Windows 7 <> Sophos Encryption <> Removal of Disk Encryption

    Question

  • Hi All

    We are currently starting to deploy Windows 7 Enterprise Service Pack 1 onto existing Computer Accounts that have Windows XP Professional with Service Pack 3 in our environment.

    For deploying we are using ConfigMgr 2007 R3 in conjunction with MDT 2010 Update 1 using a Task Sequence that Captures User State and then restores at the end of the build.

    At present everything is fine with deploying to Desktop Computers but we have an issue with deploying to Laptop Computers. Currently on our Laptop Computers we have Full Disk Encryption installed using Sophos SafeGuard 5.6. The problem that we are facing is that because of the Full Drive Encryption, the Task Sequence returns an error when rebooting into WinPE, saying "Unable to read task sequence configuration disk. For more information, please contact your system administrator or helpdesk operator."

    I have managed to copy the SMSTS.log file off WinPE and have noticed that the following entries appear:

    LOGGING: Finalize process ID set to 776 TSBootShell 09/12/2011 22:07:38 780 (0x030C)
    ==============================[ TSBootShell.exe ]============================== TSBootShell 09/12/2011 22:07:38 780 (0x030C)
    Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL' TSBootShell 09/12/2011 22:07:38 780 (0x030C)
    Debug shell is enabled TSBootShell 09/12/2011 22:07:38 780 (0x030C)
    Waiting for PNP initialization... TSBootShell 09/12/2011 22:07:38 804 (0x0324)
    ::GetVolumeNameForVolumeMountPointW( sDevicePath, szDeviceVolumeId, szDeviceVolumeId.size()), HRESULT=80070003 (c:\qfe\nts_sms_fre\sms\framework\tscore\devicepath.cpp,159) TSBootShell 09/12/2011 22:07:39 804 (0x0324)
    DevicePath::DeviceNamespaceWin32Path(sDevicePath, rsWin32Path), HRESULT=80070003 (c:\qfe\nts_sms_fre\sms\framework\tscore\devicepath.cpp,115) TSBootShell 09/12/2011 22:07:39 804 (0x0324)
    DevicePath::ArcToWin32Path(pszBootPath, rsLogicalPath), HRESULT=80070003 (c:\qfe\nts_sms_fre\sms\framework\tscore\bootsystem.cpp,111) TSBootShell 09/12/2011 22:07:39 804 (0x0324)
    ConvertBootToLogicalPath failed (0x80070003). Retrying (0)... TSBootShell 09/12/2011 22:07:39 804 (0x0324)

    The section from ::GetVolumeNameForVolumeMountPointW( sDevicePath, szDeviceVolumeId, szDeviceVolumeId.size()), HRESULT=80070003 to ConvertBootToLogicalPath failed (0x80070003). Retrying (0)... TSBootShell repeats for 30 attempts.

    Then the following appears:

    Failed to find the current TS configuration path TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    ConfigPath::FindConfigPath(sConfigPath), HRESULT=80070003 (e:\nts_sms_fre\sms\client\tasksequence\bootshell\bootshell.cpp,550) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Failed to find the configuration path.
    The system cannot find the path specified. (Error: 80070003; Source: Windows) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Execution failed with error 80070003. TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Finalizing logging from process 776 TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Finalizing logs to root of first available drive TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Successfully finalized logs to X:\SMSTSLog TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Cleaning up task sequencing logging configuration. TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    hMap != 0, HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentscope.cpp,136) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    m_pGlobalScope->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,321) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    this->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,533) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    hMap != 0, HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentscope.cpp,136) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    m_pGlobalScope->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,321) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    this->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,533) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    hMap != 0, HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentscope.cpp,136) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    m_pGlobalScope->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,321) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    this->open(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\environmentlib.cpp,533) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    !sTSMDataPath.empty(), HRESULT=80070002 (c:\qfe\nts_sms_fre\sms\framework\tscore\resolvesource.cpp,1395) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    There is no TSM local data path being set TSBootShell 09/12/2011 22:08:09 804 (0x0324)
    Command line for extension .exe is "%1" %* TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    Set command line: "X:\sms\bin\i386\TsProgressUI.exe" /Register:WinPE TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    Executing command line: "X:\sms\bin\i386\TsProgressUI.exe" /Register:WinPE TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    ==========[ TsProgressUI started in process 884 ]========== TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    Command line: "X:\sms\bin\i386\TsProgressUI.exe" /Register:WinPE TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    Registering COM classes TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    sbModulePath = X:\sms\bin\i386\TsProgressUI.exe TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    Unregistering class objects TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    Shutdown complete. TsProgressUI 09/12/2011 22:08:09 888 (0x0378)
    Process completed with exit code 0 TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    Successfully registered TS Progress UI. TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    Failed to create instance of progress UI (0x800401F0) TSBootShell 09/12/2011 22:08:09 780 (0x030C)
    Executing command line: X:\windows\system32\cmd.exe /k TSBootShell 10/12/2011 08:42:02 780 (0x030C)
    The command completed successfully. TSBootShell 10/12/2011 08:42:02 780 (0x030C)
    Successfully launched command shell. TSBootShell 10/12/2011 08:42:02 780 (0x030C)

    What I need to be able to do is to completely wipe the Hard Drive as part of the Task Sequence. As part of the task sequence for the build I have even tried adding a Format and Partition Disk action, and also a custom command line that runs a Disk Command, and neither of these options works.

    Has anybody had to remove an Encrypted Drive before?

    Regards

    Tuesday, December 13, 2011 12:23 PM
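An added helper, not part of the original post, that parses flat SMSTS.log lines like the ones pasted above and pulls out the failure chain: repeated HRESULT 0x80070003 (ERROR_PATH_NOT_FOUND) from the boot-path lookup, followed by the fatal "configuration path" error, which is consistent with WinPE being unable to read the encrypted volume it was staged on. The sample log is a constructed excerpt modelled on the thread's lines; the HRESULT names are the standard Windows values.

```python
import re
from collections import Counter

# One flat SMSTS.log line: "<message> <component> <dd/mm/yyyy hh:mm:ss> <thread> (<hex thread>)"
LINE_RE = re.compile(
    r"^(?P<msg>.+?)\s+(?P<comp>\S+)\s+(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<tid>\d+)\s+\(0x[0-9A-Fa-f]+\)\s*$")
# HRESULTs show up as "HRESULT=80070003", "(0x80070003)", "(Error: 80070003; ..." or "error 80070003"
HRESULT_RE = re.compile(r"(?:HRESULT=|\(0x|Error: |error )([0-9A-Fa-f]{8})")
RETRY_RE = re.compile(r"ConvertBootToLogicalPath failed \(0x[0-9A-Fa-f]{8}\)\. Retrying \((\d+)\)")

# Standard Windows error codes wrapped as HRESULTs (Win32 facility 7, COM facility 4).
KNOWN_HRESULTS = {"80070002": "ERROR_FILE_NOT_FOUND", "80070003": "ERROR_PATH_NOT_FOUND",
                  "800401F0": "CO_E_NOTINITIALIZED"}

# Constructed excerpt modelled on the thread's log; only two of the 30 retry rounds are kept.
SAMPLE_LOG = r"""::GetVolumeNameForVolumeMountPointW( sDevicePath, szDeviceVolumeId, szDeviceVolumeId.size()), HRESULT=80070003 (c:\qfe\nts_sms_fre\sms\framework\tscore\devicepath.cpp,159) TSBootShell 09/12/2011 22:07:39 804 (0x0324)
ConvertBootToLogicalPath failed (0x80070003). Retrying (0)... TSBootShell 09/12/2011 22:07:39 804 (0x0324)
ConvertBootToLogicalPath failed (0x80070003). Retrying (1)... TSBootShell 09/12/2011 22:07:40 804 (0x0324)
Failed to find the current TS configuration path TSBootShell 09/12/2011 22:08:09 804 (0x0324)
The system cannot find the path specified. (Error: 80070003; Source: Windows) TSBootShell 09/12/2011 22:08:09 804 (0x0324)
Execution failed with error 80070003. TSBootShell 09/12/2011 22:08:09 804 (0x0324)
Failed to create instance of progress UI (0x800401F0) TSBootShell 09/12/2011 22:08:09 780 (0x030C)
"""

def parse_line(line):
    """Split one flat log line into its fields; return None for wrapped or non-log text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h = HRESULT_RE.search(rec["msg"])
    rec["hresult"] = h.group(1).upper() if h else None
    return rec

def summarize(log_text):
    """Count HRESULTs, count boot-path lookup retries and pick out the fatal message."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    hresults = Counter(r["hresult"] for r in records if r["hresult"])
    retries = [m for m in (RETRY_RE.search(r["msg"]) for r in records) if m]
    config_path_lost = any(r["msg"].startswith("Failed to find the current TS configuration path") for r in records)
    return {
        "lines": len(records),
        "hresults": {k: (v, KNOWN_HRESULTS.get(k, "unknown")) for k, v in hresults.items()},
        "boot_path_retries": len(retries),
        "fatal": next((r["msg"] for r in records if r["msg"].startswith("Execution failed")), None),
        # Retried ERROR_PATH_NOT_FOUND on the boot-path lookup and then no config path means WinPE
        # could not read the volume it was staged on (here, the SafeGuard-encrypted system drive).
        "boot_volume_unreadable": bool(retries) and config_path_lost,
    }
```

Feed it the whole SMSTS.log copied off X:\SMSTSLog; lines that wrapped in the paste (no trailing component/timestamp) are skipped rather than miscounted.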

Answers

  • Hi

    After some further research I will need to try the following:

    http://www.sophos.com/support/knowledgebase/article/66019.html

    http://deploywindows.info/2011/02/14/utimaco-safeguard-easy-and-the-osd-process/

    Also a bit of information from Sophos:

    As per our conversation, this article describes how to take a system that is encrypted with SGN 5.50 and re-image it via SCCM to a point where either Windows XP or Windows 7 is reinstalled and ready to be encrypted again. This process will include backing up user data.

    This article assumes that you already have your own Windows Image file, and just need to make the necessary changes.

    NOTE: SCCM uses PE 3.0. Since the Windows PE 3.0 (WIM) image is applied to the encrypted hard drive (while the existing OS is up and running), when the machine reboots and attempts to boot into PE this process will fail. To work around this issue, you must insert the SGN filter drivers into your PE WIM image.

    What to do

    1. Copy the appropriate SCCM Windows PE WIM file to your system.
    2. Install SGN on to a system that has the Windows Automated Installation Kit 2.0 already installed.
    3. Click Start > Programs > Microsoft Windows AIK > Windows PE Tools Command Prompt. (Run as administrator)
    4. In the command prompt type: copype.cmd x86 c:\winpe_x86 (or a directory of your choosing); this directory will be created automatically.
    5. Copy ADDSGN2WINPE.CMD (c:\program files\sophos\b\safeguard enterprise\BaseEncryption\) and IMAGEX to this directory.
    6. Copy the PE WIM file to be used by SCCM into this directory.
    7. From the command line run ADDSGN2WINPE2 .wim. This command will then mount the .wim file and copy the filter drivers to the windows\system32\drivers directory. It will also update the registry.
    8. Copy fltdonothing.exe to the WIM file.
    9. Mount the WIM:
      • Type IMAGEX /mountrw 1
      • Change to the directory WIM is mounted to, e.g. Cd c:\SGNTest\Temp\windows\system32
      • Copy fltdonothing.exe to this directory, e.g. copy c:\SGNFiles\fltdonothing.exe.
      • Commit and save the .WIM. Type ImageX /unmount /Commit.
    10. The WIM file may now be uploaded and staged in the appropriate directory within your SCCM infrastructure.


    Overview of re-imaging process

    Preliminary steps:

    • In the SGN management console, enable the WOL policy for the client to be reimaged.
    • Targeted SGN clients synchronize with the SGN server to download new policy.

    Within the SCCM task sequence, when reimaging a machine the following takes place:

    1. C:\windows\system32\sgmcmdintn.exe -wolstart is run on the target computer. This disables POA, allowing the system to reboot several times without requiring an authentication.
    2. SCCM pushes the PE WIM to the targeted system and reconfigures the boot configuration data to boot into PE upon reboot.
    3. Target machine reboots:
      • Auto-login via POA
      • Loads PE WIM (which receives keys for filter drivers from POA)
      • SCCM backs up user data (via USMT to a State Migration Point)
      • X:\windows\system32\fltdonothing.exe 1 is executed. This disables the SGN Filter drivers.
      • SCCM repartitions HD
      • SCCM lays down new OS
      • Applies hardware drivers
      • Sets up OS and installs the SCCM Client
      • Installs updates/patches
      • Installs additional applications (if necessary)
      • Restores user state (via USMT from the State Migration Point)
      • Target system reboots
    4. On reboot the system no longer goes via POA. All data is now stored on the disk in clear.
    5. System joins domain.
    6. SGN installed.
    7. Drive encrypts.

    Hopefully this will work.

    • Marked as answer by Robinson Zhang Tuesday, December 27, 2011 9:41 AM
    Tuesday, December 13, 2011 3:54 PM

All replies

    I'm not using Sophos, but we are connecting to our MBAM server in WinPE and pulling the recovery key from the SQL db and unlocking the drive if it's encrypted. The links below might give you some ideas of doing something similar with Sophos.

    Customising Windows 7 deployments - part 5.
    Enabling Bitlocker in WinPE on Dell computers [Jul 2011]

    How can I determine if there's a TPM chip on my Dell system for BitLocker ?
    Using the following script [Aug 2011]

    Is the TPM Chip Enabled or Disabled in the Bios on my system ?
    Use this WMI query to find out [Aug 2011]

    How can I determine if the drive is Encrypted (Protected) or not during a BitLocker task sequence in WinPE ?
    Using the GetProtectionStatus Method [Aug 2011]

    How can I determine if there's a TPM chip on my Lenovo system for BitLocker ?
    Easy when you know how [Sep 2011]

    How can I retrieve my BitLocker Recovery Key from MBAM in WinPE
    Connecting to MBAM from WinPE [Sep 2011]

    My Step by Step ConfigMgr Guides
    I'm on Twitter > ncbrady
    Tuesday, December 13, 2011 1:06 PM
    Moderator
  • Hi there,

    I am looking for the fltdonothing.exe file but I cannot find this. Where should it be?

    Dean

    Tuesday, January 31, 2012 10:01 AM
  • If you are using Safeguard Easy version 4.5, request fltdonothing.exe version 5.6 from Sophos support. The default version support will release is 2.1, which doesn't work with 4.5 when you run it in Windows PE. fltdonothing.exe version 5.6 is 99KB.
    Wednesday, September 19, 2012 7:45 PM