Schandor

Zero-touch image a Pointsec encrypted drive?

Hi All,
We are attempting to execute a wipe-and-load in-place deployment from an installation of Windows XP SP3 x86 to Windows 7 Enterprise SP1 x64 using Microsoft SCCM 2007 R2 and WinPE 3.0. When we run our OSD task sequence on a machine that does NOT have the hard drive encrypted with Pointsec for PC version 6.1.1, our task sequence runs correctly with no errors.

When we run our OSD task sequence on a machine that DOES have the hard drive encrypted with the previously mentioned version of Pointsec FDE, we receive the following error when the machine is booting into WinPE to begin the task sequence:

"Unable to read task sequence configuration disk. For more information, please contact your system administrator or helpdesk operator"

We worked with Checkpoint support for around 3 weeks without any success. Microsoft didn’t provide much help either, only suggested decrypting the drive -- then running our sequence. Checkpoint support has stated that they are not aware of any remote decryption functionality with their product.

What we are looking at now is finding a way to remotely wipe the hard drive (quick format of some sort), then using PXE to load the task sequence once the drive has been freed from the grips of Pointsec.

Does anyone out there have a better way to remotely wipe a machine? From what we've been able to test, we believe just wiping the MBR would do the trick.

Thank you, in advance, for your help.
SOLUTION
David Johnson, CD
Schandor

ASKER

Thank you for the comment, but we have already attempted using diskpart as the first step in the task sequence -- but the problem is the task sequence cannot read its own instructions to get going. Therefore having diskpart as first step is irrelevant, as that first step is never even reached.

Here is the order of operations:

1. Mandatory advertisement of task sequence is sent to machine.
2. Some relevant instructions to the task sequence are placed in some cached location on the C:\
3. The machine restarts and boots into WinPE
4. Once in PE the task sequence tries to reference that data that it placed in that cache on the C:\
5. Task sequence fails, as the data cached on the C:\ is not readable to the WinPE environment. Only the OS that the Pointsec encryption was installed on can read the encrypted drive.

If the boot sector is blown away manually (KillDisk 1%), we can easily use a boot media disc, kick off our task sequence, then it succeeds without a hitch. Problem is we have 2000 machines to move to Win7, so we can't manually touch every machine.

The solution we are working on now is to remotely wipe the drive and then have the machine PXE boot to start the task sequence. We are also looking at PXE booting the machine, then the task sequence begins by using the Diskpart commands after booting into WinPE.
That sounds like the best solution
We solved it ourselves but I'm rewarding points to commenters as the solution may be useful to others.
Can you post the solution to this problem?
And I thought you were booting from winpe 3.0? It's always the little details that trip the experts up.