To use the SysPrep Utility locally:
- Download the SysPrep Utility from the Downloads tab of the ServicePortal.
- Right-click the ZIP package and click Properties.
- Click Unblock if the option is present.
- Extract the ZIP package.
- Open the extracted package.
- Right-click setupSysPrep.exe and choose Run as administrator.
- Review and collect the following logs from %temp%\McAfeeLogs:
  - McAfee_SysPrep_Bootstrapper_<timestamp>.log
  - MFESysPrep.log
  - MFESysPrep_child.log
NOTE: In some customer environments, the logs might be written to one of these locations:
- C:\Users\%username%\AppData\Local\Temp\McAfeeLogs\
- C:\Users\%username%\AppData\Local\Temp\1\McAfeeLogs\
- C:\Users\%username%\AppData\Local\Temp\2\McAfeeLogs\
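The local procedure above, scripted end to end in PowerShell as an added example (this is not McAfee/Trellix code and not part of the original article). It assumes the ZIP has already been downloaded to the placeholder path in $ZipPath, assumes the extraction and collection folders named in the script, and checks every log location the NOTE lists, since the utility does not always write to %temp%\McAfeeLogs. Run it from an elevated PowerShell session.

```powershell
# Added example, not McAfee/Trellix code. Assumed paths: $ZipPath, $ExtractTo, $dest.
param(
    [string]$ZipPath   = "$env:USERPROFILE\Downloads\SysPrepUtility.zip",   # assumed download path
    [string]$ExtractTo = "$env:USERPROFILE\Downloads\SysPrepUtility"        # assumed extraction folder
)

# "Properties > Unblock" removes the Zone.Identifier mark-of-the-web from the ZIP.
# Unblock-File does the same thing; without it, files extracted from the ZIP keep the
# mark and Windows may refuse to run setupSysPrep.exe.
Unblock-File -Path $ZipPath

# Extract and open the package.
Expand-Archive -Path $ZipPath -DestinationPath $ExtractTo -Force

# Run setupSysPrep.exe as administrator. -Verb RunAs raises the UAC prompt; -Wait
# blocks until the utility exits so the logs are complete before they are collected.
$exe = Get-ChildItem -Path $ExtractTo -Recurse -Filter 'setupSysPrep.exe' | Select-Object -First 1
if (-not $exe) { throw "setupSysPrep.exe not found under $ExtractTo" }
Start-Process -FilePath $exe.FullName -Verb RunAs -Wait

# Collect the logs. %temp%\McAfeeLogs is the primary location, but the NOTE lists
# alternatives under the per-user Temp folder (Temp\1, Temp\2), so check all of them.
$localTemp  = "$env:USERPROFILE\AppData\Local\Temp"
$candidates = @(
    (Join-Path $env:TEMP  'McAfeeLogs'),
    (Join-Path $localTemp 'McAfeeLogs'),
    (Join-Path $localTemp '1\McAfeeLogs'),
    (Join-Path $localTemp '2\McAfeeLogs')
) | Select-Object -Unique

$wanted    = @('McAfee_SysPrep_Bootstrapper_*.log', 'MFESysPrep.log', 'MFESysPrep_child.log')
$collected = foreach ($dir in $candidates) {
    if (Test-Path $dir) {
        foreach ($pattern in $wanted) {
            Get-ChildItem -Path $dir -Filter $pattern -ErrorAction SilentlyContinue
        }
    }
}

if (-not $collected) {
    Write-Warning "No SysPrep logs found in: $($candidates -join ', ')"
} else {
    $dest = Join-Path $env:USERPROFILE 'Desktop\SysPrepLogs'   # assumed collection folder
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $collected | Copy-Item -Destination $dest -Force
    $collected | Select-Object FullName, LastWriteTime, Length
}
```

The copied logs are what you attach to a support case; the FullName column tells you which of the candidate folders the utility actually used on that system.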
To use the SysPrep Utility with ePolicy Orchestrator (ePO):
- Download the SysPrep Utility from the Downloads tab of the ServicePortal.
- Right-click the ZIP package and click Properties.
- Click Unblock if the option is present.
- Check the ZIP package into the ePO Master Repository.
- Create a Product Deployment task that pushes the SysPrep Utility to the systems.
- Wake up the systems or wait for the scheduled task to complete.
- Review and collect the following logs from C:\Windows\Temp\McAfeeLogs:
  - McAfee_SysPrep_Bootstrapper_<timestamp>.log
  - MFESysPrep.log
  - MFESysPrep_child.log
The following occurs when the utility runs:
- It automatically updates the McAfee Trust store for third-party injectors that McAfee recognizes and that exist on the system. It sends Event ID 1095 for each of these injectors and writes them to the logs.
  - You can verify that trust has been added under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\McAfee Trust
- It identifies any unknown injectors and determines whether they're signed or unsigned. It sends Event ID 1092 for each of these injectors and writes them to the logs.
- Log lines indicating a failure to add trust are marked with '[E]' after the date and time stamps.
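The following PowerShell script checks each of the three outcomes above after a run: '[E]' lines in the logs, the contents of the McAfee Trust store, and Event IDs 1092 and 1095. It is an added example, not McAfee/Trellix code or part of the original article. The log directory, the log line layout behind the '[E]' match, the Windows event log name ('Application') that the events are assumed to land in, and the sample log lines are all assumptions; the sample lines are constructed so the parser can be exercised on a machine where the utility has not run.

```powershell
# Added example, not McAfee/Trellix code. Assumed: $LogDir, the 'Application' event
# log name, the log line layout, and the constructed sample lines below.
param([string]$LogDir = (Join-Path $env:TEMP 'McAfeeLogs'))

# 1. Failures to add trust are marked with '[E]' following the date and time stamps.
#    Only the '[E]' tag is relied on, so the exact timestamp format does not matter.
function Find-TrustFailures {
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match '\[E\]' }
}

$logFiles  = @('MFESysPrep.log', 'MFESysPrep_child.log') | ForEach-Object { Join-Path $LogDir $_ }
$logFiles += Get-ChildItem -Path $LogDir -Filter 'McAfee_SysPrep_Bootstrapper_*.log' -ErrorAction SilentlyContinue |
             ForEach-Object FullName
$lines = foreach ($f in $logFiles) { if (Test-Path $f) { Get-Content -Path $f } }

if (-not $lines) {
    # Constructed sample lines (not real utility output) so the check runs offline.
    $lines = @(
        '2024-01-01 10:00:01 [I] Adding trust for recognized injector example.dll',
        '2024-01-01 10:00:02 [E] Failed to add trust for unsigned injector other.dll'
    )
}
"Trust-add failures:"
Find-TrustFailures -Lines $lines

# 2. Added trust lands in the McAfee Trust store. The article gives the registry path;
#    the certificate provider exposes the same store as Cert:\LocalMachine\McAfee Trust
#    (assumption: a custom store under SystemCertificates is visible through Cert:\).
$regPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\McAfee Trust'
"Registry keys under McAfee Trust:"
Get-ChildItem -Path $regPath -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName
"Certificates in the store:"
Get-ChildItem -Path 'Cert:\LocalMachine\McAfee Trust' -ErrorAction SilentlyContinue |
    Select-Object Subject, Thumbprint, NotAfter

# 3. Event ID 1095 (recognized injector trusted) and 1092 (unknown injector found).
#    Assumption: ENS writes these to the Application log; adjust LogName if your
#    environment routes them elsewhere.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1092, 1095 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-List
```

An empty "Trust-add failures" section together with the expected thumbprints in the McAfee Trust store means the run did what the article describes; any 1092 events name injectors you still have to decide about manually.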
Additional information:
- Events created by this utility don't populate to the Endpoint Common policy.
- Any entries in the Endpoint Common policy are injectors in the environment that ENS has already identified.
If no action is taken to trust an unknown injector's certificate or to remove the third-party software from the environment, that application can cause sporadic issues for ENS across the environment.