Hello! I'm new to this forum and I screwed up big time! Long story short, laptop crashed, and stupid me thought it was a good idea to place the HD on another laptop, of course it was not booting so AFTER the McAfee Encryption login I sent to troubleshoot and ran fixmbr commands.
When I rebooted I was obviously no longer getting the MCAfee Encryption preloader since MBR got messed up. I have been trying without success to do "Emergency Boot" or decrypt the drive but DETech is not working for me.
1. DE Tech not showing Enable USB or Emergency Boot
2. When I click on Token I get "Error EE020006 Drive Encryption disk information not present."
3. Disk Information shows "Disk ID 00, ERROR: Disk Information not available"
4. Workspace shows "The Workspace is empty"
Any ideas?? Please help!
In DETech, if you are not seeing those two buttons, we would want to check on which specific DETech utility that you are using. I would suspect that you are using a DETech utlity in a WinPE environment which wouldn't have those two options.
I would recommend checking in the ePO console to make sure that the system is in legacy BIOS mode before we go any further. If you drill into the system in ePO and then go to the drive encryption tab. There will be a few items and then an option to click for "more" below. After clicking that, look at "firmware type" and please let us know what is reflected there. That will help ensure we advise on the specifics of DETech to choose. Another item for that consideration would be your preferred goals with this recovery. For some, they are going to try to get this specific one back to working while others prefer to get the data from the disk and then rebuild. I know that you mentioned an emergency boot but the trouble there is that the emergency boot only works to get past a problem\issue with MDE preboot. If I follow correctly, you were previously able to get past PBA but then could not get into Windows properly which an emergency boot may not be able to help with if the cause for the initial issue had to do with the OS itself. Once we know more about the firmware type and any preferences you may have in recovery, we can help guide toward the proper DETech. From there, we can provide a few things that we would want to do in a very specific order per the situation but there will be some variable depending upon the specific type, build, etc.
Assuming the system is a legacy BIOS system, with the MBR replaced, altered, damaged, etc. then many MDE options will not be initially available in DETech. We'll need to have the recovery XML file for this system from the ePO server to be able to authenticate with.
When you go into the workspace, until you specify something to be loaded, it should be empty, so that may not be of concern unless you had already tried to load something specifically.
Before taking any action, it is recommendable to take a sector level clone of the disk and then any work that is done can be performed on the clone, ensuring that if something is to go wrong for any reason, the initial disk is left unaltered.
Hello @cross and thanks for replying! Answers to your questions below:
1. Yes I believe I was using a DETech utility in WIN PE environment, how can I use the one that has the 2 options I mentioned?
2. I am only interested in getting the data from the drive, not fixing the load and being able to get into Windows.
3. I have the xml file and the daily code however we have limited access to EPO and unable to view many settings.
4. I will be cloning the disk with sector level, any tool you recommend?
Thanks for helping!
We don't yet know which utility will be the best to use in this situation. One very critical item is to confirm the boot type. Once we know that, we may be able to repair the boot components, at least to a point of being ablt to backup the data from the drive. To confirm that, it may be necessary, if you don't have the necessary access in ePO, to "tap" a colleague that has the proper rights, to get that firmware type information from ePO for this specific system.
As far as cloning, it comes down to any software that can make a sector level copy of the drive and that would need to be done using an identical make, model, size, etc. drive.
Thanks again @cross ! Took your advice and tried to get help from someone who has more access than we do, however he was unable to find the properties tab, I am sharing what he found. Any ideas where he needs to go so I can guide him? Thanks!
While in the system tree, when the system is located, click on the name of the system which should "drill in" to the system information. On the resulting page, there will be several tabs, "system properties", "products", "McAfee Agent", etc. One of those should be "Drive Encryption", we want to select that one. When you do, it should show four information items and then below that, should have an option for "more" that you can click. On the page that comes up, roughly in the middle, there should be an entry for "firmware type" that should have what we are looking for.
Hello @cross , we tried getting to that information but maybe my friend doesn't have the right permissions. Quick update, used winpe_amd64_DETech_7.2.8.iso (fat32 and booted usb legacy) as advised by our SEC Team and was able to Authorize with the daily code and Authenticate with the xml although it said "Failed to retrieve key check from disk the primary disk...:" I clicked on Restore MBR and it said it was restored. I exited the DETech but it still did not boot into Windows, giving an "EPC has been corrupted message".
I again booted using the DETech iso and got this message "A version mismatch has been detected between this version of DETech/WinTech ... DETech/WinTech Version 7.2 and McAfee Drive Encryption version 7.1.. I clicked OK, authorized, authenticated, clicked again on Authenticate with File and was able to view all my files!! Disk information is also now present and not showing an error.
My files have been recovered now, however I am unable to view any hidden files, any idea how I would go about restoring the image properly and making it boot? Should I use EETech version 7.1? Thank you!
The current error message for MDE suggests that an emergency boot is now needed for MDE, however, part of that requires that the operating system needs to be functional on the system. I'm not quite clear on what the problem was with the OS exactly. Can you tell me more about what is going on with that aspect of it? Emergency booting to a "broken" operating system will not really gain anything in the situation. If the OS is functional otherwise, then emergency booting should be able to get you to the OS and then while online, when corresponding with ePO (or agent handler) it should rebuild the MDE preboot file system.