Management of Native Encryption 5.x Known Issues

Technical Articles ID: KB91240
Last Modified: 2023-09-26 14:32:49 Etc/GMT

Environment

Management of Native Encryption (MNE) 5.x

Summary

Recent updates to this article

Date	Update
September 21, 2023	Added a known issue with reference number MNE-6417.
April 27, 2023	Added MNE 5.2.3 General Availability (GA) resolved and known issues.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, go to the Product Downloads site.

Contents:
Click to expand the section you want to view:

Product release information

Product Version	Release Date
MNE 5.2.3 (GA)	April 27, 2023
MNE 5.2.2 (GA) Repost¹	December 23, 2022
MNE 5.2.2 (GA)	October 11, 2022
MNE 5.2.1 (GA)	December 14, 2021
MNE 5.2.0 Hotfix 1 (GA)	May 27, 2021
MNE 5.2.0 (GA)	April 14, 2021
MNE 5.1.1 Hotfix 2 (GA)	March 23, 2021
MNE 5.1.1 Hotfix 1 (GA)	January 12, 2021
MNE 5.1.1 (GA)	November 10, 2020
MNE 5.1.0 (GA)	June 9, 2020
MNE 5.0.2 (GA)	October 8, 2019
MNE 5.0.2 (RTS)	September 24, 2019
MNE 5.0.1 (GA)	May 14, 2019
MNE 5.0.0 (GA)	March 12, 2019

¹	Reposted and updated DEGO extension for Trellix rebranding.

To view all MNE Release Notes, visit our Product Documentation site.

Critical known issues

Reference Number	Related Article	Found in Version	Fixed in Version	Issue Description
MNE-5941	KB94582	5.2.0	5.2.0 Hotfix 1	Issue: Installation of MNE 5.2.0 fails while you install on Windows 10. The installer rolls back because it fails to start the MNE Service. The logs record the error below: Failed to load Crypto Library
MNE-5904	-	5.1.1 HF1	5.2.0	Issue: FileVault Activation/Key Escrow fails on M1 chipset-based Mac systems. Reason: Apple introduced ARM-based M1 chipset in the latest Mac systems. These systems exhibit a different behavior with MNE, when compared to the Apple Silicon DTK environment that was used to validate for zero-day support. Resolution: With version 5.2.0, a macOS system with an M1 chip no longer fails to escrow the key to ePolicy Orchestrator (ePO). NOTE: MNE 5.1.1 HF1 is no longer available for download. There's no impact on Mac systems that aren't based on the M1 chipset.
MNE-5149	-	5.0.0	5.1.0	Issue: New Active Directory (AD) Users are unable to authenticate at MNE preboot. Resolution: A redesign now ignores the non-interactive service control logon, and only considers Interactive workstation logon for MNE preboot user provisioning.
MNE-4584	-	5.0.0	5.1.0	Issue: Activation isn't tried on the next policy enforcement. The issue is seen when none of the authentication methods can be applied.
MNE-5208	-	5.0.0	5.1.0	Issue: A memory handle leak is observed in the Windows Management Instrumentation Service during a property collection.
1271300	-	5.0.0	5.0.1	Issue: The system becomes unresponsive during Windows logon when MNE 5.0 and SQL are running.
1230491	KB90380	4.1.3	-	Issue: [FileVault] MNE fails to activate on macOS High Sierra with Apple File System (macOS 10.13 or later), with an AD-provisioned account. Reason: Apple has introduced a secure token on macOS High Sierra systems with APFS that uses FileVault encryption. The administrator must add a secure token to the provisioned account, before FileVault can be activated. Resolution: See the related article for how to add an AD user to FileVault.

