One of our machines has recently had a problem with Drive Encryption installed on it. When booting, it comes up with an error reading the password file, and to get into the machine it requires an administrator recovery.
This was the log our ePO received from the machine:
[0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found
Now I googled and read a few articles stating the best way to recover a machine with Drive Encryption issues is to inactivate the policy on just that machine, wait for the disks to decrypt, uninstall Drive Encryption, and then reinstall and re-enable the policy.
However, I have failed at the first hurdle. I have set up the policy on the ePO server for just the corrupt machine to inactive drive encryption under the product settings, and pushed the new policy out to the machine.
The disks and status in the Drive Encryption still show as Encrypted and Active. I have left it over the weekend to make sure it wasn't decrypting, but still the same result. I have also then tried removing the encryption users from the machine, but still the same result.
Does anyone have any suggestions on what to try to recover? I don't really want to have to copy the data off and format the drives from scratch.
Thanks for your time
Aaron
You don't say what version of DE, so it's hard to be exact, but you really have three choices:
1. You can look at the logs on the client side and try to work out why it's not picking up the policy
2. You can use DETech/EETech etc and decrypt the drive, then start again
3. You can use DETech/EETech standalone and e-boot the machine so it rebuilds the PBFS
Thanks SafeBoot, the version of DE is 7.1.0.389.
I am not sure which of the above would be easiest, but I am having problems getting DETech burned onto a disk, so I guess for the moment at least it's going to have to be take a crack at option 1.
I have pasted in the last section from the log. Apart from the PBFS being corrupt I can't see anything obvious. Would the PBFS issue stop the DE Agent from picking up the policy and decrypting the disks?
2014-07-15 12:45:26,398 INFO UserLib Loading user index
2014-07-15 12:45:26,398 WARNING MfeEpeEsEncryptionInformationService ..\..\..\Src\EpeGenInfoHandler.cpp: EPE_gen_info_handler::handle_get_user_info_query: 474: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:26,414 INFO EpoPlugin epoAudit: dispatching audits to AgentHandler
2014-07-15 12:45:26,414 ERROR EpoPlugin collectProperties: failed to handle property collection: [0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:28,254 INFO EpoPlugin enforcePolicy: new policy store created (session 1404999285).
2014-07-15 12:45:28,707 INFO EpoPlugin enforcePolicy: Waiting for OptIn users (i.e. non-default UBP users) before enforcing policy.
2014-07-15 12:45:29,081 INFO EpoPlugin enforceUserPolicy: User (tharion\aaronh) added to policy store.
2014-07-15 12:45:29,097 INFO StatusService Policy enforcement has started
2014-07-15 12:45:29,097 INFO EpoState == Start of policy enforcement ==
2014-07-15 12:45:29,097 INFO EpoPlugin enforceUserPolicy: Dispatching enforce policy event.
2014-07-15 12:45:29,097 INFO EpoPlugin policyHandler: handling EnforcePolicy event
2014-07-15 12:45:29,159 INFO EpoPlugin policyHandler: checking for machine ID/ePO server change.
2014-07-15 12:45:29,175 INFO EpoPlugin themeHandler: theme ID change detected (old: 1, new: 15E092C3-184A-4625-B3D6-CE75B1783D3D).
2014-07-15 12:45:29,175 WARNING EpoPlugin themeHandler: no theme package found.
2014-07-15 12:45:29,175 ERROR EpoPlugin themeHandler: failed to unzip new theme file.
2014-07-15 12:45:29,175 INFO EpoPlugin userHandler: handling AddLocalDomainUsers event
2014-07-15 12:45:29,190 INFO EpoPlugin userHandler: handling AddLocalDomainUsers response
2014-07-15 12:45:29,222 INFO EpoPlugin userHandler: processing user updates/requests
2014-07-15 12:45:29,237 INFO UserLib Loading user index
2014-07-15 12:45:29,237 WARNING MfeEpePcEncryptionProviderPlugin ..\..\..\Src\EpeGenUserHandler.cpp: EPE_gen_user_handler::get_updated_users: 530: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,253 INFO EpoPlugin epoAudit: dispatching audits to AgentHandler
2014-07-15 12:45:29,268 ERROR EpoPlugin userHandler: failed to perform user updates: [0xEE010002] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,268 ERROR StatusService Failed to process a batch of user data received
2014-07-15 12:45:29,268 INFO EpoState == End of policy enforcement ==
2014-07-15 12:45:29,268 INFO StatusService Policy enforcement has completed
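For triaging an excerpt like the one above, the following added example (not part of the original post and not McAfee code) parses the client log, counts the lines carrying each error code, records which PBFS file could not be read, and lists the errors logged inside each policy-enforcement run. The line layout (timestamp, level, component, message) is an assumption inferred from the pasted lines, and the sample is a subset of them.

```python
import re
from collections import Counter

# Sample input: a subset of the log lines pasted in the post above.
SAMPLE = r"""2014-07-15 12:45:26,414 ERROR EpoPlugin collectProperties: failed to handle property collection: [0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,097 INFO EpoState == Start of policy enforcement ==
2014-07-15 12:45:29,175 ERROR EpoPlugin themeHandler: failed to unzip new theme file.
2014-07-15 12:45:29,237 WARNING MfeEpePcEncryptionProviderPlugin ..\..\..\Src\EpeGenUserHandler.cpp: EPE_gen_user_handler::get_updated_users: 530: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,268 ERROR EpoPlugin userHandler: failed to perform user updates: [0xEE010002] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,268 ERROR StatusService Failed to process a batch of user data received
2014-07-15 12:45:29,268 INFO EpoState == End of policy enforcement ==
"""

# Assumed layout: "<date> <time,ms> <LEVEL> <Component> <message>"
LINE = re.compile(r"^(\S+ \S+) (INFO|WARNING|ERROR) (\S+) (.*)$")
CODE = re.compile(r"\[(0x[0-9A-Fa-f]{8})\]")
PBFS = re.compile(r"Could not read (\S+) from the PBFS: "
                  r"expected identifier (\S+) but found (.*)$")

def triage(text):
    """Summarise error codes, unreadable PBFS files and per-run errors."""
    codes, bad_files, runs, current = Counter(), {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts, level, component, msg = m.groups()
        if level != "INFO":
            # Count each code once per line, even if the line repeats it.
            codes.update(set(CODE.findall(msg)))
            p = PBFS.search(msg)
            if p:  # file path -> (expected identifier, bytes actually found)
                bad_files[p.group(1)] = (p.group(2), p.group(3))
        if "== Start of policy enforcement ==" in msg:
            current = {"start": ts, "end": None, "errors": []}
        elif "== End of policy enforcement ==" in msg and current:
            current["end"] = ts
            runs.append(current)
            current = None
        elif current is not None and level == "ERROR":
            # Keep the handler text, drop the trailing error-code detail.
            current["errors"].append((component, msg.split(": [0x")[0]))
    return {"codes": codes, "pbfs": bad_files, "runs": runs}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On this sample the enforcement run is reported as ending with three errors logged inside it, two of which concern user data.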
Hi, it looks like you've upgraded this client from a previous version.
What version was it on prior to the upgrade?
WRT building a DETech disk, please see P53 of the DETech guide for 7.1 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24871/en_US/...
Best option is to use a floppy disk... failing that, USB may work on some BIOS (and not on others due to BIOS irregularities), or CD. The basic process requires that you use the "bootdisk.exe" in conjunction with the DETech image file EETech.RTB to burn the image to the boot device.
Once you've booted from the boot device, you can emergency boot the system which will rebuild the PBFS from scratch.
HTH
Hi Aaron
I have exactly the same issue. Did you overcome this in the end?
Pete
Pete,
No, unfortunately I ended up wrecking the machine completely. I booted using the DETech disk as dwebb advised, using the Emergency Boot option, and it booted into the OS fine; the status changed from active to recovery. I then waited for the policies to be reapplied from the ePolicy server and the status then changed back to active. I rebooted and the original issue occurred again.
So next time through the options in DETech I told it to restore the MBR back to the default McAfee Disk Encryption MBR, and now it won't Emergency Boot or Boot with Challenge Response code from Server; it comes up with a message stating the EEPC boot sector is corrupt.
It is taking so much of my time to try and rebuild that I have given up and am just reformatting the machine and reinstalling the OS from scratch, and will then re-add Disk Encryption once the machine is up and running, though it does mean I have lost all data on the machine. Luckily there wasn't much on it anyway.
Aaron
Yes, removing the MBR from the machine means you lose any data re the encryption status, the pre-boot etc.
The data is STILL RECOVERABLE though, you just need to use the force decrypt options.
I'll mark this question as answered.