We are in the beginning stages of migrating from WinXP to Win7 using Microsoft's "Zero-Touch Installation" (ZTI) method. Part of the process involves decrypting the disk so that the user's data can remain in-place when Windows 7 is installed (Once Windows 7 is installed, EEPC 6.1.3 is applied). In order to do the decryption, we are using a script which does the following:
1. Determine the machine's Safeboot object name
2. Move the machine object into a Safeboot group whose policy dictates no encryption
3. Have the machine inherit the policy settings from its new group.
4. Force synchronization with the Safeboot server.
5. Monitor the machine's crypt state until it is "None".
This process has been working fine until the past week.
(script is attached)
This past week, the majority of the machines never reported back as being decrypted, and so ZTI could not continue. Upon inspecting the Safeboot client log on these machines, we are seeing a common error:
e00200009 "unable to get disk partition"
I've run into this error before, but only when I had a USB storage device connected to the machine. This is definitely not the case with our user base. We were able to add a reboot into the ZTI process when this is encountered, and that generally resolves the issue; however, we are really interested to find out why we are encountering this at all! We had done a lot of testing using freshly built test machines, but the error is occurring more often than not on users' machines, especially if they have a lot of locally-stored data.
Thanks so much in advance!
Hum - nothing too bad there, but the 5.1 version didn't have as rich logging or corruption reporting as later versions.
So, I hate to ask this, but what changed in your environment? Did you update something like AV to a new major version, install host protection, or something which would monitor disk access etc?
The error means that the driver can't get the partition information from the machine, so anything related to low level disk, repartitioning etc will cause problems. It could even be related to a change in user rights.
Message was edited by: SafeBoot on 4/17/12 11:58:25 AM EDT
I know that we've upgraded VirusScan a few times over the years. Also, we have McAfee Host DLP 3.x & 9.1 out there now as well. All of our endpoint security products are McAfee brand, if that matters.
Here's the McAfee "About" contents from a typical machine:
Message was edited by: ajacobs to remove private info on 4/17/12 2:05:38 PM CDT
Mike, I see some IPs and DNS info that may not be a good idea to post here. I'd like to edit that stuff out if possible. Let me know.
Also, I know we had some issues for email customers with DAT 6682. I'm wondering if there may be other inadvertent issues as a result?
I believe 6683 has been released so you may want to move to it.
Thanks for picking up on the IPs. Please feel free to edit the entry.
I'll let our VirusScan SME know about the DAT issue, though I don't think that's factoring in with this particular issue since it predates that specific DAT.