Non-critical known issues

General
Reference Number	Related Article	Found in Version	Fixed in Version	Issue Description
Trellix MNE-6284	-	5.2.2	5.2.3	Issue: Trellix products in the 'Task Manager' aren't updated with the Trellix names.
Trellix MNE-3032	-	5.0.0	5.2.2	Issue: MNE doesn't display the Successful hardware test output.
Trellix MNE-4373	-	4.1.5	5.2.2	Issue: The MneService_Activity log message shows 'NOT' detected when it tries to install MNE.
Trellix MNE-5707	-	4.1.5	5.2.2	Issue: MNE threat event Log doesn't display in the protection workspace.
Trellix MNE-5719	-	5.1.1	5.2.2	Issue: The Enter password pop-up on MNE Mac is observed to be clipped on DE, FR, and ES languages.
Trellix MNE-6107	-	5.2.0	5.2.2	Issue: MNE 5.2.0.24 with upgraded MA 5.7.3.245 requires frequent recovery of the key and password.
Trellix MNE-6108	-	5.2.1	5.2.2	Issue: An issue is detected with the API query for non-admin users after upgrading from MNE 5.2.0 to 5.2.1.
MNE-5946	-	5.2.0	5.2.1	Issue: [Uninstall] The product removal tool doesn't decrypt the disk during an uninstall, and doesn't warn the user about the status of BitLocker. You're unable to block the removal of MNE when the 'Applied Protector' feature is either 'Network Unlock,' or 'Preboot.'
MNE-5943	-	5.1.0	5.2.1	Issue: [Install] The MNE default deployment task can't be removed when the policy and task retention feature is disabled.
MNE-5544	KB93462	5.1.0	5.2.0	Issue: When a system is deleted from ePO, it doesn't uninstall MNE macOS (MNE for Mac). Workaround: See the related article for details.
MNE-5285	-	-	5.2.0	Issue: After successful installation, MNE doesn't appear in the product assignment list in ePO.
MNE-5569	-	-	5.2.0	Issue: The Data Exchange Layer enters into a sleeping state when the MNE extension is installed.
MNE-5168	-	-	5.2.0	Issue: A new user is unable to log on during preboot. The user name switches between NETBIOS and FQDN versions of the domain name.
MNE-5702	-	-	5.2.0	Issue: When setting a filter in ePO to display the 'Not Reported' encryption status, no results are returned.
MNE-5740	-	-	5.2.0	Issue: MNE doesn't show the correct product code on the detecting Prod ID (deprecated) column.
MNE-5543	-	-	5.2.0	Issue: The FIPS compliance report, which previously correctly reported systems successfully, now fails during the OS Disk check. Resolution: The FIPS compliance report now successfully obtains protector types, enable TPM + Enhanced PIN, TPM + Shared PIN.
MNE -5904	-	-	5.2.0	Issue: A macOS system fitted with the M1 chip fails to escrow the key to ePO with MNE installed on the client system.
MNE-5159	-	5.0.0	5.1.0	Issue: MNE doesn't correctly rotate the recovery keys on secondary drives.
MNE-4451	-	5.0.0	5.0.2	Issue: Key escrow messaging fails to reflect the accurate status of the recovery key backup.
1270203	-	5.0.0	5.0.1	Issue: MNE reports systems as noncompliant when external USB devices are connected.
MNE-4917	KB91878	5.0.0	-	Issue: Incorrect information is seen in the "MNE recovery key through scripting" section of the MNE Product Guide recovery key section. It states the following: "it is possible to use the keyword recoveryKeyId with the command mc.mne.recoverMachine, when retrieving a BitLocker recovery key using a Key ID" But, using this keyword results in the following error: Error 0 : Error setting parameters for command: mne.recoverMachine Resolution: The keyword serialNumber must be used instead of recoveryKeyId.
MNE-3593	KB91271	5.0.0	-	Issue: MNE 5.0 prevents you from uninstalling after you switch the protection from Network Unlock to Preboot. Resolution: Change the protection back to Network Unlock. See the related article for details.
MNE-3617	KB91272	5.0.0	-	Issue: New users can't log on with Preboot after you transfer systems between ePO servers. Resolution: After the system has been transferred to the new ePO server, the ePO administrator must first disable Preboot and then re-enable it. See the related article for details.
1122494	-	4.1	-	Issue: If an MNE extension upgrade fails, the latest queries and reports aren't downgraded and removed from the default MNE dashboard.
1099086	-	4.0	-	Issue: [ePO] The Network unlock of volumes for system under the MNE Server setting page is hard to navigate with the screen reader.
1102848	KB85963	4.0	-	Issue: If you switch from Network Unlock to another authentication type with Hardware Test enabled, it leaves fixed volumes locked.
1054974	-	3.0	-	Issue: When two users from two separate domains have the same name, and have logged on to the same system, the system properties show only one of those users. Specifically, it shows the last domain that the user logged on to.
MNE-3004	KB91316	5.0.0	Expected Behavior	Issue: MNE 5.0 Preboot can't provision a user whose password must change at the next logon.
MNE-3078	KB91315	5.0.0	Expected Behavior	Issue: New users are unable to recover their password using the Self-Service Portal. This problem also affects users who Preboot doesn't provision for other reasons.
