2 Replies Latest reply on May 26, 2013 10:05 PM by spectra

    Working: Config Manager 2007 OSD/Refresh & EEPC 6.2.0 encrypted drives

      With a great deal of help from the community, a McAfee engineer, long hard hours and what seems like hundreds of reimages, I have a working OS refresh process for EEPC 6.2.0 encrypted drives using Microsoft System Center Configuration Manager 2007 SP1. Hopefully this information will help others and reduce the time spent setting up your environment! I have not tested and cannot confirm this, but I have seen on other communities that this works in Config Manager 2012 as well; try it at your own risk.


      I am not going to write step by step instructions because the files I am attaching are pretty much self explanatory and I expect that if you are looking at this post, you have the knowledge necessary to interpret the contents of the files. Don't hesitate to post questions and I'll do my best to answer them!


      Important and helpful links:




      McAfee Article & Tools -  https://kc.mcafee.com/corporate/index?page=content&id=KB73035&pmv=print

      McAfee Whitepaper -  https://kc.mcafee.com/corporate/index?page=content&id=PD23245

      TechNet thread with helpful information -  http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/e0048909-12c0-4c94-a4bd-6b664d946fb1



      I am attaching 5 files to this post for use as a reference:




      EEPC_Reg.ps1 -   PowerShell script used to add the appropriate registry entries for EEPC. These registry entries MUST be in your WinPE boot image and the full Windows operating system that you are deploying. Two driver files MUST accompany these registry entries, both in WinPE and the full OS: MfeEpePc.sys & MfeEEAlg.sys. You should obtain these files from a working encrypted computer and they are located in C:\Windows\System32\Drivers. Make sure you obtain both 32-bit and 64-bit driver files and apply them to the appropriate boot image and OS by copying them to C:\Windows\System32\Drivers. This is a very important step and is not very clear in the whitepaper.




      RestoreEEPCMBR_x64.vbs & RestoreEEPCMBR_x86.vbs -   VBScripts to restore the EEPC MBR during a reboot before the OS is loaded. See the task sequence later in this post for the exact location. Not sure who to give credit on this script but it was obtained from http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/e0048909-12c0-4c94-a4bd-6b664d946fb1 which is a great place for more information on this topic.




      SCCM_TaskSequence_EEPC.xml -   This is my working SCCM task sequence which can be imported into your environment if you wish. I have set this task sequence up to seamlessly handle both 32-bit & 64-bit OS refresh scenarios and it is very important to pay attention to which architecture your boot image is. I use a 32-bit boot image; a 64-bit boot image WILL NOT WORK with this task sequence. One thing that we don't always do in our organization is back up and restore the user state, and so I have made provision for using the USMT strictly for backing up and restoring the Safeboot files only, and this method is invoked using a task sequence variable. I rely heavily on task sequence variables to accomplish many different scenarios and options so please take note of the variables and what role they play.




      SCCM_TaskSequence_EEPC.mht -   This is a readable version of my working task sequence




      EEPC.xml -   USMT file used to back up only the Safeboot files or in conjunction with other USMT configuration files.





      Follow McAfee's whitepaper and do not skip a step but compare your final product to my task sequence and you should be set to go.  McAfee's whitepaper has one mistake and that is the step to hide the Safeboot files.  It instructs you to use this command  -  attrib -h C:\Safeboot.*  - the correct command is  -  attrib +h +s +r C:\Safeboot.*




      All the best!





      Message was edited by: adriver on 2/26/13 3:15:26 PM CST
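
      Added example, not part of the original post or its attachments: a PowerShell pre-flight check for two items the post calls out, namely that MfeEpePc.sys and MfeEEAlg.sys are present in System32\Drivers with the architecture matching the boot image or OS, and that the Safeboot.* files carry the hidden, system and read-only attributes. The script name, parameter names and any paths passed to it are assumptions; it needs PowerShell 3.0 or later.

```powershell
# Check-EepcPrereqs.ps1 (hypothetical name): added example, not one of the post's attachments.
param(
    [Parameter(Mandatory = $true)][string]$WindowsRoot,   # assumed: \Windows of a mounted boot image, or C:\Windows
    [Parameter(Mandatory = $true)][ValidateSet('x86', 'x64')][string]$Architecture,
    [string]$SafebootDrive                                 # optional: root of the drive holding Safeboot.*, e.g. C:\
)

function Get-PeMachine([string]$Path) {
    # e_lfanew sits at offset 0x3C; the COFF Machine field follows the 4-byte "PE\0\0" signature.
    $bytes = [IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    if ($bytes.Length -lt 0x40) { return 'invalid' }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $bytes.Length) { return 'invalid' }
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { return 'invalid' }
    switch ([BitConverter]::ToUInt16($bytes, $pe + 4)) {
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'unknown' }
    }
}

# Both driver files must exist and match the architecture of the image they were copied into.
$results = @(foreach ($name in 'MfeEpePc.sys', 'MfeEEAlg.sys') {
    $path  = Join-Path (Join-Path $WindowsRoot 'System32\Drivers') $name
    $found = if (Test-Path -LiteralPath $path -PathType Leaf) { Get-PeMachine $path } else { 'missing' }
    [pscustomobject]@{ Check = "$name is $Architecture"; Target = $path; Found = $found; Pass = ($found -eq $Architecture) }
})

if ($SafebootDrive) {
    # Equivalent of confirming that "attrib +h +s +r <drive>\Safeboot.*" has been applied.
    $required = [IO.FileAttributes]'Hidden, System, ReadOnly'
    $pattern  = Join-Path $SafebootDrive 'Safeboot.*'
    # -Force is required, otherwise hidden/system files are not enumerated at all.
    $files = @(Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue)
    if ($files.Count -eq 0) {
        $results += [pscustomobject]@{ Check = 'Safeboot files exist'; Target = $pattern; Found = 'missing'; Pass = $false }
    }
    foreach ($f in $files) {
        $ok = (($f.Attributes -band $required) -eq $required)
        $results += [pscustomobject]@{ Check = 'Safeboot +h +s +r'; Target = $f.FullName; Found = "$($f.Attributes)"; Pass = $ok }
    }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

      When checking a live 64-bit OS, run it from 64-bit PowerShell, because a 32-bit process sees System32 redirected to SysWOW64.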