is checked in to McAfee epo. 5 Manually update your McAfee epo server with the latest AMCore and Exploit Prevention content files required for Endpoint Security. See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product Guide for more information about content files. 6 (Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings from supported legacy products on the McAfee epo server. You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security Migration Guide for more information. 7 Configure policies as needed. 8 Create a deployment task, then deploy the client software to endpoints. Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts in server environments. Upgrade Automation doesn't restart endpoints after deployment. 9 Verify that the deployment task completed successfully. From Endpoint Upgrade Assistant Check the Deploy & Track tab for the status of the task and endpoints. From McAfee epo Check that the client software is installed and up to date on all endpoints. Create a deployment task in Endpoint Upgrade Assistant Create a McAfee epo deployment task directly from the Deploy & Track tab. This deploys products using Upgrade Automation. See the McAfee epo Product Guide for more information. 18 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Upgrading with McAfee epo Create a deployment task in McAfee epo 3 Task 1 On the Deploy & Track tab, click Create Deployment Task. 2 On the Create Deployment Task page, specify a name for the task. The branch and product options that were selected on the Prepare and Overview tabs appear. If you want to change them, cancel this task, select the correct settings on those tabs, then begin this task again. 3 For Policy Migration, select the checkbox to acknowledge that you have either migrated legacy custom policies and client tasks or understand that McAfee Default policy settings will be enforced. (Required only when migrating legacy product settings.) 4 Specify when to run the deployment task. The default setting is Run immediately. If you're scheduling it for later, specify a date and time. 5 Select the systems to upgrade. By default, both workstations and servers are upgraded. You can also select individual systems from a list. 6 Click Create. 7 Verify that the information for the task is correct, then click OK. Create a deployment task in McAfee epo When systems are ready to upgrade using Upgrade Automation, you can deploy upgrades with standard McAfee epo deployment methods. Task 1 In McAfee epo: On the Product Deployment page in McAfee epo, create a new deployment task. From the Client Task Catalog in McAfee epo, select a Client Task Type of McAfee Agent Product Deployment Task, then create a new task. 2 From the Product and Components section, select the Upgrade Automation package that you installed with Endpoint Upgrade Assistant. 3 From the Tag Catalog, select the Upgrade Automation tag that you created with Endpoint Upgrade Assistant. 4 Specify other options as needed. Upgrade Automation supports several command-line options. 5 Create the task. Supported command-line options for upgrades Upgrade Automation supports these command-line options for deployment tasks created in McAfee epo. If you don't want to create a deployment task manually, click Copy Command Line in Endpoint Upgrade Assistant to copy to the Windows clipboard all the command-line options that match your selections on the Overview and Prepare tabs. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 19
3 Upgrading with McAfee epo Create a deployment task in McAfee epo Option --keephips --keepma --excludefw --excludewc --upgradedlp=<version> --tag[=1 4] where: 1 4 specifies one of four Custom fields Description Do not upgrade versions of McAfee Host IPS that are compatible with Endpoint Security. Do not enable Endpoint Security Firewall. Do not upgrade versions of McAfee Agent that are compatible with Endpoint Security. Do not install Endpoint Security Firewall. Do not install Web Control. Upgrade McAfee DLP to the specified version if it's present in the selected McAfee epo branch. Supported versions are: 9.3, 9.4, 10, and 11. If this command-line option is not present, McAfee DLP isn't upgraded. Report endpoint events in a Custom field on the System Properties tab in the McAfee epo System Details page. For example, --tag=3 reports endpoint events in the Custom 3 field, and --tag or --tag=1 reports in the Custom 1 field. -- ignoresysprepfail Do not stop the Endpoint Security upgrade if McAfee SysPrep returns a failure message. --notelemetry --retryafterreboot Do not collect and send anonymous telemetry data from Endpoint Upgrade Automation. If Endpoint Security fails to install on the first attempt Do not initiate a restart automatically. Wait until the endpoint restarts, then attempt to install Endpoint Security. If Endpoint Security is manually installed before the endpoint restarts Detect that the product is installed and cancel the pending installation. Supported events for Custom fields Not all upgrade workflows use all the supported event properties. Endpoint Upgrade Assistant reports these properties: Property EUA_CLIENT_EXECUTION_STARTED EUA_REBOOT_REQUIRED ENS_INSTALL_PENDING EUA_ENDPOINT_REBOOTED ENS_INSTALLING EUA_EXECUTION_COMPLETE Description Endpoint upgrade has started. Restart the endpoint. Endpoint has been restarted. Endpoint Security is installing. Deployment