MNE-3064	KB91243	5.0.0	Expected Behavior	Issue: Users are prompted to confirm their enhanced PIN after an upgrade to MNE 5.0. Resolution: The MNE 4.x distinguishing issue between TPM and PIN is resolved in MNE 5.0.0. But, users must resupply their enhanced PIN during policy enforcement so that it can configure the correct authentication type. See the related article for more details.
1110423	KB86213	4.0	Expected Behavior	Issue: Servers that use Network Unlock that have no network connection when the system is turned on need to do one of the following: Restart the MNE service. Restart the system after it's reconnected to the network for Network Unlock to operate.
1048977	-	-	Expected Behavior	Issue: Compliance Report gives conflicting information regarding the encryption state when a volume transitions between an encrypted and decrypted state, or conversely after a policy enforcement.
1049955	-	-	Expected Behavior	Issue: When you upgrade MNE from an earlier version to MNE 4.x, recovery keys aren't expired. This issue is seen when exposed through recovery pages or DPSSP, before the client upgrade process has completed.
Windows BitLocker
Reference Number	Related Article	Found in Version	Fixed in Version	Issue Description
MNE-3582	KB91314		Microsoft Windows v1803	Issue: An MNE 5.0 user enters into an endless recovery loop on a Surface Pro 4 Tablet. Resolution and Workaround: See the related article.
-	-	5.0	-	Issue: MNE 5.0 removes BitLocker authentication from Windows 7 after upgrade from 4.1.x.
1122952	-	4.1	-	Issue: The postponement timer doesn't persist across system reboots.
1127648	-	4.1	-	Issue: If the change credential Control Panel applet isn't closed after use, it prevents subsequent activation attempts from completing successfully.
1055149	-	4.0	-	Issue: Hardware test failure after reboot doesn't send an audit to the ePO server.
1109898			-	Issue: Overloading Network Unlock might cause network unlock key requests to perpetually time out. NOTE: With this release, the Network Unlock feature is intended only for use with servers.
1049957	-	3.0	-	Issue: Hardware test failure after a system restart fails to send an audit.
964274	-	-	Expected Behavior	Issue: [BitLocker] This error is seen after you enable BitLocker with password authentication on other drives and encrypt the client, and click Collect and send properties. The MNEService.log records the following error: Could not find keys for Volume {} Resolution: This behavior is as expected because there's a requirement that MNE reports information about all historical volumes on the system. This information includes volumes that have been removed. Part of the information-gathering process tries to query the keys for the volume that has been removed. These volumes aren't stored for security reasons. Thus, the keys aren't available. The entry shows that when gathering volume information, an attempt is made to get the keys for the volume. But none is available. This entry is only a DEBUG level entry and isn't an error message. It's intentionally present for removed volumes.
Mac OS X, macOS[FileVault]
Reference Number	Related Article	Found in Version	Fixed in Version	Issue Description
MNE-6417	KB85855	5.2.3	-	Issue: Unable to start applications from the Menulet application in macOS Sonoma systems. Workaround: Start the application from the /Applications folder. NOTE: The issue is tracked via Endpoint Security for Mac (ENSM) Jira reference number 'ENSM-5607'. See the ENSM known issues article for more details and updates.
MNE-6308	-	5.2.x	-	Issue: While upgrading to MNE 5.2.3 on a macOS platform, an issue is observed where post ENSM/FMP 10.7.9 upgrade and before MNE 5.2.3 upgrade, MNEHost and MNEMacTool crash due to a codesign issue. Reason: ENSM/FMP 10.7.9 is FireEye certificate signed and previous versions of MNE are non-FireEye certificate signed, thereby causing the crash. NOTE: Once MNE is upgraded to version 5.2.3 successfully, the crash isn't seen.
1253616 MNE–4437	KB90916	4.1.5	5.0.2	Issue: Key rotation fails on macOS 10.14 (Mojave).
-	-	5.0	Expected Behavior	Issue: As of macOS Mojave 10.14 or later, the user can select between light- and dark-mode themes. The dark-mode theme isn't supported with MNE. If dark mode is selected when MNE is installed, it doesn't update the look of any MNE components. In dark mode, some MNE user interface components don't render appropriately, and might make reading text on the components harder. There are no known functional issues when you operate MNE with macOS in dark mode.
