[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Zero-touch image a Pointsec encrypted drive?

Posted on 2011-10-07
Medium Priority
Last Modified: 2013-11-05
Hi All,
We are attempting to execute a wipe-and-load in-place deployment from an installation of Windows XP SP3 x86 to Windows 7 Enterprise SP1x64 using Microsoft SCCM 2007 R2, and WinPE 3.0. When we run our OSD task sequence on a machine that does NOT have the hard drive encrypted with Pointsec for PC version: 6.1.1. Our task sequence runs correctly with no errors.

When we run our OSD task sequence on a machine that DOES have the hard drive encrypted with the previously mentioned version of Pointsec FDE, we receive the following error when the machine is booting into WinPE to begin the task sequence:

"Unable to read task sequence configuration disk. For more information, please contact your system administrator or helpdesk operator"

We worked with Checkpoint support for around 3 weeks without any success.  Microsoft didn’t provide much help either, only suggested decrypting the drive -- then running our sequence. Checkpoint support has stated that they are not aware  of any remote decryption functionality with their product.

What we are looking at now is finding a way to remotely wipe the hard drive (quick format of some sort), then using PXE to load the task sequence once the drive has been freed from the grips of Pointsec.

Does anyone out there have a better way to remtoely wipe a machine?  From what we've been able to test, we believe just wiping the MBR would do the trick.

Thank you, in adavanced, for your help.
Question by:Schandor
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 400 total points
ID: 36934806
in your task sequence start diskpart and clean the disk, then create your partitions

Author Comment

ID: 36943211
Thank you for the comment, but we already have already attempted using diskpart as the first step in the task sequence -- but the problem is the task sequence cannot read it's own instructions to get going. Therefore having diskpart as first step is irrelevant, as that first step is never even reachedHere is the order of operations:

1. Mandatory advertisement of task sequence is sent to machine.
2. Some relevant instructions to the task sequnce are placed in some cached location on the C:\
3. The machine restarts and boots into WinPE
4. Once in PE the task sequence tries to reference that data that it placed in that cache on the C:\
5. Task sequence fails, as the data cached on the C:\ is not readable to the WinPE environment. Only the OS that the Pointsec encryption was installed on can read the encrypted drive.

If the boot sector is blown away manually (KillDisk 1%), we can easily use a boot media disc, kick off our task sequence, then it succeeds without a hitch. Problem is we have 2000 mahcines to move to Win7, so we can't manually touch every machine.The solution we are working on now, is to remotely wipe the drive and then have the machine PXE boot to start the task sequence. We are also looking at PXE booting the machine, then the task sequence begins by using the Diskpart commands after booting into WinPE.
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 36944376
That sounds like the best solution
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 37

Accepted Solution

ArneLovius earned 1600 total points
ID: 36945870
If the FDE product can use an "admin" logon, can you build the FDE product into your PE image and have it automatically enter credentials ?

If you are thinking of going down the PXE route, if you have all of the GUIDs/MAC addresses for the machines, you could I suppose configure a file per machine that boots "something" to wipe the HD, delete its GUID/MAC address file and then reboot, at which point it would pick up the "default" PXE config and start WDS...

I must admit that I "love" WDSLinux :-)

Assisted Solution

Schandor earned 0 total points
ID: 36965418
The resolution to our problem with advertising our Windows 7 task sequence can be summed up in three letters – PXE

When we were trying to advertise our Windows 7 OSD task sequence before, we were initiating the task sequence while Windows XP was the loaded OS on the machine. This would inevitably cause a failure of the task sequence every time it was run because some kind of component or instruction for the task sequence would be cached on the C:\. Once the machine restarted into WinPE to continue the task sequence, the WinPE OS did not have the ability to access the previously cached content for the task sequence as it was encrypted and could only be accessed by the OS where Pointsec is installed (in this case, Windows XP).

Answer?  Take Windows XP out of the equation. By installing WDS, adding the PXE role to one of our distribution points, and configuring the network to allow for the PXE traffic, we were able to bypass initiating the task sequence from inside of Windows XP – and in turn network boot directly into WinPE at the very beginning the task sequence.  At that time there is no cached information on the C:\ belonging to the task sequence – therefore the task sequence kicks off without a hitch and begins the format and partition of the hard drive. Pointsec, and all of its encrypted data is destroyed, and the hard drive is now free to receive Windows 7 and subsequently – BitLocker

Author Closing Comment

ID: 36984665
We solved it ourselves but I'm rewarding points to commentors as the solution may be useful to others.

Expert Comment

by:Jerry Dunning
ID: 38196234
Can you post the solution to this problem?
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 38196257
And I thought you were booting from winpe 3.0? It's always the little details that trip the experts up.

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
Ransomware - Defeated! Client opened the wrong email and was attacked by Ransomware. I was able to use file recovery utilities to find shadow copies of the encrypted files and make a complete recovery.
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Suggested Courses
Course of the Month19 days, 11 hours left to enroll

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question