1 Reply Latest reply on Oct 31, 2016 9:27 AM by SafeBoot

    Operating System refresh and EPEMBR

    osd

      I'm looking for support regarding the EPEMBR during an Operating System refresh process.

       

      I have a requirement to be able to reinstall a device's existing operating system remotely. This is achieved using Microsoft SCCM, initiating a wipe and load Task Sequence from within the Operating System, completing the following actions which are all automated steps:

       

      1. Stage the WinPE boot image to the local disk
      2. Restart
      3. Boot into WinPE
      4. Format and Partition the disk
      5. Apply the Operating System
      6. Install drivers
      7. Restart to the Operating System
      8. Install Applications
      9. Complete

       

      This sequence is successful on a device without McAfee Drive Encryption 7.1 installed; however, it is unsuccessful on a device which has the product installed. Below is an explanation of the challenges, steps taken to resolve and questions remaining.

       

      1. Unable to Boot into WinPE following staging the WinPE boot image

      In the sequence above on an encrypted device, the steps to stage the WinPE boot image and restart complete successfully; however, a 'Missing Operating System' error is presented when attempting to boot into WinPE. Referencing the McAfee Drive Encryption OS Refresh Guide for MBR systems (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24854/en_US/SCCM2012MBRDE71.pdf), the following steps were added to the Task Sequence prior to staging the WinPE boot image:

       

      - Shutdown EEPC Service. This step is a command line option and requires the following string to be added to the "Command Line" field.
      SC Stop "McAfee Endpoint Encryption Agent"
      - Save EEPC MBR. This step is a command line option and requires the following string to be added to the "Command Line" field.
      EpeWinUpgradeTool.exe -SaveMBR C:\EpeMBR.dat
      - Unlock EPE Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
      EpeWinUpgradeTool.exe -setfilelocks unlock
      - Unhide EPE Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
      Attrib -r -s -h c:\safeboot.*
      - Restore EPE MBR. This step is a command line option and requires the following string to be added to the "Command Line" field. The forceMBR switch will spawn a new EpeWinUpgradeTool process that will keep replacing the EPEMBR at select intervals so that it is not replaced by the standard Windows MBR during the task sequence process.
      EpeWinUpgradeTool.exe -forceMBR C:\EpeMBR.dat

       

      The sequence is now modified as per below and the issue encountered booting into WinPE is resolved:

       

      1. Action the steps listed above
      2. Stage the WinPE boot image to the local disk
      3. Restart
      4. Enter credentials to bypass pre-boot authentication (manual but could be automated with an additional cmdline)
      5. Boot into WinPE
      6. Format and Partition the disk
      7. Apply the Operating System
      8. Install drivers
      9. Restart to the Operating System
      10. Install Applications
      11. Complete

       

      2. Unable to initialise WinPE fully following the attempted boot into WinPE

      With the modification above, the device will attempt to boot into WinPE but this will fail to initialise fully because the disk (C:) where the boot image has been staged cannot be accessed. Executing Diskpart to show the disk status shows it as RAW and inaccessible.

      Modifying the boot image to contain the three drivers referenced in the McAfee Drive Encryption OS Refresh Guide for MBR systems (MfeEpePC.sys, Mfeccde.sys, MfeEpeOpal.sys) resolved this issue therefore the sequence is now modified as per below:

       

      1. Action the steps listed above
      2. Stage the *modified* WinPE boot image to the local disk
      3. Restart
      4. Enter credentials to bypass pre-boot authentication (manual but could be automated with an additional cmdline)
      5. Boot into the *modified* WinPE
      6. Format and Partition the disk
      7. Apply the Operating System
      8. Install drivers
      9. Restart to the Operating System
      10. Install Applications
      11. Complete

       

      3. Unable to Restart to the Operating System

      With the combined modifications above, the device will continue from step 5 (Boot into WinPE) and report success for the Format and Partition Disk, Apply Operating System and Install Drivers steps. The disk shows it is formatted as expected via diskpart while within the WinPE environment, the Operating System is applied successfully and drivers are injected. However, step 9 (Restart to the Operating System) is the first time the sequence exits the WinPE environment and boots to the OS. This step results in a 'Missing Operating System' error preventing the process from continuing. I'm unable to get into the Operating System beyond this point.

       

      There are no errors returned during the Format and Partition Disk step however I am *assuming* there is protection applied to the MBR preventing modification. I currently do not have a workaround or solution to this issue hence asking for support.

       

      I understand the McAfee Drive Encryption OS Refresh Guide for MBR systems has additional steps within WinPE and using USMT which are not referenced here however the objective is different to what that guide is detailing. I want to wipe the existing operating system (including any encryption) and re-install.

       

      The issue described above is only a problem in this exact scenario. In a wipe and load scenario on an encrypted device initiated via network boot or media, using the same modified WinPE environment, I do not experience this issue. This is only an issue when initiating the deployment via the Operating System and staging the boot image locally.

       

      The questions I wanted to ask were:

      1. Is it expected behaviour in the scenario described above, with the modifications, that the MBR is protected from being overwritten?
      2. Is there a mechanism to overwrite the EPEMBR within the WinPE environment in my scenario?
      3. Is there any utility aside from the Refresh Tool and DETech which can assist with what I'm trying to achieve?

       

      SafeBoot - you were supporting another user with a similar query in this thread (https://community.mcafee.com/thread/45370?start=0&tstart=0); however, it didn't reach a conclusion. I would be interested to know if the -SetFileUnlocks can assist in this scenario within WinPE to provide a solution. I have failed to succeed with that yet.

       

      Thanks
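The five pre-staging command lines listed in the post above, collected into one script as an added example (this is not code from the original post, from the OS Refresh Guide or from McAfee). It runs the same commands with the same switches the post quotes, but stops the task sequence early if a step fails or its result is not what the next step needs (no MBR backup written, SafeBoot files still hidden, no -forceMBR process alive), and it records a SHA-256 of the live MBR boot code so the same function can be re-run inside WinPE after "Format and Partition" to see whether the EPE MBR was changed. Assumptions not stated on the page: EpeWinUpgradeTool.exe sits next to the script (override with -ToolPath), the service name is exactly the string the post passes to sc, and the disk of interest is \\.\PhysicalDrive0.

```powershell
<#
  Added example for the "Operating System refresh and EPEMBR" thread; not code from the
  original post or from McAfee. Wraps the five pre-staging steps quoted in the post into a
  single "Run PowerShell Script" task sequence step with checks between them.
  Assumptions: EpeWinUpgradeTool.exe is beside this script (or passed via -ToolPath), the
  switches are spelled exactly as quoted in the post, and the boot disk is PhysicalDrive0.
#>
[CmdletBinding()]
param(
    [string]$ToolPath    = (Join-Path $PSScriptRoot 'EpeWinUpgradeTool.exe'),  # assumption
    [string]$MbrBackup   = 'C:\EpeMBR.dat',                                   # path used in the post
    [string]$ServiceName = 'McAfee Endpoint Encryption Agent',                # name as quoted in the post
    [string]$Device      = '\\.\PhysicalDrive0'                               # assumption
)
$ErrorActionPreference = 'Stop'

# Run a program and fail the task sequence step if it returns a non-zero exit code.
function Invoke-Step {
    param([string]$Name, [string]$FilePath, [string[]]$Arguments)
    Write-Host "[$Name] $FilePath $($Arguments -join ' ')"
    $p = Start-Process -FilePath $FilePath -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Name failed with exit code $($p.ExitCode)" }
}

# SHA-256 of the MBR boot code (bytes 0-445) read raw from the disk. The partition table
# and the 0x55AA signature that follow are excluded so repartitioning alone does not change
# the hash. Compare hashes taken in the same environment (full OS vs. WinPE go through
# different driver stacks).
function Get-MbrBootCodeHash {
    param([string]$Path = $Device)
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw "Short read from $Path" }
        if ($buf[510] -ne 0x55 -or $buf[511] -ne 0xAA) { throw "No 0x55AA boot signature on $Path" }
        $sha = [System.Security.Cryptography.SHA256]::Create()
        return ([BitConverter]::ToString($sha.ComputeHash($buf, 0, 446)) -replace '-', '')
    } finally { $fs.Dispose() }
}

if (-not (Test-Path $ToolPath)) { throw "EpeWinUpgradeTool.exe not found at $ToolPath" }
Write-Host "MBR boot code hash before changes: $(Get-MbrBootCodeHash)"

# 1. Stop the agent. "sc stop" returns immediately, so wait for the SCM to report Stopped.
Invoke-Step 'StopAgent' 'sc.exe' @('stop', "`"$ServiceName`"")
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { $svc = Get-Service -DisplayName $ServiceName }   # in case the post quoted the display name
$svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Save the EPE MBR and confirm the backup exists before anything else touches the disk.
Invoke-Step 'SaveMBR' $ToolPath @('-SaveMBR', $MbrBackup)
if (-not (Test-Path $MbrBackup) -or (Get-Item $MbrBackup).Length -eq 0) {
    throw "MBR backup $MbrBackup is missing or empty; not continuing"
}
Write-Host "Backup SHA-256: $((Get-FileHash -Path $MbrBackup -Algorithm SHA256).Hash)"

# 3. and 4. Unlock and unhide the SafeBoot files, then verify the attributes actually changed.
Invoke-Step 'UnlockFiles' $ToolPath @('-setfilelocks', 'unlock')
Invoke-Step 'UnhideFiles' 'attrib.exe' @('-r', '-s', '-h', 'C:\safeboot.*')
$stillHidden = Get-ChildItem -Path 'C:\safeboot.*' -Force | Where-Object {
    [int]($_.Attributes -band ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)) -ne 0
}
if ($stillHidden) { throw "Still hidden/system: $($stillHidden.Name -join ', ')" }

# 5. Start the -forceMBR process. The post says it keeps running and re-applies the EPE MBR,
#    so do not -Wait on it; instead confirm a process is still alive a moment later.
Start-Process -FilePath $ToolPath -ArgumentList @('-forceMBR', $MbrBackup) -NoNewWindow | Out-Null
Start-Sleep -Seconds 3
if (-not (Get-Process -Name 'EpeWinUpgradeTool' -ErrorAction SilentlyContinue)) {
    throw '-forceMBR process is not running; the EPE MBR would not be re-applied'
}
Write-Host "MBR boot code hash after -forceMBR: $(Get-MbrBootCodeHash)"
```

Run it as the task sequence account (SYSTEM) in the full OS, immediately before the "Stage the WinPE boot image" step. To test the assumption in point 3 of the post, copy only the Get-MbrBootCodeHash function into a "Run PowerShell Script" step placed after "Format and Partition Disk" inside the modified WinPE and compare the hash with one taken in WinPE before that step: an unchanged boot-code hash while the partition table changed is consistent with something re-writing or protecting the MBR boot code, whereas a changed hash means the MBR was replaced and the later 'Missing Operating System' error comes from something else.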

        • 1. Re: Operating System refresh and EPEMBR

          Good write up - thanks for being so concise.

           

          My first reaction is the problem is caused by you not adding the EEPC drivers to your new OS at step 2.8 - you say "install drivers" - did you include the EEPC drivers?

           

          From what I understand, you're maintaining an encrypted disk throughout the process. You can't stop the disk being encrypted if you're booting from it (and using an EEPC mbr). Since you're also storing the PE image on the (encrypted) disk - I don't see how you can avoid maintaining the encryption throughout.

           

          Formatting a disk (while EEPC thinks it should be encrypted) doesn't remove the encryption - it just leads to an (encrypted) disk with no data on it.

           

          If you want to end up with an OS on an unencrypted disk, you need to stage your WinPE image on an unencrypted part to start with, then boot into it (avoiding going through an EEPC MBR) - then you can format the user drive and clear the MBR.