Upgrade

Changes with ePO 5.10 Service Pack 1

ePO 5.10 Update 15 is the latest update in the initial series of cumulative updates (CUs) for ePO 5.10. The next release after that may have two different packages. Cumulative update indicates any update that is applied using the ePO 5.10 update tool.

• ePO 5.10 Service Pack 1 (ePO 5.10 SP1): This package can be used to install ePO for the first time and includes the updates in CU 1-15. It is also used to upgrade some versions of ePO 5.9.1 and earlier to ePO 5.10 SP1.

• ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU): This package can be used to upgrade an existing ePO 5.10 server to service pack 1. You do not need to install this if you have already installed ePO 5.10 Service Pack 1.

EPO 5.10 SP1 Update is the last update to support both upgrading from and rolling back to ePO 5.10 CU 1–15. The update numbering then resets so that the next release after ePO 5.10 SP1 might be ePO 5.10 SP1 Update 1 (ePO 5.10 SP1 CU1), and so on. If you are on ePO 5.10 Update 15 or earlier, you must first apply ePO 5.10 SP1 CU before upgrading to ePO 5.10 SP1 CU1 or later.

See KB96141 (opens in a new tab)for the full list of upgrade paths supported for ePO - On-prem 5.10 Service Pack 1.

• The upgrade path does not allow an upgrade from ePO 5.3.0 or earlier to ePO 5.10 SP1.

• The Pre-Installation Auditor (embedded in the ePO 5.10 installer) verifies the ePolicy Orchestrator and SQL Database readiness for upgrade to ePO 5.10.

• The Pre-Installation Auditor utility provides remediation steps for any conflicts found.

• The Pre-Installation Auditor utility file (ePIP.exe) is also provided in the extracted folder and can be executed outside of the ePO installer file (setup.exe).

After upgrading to ePO 5.10, you might need to rebuild indexes if index fragmentation gets too high or the built-in task fails to rebuild those indexes. Rebuilding the indexes is beneficial for better ePO performance. See KB87769 (opens in a new tab)for details.

Upgrading ePO Checklist

Plan the Upgrade

• Read the release notes.

• Review Knowledge Base articles for ePO:

  • Known Issues: KB90382(opens in a new tab)

  • Upgrade Paths: KB86693(opens in a new tab)

  • Upgrade Paths for Service Pack 1 (SP1): KB96141(opens in a new tab)

  • Minimum Supported Extensions/Versions: KB94079(opens in a new tab)

  • Policy & System Migration: KB88822(opens in a new tab)

• Gather required information: Grant Number License Key Database server and Database name DB Server credentials Primary administrator account credentials for ePO Keystore encryption passphrase

• The Pre-Installation Auditor runs in installer by default.

Prepare the Environment

• Perform any updates as recommended by the Pre-Installation Auditor for the ePO server.

• Back up ePO databases and directories.

• Update registered server certificates.

• Disable Trellix Agent installation tasks set to Run Immediately.

• Disable scheduled server tasks and Windows tasks.

• Disable third-party software.

Prepare SQL Database

• Perform any updates for the SQL Server as recommended by the Pre-Installation Auditor assessment of the SQL database.

• Update your Windows Server to the latest Microsoft Service Packs and hotfixes.

• Make sure that IPv6 is enabled.

Perform the Upgrade

Download and extract the software

Download the ePO software to your Windows Server.

Stop automatic updates

Disable Windows updates to ensure they do not interfere with your ePO installation or upgrade.

Stop remote Agent Handlers services before upgrading

If you use remote Agent Handlers in your environment, you must stop two services on each remote Agent Handler server to successfully complete your upgrade.

Stop ePO services

Make sure that the Apache Tomcat service stops.

Start and complete the InstallShield wizard

Use Setup.exe to upgrade your ePO server.

Upgrade your remote Agent Handlers

When you upgrade your ePO server software, you must manually reinstall the Agent Handler software on any remote Agent Handlers installed throughout your environment. Agent Handlers are not automatically updated to the latest version when the ePO server is upgraded.

Restart Process and Verify Upgrade

To remediate vulnerabilities in your ePO environment, migrate SHA-1 certificates to SHA-2 or higher; refer to KB87017(opens in a new tab).

Verify the upgrade:

1. Run a query or server task.

2. Perform an Agent wake-up call with one or more managed systems.

3. Verify registered servers are communicating with the ePO server.

Migrate SHA-1 Certificates to SHA-2 or Higher

The Certificate Manager allows you to:

• Migrate certificates that are signed by older signing algorithm to the new algorithm, such as SHA-1 to SHA-256

• Regenerate your certificates when your existing certificates are compromised due to vulnerabilities in your environment

• Migrate or regenerate certificates for managed products that are derived from McAfee ePO root CA

This task replaces certificates that are used for all these ePO operations:

• Agent-server communication

• Authenticating to browsers

• Certificate-based user authentication

Read the instructions carefully before proceeding with the steps. If you activate the new certificates before they are populated on the systems in your network, those systems will not be able to connect to your ePO server, until the agents on those systems are re-installed

Using Certificate Manager

The Certificate Manager page provides information about the installed Root Certificate, Agent Handler certificates, server certificates, and other certificates that are derived from ePO root Certificate Authority (CA).

Log on as an administrator, then click Menu > Configuration > Certificate Manager.

Click Regenerate Certificate

.

After the certificates regenerate, wait for sufficient saturation of the new certificates throughout your environment. As agents communicate to the ePO server, they are given the new certificate. The percentage of agents that have received the newly-generated certificates is provided in the Certificate Manager under Product: Agent Handler > Status. This distribution percentage is based on the number of agent-server communications that have occurred since the certificates were regenerated. Unmanaged inactive systems will affect this percentage.

Note: Make sure that the distribution percentage is as close to 100% as possible before you continue; otherwise, any pending systems will not receive the newly generated certificates and will be unable to communicate with ePO after the certificates are activated. You can stay in this state for as long as is necessary to achieve sufficient saturation.

1. Once you've achieved a distribution percentage close to 100%, click Activate Certificates to carry out all future operations using the new certificates. A backup of the original certificates is created, and a message appears.

2. Click OK. You must reinstall any agents that still use the old certificates to restore agent-to-server communication.

Once activation of certificates is complete, perform these steps:

1. Stop the Agent Handler services (including the Remote Agent Handler services).

2. Restart the ePO services.

3. Start the Agent Handler services.

Monitor your environment and make sure that your agents are successfully communicating. You can cancel the migration at this point to roll back the certificate and restore agent-to-server communication; however, after you’ve completed the next step, you can no longer cancel the certification migration.

Click Finish Migration to complete the certificate migration. The certificate backup, taken during activation, is deleted.

Summary

For any issues during the migration, click Cancel Migration to revert to the previous certificates. If you cancel the migration, stop the Agent Handler services, restart the ePO service, and start the Agent Handler service again. You can start the certificate migration again after fixing any issues.