6 Replies Latest reply on Sep 17, 2014 8:13 AM by SafeBoot

    Uninstalling Drive Encryption Issue

    tharion_aaronh

      One of our machines has recently had a problem with Drive Encryption installed on it: when booting, it comes up with an error reading the password file, and to get into the machine it requires an administrator recovery.

       

      This was the log our ePO received from the machine:

       

           [0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found

       

      Now I googled and read a few articles stating the best way to recover a machine with Drive Encryption issues is to inactivate the policy on just that machine, wait for the disks to decrypt, uninstall Drive Encryption, and then reinstall and re-enable the policy.

       

      However, I have failed at the first hurdle. I have set up the policy on the ePO server for just the corrupt machine to inactivate Drive Encryption under the product settings, and pushed the new policy out to the machine.

       

      The disks and status in the Drive Encryption still show as Encrypted and Active. I have left it over the weekend to make sure it wasn't decrypting, but still the same result. I have also then tried removing the encryption users from the machine, but still the same result.

       

      Does anyone have any suggestions on what to try to recover? I don't really want to have to copy the data off and format the drives from scratch.

       

       

      Thanks for your time


      Aaron

        • 1. Re: Uninstalling Drive Encryption Issue

          You don't say what version of DE, so it's hard to be exact, but you really have three choices:

           

          1. You can look at the logs on the client side and try to work out why it's not picking up the policy

           

          2. You can use DETech/EETech etc and decrypt the drive, then start again

           

          3. You can use DETech/EETech standalone and e-boot the machine so it rebuilds the PBFS

          • 2. Re: Uninstalling Drive Encryption Issue
            tharion_aaronh

            Thanks SafeBoot, the version of DE is 7.1.0.389.

             

            I am not sure which of the above would be easiest, but I am having problems getting DETech burned onto a disk, so I guess for the moment at least it's going to have to be taking a crack at option 1.

             

            I have pasted in the last section from the log. Apart from the PBFS being corrupt I can't see anything obvious. Would the PBFS issue stop the DE Agent from picking up the policy and decrypting the disks?

             

             

            2014-07-15 12:45:26,398 INFO    UserLib                              Loading user index

            2014-07-15 12:45:26,398 WARNING MfeEpeEsEncryptionInformationService ..\..\..\Src\EpeGenInfoHandler.cpp: EPE_gen_info_handler::handle_get_user_info_query: 474: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm

            2014-07-15 12:45:26,414 INFO    EpoPlugin                            epoAudit: dispatching audits to AgentHandler

            2014-07-15 12:45:26,414 ERROR   EpoPlugin                            collectProperties: failed to handle property collection: [0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm

            2014-07-15 12:45:28,254 INFO    EpoPlugin                            enforcePolicy: new policy store created (session 1404999285).

            2014-07-15 12:45:28,707 INFO    EpoPlugin                            enforcePolicy: Waiting for OptIn users (i.e. non-default UBP users) before enforcing policy.

            2014-07-15 12:45:29,081 INFO    EpoPlugin                            enforceUserPolicy: User (tharion\aaronh) added to policy store.

            2014-07-15 12:45:29,097 INFO    StatusService                        Policy enforcement has started

            2014-07-15 12:45:29,097 INFO    EpoState                             == Start of policy enforcement ==

            2014-07-15 12:45:29,097 INFO    EpoPlugin                            enforceUserPolicy: Dispatching enforce policy event.

            2014-07-15 12:45:29,097 INFO    EpoPlugin                            policyHandler: handling EnforcePolicy event

            2014-07-15 12:45:29,159 INFO    EpoPlugin                            policyHandler: checking for machine ID/ePO server change.

            2014-07-15 12:45:29,175 INFO    EpoPlugin                            themeHandler: theme ID change detected (old: 1, new: 15E092C3-184A-4625-B3D6-CE75B1783D3D).

            2014-07-15 12:45:29,175 WARNING EpoPlugin                            themeHandler: no theme package found.

            2014-07-15 12:45:29,175 ERROR   EpoPlugin                            themeHandler: failed to unzip new theme file.

            2014-07-15 12:45:29,175 INFO    EpoPlugin                            userHandler: handling AddLocalDomainUsers event

            2014-07-15 12:45:29,190 INFO    EpoPlugin                            userHandler: handling AddLocalDomainUsers response

            2014-07-15 12:45:29,222 INFO    EpoPlugin                            userHandler: processing user updates/requests

            2014-07-15 12:45:29,237 INFO    UserLib                              Loading user index

            2014-07-15 12:45:29,237 WARNING MfeEpePcEncryptionProviderPlugin     ..\..\..\Src\EpeGenUserHandler.cpp: EPE_gen_user_handler::get_updated_users: 530: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm

            2014-07-15 12:45:29,253 INFO    EpoPlugin                            epoAudit: dispatching audits to AgentHandler

            2014-07-15 12:45:29,268 ERROR   EpoPlugin                            userHandler: failed to perform user updates: [0xEE010002] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm

            2014-07-15 12:45:29,268 ERROR   StatusService                        Failed to process a batch of user data received

            2014-07-15 12:45:29,268 INFO    EpoState                             == End of policy enforcement ==

            2014-07-15 12:45:29,268 INFO    StatusService                        Policy enforcement has completed
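A way to triage a log like the one pasted above, added here as an example and not part of the original post or of the product: it splits the log into policy-enforcement runs using the `== Start/End of policy enforcement ==` markers and counts the bracketed error codes inside and outside each run. The function name `triage` and the returned structure are hypothetical, the sample is built from lines in the excerpt, and the script does not interpret what the codes mean.

```python
import re
from collections import Counter

# Layout seen in the pasted log: "date time,ms LEVEL Component message"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+(\w+)\s+(\S+)\s+(.*)$")
CODE = re.compile(r"\[(0x[0-9A-Fa-f]{8})\]")

# Constructed sample: a subset of the lines from the excerpt above.
SAMPLE = r"""
2014-07-15 12:45:26,414 ERROR   EpoPlugin   collectProperties: failed to handle property collection: [0xEE050014] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,097 INFO    EpoState    == Start of policy enforcement ==
2014-07-15 12:45:29,175 ERROR   EpoPlugin   themeHandler: failed to unzip new theme file.
2014-07-15 12:45:29,237 WARNING MfeEpePcEncryptionProviderPlugin ..\..\..\Src\EpeGenUserHandler.cpp: EPE_gen_user_handler::get_updated_users: 530: [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,268 ERROR   EpoPlugin   userHandler: failed to perform user updates: [0xEE010002] [0xEE050014] Could not read \users\inprogress.pb from the PBFS: expected identifier UIXP but found <?xm
2014-07-15 12:45:29,268 ERROR   StatusService Failed to process a batch of user data received
2014-07-15 12:45:29,268 INFO    EpoState    == End of policy enforcement ==
"""

def triage(text):
    """Return (runs, outside): problems per enforcement run, and codes seen outside any run."""
    runs, current, outside = [], None, Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or wrapped line
        ts, level, component, msg = m.groups()
        if "== Start of policy enforcement ==" in msg:
            current = {"start": ts, "end": None, "problems": [], "codes": Counter()}
        elif "== End of policy enforcement ==" in msg and current:
            current["end"] = ts
            runs.append(current)
            current = None
        elif level in ("WARNING", "ERROR"):
            codes = CODE.findall(msg)
            if current is None:
                outside.update(codes)
            else:
                current["problems"].append((ts, level, component))
                current["codes"].update(codes)
    if current:  # log ended mid-run: keep it, with end left as None
        runs.append(current)
    return runs, outside

if __name__ == "__main__":
    runs, outside = triage(SAMPLE)
    for r in runs:
        print(r["start"], "->", r["end"], len(r["problems"]), "problems", dict(r["codes"]))
    print("outside any run:", dict(outside))
```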

            • 3. Re: Uninstalling Drive Encryption Issue
              dwebb

              Hi, it looks like you've upgraded this client from a previous version. 

               

              What version was it on prior to the upgrade?

               

              WRT building a DETech disk, please see P53 of the DETech guide for 7.1 https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24871/en_US/de_710_detech_user_guide_en-us_Rev.B.pdf

               

              Best option is to use a floppy disk....failing that, USB may work on some BIOS (and not on others due to BIOS irregularities), or CD.  The basic process requires that you use the "bootdisk.exe" in conjunction with the DETech image file EETech.RTB to burn the image to the boot device.

               

              Once you've booted from the boot device, you can emergency boot the system which will rebuild the PBFS from scratch.

               

              HTH

              • 4. Re: Uninstalling Drive Encryption Issue
                pjw2012

                Hi Aaron

                 

                I have exactly the same issue. Did you overcome this in the end?

                 

                Pete

                • 5. Re: Uninstalling Drive Encryption Issue
                  tharion_aaronh

                  Pete,

                   

                  No, unfortunately I ended up wrecking the machine completely. I booted using the DETech disk as dwebb advised using the Emergency Boot option and it booted into the OS fine; the status changed from active to recovery. I then waited for the policies to be reapplied from the ePolicy server and the status then changed back to active. I rebooted and the original issue occurred again.

                   

                  So next time through the options in DETech I told it to restore the MBR back to the default McAfee Disk Encryption MBR, and now it won't Emergency Boot or Boot with Challenge Response code from Server; it comes up with a message stating the EEPC boot sector is corrupt.

                   

                  It is taking so much of my time to try and rebuild that I have given up and am just reformatting the machine and reinstalling the OS from scratch, and will then re-add Disk Encryption back on once the machine is up and running, though it does mean I have lost all data on the machine. Luckily there wasn't much on it anyway.


                  Aaron

                  • 6. Re: Uninstalling Drive Encryption Issue

                    Yes, removing the MBR from the machine means you lose any data re the encryption status, the pre-boot etc.

                     

                    The data is STILL RECOVERABLE though, you just need to use the force decrypt options.

                     

                    I'll mark this question as answered.