We currently use OS deployment in SCCM to refresh our encrypted devices (EEPC 6.2) with Windows 7, whilst retaining a fully encrypted disk. This method works really well and saves having to re-encrypt the drive once a new Windows 7 build has been applied. However, there are some sites where we don't have access to SCCM and have to reimage devices using a USB stick.
What I would like to do is retain the fully encrypted disk after reimaging a PC to Windows 7 in a WinPE 3.0 environment using a USB stick. I think I am pretty close to achieving this, but it's not quite working. I will explain the whole process I am using:
1. Boot off a USB stick on an encrypted PC (EEPC 6.2). This boot stick uses WinPE 3.0 and includes all of the EEPC drivers and registry keys.
2. Run the EETech tool to authenticate with my token credentials. This allows me to see the contents of the disk with the operating system (C
3. Backup the EEPC MBR using the EpeWinUpgradeTool.exe (output shows success)
4. Unlock and Unhide the SafeBoot files
5. Delete all files from the disk, except C:\SafeBoot.fs, C:\SafeBoot.rsv and the backed up MBR dat file
6. Applying the Windows 7 WIM image would not work unless I ran the EETech tool again, this time authorising with the code of the day, clicking "Edit Disk Crypt State" and then "Clear Crypt List"
7. The Windows 7 image would then apply successfully, and I then copy MfeEEAlg.sys and MfeEpePc.sys to C:\Windows\System32\Drivers in the new image
8. I write all of the correct EEPC registry keys (in ControlSet001) on the new image by loading the hive C:\Windows\System32\Config\System. Then I unload the hive.
9. Restore the EEPC MBR using the EpeWinUpgradeTool.exe (output shows success)
10. The preboot encryption logon appears and I log in with my credentials
11. At this point the PC tries to boot into the OS, there are coloured squares to indicate corruption, and the PC hangs and won't boot into Windows (see attachment).
I suspect that this is something to do with clearing the Crypt List. Unfortunately, if I don't do this I cannot apply an image to the disk (just authenticating with a token isn't enough to fully unlock the drive). My question is: is there another way to apply the WIM image without clearing the crypt list?
It would be nice if I could get this solution working, otherwise the only other option is to delete the partition, which kills the encryption and means that the disk has to fully encrypt again after the image has been applied, which can take a whole day on some machines.
You cleared the crypt list, so you told EEPC that the drive was not encrypted (but it was) - that's the step which is breaking things.
If you can get at the files of the drive at step 5, do you know what's stopping the image being applied in step 6? Is the image disk level, or file level?
Thanks for the reply.
I am using GImageX to apply the WIM file which is file level imaging. After step 5, I can see all of the files on the drive, and I am able to successfully delete all of the files on the disk in preparation for the re-image (excluding the Safeboot files in the root which we need to keep). I don't format the drive because I think this destroys the EEPC.
When I try to apply the WIM image by GImageX, I get the following error:
Error 5 copying C:\Windows\Winsxs\x86_wwf-system.workflow.runtime
Error applying WIM
Access is denied.
The same thing happens if I use DISM to apply the WIM file.
As soon as I clear the crypt list, the image successfully applies, but as you mentioned, we don't really want to do this.
Any resolution yet on this issue? I am facing the same issue when deploying the image through SCCM. I have the WinPE and the image updated with drivers and registry keys as mentioned in the document below: http://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23245/en_US/M...
But there is something stopping me from wiping the disk with the operating system (not formatting, as I am using hardlink USMT), and I am getting the access denied error.
You won't be able to wipe the drive with the encryption drivers active; you need to switch them off using the OS migration tools first.
I have done the steps below in WinPE. Which step should be turned off for the wiping and applying of the operating system to work?
I am using a 64-bit WinPE as I am migrating to 64-bit Windows.
1. Insert the driver files. The driver files can be extracted from a Windows 7 64-bit system with an existing Endpoint Encryption installation.
I copied the following files from the windows/system32/drivers folder to the C:\Windows\system32 folder on Windows PE:
MfeEpePc.sys & MfeEEAlg.sys
2. Open the registry editor and load the System Hive from the Windows PE folder windows/system32/configuration (the following examples assume that you have loaded the hive with the name pe3).
3. Insert the following registry keys for the MfeEpePc.sys driver
4. For release versions 6.1.2 or greater, insert the following registry keys for the MfeEEAlg.sys driver
5. Find the following registry entry
6. Edit the current value which is usually as follows:
7. And change it to the following:
Please let me know which step I am missing. A small typo in my post: I am copying the drivers to \Windows\System32\Drivers in the WinPE.
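Both procedures above (steps 7-8 of the first post and steps 1-7 of the last one) come down to the same offline-hive edit in WinPE, so here is one scripted version of it, added as an example and not taken from the thread or from McAfee's documentation. It assumes the freshly applied Windows 7 image is on C:, that the running WinPE already carries the EEPC drivers and their service keys prepared per the McAfee document (so they are copied from the live WinPE registry instead of being typed in), and that the hive is mounted under the name pe3 used in that document; any further keys the document lists beyond the two service keys would need the same treatment.

```batch
@echo off
rem Added example, not from the thread or from McAfee: inject the EEPC driver
rem files and their service keys into the offline SYSTEM hive of a freshly
rem applied Windows 7 image from WinPE 3.0 using only reg.exe and copy.
rem Assumptions: new image on C:; this WinPE already has MfeEpePc/MfeEEAlg
rem installed and registered; hive mount name pe3 as in the McAfee document.
setlocal
set TARGET=C:
set HIVE=%TARGET%\Windows\System32\Config\SYSTEM
set MOUNT=HKLM\pe3

if not exist "%HIVE%" echo SYSTEM hive not found at %HIVE% & goto :fail

rem 1. Driver files: copied from the WinPE's own Drivers folder (%SystemRoot%
rem    is X:\Windows inside WinPE) into the new image.
for %%F in (MfeEpePc.sys MfeEEAlg.sys) do (
    copy /Y "%SystemRoot%\System32\Drivers\%%F" "%TARGET%\Windows\System32\Drivers\" >nul || goto :fail
)

rem 2. Mount the offline SYSTEM hive. Nothing (regedit included) may hold it
rem    open afterwards, otherwise the unload at the end fails and the image
rem    boots without the keys.
reg load %MOUNT% "%HIVE%" >nul || goto :fail

rem 3. Copy each service key with all subkeys from the live WinPE registry into
rem    ControlSet001 of the offline hive. ControlSet001 is edited directly, as
rem    in the thread: CurrentControlSet is a link that only exists at runtime.
for %%S in (MfeEpePc MfeEEAlg) do (
    reg copy HKLM\SYSTEM\CurrentControlSet\Services\%%S %MOUNT%\ControlSet001\Services\%%S /s /f >nul || goto :fail
)

rem 4. Read back what landed in the offline hive before unloading, so a missing
rem    key shows up here rather than as an unbootable disk after the MBR restore.
for %%S in (MfeEpePc MfeEEAlg) do (
    reg query %MOUNT%\ControlSet001\Services\%%S /v Start || goto :fail
)

rem 5. Unload: the changes are not written back to disk until this succeeds.
reg unload %MOUNT% >nul || goto :fail
echo EEPC drivers and service keys injected into %TARGET%.
exit /b 0

:fail
echo Injection failed (error %errorlevel%); unloading %MOUNT% if it is still mounted.
reg unload %MOUNT% >nul 2>&1
exit /b 1
```

Run it from the WinPE command prompt after the WIM has been applied and before the EEPC MBR is restored; if the final reg query shows no Start value for a driver, the image is not yet bootable under EEPC.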