OSD and 3rd Party encryption

    Question

    I've set up and advertised an OSD image to some test laptops and desktops. Laptops are encrypted with Utimaco encryption.

    The Task sequence runs fine on desktops without encryption. On the laptops, I get the error:

    "ConvertBootToLogicalPath failed"

    Failed to find the configuration path. The system cannot find the path specified (Error 80070003).

    I've tried using Diskpart before and after the TS step "Restart in Windows PE", but that doesn't work.

    I also saw this article regarding running convert.exe before staging the boot image, http://technet.microsoft.com/en-us/library/bb932144.aspx; this didn't work either.

    Has anyone used SCCM / OSD to reimage a machine with a 3rd party encryption tool?

    Thursday, July 31, 2008 7:28 PM

All replies

  • I am having the exact same problem. We use WinMagic SecureDoc on our laptops. PXE boot TS's work fine; it's just the TS's that launch from Windows and stage the boot image that have the problem. The error you mentioned shows up in the smsts.log. On the screen I see an "Unable to read task sequence configuration disk" message. The wizard is at the "Initializing hardware devices..." window at the time of the error.

    I just upgraded to SP1 last week. One thing I noticed that was different is that when an image is copied down it now copies to C: rather than E:. Not sure why or if this has anything to do with it. The smsts.log shows that it is trying to access e:\nts_sms_fre\sms\... and can't.

    I have opened an incident with MS and will report what I find out.

    Neal

    Thursday, July 31, 2008 8:14 PM
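As an added example (not from this thread or from ConfigMgr itself), a small triage script that parses CMTrace-style smsts.log lines and flags the signature described above, where the boot image is staged onto a volume WinPE cannot read; the sample log lines are constructed to match the messages quoted in this thread and are not from a real machine.

```python
import re
from typing import Dict, List

# Constructed sample smsts.log lines (CMTrace format), not from a real machine;
# the messages are the ones quoted in this thread.
SAMPLE_SMSTS_LOG = """\
<![LOG[Copying boot image to e:\\nts_sms_fre\\sms]LOG]!><time="19:27:55.000+000" date="07-31-2008" component="TSManager" context="" type="1" thread="100" file="">
<![LOG[ConvertBootToLogicalPath failed]LOG]!><time="19:28:01.000+000" date="07-31-2008" component="TSBootShell" context="" type="3" thread="100" file="">
<![LOG[Failed to find the configuration path. The system cannot find the path specified. (Error: 80070003; Source: Windows)]LOG]!><time="19:28:01.100+000" date="07-31-2008" component="TSBootShell" context="" type="3" thread="100" file="">
<![LOG[Unable to read task sequence configuration disk]LOG]!><time="19:28:01.200+000" date="07-31-2008" component="TSBootShell" context="" type="3" thread="100" file="">
"""

# One CMTrace entry per line: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
LINE_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" '
    r'component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d)"'
)

# Message fragments from this thread that together point at the boot image having
# been staged onto a volume WinPE cannot read (here: a third-party encrypted disk).
SIGNATURES = (
    "ConvertBootToLogicalPath failed",
    "Failed to find the configuration path",
    "80070003",
    "Unable to read task sequence configuration disk",
)
# Drive letter of the staging folder mentioned in the thread (e:\nts_sms_fre\sms).
STAGING_RE = re.compile(r"\b([a-zA-Z]):\\nts_sms_fre", re.IGNORECASE)


def parse_smsts(text: str) -> List[Dict[str, str]]:
    """Parse CMTrace-style lines into dicts; type "3" marks an error entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: List[Dict[str, str]]) -> Dict[str, object]:
    """Return matched signatures, staging drive letters, error messages and a verdict."""
    matched = [s for s in SIGNATURES if any(s in e["msg"] for e in entries)]
    drives = {m.group(1).upper() for e in entries for m in STAGING_RE.finditer(e["msg"])}
    errors = [e["msg"] for e in entries if e["type"] == "3"]
    verdict = (
        "boot image staged on a volume WinPE cannot read; check full-disk encryption"
        if "ConvertBootToLogicalPath failed" in matched and "80070003" in matched
        else "no known staging signature"
    )
    return {"matched": matched, "staging_drives": sorted(drives), "errors": errors, "verdict": verdict}


if __name__ == "__main__":
    print(triage(parse_smsts(SAMPLE_SMSTS_LOG)))
```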
  • In the SMS 2003 OSD days, I made a solution handling this issue. The encryption tool was actually also SafeGuard Easy.

    I was able to PXE-boot the clients and wipe the encrypted disk using diskpart, but not via an advertisement from the full OS.

    So what I did was: in the Validation phase (SMS 2003 OSD phase), using a VBScript I copied the SMS 2003 OSD boot CD-ROM ISO file to the C: drive, and modified the boot files to boot from the ISO file instead of the full Windows XP. The OSD boot CD was built on WinPE 1.5 and Windows Server 2003 with the "boot in memory" functionality.

    Then I was able to wipe the disk using diskpart. However, I really don't think this was a supported scenario.

    I got the inspiration from Johan's article: http://www.myitforum.com/articles/8/view.asp?id=8814

    Please note that I was using SMS 2003 and not ConfigMgr, so I have never tried this with ConfigMgr. And again, I really don't think this is a supported scenario, so if I were you, I would look for a more "pretty and clean" solution. Maybe ask Utimaco if there is a solution.

    Thursday, July 31, 2008 9:11 PM
  • Any news on this? I'm facing the same issue with Safeguard Easy, and would be keen on finding a solution.

    Wednesday, September 03, 2008 6:34 PM
  • Hi, is there a solution? We're facing the same issue in SCCM with another encryption tool...

    Tuesday, February 02, 2010 2:13 PM
  • Neal - Were you able to find out anything? I would be very interested to hear.
    Monday, June 07, 2010 7:15 PM
  • Does anyone know how to do this? I am able to do it with PGP / SCCM and PGP / MDT but not Utimaco. I have a customer who is looking to upgrade from XP to Win 7 and they can't sacrifice having the disks wiped manually to change out the OS and re-encrypt.
    Friday, July 30, 2010 7:02 PM
  • I've been looking at this as well, and the key to me, it seems, will be getting filter drivers for the version of Utimaco SGE that work with the latest WinPE. The drivers for BartPE are obviously XP, not Win7, and they do not seem to work. You cannot install the version we are running (4.30.1) on Windows 7, which leads me to believe a plugin for WinPE 3.0 will be hard to come by. I'm going to see if my coworker who originally dealt with Utimaco can get some information from them on this.
    Tuesday, September 07, 2010 6:03 PM
  • Here's what I found:

    http://www.sophos.com/support/knowledgebase/article/66019.html

    Specifically: ftp://SGEwinpe:SGEwinpe@ftp.ou.utimaco.de

    There is a pre-built WinPE 2.0 that can read the encrypted drive, and there are instructions on how to add the filter drivers to your own PE image using a batch file. I tried it on our WinPE 3.0 image and it is working great.

    Wednesday, September 08, 2010 2:22 PM
  • Old post, but I'm trying to get this to work in a task sequence atm.

    The filter drivers above work fine for reading the encrypted drive that WinPE gets staged on. The disk gets formatted and the Windows 7 image is applied. However, after the next reboot SafeGuard Easy still resides in the MBR, even though a config file has run that instructs SGE to allow changes to the MBR, and it hangs at "loading operating system". Tried using diskpart to clean the MBR, bootsect /mbr and bootrec /fixmbr from within the task sequence, but that doesn't work either.

    Only solution so far is, from that point, to boot from a WinPE CD (starts before the SGE PBA) and perform a bootsect /mbr, then reboot again into the task sequence, which then continues correctly.

    Any ideas on how to do this without external media?

    Wednesday, May 11, 2011 10:06 AM
  • A solution inside the Task Sequence would be to use the format.com command from the X: drive. Since the format command is already on the RAM (X:) drive, it doesn't require being copied to the encrypted partition; later, if you prefer, you can rerun diskpart.

    Command line:  FORMAT.com C: /V:System /FS:NTFS /X /Q /Y

    Start in:    x:\windows\system32

    Thursday, July 25, 2013 9:32 AM
  • The solution is not Microsoft's to provide -- the issue is caused by the third-party vendor injecting their product into the normal flow of Windows operations without accounting for this scenario. Your only real course of action is to treat all deployments as replaces and use an SMP (or UNC) for user data or contact the vendor for information on pausing or temporarily disabling the encryption during the OSD process so the drive is accessible in WinPE.

    Jason | http://blog.configmgrftw.com

    Thursday, July 25, 2013 2:20 PM