Zero-touch image a Pointsec encrypted drive?

Hi All,
We are attempting to execute a wipe-and-load in-place deployment from an installation of Windows XP SP3 x86 to Windows 7 Enterprise SP1x64 using Microsoft SCCM 2007 R2, and WinPE 3.0. When we run our OSD task sequence on a machine that does NOT have the hard drive encrypted with Pointsec for PC version: 6.1.1. Our task sequence runs correctly with no errors.

When we run our OSD task sequence on a machine that DOES have the hard drive encrypted with the previously mentioned version of Pointsec FDE, we receive the following error when the machine is booting into WinPE to begin the task sequence:

"Unable to read task sequence configuration disk. For more information, please contact your system administrator or helpdesk operator"

We worked with Checkpoint support for around 3 weeks without any success.  Microsoft didn’t provide much help either, only suggested decrypting the drive -- then running our sequence. Checkpoint support has stated that they are not aware  of any remote decryption functionality with their product.

What we are looking at now is finding a way to remotely wipe the hard drive (quick format of some sort), then using PXE to load the task sequence once the drive has been freed from the grips of Pointsec.

Does anyone out there have a better way to remtoely wipe a machine?  From what we've been able to test, we believe just wiping the MBR would do the trick.

Thank you, in adavanced, for your help.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
in your task sequence start diskpart and clean the disk, then create your partitions
SchandorAuthor Commented:
Thank you for the comment, but we already have already attempted using diskpart as the first step in the task sequence -- but the problem is the task sequence cannot read it's own instructions to get going. Therefore having diskpart as first step is irrelevant, as that first step is never even reachedHere is the order of operations:

1. Mandatory advertisement of task sequence is sent to machine.
2. Some relevant instructions to the task sequnce are placed in some cached location on the C:\
3. The machine restarts and boots into WinPE
4. Once in PE the task sequence tries to reference that data that it placed in that cache on the C:\
5. Task sequence fails, as the data cached on the C:\ is not readable to the WinPE environment. Only the OS that the Pointsec encryption was installed on can read the encrypted drive.

If the boot sector is blown away manually (KillDisk 1%), we can easily use a boot media disc, kick off our task sequence, then it succeeds without a hitch. Problem is we have 2000 mahcines to move to Win7, so we can't manually touch every machine.The solution we are working on now, is to remotely wipe the drive and then have the machine PXE boot to start the task sequence. We are also looking at PXE booting the machine, then the task sequence begins by using the Diskpart commands after booting into WinPE.
David Johnson, CD, MVPOwnerCommented:
That sounds like the best solution
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

If the FDE product can use an "admin" logon, can you build the FDE product into your PE image and have it automatically enter credentials ?

If you are thinking of going down the PXE route, if you have all of the GUIDs/MAC addresses for the machines, you could I suppose configure a file per machine that boots "something" to wipe the HD, delete its GUID/MAC address file and then reboot, at which point it would pick up the "default" PXE config and start WDS...

I must admit that I "love" WDSLinux :-)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SchandorAuthor Commented:
The resolution to our problem with advertising our Windows 7 task sequence can be summed up in three letters – PXE

When we were trying to advertise our Windows 7 OSD task sequence before, we were initiating the task sequence while Windows XP was the loaded OS on the machine. This would inevitably cause a failure of the task sequence every time it was run because some kind of component or instruction for the task sequence would be cached on the C:\. Once the machine restarted into WinPE to continue the task sequence, the WinPE OS did not have the ability to access the previously cached content for the task sequence as it was encrypted and could only be accessed by the OS where Pointsec is installed (in this case, Windows XP).

Answer?  Take Windows XP out of the equation. By installing WDS, adding the PXE role to one of our distribution points, and configuring the network to allow for the PXE traffic, we were able to bypass initiating the task sequence from inside of Windows XP – and in turn network boot directly into WinPE at the very beginning the task sequence.  At that time there is no cached information on the C:\ belonging to the task sequence – therefore the task sequence kicks off without a hitch and begins the format and partition of the hard drive. Pointsec, and all of its encrypted data is destroyed, and the hard drive is now free to receive Windows 7 and subsequently – BitLocker
SchandorAuthor Commented:
We solved it ourselves but I'm rewarding points to commentors as the solution may be useful to others.
Jerry DunningCommented:
Can you post the solution to this problem?
David Johnson, CD, MVPOwnerCommented:
And I thought you were booting from winpe 3.0? It's always the little details that trip the experts up.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.