McAfee RefreshTool to bypass encryption

    General discussion

  • Out of curiosity, has anyone used the RefreshTool provided by McAfee to bypass encryption? I have a sudden need to use hard-link migration in USMT and wholedisk encryption has been a major kink in the process. I tried running through McAfee's documentation and the document seems incomplete. Just wondering if anyone has experience with this and if they got it working correctly.
    -Nick O.
    • Changed type Nick Ourso Friday, May 10, 2013 7:01 PM
    Monday, January 16, 2012 9:22 PM

All replies

  • Hi Nick,

    Yes I'm using it at my company, and have completed around 700 hard-link migrations on Lenovo laptops since implemented about 8 months ago.  I was a beta tester of the tool.  After much tinkering and testing I've gotten it to work pretty well, but still lose 3-5% to the dreaded 92h error during the upgrade.   Fortunately most of those failures were recoverable with their tools.  If you have any specific questions I'm happy to help.



    • Edited by XxX sdk XxX Monday, January 16, 2012 10:15 PM
    Monday, January 16, 2012 10:13 PM
  • So do you know what seems to cause the 92h error? I am trying to tweak our setup and seem to encounter it a lot more often than I'd like.
    Friday, March 09, 2012 3:27 PM
  • We were able to get the RefreshTool to work after much trial and error. Interestingly enough, we cannot get an image to apply because of an access denied error in WinSxS. (In this scenario, we're deploying images through SCCM 2007, not MDT.) The error doesn't occur on unencrypted devices or devices that are decrypted. After receiving no real assistance from McAfee and Microsoft Premier, we simply decided to call it a day and proceed without hard-link migration.

    I work for a healthcare company and patient information is of the utmost importance. Losing 3-5% of devices to any sort of error would not be acceptable, so it's just as well that we have to find another method for moving data.


    -Nick O.

    Friday, March 09, 2012 9:10 PM
  • Did you put the refresh tool in .\tools\SafeBoot? What are you using for the "start in" path when executing the command?

    http://social.technet.microsoft.com/Forums/en-US/mdt/thread/fc829e92-cc23-44a1-af9c-2402402de318/#fc829e92-cc23-44a1-af9c-2402402de318

    Thank you


    Saturday, March 10, 2012 11:01 PM
  • I have the tools stored in a different place in my file structure. However, they all seem to run correctly until after Windows 7 is installed. I get an error on the Restore Safeboot MBR step (saying the MBR is already Safeboot and it can't be replaced, but McAfee warns of this in their documentation and says to put a continue on error with that one.) I also get an error and the deployment halts with the –SetHookFlags step. When this happens, a reboot comes back with the 92h error and won't let me boot back into the machine until I use the Safetech tools to restore the MBR from the database. Once I do that, the machine boots back into PE and finishes configuring the OS. At that point I have to manually finish the rest of the deployment steps (working to create a task that finishes it off for me though.) The safeboot files are migrated back with the USMT loadstate and I can install McAfee back on the machine after I finish. Everything works as it should overall, but that error and fixing it is a major hassle and very time consuming. It's not a catastrophe or loss of data, just seriously annoying.

    I AM upgrading from 32 bit XP to 64 bit Win7. I am using the respective tools with the correct OS versions or at least I think. My WinPE is 64 bit, so I'm using the 64 bit OSRefresh tool during those steps and later. I use the 32 bit tool while the machine is still in XP for the first few steps. Could that be my issue?

    Monday, March 12, 2012 4:12 PM
  • How far are you getting with the Windows 7 installation?  Do you have the encryption software prepped on your gold image?

    FWIW, I keep my safeboot tools in %TOOLROOT%, and call them from there.

    Tuesday, March 13, 2012 2:30 AM
  • I get to the part after the install where my MDT task is set to restore the MBR and set the hook flags. The computer should restart at that point, but my error occurs and halts the task sequence. The tools work within XP to store the MBR and unlock/unhide the other Safeboot files. It also apparently within WinPE stores the MBR before it installs the OS, because I can see the SafebootMBR.dat file in the root of X: when I go into the command prompt after the task fails. The paths to the tools are the same in all the places it works, as it is in the step that fails.

    I used the 2nd method in the McAfee documentation to create my "golden" Win7 WIM. I mounted the WIM and installed the EE driver just as I did in my PE images. Then at the end of the process I install the application and sync to the server. As I said, if I use SafeTech and restore the EEPC MBR from the database, the computer will boot again, finish the Win7 configuration and be ready for me to install the rest of my drivers/apps and do my configuration/run loadstate to pull in the hardlinked USMT files. I can install the EEPC application at the end and sync it and it works just fine. I just cannot get it to restore the MBR and set the hook flags after Win7 is installed within the task sequence.

    Tuesday, March 13, 2012 1:21 PM
  • We have it working, but it's a giant PITA. We have the x86 tools in Tools\x86 and the x64 tools in Tools\x64. The task path is %DEPLOYROOT%\Tools\x86 (or x64).

    Plus we were supporting both Safeboot 5.2 and McAfee EEPC 6.1.2.  Finally convinced them to upgrade everyone first. Our biggest problem was USMT failures, due to a domain migration and SIDHistory problems causing two profiles to point to the same folder under docs and settings.

    Tuesday, March 13, 2012 9:55 PM
  • One thing everyone might find helpful. I add McAfee support to my PE boot images on the fly every time I create them using an UpdateExit script, located in the C:\Program Files\Microsoft Deployment Toolkit\Samples folder.

    The safeboot.sys and SbAlg.sys files go in \Extra\x86\Windows\System32\Drivers and \Extra\x64\Windows\System32\Drivers , the SBWinPE.reg file goes in \Scripts. The UpdateExit script runs every time you rebuild your boot wims, imports the PE registry and modifies it, so you don't need to mount and edit the wims manually.

    ' // ***************************************************************************
    ' //
    ' // Copyright (c) Microsoft Corporation.  All rights reserved.
    ' //
    ' // Microsoft Deployment Toolkit Solution Accelerator
    ' //
    ' // File:      UpdateExit.vbs
    ' //
    ' // Version:   <VERSION>
    ' //
    ' // Purpose:   Sample "Update Deployment Share" exit script
    ' //
    ' // ***************************************************************************


    Option Explicit

    Dim oShell, oEnv


    ' Write out each of the passed-in environment variable values

    Set oShell = CreateObject("WScript.Shell")
    Set oEnv = oShell.Environment("PROCESS")

    WScript.Echo "INSTALLDIR = " & oEnv("INSTALLDIR")
    WScript.Echo "DEPLOYROOT = " & oEnv("DEPLOYROOT")
    WScript.Echo "PLATFORM = " & oEnv("PLATFORM")
    WScript.Echo "ARCHITECTURE = " & oEnv("ARCHITECTURE")
    WScript.Echo "TEMPLATE = " & oEnv("TEMPLATE")
    WScript.Echo "STAGE = " & oEnv("STAGE")
    WScript.Echo "CONTENT = " & oEnv("CONTENT")


    ' Do any desired WIM customizations (right before the WIM changes are committed)

    If oEnv("STAGE") = "WIM" Then

        ' CONTENT environment variable contains the path to the mounted WIM

        Dim sCmd, rc, strLog, fso, filetxt

        Set fso = CreateObject("Scripting.FileSystemObject")
        Set filetxt = fso.CreateTextFile(oEnv("DEPLOYROOT") & "\boot\UpdateExitLog_" & oEnv("ARCHITECTURE") & ".txt", True)

        strLog = strLog & "---- Beginning UpdateExit.vbs WIM section ----" & vbCrLf
        strLog = strLog &  "Adding Safeboot Registry keys to WinPE (UpdateExit.vbs)..." & VbCrLf

        'Load SYSTEM registry hive from mounted WinPE WIM (path to CONTENT)
        ' Quote the hive path so a mount directory containing spaces still loads
        sCmd = "Reg load HKLM\winpe " & Chr(34) & oEnv("CONTENT") & "\Windows\System32\config\SYSTEM" & Chr(34)
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG LOAD rc = " & rc & VbCrLf

        sCmd = "Reg add HKLM\winpe\ControlSet001\services\Safeboot /f"
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG add rc = " & rc & VbCrLf

        sCmd = "Reg add HKLM\winpe\ControlSet001\services\SBAlg /f"
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG add rc = " & rc & VbCrLf

        sCmd = "Reg add HKLM\winpe\ControlSet001\services\MfeEpePc /f"
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG add rc = " & rc & VbCrLf

        sCmd = "Reg add HKLM\winpe\ControlSet001\services\MfeEEAlg /f"
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG add rc = " & rc & VbCrLf

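        ' Quote the .reg path so a deployment share path containing spaces still imports
        sCmd = "Reg import " & Chr(34) & oEnv("DEPLOYROOT") & "\Scripts\SBWinPE.reg" & Chr(34)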
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG import rc = " & rc & VbCrLf

        sCmd = "Reg unload HKLM\winpe"
        strLog = strLog &  "About to run command: " & sCmd & VbCrLf
        rc = oShell.Run(sCmd, 1, True)
        strLog = strLog &  "REG unload rc = " & rc & VbCrLf

        filetxt.Write(strLog)
        filetxt.Close

    End If



    ' Do any desired ISO customizations (right before a new ISO is captured)

    If oEnv("STAGE") = "ISO" then

        ' CONTENT environment variable contains the path to the directory that
        ' will be used to create the ISO.

    End if


    ' Do any steps needed after the ISO has been generated

    If oEnv("STAGE") = "POSTISO" then

        ' CONTENT environment variable contains the path to the locally-captured
            ' ISO file (after it has been copied to the network).

    End if

                        
    Tuesday, March 13, 2012 10:23 PM
  • It sounds like you are doing things per the documentation..

    "Please note that if you are upgrading from 32‐bit to 64‐bit then the first stage should use the 32‐bit executable whereas the
    second stage should use the 64‐bit version. The same applies if you refreshing from win 7 64 to win 764. In this case the 64‐bit version should be used at all stages:"

    What exactly does the error say?  Can you post bdd.log snippets?

    Wednesday, March 14, 2012 2:45 AM
  • Nice script Joe.  I run a similar script but I do it after MDT spits out my gold WIM.  I like to keep a "clean" copy for archiving, but your method is definitely easier.


    Nick I will add that a good majority of the 3-5% were older model (Lenovo T/X 60, T/X 61) laptops.  They were never valid win7 candidates in my opinion but the call was over my head.  To make it even more fun many of the failures were with the beta version of the tool. All in all I've had a very high level of success with "valid" devices, and production tools. On the rare occasion when the process does fail the supplied recovery tools did the trick to either repair the MBR and continue migration, or in last resort copy the user data to a safe network location.  I have not lost any user data to date.  I should have been more clear initially.
    • Edited by XxX sdk XxX Wednesday, March 14, 2012 3:01 AM
    Wednesday, March 14, 2012 2:53 AM
  • Yes, the process seems to work, but any hiccups around it can be a problem, for example running the 5.2 tools against 6.1 installs and vice versa. And if USMT scans, the OS upgrades, but then USMT restore fails, you don't get your safeboot.rsv and .fs files restored to C:.  Our SIDHistory issues, and bad profile keys in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList were giving us a ton of grief with USMT.

    If you check this key and find .bak keys, or two keys referencing the same profile folder, you'll have issues. We had to cut off any legacy domain profiles by referencing the legacy domain SID, and delete all .bak profiles before running USMT to get a clean scan and restore.

    Tip: don't let your techs delete profiles by just deleting the Docs and Settings\<user id> folder. You need to do it through the control panel to keep this reg key clean.

    I use this subroutine in a preflight script to delete .bak keys. There's another section that enumerates all the keys and what folder they point to and logs it.

    '============

    Sub ProfileKeyCleanup

    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim i, strKeyPath, strOriginalKey, strBackupKey, oReg, Return, Return2, subkey, strSubKeyPath, strValue
    Dim arrSubKeys, arrValueNames, arrValueTypes, strValueName

    Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")

    strKeyPath = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

    strOriginalKey = "HKLM\" & strKeyPath
    strBackupKey = "HKLM\" & strKeyPath & "Backup"

    oReg.EnumKey HKEY_LOCAL_MACHINE, strKeyPath, arrSubKeys

     oLogging.CreateEntry "Subkeys under " & "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", LogTypeInfo

    Set oShell = CreateObject("WScript.Shell")
    oLogging.CreateEntry "Backing up ProfileList key to ProfileListBackup", LogTypeInfo
    Return = oShell.Run("reg copy " & Chr(34) & strOriginalKey & Chr(34) & " " & Chr(34) & strBackupKey & Chr(34) & " /s /f", 1, True)
    oLogging.CreateEntry "Reg Copy returns " & Return, LogTypeInfo
    oLogging.CreateEntry "Enumerating ProfileList subkeys", LogTypeInfo


    For Each subkey In arrSubKeys

        If Right(subkey,4) = ".bak" Then
            oLogging.CreateEntry "Bad key format found: " & subkey, LogTypeInfo
            oLogging.CreateEntry ".bak key found " & strOriginalKey & "\" & subkey & " - deleting", LogTypeWarning

            Return2 = oShell.Run("reg delete " & Chr(34) & strOriginalKey & "\" & subkey & Chr(34) & " /f", 1, True)
            oLogging.CreateEntry "Reg delete return = " & Return2, LogTypeInfo

        End If
    Next

    End Sub

    Wednesday, March 14, 2012 1:07 PM
  • <![LOG[Failed to run the last action: Restore Safeboot MBR. Execution of task sequence failed.
    Unknown error (Error: E0050005; Source: Unknown)]LOG]!><time="11:33:09.830+000" date="03-14-2012" component="TSManager" context="" type="3" thread="1512" file="engine.cxx:214">

    When I searched the net for that Error Code, McAfee claims it has something to do with a DeviceLock Program. We don't have anything like that on our systems. I also started nosing around in the BIOS when you mentioned you had issues with Lenovo laptops on this. My "problem" laptops are also Lenovo. I disabled all the onboard security devices thinking something was causing the MBR to not be written back properly. No luck there.

    BUT...that search made me remember that these laptops originally had the Lenovo recovery partition crap on them. My MDT step to install completely formats the harddrive and doesn't create that Lenovo partition. I'm thinking the saved MBR does get restored, but is looking for that no longer around partition? Would that theoretically explain the issue?

    Wednesday, March 14, 2012 7:03 PM
  • You can't format the hard drive if you are doing a hard link migration. Did you mean you wiped and reloaded them previously?
    Wednesday, March 14, 2012 7:42 PM
  • Ladybug:  Some of our legacy XP images contained a recovery partition created by the Lenovo "Rescue and Recovery" app.  One of my pre-migration steps is to make sure that software is completely removed from the device.  Failure to do so leads to problems as natively it will not allow the "MININT" folder to be created on the C:\.  I have not tied failures to the recovery partition.

    Joe:  We think along the same lines.  I wrote a script that is run before the user capture that A) identifies the pesky .bak profiles B) enumerates the ProfileList, and scans through them one at a time, looking at the "ProfileImagePath" value.  If the ntuser.dat does not exist for that particular SID, it removes it and keeps moving.   I call ZTIUtility within the script so I can dump the actions taken by the script into BDD.log.  Unfortunately it was a common practice for the floor techs to simply delete the profiles from Docs\Settings folders.  This cleanup step has proven to be a time saver as USMT will loop on profiles that do not have a ntuser.dat file present 20 times before continuing.  From reviewing logs, I've seen some 5+ year old images have 20 or more profiles that were deleted improperly.   The .bak issue is a bit more complex, as I am super anal about profiles containing .000, .Domain.Com etc.  It's a manual cleanup step I have my techs do prior to migration as of now, although I'm looking into a "safe" way I can automate this.

    Friday, March 16, 2012 10:07 PM
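A read-only version of the ProfileList preflight check discussed in the two posts above (.bak subkeys, two keys pointing at the same profile folder, and entries with no ntuser.dat), as an added example that is not code from any poster in this thread. The function names and the sample records are hypothetical and constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). Read-only: it reports, it never deletes.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Read one record per ProfileList subkey from the live registry.
function Get-ProfileListEntry {
    param([string]$KeyPath = $ProfileListKey)
    foreach ($key in Get-ChildItem -LiteralPath $KeyPath) {
        $path = $key.GetValue('ProfileImagePath')   # REG_EXPAND_SZ is expanded on read
        [pscustomobject]@{
            Subkey       = $key.PSChildName
            ProfilePath  = $path
            # ntuser.dat is hidden, so test it through .NET rather than a provider listing
            HasNtuserDat = [bool]($path -and [IO.File]::Exists([IO.Path]::Combine($path, 'ntuser.dat')))
        }
    }
}

function New-ProfileFinding {
    param($Issue, $Entry)
    [pscustomobject]@{ Issue = $Issue; Subkey = $Entry.Subkey; ProfilePath = $Entry.ProfilePath }
}

# Pure function: classify records so the logic can be checked on constructed data.
function Find-ProfileListProblem {
    param([object[]]$Entry)
    # Built-in service accounts are skipped for the ntuser.dat check (assumption:
    # their profiles are not migrated by USMT and may legitimately lack the file).
    $builtIn = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
    foreach ($e in $Entry) {
        if ($e.Subkey -like '*.bak') { New-ProfileFinding 'BakKey' $e }
        if ($builtIn -contains $e.Subkey) { continue }
        if (-not $e.ProfilePath) { New-ProfileFinding 'NoProfileImagePath' $e }
        elseif (-not $e.HasNtuserDat) { New-ProfileFinding 'MissingNtuserDat' $e }
    }
    # Two or more subkeys that reference the same folder (case-insensitive)
    $Entry | Where-Object { $_.ProfilePath } |
        Group-Object { $_.ProfilePath.TrimEnd('\').ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { foreach ($e in $_.Group) { New-ProfileFinding 'SharedProfilePath' $e } }
}

# Constructed sample records (SIDs and user names are made up).
$sample = @(
    [pscustomobject]@{ Subkey = 'S-1-5-18'; ProfilePath = 'C:\WINDOWS\system32\config\systemprofile'; HasNtuserDat = $false }
    [pscustomobject]@{ Subkey = 'S-1-5-21-1111111111-2222222222-3333333333-1001'; ProfilePath = 'C:\Documents and Settings\asmith'; HasNtuserDat = $true }
    [pscustomobject]@{ Subkey = 'S-1-5-21-4444444444-5555555555-6666666666-5001'; ProfilePath = 'C:\Documents and Settings\ASmith'; HasNtuserDat = $true }
    [pscustomobject]@{ Subkey = 'S-1-5-21-1111111111-2222222222-3333333333-1002.bak'; ProfilePath = 'C:\Documents and Settings\bjones'; HasNtuserDat = $true }
    [pscustomobject]@{ Subkey = 'S-1-5-21-1111111111-2222222222-3333333333-1003'; ProfilePath = 'C:\Documents and Settings\cdoe'; HasNtuserDat = $false }
)

Find-ProfileListProblem -Entry $sample | Format-Table -AutoSize

# Against the running OS (needs read access to HKLM):
# Find-ProfileListProblem -Entry (Get-ProfileListEntry) | Format-Table -AutoSize
```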
  • I'm trying to get this tool implemented for v5.2

     and

    "Failed to run the last action: Restore Safeboot MBR. Execution of task sequence failed."

    is the exact error message and stopping point I'm getting too with following the McAfee documentation.

    Sunday, March 18, 2012 2:10 AM

  • I had trouble getting meaningful results back from these tools as well. They don't seem to like returning usable errors, and messages are written to Stdout, where you can't read them. I actually wrote them into a wsf file so I could run them with WshShell.exec and capture stdOut in a variable and log it.

    Try to run the Mcafee tool manually from the command line in WinPE and see if it outputs something useful.
    Tuesday, March 20, 2012 4:24 PM
  • When I ran it from the command line in PE, I get the error that the MBR is already safeboot and will not be replaced. There IS something pretty screwy about my partitions. I looked again and apparently there is a strange partition structure on the two laptops I am currently getting the error with. From what I can see....they have the Lenovo recovery partition AND another hidden partition that somehow got on them from an old old image. It is showing up as partition 1 on disk 0. Since by default, the MDT step is supposed to install Win7 to that partition, I'm not sure what is happening completely. I haven't had time to pull up the log files and analyze a lot yet.

    And yes, after I read your post about the Refresh type not formatting, I smacked my forehead. DOH! It's not wiping that partition out, but I still think MDT and the Windows 7 Install step are not happy about that partition being in there and are doing something weird with the MBR somehow.

    Wednesday, March 21, 2012 4:53 PM
  • Finally got some results with all this. I did upgrade our MDT to the 2012 version, so keep that in mind.

    I rebuilt our PE images, both the 32 and 64 bit, with the Safeboot Drivers and registry keys, as the McAfee document says. I hadn't included these into the 32 bit PE image, because I was under the assumption that because I was upgrading to 64 bit and the process booted into my 64 bit WinPE (different backgrounds for the two, so I could tell at a glance which was being used or so I thought), that the 32 bit WinPE wim didn't need the Safeboot drivers. I may have been wrong on that assumption though.

    Also, I moved the McAfee tools to the Tools directory in my MDT structure as mentioned by JoeZeppy earlier in this thread. Some part of all of this worked. My task sequence finally worked all the way through. Yay!! Time to bring out the champagne. (Maybe that will wait until I get the rest of the laptops upgraded finally.)

    Thursday, May 03, 2012 8:27 PM
  • Congratulations! :') Ours has been working pretty consistently. I've added steps to set autoboot for a set number of times during the deployment, then clear that and set a timer so for the next 9 hours, you can reboot as often as you like for re-installs, patching etcetera. We found we had Altiris jobs stacking up after the deployment because if one of them required a reboot, all the rest had to wait till someone came around and logged in.

    Save this as ZTIEpeAutoboot.wsf and put it in your scripts folder along with epeTemporaryAutoboot.exe. It logs output to ZTIEpeAutoboot.log

    I set number of reboots at the beginning of deployment, so in case the job gets hung up for a while, it won't time out. Then I clear that at the end, and set it for 9 hours. Unlimited reboots allowed during that time.

    cscript "%SCRIPTROOT%\ZTIEpeAutoboot.wsf" "--number-of-reboots 4"

    cscript "%SCRIPTROOT%\ZTIEpeAutoboot.wsf" "--clear"

    cscript "%SCRIPTROOT%\ZTIEpeAutoboot.wsf" "--timeout-in-minutes 540"

    '-cut and paste below this line

    ' //***************************************************************************
    ' // File: ZTIEpeAutoboot.wsf
    ' //
    ' // Purpose: Template
    ' //
    ' // Usage: cscript ZTIEpeAutoboot.wsf [ "--number-of-reboots n" | "--clear" | "--timeout-in-minutes" ] [/debug:true]
    ' // Version: 1.0.0
    ' // Customer Script Version: 1.0.0 - JJS - JoeZeppy - 4/2012
    ' // Customer History:
    ' //
    ' //***************************************************************************
     
    '//----------------------------------------------------------------------------
    '//
    '// Global constant and variable declarations
    '//
    '//----------------------------------------------------------------------------
     
    Option Explicit
     
    Dim iRetVal
    Dim ArgObj
    Set ArgObj = WScript.Arguments  ' These Arguments read from the command line each segmented input to create a variable
    '//----------------------------------------------------------------------------
    '// End declarations
    '//----------------------------------------------------------------------------
     
    '//----------------------------------------------------------------------------
    '// Main routine
    '//----------------------------------------------------------------------------
     
    On Error Resume Next
    iRetVal = ZTIProcess
    ProcessResults iRetVal
    On Error Goto 0
     
    '//---------------------------------------------------------------------------
    '//
    '// Function: ZTIProcess()
    '//
    '// Input: None
    '//
    '// Return: Success - 0
    '// Failure - non-zero
    '//
    '// Purpose: Perform main ZTI processing
    '//
    '//---------------------------------------------------------------------------
    Function ZTIProcess()

        Dim sFile, strAutobootArgs
        Dim ScriptPath, ObjExec, strFromProc, strExitCode
        
        oLogging.CreateEntry "Setting EPEAutoboot", LogTypeInfo
        
        On Error Resume Next
        strAutobootArgs = Wscript.Arguments.Item(0)
        On Error GoTo 0
        
        ScriptPath = Left(WScript.ScriptFullName, Len(WScript.ScriptFullName) - Len(WScript.ScriptName))
        
        If strAutobootArgs <> "" Then
            oLogging.CreateEntry "Running from " & ScriptPath  & " with cmd line argument " & strAutobootArgs, LogTypeInfo
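            Set ObjExec = oShell.Exec(Chr(34) & ScriptPath & "epeTemporaryAutoboot.exe" & Chr(34) & " " & strAutobootArgs)
            ' Collect every line the tool writes to StdOut, not just the last one,
            ' and do not fail when the tool prints nothing
            strFromProc = ""
            Do While Not ObjExec.StdOut.AtEndOfStream
                strFromProc = strFromProc & ObjExec.StdOut.ReadLine() & " "
            Loop
            strExitCode = ObjExec.ExitCode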

            'oShell.Popup strFromProc, 10, "Status", 64
            
            oLogging.CreateEntry strFromProc, LogTypeInfo
            oLogging.CreateEntry "Exit code = " & strExitCode, LogTypeInfo
            iRetVal = 0
            
        Else
            oLogging.CreateEntry "Autoboot not Set",LogTypeWarning
            iRetVal = 1
        End If
        
        If (iRetVal = 0) Or (iRetVal = 3010) Then
            ZTIProcess = Success
        Else
            ZTIProcess = Failure
        End If
        
        oLogging.CreateEntry "ZTIEpeTempAutoboot: Return code value = " & iRetVal, LogTypeInfo
        oLogging.CreateEntry "ZTIEpeTempAutoboot: Done ...", LogTypeInfo    
        
    End Function


    Friday, May 04, 2012 7:23 PM
  • One thing everyone might find helpful. I add McAfee support to my PE boot images on the fly every time I create them using an UpdateExit script, located in the C:\Program Files\Microsoft Deployment Toolkit\Samples folder.

    The safeboot.sys and SbAlg.sys files go in \Extra\x86\Windows\System32\Drivers and \Extra\x64\Windows\System32\Drivers , the SBWinPE.reg file goes in \Scripts. The UpdateExit script runs every time you rebuild your boot wims, imports the PE registry and modifies it, so you don't need to mount and edit the wims manually.

    ' // ***************************************************************************
    ' // File:      UpdateExit.vbs
    ' // ***************************************************************************                    

    JoeZeppy- since you're importing both the EE5 and EE6 files- have you had any conflict with an EE6 machine since EE5 is injected? What is in SBWinPE.reg file since the PartMgr change is different for each version.... EE5=Safebot/PartMgr, EE6=MfeEpePc/PartMbr.
    Friday, May 11, 2012 5:56 PM
  • We didn't, no. both sets of drivers are installed.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\winpe\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    "Class"="DiskDrive"
    "ClassDesc"="@%SystemRoot%\\System32\\StorProp.dll,-17000"
    @="Disk drives"
    "IconPath"=hex(7):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,69,\
      00,6d,00,61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,6c,00,2c,00,\
      2d,00,33,00,32,00,00,00,00,00
    "Installer32"="StorProp.Dll,DiskClassInstaller"
    "NoInstallClass"="1"
    "SilentInstall"="1"
    "UpperFilters"=hex(7):53,00,61,00,66,00,65,00,62,00,6f,00,6f,00,74,00,00,00,4d,\
      00,66,00,65,00,45,00,70,00,65,00,50,00,63,00,00,00,50,00,61,00,72,00,74,00,\
      4d,00,67,00,72,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\SafeBoot]
    "Type"=dword:00000001
    "Start"=dword:00000000
    "ErrorControl"=dword:00000003

    [HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\SBAlg]
    "Type"=dword:00000001
    "Start"=dword:00000000
    "ErrorControl"=dword:00000003
    "Group"="Primary Disk"

    [HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\MfeEpePc]
    "Type"=dword:00000001
    "Start"=dword:00000000
    "ErrorControl"=dword:00000003

    [HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\MfeEEAlg]
    "Type"=dword:00000001
    "Start"=dword:00000000
    "ErrorControl"=dword:00000003
    "Group"="Primary Disk"

    • Edited by JoeZeppy Friday, May 11, 2012 9:05 PM
    Friday, May 11, 2012 9:04 PM
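To see which disk-class filter drivers the posted SBWinPE.reg actually registers, the hex(7) `UpperFilters` value can be decoded and each filter checked for a boot-start service entry in the same file. This is an added example, not part of the original post: the function names are hypothetical, the sample is a trimmed copy of the .reg text above, Windows PowerShell 3.0 or later is assumed, and PartMgr is assumed to be supplied by the base WinPE hive.

```powershell
# Added example (not from the thread). Sample: trimmed copy of the posted SBWinPE.reg.
$sampleReg = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\winpe\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"UpperFilters"=hex(7):53,00,61,00,66,00,65,00,62,00,6f,00,6f,00,74,00,00,00,4d,\
  00,66,00,65,00,45,00,70,00,65,00,50,00,63,00,00,00,50,00,61,00,72,00,74,00,\
  4d,00,67,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\SafeBoot]
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\winpe\ControlSet001\services\MfeEpePc]
"Type"=dword:00000001
"Start"=dword:00000000
'@

# Decode a REG_MULTI_SZ written as hex(7): UTF-16LE strings separated by NUL.
function Get-RegMultiSz {
    param([string]$RegText, [string]$ValueName)
    # Join continuation lines (a trailing backslash continues the value)
    $joined  = $RegText -replace '\\\r?\n\s*', ''
    $pattern = '(?m)^\s*"' + [regex]::Escape($ValueName) + '"=hex\(7\):([0-9A-Fa-f,]*)'
    $m = [regex]::Match($joined, $pattern)
    if (-not $m.Success) { return }
    $hex = $m.Groups[1].Value.Split(',') | Where-Object { $_ }
    [byte[]]$bytes = foreach ($h in $hex) { [Convert]::ToByte($h, 16) }
    [Text.Encoding]::Unicode.GetString($bytes).Split([char]0) | Where-Object { $_ }
}

# Map each ...\services\<name> section in the file to its "Start" value.
function Get-RegServiceStart {
    param([string]$RegText)
    $result  = @{}          # PowerShell hashtable literals compare keys case-insensitively
    $current = $null
    foreach ($line in ($RegText -split '\r?\n')) {
        if ($line -match '^\s*\[.*\\services\\([^\\\]]+)\]\s*$') { $current = $Matches[1]; continue }
        if ($line -match '^\s*\[') { $current = $null; continue }
        if ($current -and $line -match '^\s*"Start"=dword:([0-9A-Fa-f]{8})') {
            $result[$current] = [Convert]::ToInt32($Matches[1], 16)
        }
    }
    $result
}

# One row per filter, in load order, with the state of its service entry.
function Test-WinPeFilterStack {
    param([string]$RegText)
    $filters = @(Get-RegMultiSz -RegText $RegText -ValueName 'UpperFilters')
    $starts  = Get-RegServiceStart -RegText $RegText
    for ($i = 0; $i -lt $filters.Count; $i++) {
        $name = $filters[$i]
        $status =
            if ($name -eq 'PartMgr')                { 'InBox (assumed present in base WinPE)' }
            elseif (-not $starts.ContainsKey($name)) { 'NoServiceKey' }
            elseif ($starts[$name] -eq 0)            { 'BootStart' }
            else                                     { 'NotBootStart' }
        [pscustomobject]@{ Order = $i; Filter = $name; Status = $status }
    }
}

Test-WinPeFilterStack -RegText $sampleReg | Format-Table -AutoSize
```

Run it against the full .reg file with `Test-WinPeFilterStack -RegText (Get-Content .\SBWinPE.reg -Raw)`; a filter reported as NoServiceKey or NotBootStart is worth resolving before rebuilding the boot image.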
  • Safeboot / MfeEpePC / PartMgr.... Interesting, I'll give this a try.  We're refreshing XP (EE5) to 7 (EE6) and letting the EE6 install overtop EE5.  Would be great to only have 1 boot which could do that, plus Win7 (EE6) > Win7 (EE6) reimages.  Thanks!
    Friday, May 11, 2012 10:18 PM
  • Has anyone gotten this working in OFFLINE mode -

    Meaning you PXE boot an encrypted system and do the backup with usmt from within WINPE? This is really bugging me, I'm sure it's possible.

    Friday, May 10, 2013 3:57 PM
  • Has anyone gotten this working in OFFLINE mode -

    Meaning you PXE boot an encrypted system and do the backup with usmt from within WINPE? This is really bugging me, I'm sure it's possible.


    We do this regularly with SCCM. PXE boot, use EETech tools to gain access to the disk, and then proceed with the regular OSD task sequence.

    -Nick O.

    Friday, May 10, 2013 6:31 PM
  • Is there any tool to autoboot the systems during a ZTI migration from XP to Windows 7 with SCCM without touching the McAfee Console?

    One more issue is during the Apply OS step the TS errors with "The directory is not empty." because it's not able to wipe the drive. Has anyone seen this issue and how to resolve it? I tried using a script to delete the drive before the Apply OS step but no luck, there are some directories which are still out there.

    Thanks!

    Friday, May 17, 2013 4:34 AM
  • Is there any tool to autoboot the systems during a ZTI migration from XP to Windows 7 with SCCM without touching the McAfee Console?

    One more issue is during the Apply OS step the TS errors with "The directory is not empty." because it's not able to wipe the drive. Has anyone seen this issue and how to resolve it? I tried using a script to delete the drive before the Apply OS step but no luck, there are some directories which are still out there.

    Thanks!

    I'm not sure what you mean by "autoboot" but if you are referring to suspending preboot authentication, that can be done with a tool McAfee provides called TemporaryAutoboot. It will allow you to specify a timeframe or number of reboots before preboot is put back in place. Because preboot auth is a policy change, you have to run your TS from a running OS. (A machine refresh scenario.) You cannot PXE boot and use the autoboot tool.

    As far as "directory is not empty," are you using USMT to migrate data? What do the logs show?


    -Nick O.

    Friday, May 17, 2013 3:50 PM
  • Yes, I was referring to bypassing the preboot so the ZTI task sequence can reboot to migrate the systems; it's a machine refresh scenario with SCCM client and not PXE boot.

    Is this the tool you are referring to which is talked about in this article  https://community.mcafee.com/community/business/data/epoenc/blog/2011/11/03/how-to-use-the-temporary-automatic-booting-feature

    Here is the files/folders causing issues

    \\?\C:\Program Files\Lotus\Notes\FRAMEW~1\rcp\eclipse\plugins - The directory is not empty.
    \\?\C:\WINDOWS\inf - The directory is not empty.
    \\?\C:\WINDOWS\source\i386 - The directory is not empty.
    \\?\C:\WINDOWS\system32\Macromed\Flash\Flash32_11_6_602_171.ocx - Access is denied.
    \\?\C:\Program Files\Lotus\Notes\FRAMEW~1\rcp\eclipse\plugins - The directory is not empty.
    \\?\C:\Program Files\Lotus\Notes\FRAMEW~1\rcp\eclipse\plugins - The directory is not empty.
    \\?\C:\Program Files\Lotus\Notes\framework\rcp\eclipse\plugins - The directory is not empty.
    \\?\C:\Program Files\Lotus\Notes\framework\rcp\eclipse\plugins - The directory is not empty.
    \\?\C:\Program Files\Lotus\Notes\framework\rcp\eclipse\plugins - The directory is not empty.
    The directory is not empty.
    The directory is not empty.
    \\?\C:\WINDOWS\source\i386 - The directory is not empty.
    \\?\C:\WINDOWS\system32\Macromed\Flash\Flash32_11_6_602_171.ocx - Access is denied.
    The directory is not empty.
    \\?\C:\WINDOWS\system32\Macromed\Flash\Flash32_11_6_602_171.ocx - Access is denied.
    \\?\C:\WINDOWS\system32\Macromed\Flash\Flash32_11_6_602_171.ocx - Access is denied.

    Here is what I did, launched notepad from PE command prompt and opened the directory and was able to delete the program files folder without issues but on the \\?\C:\WINDOWS\system32\Macromed\Flash\Flash32_11_6_602_171.ocx file it gives me an access  denied message saying you require permission from NT Authority\System to make changes to this file.

    There are two issues here: first, with C:\Program Files\Lotus\Notes\framework\rcp\eclipse\plugins, it's because of long names that it's not able to delete; and second, due to permissions, C:\WINDOWS\system32\Macromed\Flash is not getting deleted.

    There may be more files/folders out there in the production systems with issues like this which will be unknown so just putting a script to delete just these known ones is not a solution.

    Is it a known issue? Has anyone seen this issue?

    Thanks!

    Friday, May 17, 2013 11:47 PM
  • The tool mentioned in your link is the tool I was referring to.

    The only time I've ever seen the repeated access is denied/directory is not empty issue is when USMT fails to unload the Software hive. In that case, you have to add an extra step after USMT completes: cmd /c REG UNLOAD HKLM\$DEST$SOFTWARE . Not sure what would be causing the issue if you are not using USMT.


    -Nick O.

    Monday, May 20, 2013 2:54 PM
  • I tried the command "cmd /c REG UNLOAD HKLM\$DEST$SOFTWARE". It doesn't run and gives me an error, not sure if the hive exists. Here is my Task Sequence.

    Any issues with the way am capturing the user state?
    • Edited by Mr.Spectra Tuesday, May 21, 2013 1:28 AM
    Tuesday, May 21, 2013 1:27 AM
  • It looks like the "Unload hive" setting needs to be enabled. In the above screenshot, it is disabled. That won't work as that is the step that will force the Software hive to be unloaded.

    If you highlight that task, you should see something like:

    That's a requirement or you will get repeated failures concerning USMT, which may be part of your issues with "access denied" on several files.

    Everything else looks sound. I do things a bit differently on the outset; I have the refresh tool packaged, for example, and I use the package during a "Run Command Line" step. But your method should be fine. Also be certain you are matching architectures to the tool used. In my XP-to-7 deployments, the x86 tool is used at first but the x64 tool is used at the end, since I'm now in Windows 7 x64. Additionally, verify the "Continue if some files cannot be captured" and "Capture locally by using links instead of copying files" are both checked in your Capture User Files and Settings task.


    -Nick O.

    Tuesday, May 21, 2013 2:57 PM