
McAfee Drive Encryption 7.1

Windows OS Refresh Recommended Process

Guide for Master Boot Record Systems Only

December 3rd 2013

Version: 1.0


Notices

Copyright

Copyright © 2013 McAfee Inc, McAfee Data Protection. All rights reserved.

This document contains proprietary information of McAfee Inc. and is subject to a license agreement or nondisclosure agreement. No part of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into another language, in any form or by any means, without the prior written consent of McAfee.

Trademarks

This document may make reference to other software and hardware products by name. In most if not all cases, the companies that manufacture these other products claim these product names as trademarks. It is not the intention of McAfee Inc. to claim these names or trademarks as its own.

Disclaimer

The information contained in this document is subject to change without notice.

MCAFEE INC. MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

McAfee Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

McAfee reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole discretion, without notice.

McAfee makes no commitment, implied or otherwise, to support any functionality or technology discussed or referenced in this document.


Introduction

The McAfee Drive Encryption product provides full disk encryption for enterprises.

Purpose and Scope

The purpose of this document is to provide a recommended process for refreshing systems running Windows operating systems in Master Boot Record (MBR) mode only, which are encrypted with McAfee Drive Encryption 7.1.

The purpose of the process described in this document is to refresh the Windows operating system without decrypting the hard drive and uninstalling McAfee Drive Encryption. In this guide, OS Refresh refers to the process whereby the disk hosting the operating system is cleared and a new operating system is installed by laying down an image using a tool that works at file level and not at sector level.

The process and utilities provided address the common problems that occur while maintaining the encrypted drive during an OS refresh.

Intended Audience

The intended audience for this document is IT administrators with thorough knowledge of and experience in re-imaging via Microsoft System Center 2012 R2 Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT) 2013 and McAfee Drive Encryption 7.1. These are the main products and features that you will need to have knowledge of:

• McAfee Drive Encryption administration
• Microsoft System Center 2012 R2 Configuration Manager (SCCM)
• Microsoft Windows Assessment and Deployment Kit (ADK) 4.0
• Microsoft Deployment Toolkit (MDT) 2013
• Understanding of the MBR and the PC boot process
• Understanding of the Windows Registry
• Understanding of Windows command line usage
• Understanding of the use and purpose of operating system drivers

Requirements

The minimum requirements for the server environment which hosts Microsoft System Center Configuration Manager (SCCM) are as follows:

• Microsoft System Center 2012 R2 Configuration Manager (SCCM)
• Microsoft Windows Assessment and Deployment Kit (ADK) 4.0
• Microsoft Deployment Toolkit (MDT) 2013
• User State Migration Tool (USMT)
• McAfee Drive Encryption 7.1

Any images must be captured via SCCM or MDT by following Microsoft official guidelines.

For more information please visit: http://technet.microsoft.com/en-us/library/dd744389(v=ws.10).aspx


Planning the Refresh Process

The following section describes how to plan and prepare a refresh process for Windows operating systems. This includes describing the McAfee Drive Encryption boot process, the preparation of images and the requirements for the refresh process.

Overview of the McAfee Drive Encryption Boot Process

The following diagram shows how a system with McAfee Drive Encryption active boots using the Master Boot Record (MBR) boot process.

The McAfee Drive Encryption Master Boot Record replaces the standard Master Boot Record (sector 0 of the boot disk) during activation.

The McAfee Drive Encryption MBR is referred to as the EPEMBR. Control is passed to the EPEMBR following BIOS initialization and the code contained in the EPEMBR is executed. The EPEMBR contains a pointer to the first sector of a sector chain that hosts the BootCode (safeboot.rsv), which is executed straight after the EPEMBR. It also contains a pointer to the first sector of a sector chain of the Drive Encryption file system (Safeboot.fs), which hosts the original Windows OS MBR that is executed after successful authentication.

It is important that the two files (Safeboot.rsv, Safeboot.fs) and the EPEMBR are maintained on the disk and are never moved at sector level. The files are sector chains, and copying a file from one place to another does not work as they are not real files. They appear as files inside the operating system to prevent them from being moved or overwritten.

Any Windows OS refresh process has to make sure that the EPEMBR and the two McAfee Drive Encryption files are maintained without being moved. In the case of the EPEMBR this is fairly straightforward, as it is contained within one sector; hence taking a backup and then restoring it by writing back to sector 0 is sufficient. However, for the two McAfee Drive Encryption files that span multiple sectors, the only way to preserve them is by using the Microsoft User State Migration Tool (USMT) hardlink feature. This new feature is used to preserve user files during upgrades without the requirement of taking copies to another medium, so the same can be applied to the McAfee Drive Encryption files.

When USMT runs, it creates a second pointer (hard link) to the files inside a protected folder. During the refresh process, at the point where the disk is cleared, all files are deleted apart from the ones that have hard links created.

Preparing the Operating System Images

In order to refresh an operating system, an image has to be prepared that will be laid over the encrypted disk. This can be done in a number of ways via SCCM or MDT. However, any captured image that results in a WIM file must have the McAfee Drive Encryption drivers and registry entries injected prior to the refresh process. This will allow the new system to access the disk when it tries to boot. To do this, McAfee has provided an executable called EpeWinUpgradeTool.exe for 32-bit systems and EpeWinUpgradeTool64.exe for 64-bit systems. This tool can be run from a command line with Administrator rights to inject the McAfee Drive Encryption drivers and registry amendments.


Prior to running the tool, extract the following files from MfeEEPC32.msi (for 32-bit systems) or MfeEEPC64.msi (for 64-bit systems):

• MfeEpePC.sys
• Mfeccde.sys
• MfeEpeOpal.sys

Place these files within a folder in a convenient location.

Example – C:\Drivers

From a command line, run the following command for the x64 architecture:

Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\OSWIMFILE.wim

This will inject the McAfee Drive Encryption drivers and make the necessary registry amendments in the target WIM file. Once complete, the WIM file can either be imported into the SCCM/MDT environment or have its contents re-distributed to the distribution points within SCCM/MDT.

Preparing the Windows PE Images (Boot Image)

The Windows PE environment is used for installing or refreshing operating systems. The McAfee Drive Encryption driver has to be included within the Windows PE image so the encrypted drive can be accessed by the installer. If you are planning to refresh both 32-bit and 64-bit systems, you will require two independent PE images, one for 64-bit and one for 32-bit. The procedure is the same as injecting the McAfee Drive Encryption drivers and registry amendments into an operating system WIM file.

Prior to running the EpeWinUpgrade tool, extract the following files from MfeEEPC32.msi (for 32-bit systems) or MfeEEPC64.msi (for 64-bit systems).

Note: The drivers are the same for both the operating system injection and the boot image injection:

• MfeEpePC.sys
• Mfeccde.sys
• MfeEpeOpal.sys

Place these files within a folder in a convenient location.

Example – C:\Drivers

From a command line, run the following command for the x64 architecture:

Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\BOOTWIMFILE.wim

This will inject the McAfee Drive Encryption drivers and make the necessary registry amendments in the target WIM file. Once complete, the WIM file can either be imported into the SCCM/MDT environment or have its contents re-distributed to the distribution points within SCCM/MDT.


It is also required to place a copy of the EpeWinUpgradeTool into the boot image. If the image is 32-bit use EpeWinUpgradeTool.exe; if the image is 64-bit use EpeWinUpgradeTool64.exe.

Creating LockedFiles.reg

To prevent the McAfee Drive Encryption files from being moved at sector level once the Task Sequence is complete, the following registry entry will need to be created in a file called lockedfiles.reg. Make sure the locations of SafeBoot.fs and SafeBoot.rsv in the registry file match the actual locations on disk.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles]
"0"="C:\\SafeBoot.fs"
"1"="C:\\SafeBoot.rsv"

Preparing the User State Migration Tool (USMT)

The User State Migration Tool has a number of components, but the XML file that needs to be modified is MigUser.xml. The following additions will need to be made to make sure that all required McAfee Drive Encryption files are not moved at sector level (USMT file patterns take the form "directory [filename]"):

<component type="Documents" context="System">
  <displayName>Component to migrate all McAfee Drive Encryption files</displayName>
  <role role="Data">
    <rules>
      <include>
        <objectSet>
          <pattern type="File">C:\ [SafeBoot.fs]</pattern>
          <pattern type="File">C:\ [Safeboot.rsv]</pattern>
        </objectSet>
      </include>
    </rules>
  </role>
</component>

<component type="Documents" context="System">
  <displayName>Component to migrate all McAfee Drive Encryption registry files</displayName>
  <role role="Data">
    <rules>
      <include>
        <objectSet>
          <pattern type="File">C:\ [lockedfiles.reg]</pattern>
        </objectSet>
      </include>
    </rules>
  </role>
</component>

Preparing the Target Machine for OS Refresh

The target machines will require both the EpeWinUpgrade tool and the file lockedfiles.reg to be stored locally on the PC in the root of C:\ prior to the Task Sequence being initiated.


Operating System Refresh Process Overview for PCs with McAfee Drive Encryption Active

The main requirements for a refresh process on a system with McAfee Drive Encryption active are to preserve the boot order of the system as well as the data files used by McAfee Drive Encryption. This can be accomplished using the EpeWinUpgradeTool.exe and EpeWinUpgradeTool64.exe tools, which provide several arguments to aid during the process. An overview of what is required can be broken up into three basic phases:

1st Stage - Booting on current Windows OS

• Shut down the McAfee Drive Encryption Agent service
• Capture and store the McAfee Drive Encryption MBR (EPEMBR)
• Make sure that the McAfee Drive Encryption files are part of the USMT XML definitions and insert a step so USMT hardlinks and preserves the required McAfee Drive Encryption files
• Unlock the McAfee Drive Encryption files
• Unhide the McAfee Drive Encryption files
• Restore the EPEMBR just before the system restarts, as the final step

2nd Stage - Booting on Windows PE

• Store the McAfee Drive Encryption MBR (EPEMBR) as the first step in the process
• Restore the McAfee Drive Encryption MBR (EPEMBR)

3rd Stage - Booting on new Windows OS

• Make sure that USMT runs the load state tool to restore the McAfee Drive Encryption files
• Amend the registry with LockedFiles.reg
• Hide the McAfee Drive Encryption files

EpeWinUpgradeTool Expanded

A utility was developed to allow administrators to carry out the necessary steps during the OS refresh process. As previously mentioned in this guide, the utility is called EpeWinUpgradeTool.exe (32-bit) and EpeWinUpgradeTool64.exe (64-bit). The utility can be run at the command line with administrative rights and offers the following options:

-SaveMbr <filename>               Stores the EPEMBR to the file specified by filename
-SetMbr <filename>                Restores the EPEMBR from the file specified by filename
-SetFileLocks <Lock:Unlock>       Locks or unlocks the McAfee Drive Encryption files. Use "Lock" or "Unlock" as the argument
-Inject <Drivers Dir> <Image>     Injects the McAfee Drive Encryption drivers into a WIM image
-MountWim <Image> <Mount Path>    Mounts the image in the specified directory
-UnmountWim <Mount Path> [Save]   Unmounts the image. Updates the image if "Save" is given
-ForceMBR <Filename>              Restores the MBR from the file continuously


Creating the Task Sequence

Using the Create MDT Task Sequence option within SCCM, we are now going to create the initial task sequence that will be used to refresh the operating system.

• Using the Task Sequence Wizard, select the Task Sequence Template "Client Task Sequence"
• Name the Task Sequence and add comments if required


• Enter the required details for joining a network
• It is required that an image is captured and prepared based on the steps in this document prior to this point, so there is no need to capture an image
• Select the correct architecture boot image; again, this should have been prepared as detailed in this document


• Select the required Microsoft Deployment Toolkit Package


• Specify the Operating System that will be used in the refresh process. This will need to have been prepared using the steps detailed previously in this document.


• Select the deployment method that is required


• Select the required Configuration Manager Client Package


• Specify the USMT package, making sure the package contains the amendments for MigUser.xml stated previously in this document.


• Select the correct settings package required for the client machine


• Select the required Sysprep package settings.


• Check the overall summary and complete the remaining steps until completion.
• On completion of the task sequence wizard, all mentions of FORMATTING and PARTITIONING will need to be removed or disabled. This does not prevent a refresh of the operating system; instead it will only allow the OS partition to be wiped and upgraded.
• The Task Sequence will now need to be edited to include specific EEPC tasks. The first steps will need to be added to the current task sequence under the branch State Capture. In the diagram below, the branch EpeCapture has been added, which includes the following steps:
  • Shutdown EEPC Service. This step is a command line option and requires the following string to be added to the "Command Line" field.
    SC Stop "McAfee Endpoint Encryption Agent"
  • Save EEPC MBR. This step is a command line option and requires the following string to be added to the "Command Line" field.
    EpeWinUpgradeTool.exe -SaveMBR C:\EpeMBR.dat


  • Unlock EPE Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
    EpeWinUpgradeTool.exe -setfilelocks unlock
  • Unhide EPE Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
    Attrib -r -s -h c:\safeboot.*
  • Restore EPE MBR. This step is a command line option and requires the following string to be added to the "Command Line" field. The forceMBR switch spawns a new EpeWinUpgradeTool process that keeps replacing the EPEMBR at intervals so that it is not replaced by the standard Windows MBR during the task sequence process.
    EpeWinUpgradeTool.exe -forceMBR C:\EpeMBR.dat
• The next amendment to the Task Sequence is during the WinPE stage, with the following changes, as seen in the diagram below:
  • Save EEPC MBR. This step is a command line option and requires the following string to be added to the "Command Line" field.
    EpeWinUpgradeTool.exe -SaveMBR X:\EpeMBR.dat
  • Restore EPE MBR. This step is a command line option and requires the following string to be added to the "Command Line" field.
    EpeWinUpgradeTool.exe -forceMBR X:\EpeMBR.dat


• Next, amend the newly refreshed operating system's registry and hide the Epe files that were previously unhidden. Add the following steps at the location shown in the diagram. Until the refreshed machine has been rebooted, do not run any clean-up tasks such as Windows Defrag, as the Epe files will still be in an unlocked state.
  • Registry Entry for Locked Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
    Regedit /s lockedfiles.reg
  • Hide EPE Files. This step is a command line option and requires the following string to be added to the "Command Line" field.
    Attrib +r +s +h c:\safeboot.*


• The last edit to be made is the removal of any tasks relating to the disabling or enabling of BitLocker.
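The guide's three invariants (the EPEMBR must stay in sector 0, lockedfiles.reg must match the real file locations, and after stage 3 the files must be listed under LockedFiles and re-hidden) can be verified from an elevated PowerShell prompt on the refreshed machine. This is an added example, not part of the McAfee guide or tool; it assumes the guide's paths (SafeBoot.fs and SafeBoot.rsv in the root of C:\, the EPEMBR saved to C:\EpeMBR.dat by "EpeWinUpgradeTool.exe -SaveMBR") and that the boot disk is PhysicalDrive0.

```powershell
# Added example (not McAfee code). Assumes the guide's locations: SafeBoot.fs and SafeBoot.rsv in
# C:\, the saved EPEMBR in C:\EpeMBR.dat, and the boot disk being PhysicalDrive0 (assumption; pass
# -DiskNumber otherwise). Raw reads of \\.\PhysicalDriveN need an elevated shell.
#Requires -RunAsAdministrator

$EpeFiles = @('C:\SafeBoot.fs', 'C:\SafeBoot.rsv')
$LockedFilesKey = 'HKLM:\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles'

# Read sector 0 (512 bytes) of the physical disk.
function Get-BootSector {
    param([int]$DiskNumber = 0)
    $fs = [System.IO.File]::Open("\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 512
        if ($fs.Read($buf, 0, 512) -ne 512) { throw 'short read on sector 0' }
        return ,$buf                      # leading comma keeps the byte[] intact
    } finally { $fs.Dispose() }
}

# True only if the saved file is a 512-byte MBR carrying the 0x55AA boot signature
# and sector 0 on disk is byte-for-byte identical to it, i.e. the EPEMBR survived.
function Test-EpeMbr {
    param([string]$SavedMbr = 'C:\EpeMBR.dat', [int]$DiskNumber = 0)
    $saved = [System.IO.File]::ReadAllBytes($SavedMbr)
    if ($saved.Length -ne 512 -or $saved[510] -ne 0x55 -or $saved[511] -ne 0xAA) {
        Write-Warning "$SavedMbr is not a 512-byte MBR with a 55AA boot signature"
        return $false
    }
    $disk = Get-BootSector -DiskNumber $DiskNumber
    $same = [Convert]::ToBase64String($saved) -eq [Convert]::ToBase64String($disk)
    if (-not $same) { Write-Warning 'sector 0 no longer matches the saved EPEMBR' }
    return $same
}

# Write lockedfiles.reg from the files' real on-disk paths so the registry values match the
# disk, as the guide requires. Backslashes are doubled because .reg files treat "\" as an escape.
function New-LockedFilesReg {
    param([string[]]$Files = $EpeFiles, [string]$OutFile = 'C:\lockedfiles.reg')
    $lines = @('Windows Registry Editor Version 5.00', '',
               '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles]')
    $i = 0
    foreach ($f in $Files) {
        $full = (Get-Item -LiteralPath $f -Force).FullName   # -Force: files are hidden + system
        $lines += ('"{0}"="{1}"' -f $i, $full.Replace('\', '\\'))
        $i++
    }
    Set-Content -LiteralPath $OutFile -Value $lines -Encoding Unicode   # regedit accepts UTF-16
}

# Stage 3 end state, checked after the reboot: LockedFiles lists each file, each file carries
# +r +s +h again (the guide's "Attrib +r +s +h c:\safeboot.*"), and the EPEMBR is in sector 0.
function Test-EpeRefreshEndState {
    $ok = Test-Path -LiteralPath $LockedFilesKey
    if (-not $ok) { Write-Warning "$LockedFilesKey is missing; lockedfiles.reg was not imported" }
    $locked = @()
    if ($ok) {
        $locked = (Get-ItemProperty -LiteralPath $LockedFilesKey).PSObject.Properties |
                  Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
    foreach ($f in $EpeFiles) {
        if ($locked -notcontains $f) { Write-Warning "$f is not listed under LockedFiles"; $ok = $false }
        $attr = (Get-Item -LiteralPath $f -Force).Attributes
        foreach ($a in 'ReadOnly', 'System', 'Hidden') {
            if (-not $attr.HasFlag([System.IO.FileAttributes]$a)) { Write-Warning "$f lacks $a"; $ok = $false }
        }
    }
    return ($ok -and (Test-EpeMbr))
}

Test-EpeRefreshEndState
```

Run Test-EpeMbr on its own in stage 1, right after the -SaveMBR step, to confirm the captured file is what is actually in sector 0 before the refresh proceeds; New-LockedFilesReg replaces hand-editing lockedfiles.reg when the files are not in the root of C:\.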
