Showing results for 
Search instead for 
Did you mean: 
Level 7

Working: Config Manager 2007 OSD/Refresh & EEPC 6.2.0 encrypted drives

With a great deal of help from the community, a McAfee engineer, long hard hours and what seems like hundreds of reimages, I have a working OS refresh process for EEPC 6.2.0 encrypted drives using Microsoft System Center Configuration Manager 2007 SP1.  Hopefully this information will help others and reduce the time spent setting up the your environment!  I have not tested and cannot confirm this but I have seen on other communities that this works in Config Manager 2012 as well, try it at your own risk.

I am not going to write step by step instructions because the files I am attaching are pretty much self explanatory and I expect that if you are looking at this post, you have the knowledge necessary to interpret the contents of the files. Don't hesitate to post questions and I'll do my best to answer them!

Important and helpful links:

McAfee Article & Tools -

McAfee Whitepaper -

TechNet thread with helpful information -

I am attching 5 files to this post for use as a reference:

EEPC_Reg.ps1 -    PowerShell script used to add the appropriate registry entries for EEPC. These registry entries MUST be in your WinPE boot image and the full windows operating system that you are deploying. Two driver files MUST accompany these registry entries, both in WinPE and the full OS: MfeEpePc.sys & MfeEEAlg.sys. You should obtain these files from a working encrypted computer and they are located in C:\Windows\System32\Drivers. Make sure you obtain both 32-bit and 64-bit driver files and apply them to the appropriate boot image and OS by copying them to C:Windows\System32\Drivers. This is a very important step and is not very clear in the whitepaper.

RestoreEEPCMBR_x64.vbs & RestoreEEPCMBR_x86.vbs-   VBScripts to restore the EEPC MBR during a reboot before the OS is loaded. See the task sequence later in this post for the exact location. Not sure who to give credit on this script but it was obtained from which is a great place for more information on this topic.

SCCM_TaskSequence_EEPC.xml -   This is my working SCCM task sequence which can be imported into your environment if you wish. I have set this task sequence up to seamlessly handle both 32-bit & 64-bit OS refresh scenarios and it is very important to pay attention to which architecture your boot image is. I use a 32-bit boot image, a 64-bit boot image WILL NOT WORK with this task sequence.  One thing that we don't always do in our organization is backup and restore the user state and so I have made provision for using the USMT strictly for backing up and restoring the Safeboot files only, and this method is invoked using a task sequence variable.  I rely heavily on task sequence variables to accomplish many different scenarios and options so please take note of the variables and what role they play. 

SCCM_TaskSequence_EEPC.mht -   This is a readable version of my working task sequence

EEPC.xml-   USMT file used to backup only the Safeboot files or in conjunction with other USMT configuration files.

Follow McAfee's whitepaper and do not skip a step but compare your final product to my task sequence and you should be set to go.  McAfee's whitepaper has one mistake and that is the step to hide the Safeboot files.  It instructs you to use this command  -  attrib -h C:\Safeboot.*  - the correct command is  -  attrib +h +s +r C:\Safeboot.*

All the best!


Message was edited by: adriver on 2/26/13 3:15:26 PM CST
2 Replies
Level 11

Re: Working: Config Manager 2007 OSD/Refresh & EEPC 6.2.0 encrypted drives

Kind of you to share that with the community Tony, thanks!


0 Kudos
Level 7

Re: Working: Config Manager 2007 OSD/Refresh & EEPC 6.2.0 encrypted drives


Please can you explain in detail as am trying to make to refresh systems from XP to WIndows 7 using SCCM 2007 with all systems encrypted with McAfee EEPC and when trying to wipe and load the OS its throwing up the access denied error at every stage.

I have followed the steps as of the document below to load the drivers in WinpE

Iam able to get to point where its applying the OS but errors

WIM error:C:\Windows\winsxs\amd64_microsoft-windows-d..lient-adm.resources_31bf3856 ad364e35_6.1.7600.16385_en-us_936c40cbff4a0ef1. Permissions on the requested may be configured incorrectly.

Failed to run the last action: Apply Operating System. Execution of task sequence failed.

Is the documentation correct on adding drivers and registry to WinPE, without the drivers in WinPE the disk is not accesible as I tried to load a clean WinPE to see if that is going to work but it is not able to access the C: drive as its encrypted.

Any suggestions?


0 Kudos