Not sure this is going to be a cut-and-dried answer or not, but I was hoping to get a little clarification on first steps after encountering a "missing operating system" error. I feel like I get different answers when calling support for this. Both solutions require booting the system with SafeTech and authorizing and authenticating with the .sbd file. Next, I've had one support person tell me to "fix SafeBoot MBR, and reboot." That worked and took less than a minute to resolve. The other solution was to locate the encrypted sectors from the workspace and perform a force decrypt.
So I'm just wondering what would be safe to try first. Can we just do a "fix SafeBoot MBR" first and see if that works? If it does not, then call support and proceed with the other options?
The key is to find out what happened.
If it is just the MBR that is damaged (probably a virus or misuse of MS tools), then SafeTech "Restore SafeTech MBR" from the SDB file would work.
There is a procedure to make sure that you have got the proper SDB file, though.
You will know that your SafeBoot MBR has been replaced if the missing OS error comes instead of the EEPC pre-boot screen.
If missing OS comes after filling in the EEPC pre-boot credentials, then the OS on disk might be damaged, so a different recovery is needed (WinTech CD).
Then you would need to inspect the MBR separately or watch the boot process very closely. It displays some messages very quickly prior to Windows boot.
Oh, and don't use autoboot - not recommended.
Message was edited by: peter_eepc on 3/4/10 10:24:28 AM EST
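The reply above distinguishes two cases by whether "Missing operating system" appears before or after the EEPC pre-boot screen, and suggests inspecting the MBR separately. The script below is an added illustration of that inspection, written for this page; it is not McAfee, SafeBoot or EEPC code and does not know the EEPC loader's layout. It parses a 512-byte MBR, checks the 55 AA boot signature, applies a heuristic (an assumption of this example) that a stock Microsoft MBR can be recognised by the plain-ASCII error strings it carries in its 446-byte code area, and replays the checks the stock Windows MBR performs before jumping to the volume boot record: a volume boot record that lacks 55 AA, which is what an encrypted volume looks like to a generic MBR, is exactly what produces "Missing operating system". The sample sectors are constructed inline; to use it on a real machine, replace them with the first sector of the disk and a sector-reading callback (the "exactly one active partition" rule is a simplification of the real MBR code).

```python
"""MBR triage for the 'Missing operating system' symptom.

Added example, not McAfee/SafeBoot/EEPC code.  Sample sectors are constructed
inline; the stock-Windows-MBR heuristic and the partition rule are assumptions.
"""
import struct

SECTOR = 512
BOOT_SIGNATURE = 0xAA55            # stored little-endian: bytes 55 AA at offsets 510..511
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
# Error strings the Microsoft MBR keeps in plain ASCII inside its code area.
WINDOWS_MBR_STRINGS = (b"Invalid partition table",
                       b"Error loading operating system",
                       b"Missing operating system")


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector ends with the 55 AA marker the BIOS and MBR code require."""
    return len(sector) == SECTOR and struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE


def parse_partitions(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries; empty (type 0) slots are skipped."""
    parts = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def looks_like_stock_windows_mbr(mbr: bytes) -> bool:
    """Heuristic (assumption of this example): a pre-boot loader replaces the
    446-byte code area, so finding Microsoft's error strings there means a
    stock Windows MBR has been written back over the loader."""
    code = mbr[:PART_TABLE_OFFSET]
    return all(s in code for s in WINDOWS_MBR_STRINGS)


def emulate_windows_mbr(mbr: bytes, read_sector) -> str:
    """Replay the decisions the stock Windows MBR makes and return the message it
    would print.  read_sector(lba) returns 512 bytes or None on read failure."""
    if not has_boot_signature(mbr):
        return "no bootable device"            # the BIOS never runs this MBR at all
    active = [p for p in parse_partitions(mbr) if p["active"]]
    if len(active) != 1:                       # simplification of the real checks
        return "Invalid partition table"
    vbr = read_sector(active[0]["lba_start"])
    if vbr is None or len(vbr) != SECTOR:
        return "Error loading operating system"
    if not has_boot_signature(vbr):
        return "Missing operating system"      # VBR lacks 55 AA: encrypted or wiped
    return "jump to VBR"


def triage(mbr: bytes, read_sector) -> dict:
    """Everything a tech would want to know from the first sector, in one place."""
    return {"mbr_signature_ok": has_boot_signature(mbr),
            "stock_windows_mbr": looks_like_stock_windows_mbr(mbr),
            "partitions": parse_partitions(mbr),
            "boot_outcome": emulate_windows_mbr(mbr, read_sector)}


# ---- constructed sample data (not captured from a real machine) ----
def build_mbr(stock_windows: bool, active_lba: int = 2048) -> bytes:
    """One active NTFS-type (0x07) partition; optionally carry the Microsoft strings."""
    code = bytearray(PART_TABLE_OFFSET)
    if stock_windows:
        code[0x100:0x100 + 80] = b"\0".join(WINDOWS_MBR_STRINGS).ljust(80, b"\0")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", active_lba, 204800)
    table = entry + bytes(PART_ENTRY_SIZE * 3)
    return bytes(code) + table + struct.pack("<H", BOOT_SIGNATURE)


# Plaintext NTFS-style boot sector: jump, OEM id, padding, then 55 AA.
PLAIN_VBR = b"\xeb\x52\x90NTFS    ".ljust(510, b"\0") + b"\x55\xaa"
# Stand-in for an encrypted boot sector: pseudo-random bytes, no 55 AA at the end.
ENCRYPTED_VBR = bytes((i * 37 + 11) & 0xFF for i in range(SECTOR))


def make_disk(vbr: bytes, lba: int = 2048):
    """Return a read_sector callback for a disk holding only the given VBR at lba."""
    sectors = {lba: vbr}
    return lambda n: sectors.get(n)


if __name__ == "__main__":
    # Stock Windows MBR written over the pre-boot loader, volume still encrypted.
    r = triage(build_mbr(stock_windows=True), make_disk(ENCRYPTED_VBR))
    print(r["boot_outcome"], "| stock Windows MBR:", r["stock_windows_mbr"])
    # The same MBR over a plaintext NTFS volume hands off to the VBR normally.
    print(triage(build_mbr(stock_windows=True), make_disk(PLAIN_VBR))["boot_outcome"])
```

On a live system the first sector can be read from the raw disk device by an administrator and fed to `triage()` together with a callback that reads the active partition's first sector; if `stock_windows_mbr` is true and the outcome is "Missing operating system", the picture matches the first case in the reply above (pre-boot loader overwritten, data still encrypted), which is the case the SafeTech MBR restore is meant for.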
Thanks for the clarification. If restoring the SafeBoot MBR doesn't do any harm, then we'll try that first. If we reboot and a new message occurs, then we know that we have a corrupted SafeBoot filesystem and we need to proceed with the other options.
As for the autoboot, I didn't want to go down that road, but we had to walk a fine line between security and operational impact. Don't ask me why, it wasn't my idea, but we deployed McAfee HIPS, Endpoint Encryption and DLP to our users in 1 year. This covers 4,000 laptops, most remote and never logging into our domain on the LAN. I just have to manage all of them as the ePO Admin, and then I have a bunch of Desktop Support people who have to troubleshoot the issues with the products. I'm trying to simplify processes for them as much as possible because I'm the only one they can call. I'm the only ePO admin and unofficial "McAfee Expert" for all our McAfee products... which are A LOT!
I will be making a recommendation in the near future to turn on pre-boot authentication. I'm sure it won't go over well with our users.
I hope that you are not going to get caught in an external security audit prior to implementing the recommended settings.
Who said that security is easy, low impacting and cheap?
We're getting a spike in volume on these; they appear to be related to Fake AV infections, perhaps PDF- or Java-related vulnerabilities. 2 corrupt MBRs in 2 days vs. 1 in the prior 18 months.
Fix (so far):
Boot to WinTech, authenticate from SDB
Disk - Replace eepc MBR (get errors)
Boot to WinTech again, authenticate from SDB
Get Disk Info (sector info)
Force Crypt (input sector info)
The machine will then boot to Windows after the decryption completes. Note: if on the network, it will sync, create a new object, and start encrypting again. Make sure you clean the machine before it reboots!
Yep, this could very easily be my issue as well. We have around 10,000 users with access to the internet and probably have on average 10 Fake Alert infections each week. (We're testing Artemis now to see if this cuts down on the number of infections!) Often the techs are just re-imaging the laptops without really trying to recover from the error. This was the first time I called support, and they walked me through fixing the MBR and it worked perfectly. Another tech was walked through finding the sectors and force decrypting the drive. Another tech was told to decrypt the drive, but he rebooted the machine mid-way through the force decrypt because he thought it had "locked up".
Do you know of a way to grant techs the ability to export machine configs from EEM without giving them permission to do anything else?