
SafeGuard Easy 4.30 and OSD in SCCM

I'm having some problems with SGE in an OS deployment, XP to Win 7 in SCCM.

The drive is to be formatted during the OSD task sequence and no data on the drive is to be saved. I've prepared the WinPE image with the filter drivers as described in article 66019 and prepared a .cfg file that disables warning messages to show when MBR has been changed and disables the restore MBR option.

The new image seems to get applied correctly and I can read the disk fine during the task sequence, but after restart the floppy icon still appears and it stops at "loading operating system". I've tried using bootsect /nt60 c: /mbr as the first step after the initial restart to WinPE, and I've also tried diskpart with the "clean" command, but none of these has worked. SGE seems to reside in the MBR no matter what I do.

Is there any solution to get SGE out of the MBR and get the drive completely clean from WinPE?

EDIT: I should add that removing SGE from the MBR works fine with diskpart and option clean when I boot to WinPE from a CD; however, this is a Zero Touch scenario, so WinPE must be staged and started from the disk. Also, we have the option to uninstall with an uninstall.cfg file, but that also means a decrypt is needed if I understand correctly, and that simply takes too long in this scenario.

  • Not sure I understand what you're trying to do... If you're PXE booting to Win PE you can do a disk clean, partition and reformat as the first step in your OSD which will remove Safeguard completely.

    You can then do a software install after your new OS is ready to reinstall SGE.

    Or did I miss something in your problem?

  • Well, almost =)

    First I run the cfg file to allow changes to the MBR. WinPE with filter drivers then gets staged on the encrypted disk, a reboot follows into WinPE, I run diskpart clean, reformat and apply the new image, another reboot follows some steps later before the applications are to get installed / re-installed. This is where it breaks since SafeGuard is somehow still in MBR. The floppy icon is still present, and it hangs on "loading operating system..."

    At this point the only working solution so far is to insert a WinPE CD and boot from that and perform "bootsect /nt60 /mbr". That will wipe the MBR and the task sequence will resume after restart and continue with the application installs /re-installs. But this is not a solution since this is a Zero Touch scenario. The MBR needs to be cleaned out completely automatically.

  • Hi John

    Just wondering if you ever found a solution to this? I'm stuck at the same point.

    Cheers.

  • Hi Donmak,

    No solution seems to exist for this particular scenario. The problem seems to be this:

    Since the task sequence uses the disk to store needed files, you need to have a WinPE prepared with the filter drivers. This enables you to read and write to the encrypted disk. However, once the filter drivers are loaded they also effectively protect the MBR from being overwritten, thereby causing a catch-22 scenario. You need the filter drivers to read the task sequence on the disk, but you can't rewrite the MBR as long as they are loaded. And without the filter drivers, you can't read the disk...

    Also tried using a tool from Sophos that was said to be able to stop the filter driver directly. Sadly this tool was meant for SafeGuard Enterprise and didn't work.

    Ended up reverting to performing a full decryption followed by an uninstallation of SGE (SGE is still present in mbr if not uninstalled) before initiating the OS deployment. So an OS deployment that could've been completed in about 2 hours if there was a way around this, now takes at least 6 hours and causes decreased performance for the user while decryption takes place.

    Let me know if you have better luck at this than me =)

  • Yep looks that way. Using bootsect.exe SCCM returns "\Device\Harddisk0\DR0    Could not write new bootcode to this disk: Access is denied."

    Have tried using commands with Bootrec.exe and no luck.

    I guess we are the only two people who have done a Safeguarded XP to Win7 refresh. Surprised about the lack of information out there. This is the only website I could find with some information about Safeguard and task sequencing (http://deploywindows.info/2011/02/14/utimaco-safeguard-easy-and-the-osd-process/).

  • Hi John,

    Just thought I'd follow up on this since I got it working.

    The fltdonothing.exe file worked a treat (obtained from Sophos support). The filter disabler is advertised as working for Enterprise 5.6 but we use Safeguard Easy 4.5 and had no issues using it (can't comment on 4.3 though) but even at worst if it doesn't work you could always upgrade your client to 4.5 without decrypting then use the filter disabler.

    Anyway for those who are interested:

    Create a config file to disable Safeguard's POA

    Add SGE filter drivers to your boot.wim (InstallSGE2WinPE20.bat can do this for you - works fine with WinPE3.0)

    Obtain FltDoNothing.exe from Sophos support

    Mount your boot.wim and insert file into windows\system32\ folder

    Add boot.wim to SCCM

    In your task sequence add the disable POA to turn off before reboot

    After reboot into PE step - add command line %systemroot%\system32\FltDoNothing.exe 1 (before format and partition disk)

    Task sequence will disable the safeguard filter drivers, then format drive, apply Windows 7 and everything else. Upon reboot SGE will no longer be in the MBR and it will boot happily into Windows 7 unencrypted.

    Saves us 6 hours per deployment decrypting... happy days!

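Added example, not part of any post in this thread: a wrapper for the "after reboot into PE" step above that stops the task sequence before the format step when FltDoNothing.exe prints the version-mismatch message reported further down the thread. The script name `DisableSgeFilter.cmd` and the log path are assumptions; the script does not rely on any exit code from FltDoNothing.exe, only on its printed output.

```batch
@echo off
rem DisableSgeFilter.cmd (hypothetical name) - added example, not the poster's script.
rem Run as a "Run Command Line" step in WinPE, before "Format and Partition Disk".
rem A non-zero exit code fails the step, so the disk is not wiped while the
rem SafeGuard filter driver is still protecting the MBR.
setlocal

set "FLT=%SystemRoot%\System32\FltDoNothing.exe"
rem Log location is an assumption; any writable WinPE path works.
set "LOG=%TEMP%\FltDoNothing.log"

rem The tool must have been copied into windows\system32 of the mounted boot.wim.
if not exist "%FLT%" (
    echo ERROR: %FLT% is not present in this boot image.
    exit /b 2
)

rem Same command line as in the steps above; capture everything it prints.
"%FLT%" 1 > "%LOG%" 2>&1
type "%LOG%"

rem Message text taken from the thread: printed when the tool version does not
rem match the installed SafeGuard filter driver.
findstr /i /c:"missing filter or wrong version" "%LOG%" >nul
if not errorlevel 1 (
    echo ERROR: filter driver was not disabled; aborting before the disk is formatted.
    exit /b 1
)

echo Filter driver disable command completed without a version error.
exit /b 0
```

Failing here leaves the encrypted XP installation untouched, so the machine can still fall back to the decrypt-and-uninstall path described earlier in the thread.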
  • John, or anyone else who has been successful with this, what version of FltDoNothing.exe are you using?

    We obtained v2.1, but it only seems to work under 5.5. We have 4.x deployed, and when running FltDoNothing.exe we are getting

    *** missing filter or wrong version

    Thoughts?

  • Hi Donmak, That is interesting news! I have version 2.1 of fltdonothing.exe. I will give this a shot tomorrow using the guide you provided
  • Hi again,

    I've just tried our ZTI task sequence using the FltDoNothing.exe (version 2.1) according to Donmak's post, but I can't get it to work. A quick call to Sophos support in the UK was rather futile as well. All they could say was that 4.30 is probably too old and that the FltDoNothing may not work for this version. A complete decryption was recommended instead.

    Donmak; you said you disabled the POA beforehand. In v. 4.30 there's an MBR protection feature. Did you make any changes to that part in your setup or is that feature removed in 4.50?

  • If you are using Safeguard Easy version 4.5, request fltdonothing.exe version 5.6 from Sophos support. The default version support will release is 2.1, which doesn't work with 4.5 when you run it in Windows PE 3.0. fltdonothing.exe version 5.6 is 99KB. Follow the steps outlined here using the 5.6 version: http://social.technet.microsoft.com/Forums/en-US/configmgrosd/thread/fd9361bb-fe67-4d2b-9fbf-d86a56dc07b7