task is completed. Check the status of the deployment task on the Deploy & Track tab. EUA_EXECUTION_COMPLETE REBOOT_REQUIRED DLP_UPGRADED Deployment task is completed. Check the status of the deployment task on the Deploy & Track tab. Restart the endpoint to enable McAfee DLP. 20 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Upgrading with McAfee epo Create a deployment task in McAfee epo 3 These are some general guidelines for using the Custom fields: Endpoint Upgrade Assistant doesn't remove or change the value displayed. For example, if you restart an endpoint, the REBOOT_REQUIRED value doesn't change. The value in the Custom field isn't updated or removed until it is overwritten by another task on the endpoint. If a Custom field is being used by another application for another purpose, reporting for Endpoint Upgrade Assistant might be affected. The --tag option is not related to tagging endpoints for updates in the System Tree. Compatibility of command-line options Command-line options are case sensitive. If you enter an invalid or an unrecognized option, the upgrade fails. Specifying multiple options can result in conflicting actions. Here's how Endpoint Upgrade Assistant resolves conflicting command-line options: Options --keepma --keephips --keephips --keepma Result Does not upgrade McAfee Agent or remove Host Intrusion Prevention if they are compatible with Endpoint Security. --tag=2 --keepma --keephips Does not upgrade McAfee Agent or McAfee Host IPS if they are compatible with Endpoint Security. Reports endpoint events in the Custom 2 field on the System Properties tab in the McAfee epo System Details page. See also Planning your deployment options on page 15 Using Package Creator to create custom product installers on page 23 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 21
3 Upgrading with McAfee epo Create a deployment task in McAfee epo 22 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
4 4 Upgrading with other solutions Contents Using Package Creator to create custom product installers Requirements for Package Creator Workflow for upgrading with third-party tools Create product installers with Package Creator Using Package Creator to create custom product installers Use the Endpoint Upgrade Assistant Package Creator tool to create product installers for deployment with third-party solutions or McAfee epo. This custom product installer contains everything needed to upgrade systems to Endpoint Security: the installers for each product you plan to upgrade and the Upgrade Automation client software. Package Creator requires administrator credentials. Downloading Package Creator You need to download Package Creator from Software Manager or your McAfee product download site and install it on a system that has access to the product installers you plan to deploy. Locating the installers Package Creator generates a single product installer that contains an Endpoint Security installer, a McAfee Agent installer, McAfee DLP installer (if needed), and the Upgrade Automation client software. You must download all the installers for the products you plan to upgrade on the system where you run Package Creator. It uses these installers to create the final upgrade installer. Products to upgrade Package Creator lets you select the same product upgrade options that are available when creating deployment tasks with Endpoint Upgrade Assistant and McAfee epo. For example, select Endpoint Security modules to install and existing McAfee products to upgrade or remove. McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 23
4 Upgrading with other solutions Requirements for Package Creator Product deployment method The way you plan to deploy upgrades determines the type of product installer that Package Creator creates: A package for use with McAfee epo Check in this file to the McAfee epo server. Package Creator validates the package while creating it. Best practice: Check and increase the package size limit in McAfee epo before uploading large packages. This package can deploy all individual product installers with one deployment task and ensures that no additional downloads are required when upgrading to Endpoint Security. Because it contains the installer for McAfee Agent, you can move endpoints from one McAfee epo server to another during upgrades. Best practice: Use Package Creator to create a deployment package when you plan to move endpoints to a new McAfee epo server during the upgrade. An application for use with third-party deployment solutions Check in this file to the repository for your third-party tool. This is a self-extracting.exe file that extracts the installers, then runs Upgrade Automation to automatically upgrade endpoints with the selected options. See also Create product installers with Package Creator on page 25 Planning your deployment options on page 15 Supported command-line options for upgrades on page 19 Increase package size limit in McAfee epo on page 33 Requirements for Package Creator If you plan to use Package Creator to create installers for deployment with McAfee epo, you must install required Microsoft libraries on the system where you run Package Creator. Package Creator uses EEDK to create McAfee epo deployment packages, and these libraries ensure that the packages are signed by McAfee:.NET 4.5 framework Workflow for upgrading with third-party tools Follow this workflow to upgrade endpoints using third-party deployment solutions. You must have administrator credentials to use Endpoint Upgrade Assistant Package Creator. