This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Boot to Windows PE in Task Sequence

Hello,

 

I intend to re image several hundred devices and need to pull user data off using SCCM task sequence. I have already worked with support and they gave me a document to skip through the POA on startup and use FLTdoNothing.exe to "unlock" the drive. My issue is, it does not see the disk (I am assuming) because of the POA? Any ideas out there on how to do this? My task sequence works great on an Unencrypted machine. 

 

thanks



This thread was automatically locked due to age.
  • Hi Patrick,

    Please help me with the following"

    1. Is the drive slaved?

    2. Is the drive still on the machine?

    3. Is the drive requiring a CR to log in?

    4. Do you want to access the data on all 200 drives?

    If the machine is still accessible you can just copy it from each machine. I believe the following information may help you with the current scenario. 

     

    1. Create a config file to disable Safeguards POA

    2. Add SGE filter drivers to your boot.wi m (InstallSGE2WinPE20 .bat can do this for you - works fine with WinPE3.0)

    3. Obtain FltDoNothing.exe from Sophos support

    4. Mount your boot.wim and insert file into windows\system32\ folder

    5. Add boot.wim to SCCM

    6. In your task sequence add the disable POA to turn off before reboot

    After rebooting into PE step - add command line %systemroot%\system32\FltDoNothing.exe 1 (before format and partition disk)

    Task sequence will disable the safeguard filter drivers, then format drive, apply Windows 7 and everything else. Upon reboot, SGE will no longer be in the MBR and it will boot happily into Windows 7 unencrypted.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 1. Is the drive slaved?  No it is not

    2. Is the drive still on the machine?  Yes it is

    3. Is the drive requiring a CR to log in?  No, it is not. it is a working Win 7 machine that you can log into with domain credentials

    4. Do you want to access the data on all 200 drives?  SCCM will do the user profile upload to the state store. 

     

    Below is the instruction I received from support which is pretty much what you have suggested. I have tried it several times, and when it boots to PE it fails at initializing hardware devices. 

     

    Here is the KB below to re-deploy Windows on to SafeGuard Enterprise encrypted clients

    Issue
    This article describes how to take a system that is encrypted with SGN 5.50.x and above and re-image it via SCCM to a point where either Windows XP or Windows 7 is re-installed and ready to be encrypted again. This process will include backing up user data.

    This article assumes that you already have your own Windows Image file and just need to make the necessary changes.

    NOTE: SCCM uses PE 3.0. Since the Windows PE 3.0 (WIM) image is applied to the encrypted hard drive (while the existing OS is up and running), when the machine reboots and attempts to boot into PE this process will fail. To work around this issue, you must insert the SGN filter drivers into your PE WIM image .

    Known to apply to the following Sophos product(s) and version(s)

    SafeGuard Device Encryption 5.50 and above

    Operating systems

    Windows XP
    Windows 7

    Download: FltDoNothing

    What to do

    1. Copy the appropriate SCCM Windows PE WIM file to your system.
    2. Install SafeGuard Enterprise on to a system that has the Windows Automate Installation Kit 2.0 / 3.0 already installed.
    3. Click start > Programs > Microsoft Windows AIK > Windows PE Tools Command Prompt. (Run as Administrator!)
    4. In the command prompt type: "copype.cmd x86 c:\sources" (or a directory of your choosing) this directory will be created automatically.
    5. Copy ADDSGN2WINPE.cmd (located in c:\program files\sophos\safeguard enterprise\BaseEncryption\) and ImageX (C:\Program Files\Windows AIK\Tools\x86\Imagex.exe) to this directory
    6. Copy the PE WIM file to be used by SCCM into this directory.
    7. From the command line run "ADDSGN2WINPE2 SCCM.wim". This command will then mount the .wim file and copy the filter drivers to the windows\system32\drivers directory. It will also update the registry. Please note that "boot.wim" must be the name of the respective Win PE WIM file that will be used to boot the clients.
    8. Copy fltdonothing.exe to the WIM file:
      Mount the WIM:
      • Type Imagex.exe /mountrw "image_file" 1 "image_path" (i.e. c:\sources\imagex.exe /mountrw c:\sources\boot.wim 1 c:\sources\mount).
      • Change to the directory where the WIM is mounted to (i.e. c:\sources\mount\)
      • Copy fltdonothing.exe to this directory (i.e. c:\sources\mount\program files\fltdonothing.exe) and close the explorer window
      • Commit and save the modified image file using Imagex: (i.e. c:\sources>imagex.exe /unmount /commit c:\sources\mount\)
    9. The WIM file may now be uploaded and staged in the appropriate directory within your SCCM infrastructure.

    Overview of re-imaging process

    Preliminary steps:

    • In the SafeGuard Enterprise Management Console, enable the Secure Wake on LAN policy for the client to be re-imaged
    • Targeted SafeGuard Enterprise Clients need to be synchronized with the SafeGuard Enterprise Server to download new policy

    Within the SCCM task sequence, when re-imaging a machine the following takes place :

    1. C:\windows\system32\sgmcmdintn.exe -wolstart is run on the target computer. This disables POA allowing the system to reboot several times without requiring an authentication.
    2. SCCM pushes PE WIM to targeted system and reconfigures the boot configuration data to boot into PE upon reboot
    3. Target machine reboots,
      • Auto-login via POA
      • Loads PE WIM (which receives keys for filter drivers from POA)
      • SCCM backs up user data (via USMT to a State Migration Point)
      • X:\windows\system32\fltdonothing.exe 1 is executed. This disables the SafeGuard Enterprise filter drivers.
      • SCCM repartitions HD
      • SCCM lays down new OS
      • Applies hardware drivers
      • Sets-up OS and installs the SCCM Client
      • Install Updates/ Patches
      • Installs additional applications (if necessary)
      • Restores user state (via USMT from the State Migration Point)
      • Target system reboots
    4. On reboot the system no longer goes via POA. All data is now stored on the disk in clear.
    5. System joins domain.
    6. SGN installed.
    7. Drive encrypts.
  • Are there updated instructions to this?  I've tried following these but when I run ADDSGN2WINPE2 it doesn't find the drivers to inject into the .wim.  Also we use 64 bit architecture in our environment and Microsoft Windows AIK hasn't been around for while.

    So I was hoping for a more modern version of these instructions as we are trying to upgrade Windows 7 to Windows 10 and the machines with Safeguard 5.6 installed are taking a long time due to having to decrypt them first.