-	-	5.0.2 macOS Catalina 10.15	macOS issue	Issue: After an upgrade from macOS Mojave 10.14 to macOS Catalina 10.15, the option to enter the recovery key might be missing. After the upgrade, it's possible that the option to enter the recovery key during user logon (the "?" symbol in the password dialog box) is missing. This issue is observed in the beta 8 build of Catalina (build 19A558D), and isn't an issue with MNE 5.0.2. The issue has been reported to Apple via the beta feedback portal. Resolution: Customers must contact Apple to investigate.
-	-	5.0.2 macOS Catalina 10.15	macOS Issue	Issue: Mac users are prompted for consent when MNE enables FileVault. FileVault can't be enabled until such consent is provided. Resolution: Users are advised to provide consent for MNE to make sure that FileVault is enabled.
-	-	4.1.5	-	Issue: The MNE (FileVault) standalone installer comes packaged with the highest currently supported version of McAfee Agent (MA). If that MA version or later is already installed on the system before installation, the installer fails with a generic warning message. Workaround: Use the packaged version of MNE 4.1.5, which can be deployed from ePO, or the regular non-standalone installer of MNE, which doesn't contain MA.
1212078	KB89819	4.1.2	-	Issue: FileVault recovery isn't possible when automatic password expiration is enabled on macOS High Sierra or later systems. Workaround: Don't set the password expiration policy in ePO for systems that run macOS 10.13 or later. See the related article for details.
1109657	-	4.0	-	Issue: [FileVault for MAC AIR] The first two characters aren't displayed at the left side for the Custom message.
1110836	-	5.0	-	Issue: MNE 5.0 product details aren't displayed in the menulet on installation. This issue is seen on systems with either Endpoint Security for Mac or Endpoint Protection for Mac (EPM).
1055134	-	4.0	-	Issue: After you disable FileVault, ePO continues to report MNE users in the MNE User Property tab.
1212353	KB89825	4.1.2	Expected Behavior	Issue: MNE can't accept the FileVault password when it tries to manage and take over FileVault. This issue is seen when the Mac User Logon password isn't the same as the FileVault password. Resolution: Sync the passwords before you try to manage FileVault. See the related article for details.
1212900	KB89834	4.0.0	Expected Behavior	Issue: MNE Mac Remote Provisioning tool requires a reboot before communication with ePO. Resolution: Restart the computer.
-	-	-	Expected Behavior	Issue: MNE 4.0 co-exists only with EPM 2.3 or later. If an earlier version of EPM is installed, the MNE OS X client doesn't install on that system.
-	-	-	Expected Behavior	Issue: MNE successfully disables FileVault, only if both a Recovery Key is available in ePO, and the Policy mode is changed from Manage FileVault/Turn on (Enable) FileVault to Manage FileVault/Turn off (Disable) FileVault.
-	-	-	Expected Behavior	Issue: If the FileVault status on a client system is FileVault is Off, but needs to be restarted to finish, the MNE policy enforcement can't enable FileVault. The status doesn't change until the system is restarted. But, password settings and logon banner settings are applied.
-	-	-	Expected Behavior	Issue: The MNEUninstall task fails if the Manage FileVault/Turn on (Enable) FileVault policy is applied to the client system.
910502	-	-	Expected Behavior	Issue: If you turn off FileVault from ePO, it disables all other policy settings. The other settings include password settings, Logon banner settings, and destroy FileVault key settings, and any that the user sets on the client system.
910511	-	-	Expected Behavior	Issue: A user can't log on to the client system. This issue is seen after the ePO administrator has enforced the password settings policy on the client system with the Require change after the following number of days [X] (1–180) option selected. In addition, the screen saver is enabled on the client system because of how the macOS is designed.
Data Protection Self Service Portal (DPSSP)
Reference Number	Related Article	Found in Version	Fixed in Version	Issue Description
977621	-	2.0	Expected Behavior	Issue: There's no DPSSP permission available to restrict certain users from running DPSSP queries.

Related Information

To receive information about product updates, sign up for the Support Notification Service.

For End of Life (EOL) information, see Product End of Life Information.
For EOL policy details, see the Corporate Products EOL policy.

Definitions:

EOL period—The time frame that runs from the day we announce product discontinuation, until the last date that we formally support the product. In general, after the EOL period is announced, no enhancements are made.
EOL date—The last day that the product is supported, according to the terms of our standard support offering.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Management of Native Encryption 5.x Known Issues

Environment

Summary

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Management of Native Encryption 5.x Known Issues

Environment

Summary

Related Information

Affected Products

Languages:

Choose your region

Title

Title