Batch file to disable Windows boot partition from booting

I work for a State agency that manages tens of thousands of machines. As part of our retiring process we have been using diskpart to disable the active bit on the partition so that it will not boot again, so that a worker can't just go grab any machine off the storage shelf and put it back into production. This has been working fine until PGP was updated; with that update PGP disables changes to the MBR, so our batch script no longer works to disable the machines from booting up. I have been messing around with the wmic commands to see if I can get them to disable the drive in the BIOS, but I am not having much luck, probably because I don't have much experience with them.

I ask for a batch file because I am more familiar with it, but I am open to anything that will work and help me get this to work. Any help is very much appreciated.
-Ryan
Ryan Bennett asked:
Dan Craciun, IT Consultant, commented:
You need to do this remotely?
Because if you don't, then just boot from a memory stick with Linux and wipe the partition table.

Of course, if you don't do this remotely then you could just pull the HDD out...

HTH,
Dan
Darrell Porter, Enterprise Business Process Architect, commented:
Please try this process.
If you don't have it, download PSTools from Microsoft SysInternals Website, extract the tools, install them, and run PSEXEC.EXE and accept the license agreement.
From a machine with the PGP tool installed, presuming your batch file is named "DisableBoot.BAT" do the following from an administrative-level command prompt:
psexec.exe -d -i -s cmd.exe /k "C:\Tools\DisableBoot.BAT"

The -d tells the PSExec to not wait for the PSExec process to complete.
The -i tells PSExec that the command to be executed needs to interact with the existing desktop application.
The -s tells PSExec that the command will run as local System.
The /k tells the command processor to remain after completing the execution of DisableBoot.bat. This is for debugging purposes only.
Ryan Bennett (Author) commented:
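An added example, not posted by anyone in this thread, of what the DisableBoot.BAT referred to above could look like when run as SYSTEM through psexec: it drives diskpart from a script file and then checks diskpart's own "detail partition" output instead of trusting the exit code, which catches the case the asker describes where a command reports success but changes nothing. Disk 0 / partition 1 and the log path are assumptions; adjust them for the partition layout in use.

```batch
@echo off
REM DisableBoot.BAT (name taken from the thread; contents are an added example)
REM Clears the active flag on the system partition with diskpart, then re-reads the
REM partition to confirm the flag actually changed. On a PGP-protected MBR the
REM "inactive" command may silently do nothing, so the verification is the real test.
setlocal EnableDelayedExpansion

REM Assumptions: disk 0, partition 1 is the active (boot) partition; log under %SystemRoot%\Temp
set "DISK=0"
set "PART=1"
set "LOG=%SystemRoot%\Temp\DisableBoot.log"
set "SCRIPT=%TEMP%\disableboot.dp"

REM diskpart does not accept commands as arguments, so write a script file for /s
> "%SCRIPT%" (
  echo select disk %DISK%
  echo select partition %PART%
  echo inactive
  echo detail partition
)

diskpart /s "%SCRIPT%" > "%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
del "%SCRIPT%" >nul 2>&1

REM "detail partition" prints "Active: Yes" or "Active: No" for an MBR partition.
REM Only trust the flag as cleared if diskpart reads it back as No.
findstr /i /c:"Active: No" "%LOG%" >nul
if errorlevel 1 (
  echo %DATE% %TIME% FAIL disk %DISK% partition %PART% still marked active, diskpart rc=%RC% >> "%LOG%"
  exit /b 1
)
echo %DATE% %TIME% OK disk %DISK% partition %PART% marked inactive, diskpart rc=%RC% >> "%LOG%"
exit /b 0
```

A non-zero exit code from the script lets the ZENworks bundle (or psexec, via its own return code) flag machines where the MBR change was blocked, so they can be set aside for the pull-the-drive or wipe-from-Linux approach instead of being returned to the shelf as if they were disabled.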
Dan - We are putting the batch script into a ZENworks bundle and then force running that bundle on machines that are being retired. So yes this needs to be setup to basically run remotely.


WalkaboutTigger - I could not get the command to work no matter how I massaged it. Question on that though: I'm wondering how running it this way would be different from simply manually or remotely running or calling the batch script. I'm not super familiar with PSExec so I could totally be wrong, but even though psexec is calling the batch file, my thinking is that PGP would still block modification of the MBR.

Thanks very much!
Ryan Bennett (Author) commented:
I say "it will run remotely", but actually ZENworks will in reality be downloading the script to each local machine and then triggering it locally on the machine for us, so the script itself will be running as if someone executed it from the local machine, but it is all automated without interaction except for a password prompt for security, so we can't accidentally disable all the machines in a given department.

Hope that explains it better, sorry if I'm confusing the issue.
Dan Craciun, IT Consultant, commented:
You could use HxD or another disk-level hex editor and test deleting the beginning of the disk until you find the part that is not protected by PGP.
Then check how much you need to delete to make the disk un-bootable.
Darrell Porter, Enterprise Business Process Architect, commented:
PGP may block it from a normal user, but may not from the SYSTEM account.
Are you using a unified or single-vendor workstation platform? If so, you could use a manufacturer-specific BIOS utility to change the SATA mode from AHCI to normal or, if PGP is using the TPM, you could reset the TPM to factory defaults using a BIOS-specific utility.

What hardware manufacturer are you using?
Ryan Bennett (Author) commented:
We have a variety of hardware vendors, but I have been trying a similar approach with wmic commands to disable the disk without any luck.

And I had read somewhere that deleting the first 512 bytes of the disk might be the answer, but I'm not sure how to script that.

Could either of you give an example of how to go about either of these approaches?
Dan Craciun, IT Consultant, commented:
You could delete/rename the file c:\bootmgr, which would prevent Windows from loading.
Ryan Bennett (Author) commented:
Huh, I had not even thought of that one. I'll have to try that tomorrow. Should not be hard at all. Leave it to me to be as complicated as possible right out of the gate.
Ryan Bennett (Author) commented:
I have not had a chance to get back to this yet to try it out, but I will on Monday.
Ryan Bennett (Author) commented:
It appears PGP replaces the bootmgr file, so that option is out.

Any other ideas? Because I am fresh out: everything I try errors out, PGP blocks the action, Windows blocks the action, or the command runs and returns a success but doesn't actually do anything (assuming PGP blocked it).

Thanks again.
Ryan Bennett (Author) commented:
Appears that it can't be done in a way that is workable and not getting much interest from the "experts" to even attempt a workable script.
Windows Batch