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements. See the McAfee Endpoint Security Installation Guide and McAfee epolicy Orchestrator Product Guide for more information about these tasks. 1 Download Package Creator from Software Manager. 2 Prepare policies as needed. If you are migrating legacy policies Review and revise your settings to eliminate unused, outdated, and duplicate settings. If you are preconfiguring policies Create a custom package using Package Creator. See the McAfee Endpoint Security Installation Guide for instructions. 3 On the Endpoint Upgrade Assistant landing page, analyze your environment. 24 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide
Upgrading with other solutions Create product installers with Package Creator 4 4 On the Overview tab, view all products that require upgrades and determine which systems are suitable for immediate upgrade. 5 Download the installers for products you plan to upgrade. Download the McAfee Agent (version 5.0.5 or later) frame file from your target McAfee epo server. The file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work. Download the version of Endpoint Security to install. Download Endpoint Security Bundle as a.zip file from Software Manager or the McAfee product download page: https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us. A grant number is required to download the bundle. Download McAfee Data Loss Prevention and Device Control (if required) from Software Manager or the McAfee product download page. This is also available as a.zip file from Software Manager or the McAfee product download page. 6 Manually update your McAfee epo server with the latest AMCore and Exploit Prevention content files required for Endpoint Security. See the McAfee Endpoint Security Installation Guide for instructions. See the Endpoint Security Common Product Guide for more information about content files. 7 (Required only when migrating legacy product settings.) Migrate policies, client tasks, and other settings from supported legacy products on the McAfee epo server. You need to install the Migration Assistant extension before migrating. See the McAfee Endpoint Security Migration Guide for more information. 8 Configure policies as needed. 9 Run Package Creator and create an executable product installer for third-party deployment. 10 Check in the product installer to the repository for your third-party tools, then deploy to endpoints. Best practice: Restart the endpoints manually after upgrading, taking care to consider the effects of restarts in server environments. Upgrade Automation doesn't restart endpoints after deployment. Create product installers with Package Creator Use Package Creator to create a single package or installation file that contains all the individual product installers required for upgrades. Then deploy the file with third-party solutions or McAfee epo. Before you begin You must have administrator credentials to use Package Creator. Before upgrading, ensure that your environment and the systems you plan to upgrade meet the requirements. Task 1 Download Package Creator if you haven't already done so, then install it on an endpoint that has access to the product installers you want to deploy. Download the software from Software Manager or your McAfee product download site. 2 In Package Creator, specify the locations of the installers for Endpoint Security and McAfee Agent. The installer for McAfee Agent is called a frame package (FramePkg.exe). McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide 25
4 Upgrading with other solutions Create product installers with Package Creator 3 Select optional components to install. By default, all components are selected. Threat Prevention is required, but Endpoint Security Firewall and Web Control are optional. 4 Select upgrade options, as needed. Do not upgrade versions of McAfee Agent that are compatible with McAfee Endpoint Security Do not remove McAfee Host Intrusion Prevention (do not install Endpoint Security Firewall) 5 Select the type of product installer to create: A package.zip file to deploy with McAfee epo. An executable application to install with third-party tools. 6 Verify that you've specified the correct information, then click Create. Tasks Download the McAfee Agent frame package file on page 26 Package Creator needs a compatible installer for McAfee Agent, to include in the custom installer that it generates. You need to download this installer, called a frame package, from your target McAfee epo server. Download the McAfee Agent frame package file Package Creator needs a compatible installer for McAfee Agent, to include in the custom installer that it generates. You need to download this installer, called a frame package, from your target McAfee epo server. The correct file is named FramePkg.exe. Files named SmartInstaller.exe or Frminst.exe don't work. Task 1 In McAfee epo, click System Tree New Systems. 2 For How to add systems, select Create and download agent installation package. 3 For version, select Windows and 5.0.5 or later. 4 Click OK to download a valid McAfee Agent installer from your McAfee epo server. 26 McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide Product Guide