AutoDomain Endpoint Encryption Deployment Script for “SafeBoot”
NOTE – the latest version of the script has a slightly different UI from the one shown below – I’ll update it at some point in the future – Please see the manual included in the zip for details.
The “AutoDomain” project evolved over many months from a need to help customers deploy my company’s encryption product, known then as “SafeBoot Device Encryption for PC’s” and now “McAfee Endpoint Encryption for PCs“. Though an extremely competent encryption tool with more options than you can think of, it can be cumbersome to deploy en masse. The most problematic item, and this is true with any full disk encryption tool, is knowing who the legitimate users of a given PC are.
Windows doesn’t track this explicitly, and most IT departments have no better idea. People generally believe that ANYONE can log into any Windows PC in the average corporate environment. That is only half true: anyone with a domain account can log into the network from any PC, but it is only once they have logged into the network on a particular PC that Windows caches their credentials there, and only then can that person log into that PC offline.
This is of course completely different from “anyone can login”, though that is what people expect. AutoDomain was designed to solve this by mining the local machine for cached accounts and setting them as valid pre-boot users. Effectively, if you had ever used the machine in the past, running the script would ensure you could continue using it in the future by assigning your Encryption user ID as a valid pre-boot user of that machine. Of course, no script ends up the way it was designed, and AutoDomain is no exception; it has grown out of all proportion and includes such varied functionality as:
- Create users and machines on demand
- Auto-move machines and users into groups based on name, AD information etc
- Rename machines if needed, recover from the name already being in use
- Notify users by email that they have been assigned to machines
- Capture the user’s Windows credentials on assignment/creation and set up SSO
- Auto-link users to connectors (and thus their AD counterparts)
- Correctly remediate from AutoBoot mode, set up permanent autoboot mode
- Check the current Windows user has a preboot counterpart before uninstalling AutoDomain
- Check (and remediate) for competitive product and incompatible situations before activation
- Support auto-add new user on discovery (using ActiveInstaller)
- And of course many, many other features…
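As an added illustration of the “mine the machine for the accounts that have actually used it” idea, here is a PowerShell snippet that lists every account that has loaded a profile on the PC and flags which of them are domain accounts. This is example code written for this page, not AutoDomain’s own (VBS) code, and the page does not show how AutoDomain itself enumerates cached accounts. It assumes the ProfileList registry key and the NTUSER.DAT timestamp as proxies for “this person has logged on here”; the real cached-credential store under HKLM\SECURITY\Cache is readable only as SYSTEM and is not touched here. It also assumes Get-LocalUser is available (Windows 10 / Server 2016 and later).

```powershell
# Added example (not AutoDomain's own code): enumerate the accounts that have
# logged on to this PC, using the profile list as a proxy for "cached" users.
# Assumptions: HKLM ProfileList + NTUSER.DAT timestamp approximate logon history;
# Get-LocalUser (Windows 10 / Server 2016+) is available to tell local from domain SIDs.
function Get-LocalLogonHistory {
    [CmdletBinding()]
    param()

    $profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    # Service SIDs that own profiles but are never interactive pre-boot users
    $serviceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')
    # SIDs of accounts defined in the local SAM; anything else is a domain account
    $localSids = @(Get-LocalUser | ForEach-Object { $_.SID.Value })

    foreach ($key in Get-ChildItem -Path $profileKey) {
        $sid = $key.PSChildName
        if ($serviceSids -contains $sid) { continue }

        $props = Get-ItemProperty -Path $key.PSPath
        try {
            # Domain SIDs need a reachable DC to translate; local SIDs translate offline
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                           [System.Security.Principal.NTAccount]).Value
        } catch {
            # Offline fallback: the profile folder name normally matches the logon name
            $account = Split-Path -Leaf $props.ProfileImagePath
        }

        # NTUSER.DAT is written back when the profile is unloaded, so its
        # timestamp is a cheap "last used" indicator for pruning stale accounts
        $hive = Get-Item -Force -ErrorAction SilentlyContinue `
                    (Join-Path $props.ProfileImagePath 'NTUSER.DAT')
        $lastUse = if ($hive) { $hive.LastWriteTime } else { $null }

        [pscustomobject]@{
            Sid         = $sid
            Account     = $account
            IsDomain    = ($localSids -notcontains $sid)
            LastUse     = $lastUse
            ProfilePath = $props.ProfileImagePath
        }
    }
}

# Candidate pre-boot users: domain accounts, most recently used first
Get-LocalLogonHistory | Where-Object IsDomain | Sort-Object LastUse -Descending | Format-Table -AutoSize
```

Run it elevated so the ProfileList key and every profile folder are readable. The domain-account filter matters: local accounts such as the built-in Administrator are not what you want as pre-boot users, and the LastUse column is how you avoid assigning the machine to someone who logged on once two years ago. Note that a profile folder is not quite the same thing as a cached credential: a profile can survive after the cached logon has been evicted (Windows keeps only a limited number of cached logons), so a user listed here may still be unable to log on offline until they next authenticate against a DC.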
The current version of the script is pretty much self-sufficient. Although earlier versions needed tweaking for each environment, since the v5 version was released they are pretty much static, and are mostly used packed as EXEs (the source script is VBS). AutoDomain is built from a number of helper classes, so when you look at it, it may seem overwhelming. But, using something like PrimalScript, you can see that a good 4/5 of the script is included class modules which can be ignored (or reused for other scripts of your own).
The latest version of the script can be obtained from your McAfee consultant if you’re a customer, or from CTOGoneWild. There is no “official” support for this tool as it was designed to be customized to your environment, but most of the McAfee consultants are very knowledgeable about it, and most of our larger deployments end up using it.
Below is the legal note from the script. Please remember you can’t call McAfee support about this tool; they simply don’t have the skill set to support it. BUT the consultants do, and we acknowledge this is a vital tool for deployment, so you’ll get as much help as you need from the Professional Services team.
Finally, if you enjoy this script and it saves you a whole bunch of time and effort, you might want to send me something from my Amazon Gift List? Thanks!
' LEGAL AND SUPPORT INFORMATION
' =============================
' This script is the invention of Simon Hunt, an individual, and
' though I work for McAfee, this script is not supported by, or
' authorised by McAfee itself as a corporate entity. There is no
' official support for this script, though you can get assistance
' from the author at his discretion. You may also be able to get
' assistance through the community forums at
' http://community.mcafee.com.
' If you use this script in a mission-critical way, you may want
' to consider contacting McAfee And agreeing some professional
' services support, outside the terms of your normal technical
' support contract.
' McAfee will offer support for any McAfee specific API calls in
' this script, but, not the logic of the script itself.