
McAfee Drive Encryption 7.x

Windows OS Refresh Process Guide for MBR Systems

Revision B

Last updated: 13 April 2018

Contents

Disclaimer Introduction Planning the refresh process Creating the Task Sequence

Disclaimer The information contained in this document is subject to change without notice.

MCAFEE, LLC MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

McAfee shall not be liable for errors contained herein or for incidental or consequential damages in connection

with the furnishing, performance, or use of this material.

McAfee reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole

discretion, without notice.

McAfee makes no commitment, implied or otherwise, to support any functionality or technology discussed or

referenced in this document.


Introduction

The McAfee Drive Encryption product provides full disk encryption for enterprises.

Purpose and scope

The purpose of this document is to provide a recommended process for refreshing systems running Windows operating systems in Master Boot Record (MBR) mode only, which are encrypted with McAfee Drive Encryption 7.x.

The process described in this document refreshes the Windows operating system without decrypting the hard drive or uninstalling McAfee Drive Encryption. In this guide, OS Refresh refers to the process whereby the disk hosting the operating system is cleared and a new operating system is installed by laying down an image with a tool that works at file level, not at sector level. The process and utilities provided address the common problems that occur while the drive is kept encrypted during the OS refresh.

Intended audience

The intended audience for this document is IT administrators with thorough knowledge of and experience in re-imaging via Microsoft System Center 2016 Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT) 6.3 and McAfee Drive Encryption 7.x.

Here are the main products and features that you will need to have knowledge of:

▪ McAfee Drive Encryption administration

▪ Microsoft System Center 2016 Configuration Manager (SCCM)

▪ Microsoft Windows 10 Assessment and Deployment Kit (ADK)

▪ Microsoft Deployment Toolkit (MDT) 6.3

▪ Understanding of MBR and PC boot process

▪ Understanding of Windows Registry

▪ Understanding of Windows command line usage

▪ Understanding of the use and purpose of Operating System drivers

Requirements

The minimum requirements for the server environment which hosts the Microsoft System Center Configuration Manager (SCCM) are as follows:

▪ Microsoft System Center 2016 Configuration Manager (SCCM)

▪ Microsoft Windows 10 Assessment and Deployment Kit (ADK)

▪ Microsoft Deployment Toolkit (MDT) 6.3

▪ User State Migration Tool (USMT)

▪ McAfee Drive Encryption (DE) 7.1.x, DE 7.2.x

Any images must be captured via SCCM or MDT by following Microsoft official guidelines.

For more information please visit: http://technet.microsoft.com/en-us/library/dd744389(v=ws.10).aspx


Planning the refresh process

The following section describes how to plan and prepare a refresh process for Windows operating systems. It describes the McAfee Drive Encryption boot process, the preparation of images, and the requirements for the refresh process.

Overview of the McAfee Drive Encryption Boot Process

The following diagram shows how a system with McAfee Drive Encryption active boots using the Master Boot Record (MBR) boot process.

[Diagram: MBR boot sequence on a system with McAfee Drive Encryption active (BIOS > EPEMBR > BootCode > authentication > original Windows MBR); image not reproduced in this transcript]

The McAfee Drive Encryption Master Boot Record replaces the standard Master Boot Record (Sector 0 of the boot

disk) during activation.

The McAfee Drive Encryption MBR is referred to as the EPEMBR. Control is passed to the EPEMBR following BIOS initialization and the code contained in the EPEMBR is executed. The EPEMBR contains a pointer to the first sector of a sector chain that hosts the BootCode (Safeboot.rsv), which is executed straight after the EPEMBR. It also contains a pointer to the first sector of a sector chain holding the Drive Encryption file system (Safeboot.fs), which hosts the original Windows MBR that is executed after successful authentication.

It is important that the two files (Safeboot.rsv, Safeboot.fs) and the EPEMBR are kept on the disk and are never moved at a sector level. The two files are sector chains rather than regular files, so copying them from one place to another does not work. They are presented as files inside the operating system only so that the sectors they occupy are not moved or overwritten.

Any Windows OS refresh process has to make sure that the EPEMBR and the two McAfee Drive Encryption files are preserved without being moved. For the EPEMBR this is fairly straightforward: it occupies a single sector, so taking a backup and then restoring it by writing it back to sector 0 is sufficient. For the two McAfee Drive Encryption files, which span multiple sectors, the only way to preserve them is the hardlink feature of the Microsoft User State Migration Tool (USMT). This feature is used to preserve user files during upgrades without copying them to other media, and the same mechanism can be applied to the McAfee Drive Encryption files.

When USMT runs, it creates a second pointer (a hard link) to the files inside a protected folder. During the refresh process, at the point where the disk is cleared, all files are deleted apart from the ones that have hard links created.

Preparing the Operating System images

In order to refresh an operating system, an image has to be prepared that will be laid over the encrypted disk. This can be done in a number of ways via SCCM or MDT. However, any captured image that results in a WIM file must have the McAfee Drive Encryption drivers and registry entries injected prior to the refresh process; this allows the new system to access the encrypted disk when it tries to boot. To do this McAfee provides an executable called EpeWinUpgradeTool.exe for 32-bit systems and EpeWinUpgradeTool64.exe for 64-bit systems. The tool is run from a command line with Administrator rights to inject the McAfee Drive Encryption drivers and registry amendments.

Prior to running the tool, extract the following files from MfeEEPC32.msi (for 32-bit systems) or MfeEEPC64.msi (for 64-bit systems):

▪ MfeEpePC.sys

▪ Mfeccde.sys

▪ MfeEpeOpal.sys

Place these files within a folder located in a convenient location:


Example – C:\Drivers

From a command line, run the following command for x64 architecture:

Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\OSWIMFILE.wim

This injects the McAfee Drive Encryption drivers and makes the necessary registry amendments in the target WIM file. Once complete, the WIM file can either be imported into the SCCM/MDT environment or have its contents redistributed to the distribution points within SCCM/MDT.

Preparing the Windows PE images (Boot image)

The Windows PE environment is used for installing or refreshing operating systems. The McAfee Drive Encryption driver has to be included in the Windows PE image so the installer can access the encrypted drive. If you plan to refresh both 32-bit and 64-bit systems, you will need two independent PE images, one for 64-bit and one for 32-bit. The procedure is the same as injecting the McAfee Drive Encryption drivers and registry amendments into an Operating System WIM file.

Prior to running the EpeWinUpgrade Tool, extract the following files from MfeEEPC32.msi (for 32-bit systems) or MfeEEPC64.msi (for 64-bit systems).

Note: The drivers are the same for both the Operating System injection and the Boot Image injection:

▪ MfeEpePC.sys

▪ Mfeccde.sys

▪ MfeEpeOpal.sys

Place these files within a folder located in a convenient location.

Example – C:\Drivers

From a command line, run the following command for x64 architecture:

Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\BOOTWIMFILE.wim

This injects the McAfee Drive Encryption drivers and makes the necessary registry amendments in the target WIM file. Once complete, the WIM file can either be imported into the SCCM/MDT environment or have its contents redistributed to the distribution points within SCCM/MDT.

A copy of the EpeWinUpgradeTool must also be placed in the boot image: use EpeWinUpgradeTool.exe for a 32-bit image and EpeWinUpgradeTool64.exe for a 64-bit image.

Creating LockedFiles.reg

To prevent the McAfee Drive Encryption files from being moved at a sector level once the Task Sequence is complete, the following registry entries need to be created in a file called lockedfiles.reg. Make sure the locations of SafeBoot.fs and SafeBoot.rsv in the registry file match the actual locations on disk. Note that in a .reg file every backslash in REG_SZ data is doubled and every string value must be closed with a quote, otherwise the import fails.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles]
"0"="C:\\SafeBoot.fs"
"1"="C:\\SafeBoot.rsv"


Preparing the User State Migration Tool (USMT)

The User State Migration Tool has a number of components, but the XML file that needs to be modified is MigUser.xml. The following additions need to be made so that all required McAfee Drive Encryption files are hardlinked rather than moved at a sector level:

<component type="Documents" context="System">
  <displayName>Component to migrate all McAfee Drive Encryption files</displayName>
  <role role="Data">
    <rules>
      <include>
        <objectSet>
          <pattern type="File">C:\[SafeBoot.fs]</pattern>
          <pattern type="File">C:\[Safeboot.rsv]</pattern>
        </objectSet>
      </include>
    </rules>
  </role>
</component>
<component type="Documents" context="System">
  <displayName>Component to migrate all McAfee Drive Encryption registry files</displayName>
  <role role="Data">
    <rules>
      <include>
        <objectSet>
          <pattern type="File">C:\[lockedfiles.reg]</pattern>
        </objectSet>
      </include>
    </rules>
  </role>
</component>
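The lockedfiles.reg file and the MigUser.xml additions above must name the same files: a path that is locked but not hardlinked is deleted when the disk is cleared, and a path that is hardlinked but not locked can be moved later. A typo in either file (such as an unterminated string in the .reg file, which regedit rejects) breaks stage 3 silently. The following Python script is an added example, not McAfee's or Microsoft's code: it parses both artefacts offline on the administrator's workstation and cross-checks them. The sample .reg and XML text, the `<migration>` wrapper element used to make the fragment parse on its own, and all helper names are constructed here.

```python
"""Cross-check lockedfiles.reg against the MigUser.xml additions.
Added example, not McAfee's or Microsoft's code. SAMPLE_REG and SAMPLE_XML
are constructed to mirror the guide; the <migration> wrapper element and
all helper names are assumptions made here."""
import re
import xml.etree.ElementTree as ET

# Constructed sample .reg (REG_SZ data doubles every backslash; each string
# must be closed with a quote or regedit rejects the file).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles]
"0"="C:\\SafeBoot.fs"
"1"="C:\\SafeBoot.rsv"
'''

# Constructed sample: the guide's two <component> blocks under a root element
# so the fragment parses on its own.
SAMPLE_XML = r'''<migration>
  <component type="Documents" context="System">
    <displayName>McAfee Drive Encryption files</displayName>
    <role role="Data"><rules><include><objectSet>
      <pattern type="File">C:\[SafeBoot.fs]</pattern>
      <pattern type="File">C:\[Safeboot.rsv]</pattern>
    </objectSet></include></rules></role>
  </component>
  <component type="Documents" context="System">
    <displayName>McAfee Drive Encryption registry file</displayName>
    <role role="Data"><rules><include><objectSet>
      <pattern type="File">C:\[lockedfiles.reg]</pattern>
    </objectSet></include></rules></role>
  </component>
</migration>'''

REG_HEADER = "Windows Registry Editor Version 5.00"
LOCKED_KEY = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles]"
# "name"="data": data may contain \\ or \" escapes; the closing quote is mandatory.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# USMT file pattern syntax: DIR\[FILE]
PATTERN_RE = re.compile(r"^(?P<dir>.+)\\\[(?P<file>[^\]]+)\]$")


def parse_locked_files(reg_text):
    """Return {value name: path} for the LockedFiles key, unescaping the data.
    Raises ValueError for a missing header, a missing key or a malformed line."""
    lines = [ln.strip() for ln in reg_text.splitlines()]
    if not lines or lines[0] != REG_HEADER:
        raise ValueError("missing header line %r" % REG_HEADER)
    values, in_key, seen_key = {}, False, False
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("["):  # a new key; registry key names are case-insensitive
            in_key = line.lower() == LOCKED_KEY.lower()
            seen_key = seen_key or in_key
            continue
        if not in_key:
            continue
        m = VALUE_RE.match(line)
        if not m:
            raise ValueError("malformed value line: %s" % line)
        values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    if not seen_key:
        raise ValueError("LockedFiles key not present")
    return values


def usmt_file_patterns(xml_text):
    """Return the set of full paths named by <pattern type="File"> elements."""
    paths = set()
    for pat in ET.fromstring(xml_text).iter("pattern"):
        if pat.get("type") != "File":
            continue
        m = PATTERN_RE.match((pat.text or "").strip())
        if not m:
            raise ValueError("unexpected USMT pattern: %r" % pat.text)
        paths.add(m.group("dir") + "\\" + m.group("file"))
    return paths


def cross_check(reg_text, xml_text, required=(r"C:\SafeBoot.fs", r"C:\SafeBoot.rsv")):
    """Return a list of problems; an empty list means the two artefacts agree."""
    locked = {p.lower() for p in parse_locked_files(reg_text).values()}
    migrated = {p.lower() for p in usmt_file_patterns(xml_text)}
    problems = []
    for path in required:
        if path.lower() not in locked:
            problems.append("%s is not listed in lockedfiles.reg" % path)
        if path.lower() not in migrated:
            problems.append("%s is not hardlinked by the USMT XML" % path)
    if r"c:\lockedfiles.reg" not in migrated:
        problems.append("lockedfiles.reg is not migrated, so stage 3 cannot import it")
    return problems


if __name__ == "__main__":
    print(cross_check(SAMPLE_REG, SAMPLE_XML) or "lockedfiles.reg and MigUser.xml agree")
```

To run it against real files, read lockedfiles.reg with `encoding="utf-16"` if it was exported by regedit (version 5.00 files are Unicode) and pass the full MigUser.xml text; the cross-check is case-insensitive because both NTFS paths and registry key names are.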

Preparing the Target Machine for OS refresh

The target machines require both the EpeWinUpgrade tool and the file lockedfiles.reg to be stored locally on the PC in the root of C:\ before the Task Sequence is initiated.

OS Refresh process overview for PCs with McAfee Drive Encryption active

The main requirements for a refresh process on a system with McAfee Drive Encryption active are to preserve the boot order of the system as well as the data files used by McAfee Drive Encryption. This can be accomplished using the EpeWinUpgradeTool.exe and EpeWinUpgradeTool64.exe tools, which provide several arguments to aid during the process. What is required can be broken up into three basic stages.

1st Stage ‐ Booting on current Windows OS

▪ Shut down the McAfee Drive Encryption Agent service

▪ Capture and store the McAfee Drive Encryption MBR (EPEMBR)

▪ Make sure that the McAfee Drive Encryption files are part of the USMT XML definitions and insert a step so

USMT hardlinks and preserves the required McAfee Drive Encryption files

▪ Unlock McAfee Drive Encryption files

▪ Unhide McAfee Drive Encryption files

▪ Restore EPEMBR just before the system restarts as final step

2nd Stage ‐ Booting on Windows PE

▪ Store McAfee Drive Encryption MBR (EPEMBR) as first step in the process

▪ Restore McAfee Drive Encryption MBR (EPEMBR)


3rd Stage ‐ Booting on new Windows OS

▪ Make sure that USMT runs the load state tool to restore McAfee Drive Encryption files

▪ Amend registry with LockedFiles.reg

▪ Hide McAfee Drive Encryption files

EpeWinUpgradeTool Expanded

A utility was developed to allow administrators to carry out the necessary steps during the OS refresh process. As previously mentioned in this guide, the utility is called EpeWinUpgradeTool.exe (32-bit) and EpeWinUpgradeTool64.exe (64-bit). The utility can be run at the command line with administrative rights and offers the following options:

-SaveMbr <filename>              Stores the EPEMBR to the file specified by filename
-SetMbr <filename>               Restores the EPEMBR from the file specified by filename
-SetFileLocks <Lock:Unlock>      Locks or unlocks the McAfee Drive Encryption files; use "Lock" or "Unlock" as the argument
-Inject <Drivers Dir> <Image>    Injects the McAfee Drive Encryption drivers into a WIM image
-MountWim <Image> <Mount Path>   Mounts the image in the specified directory
-UnmountWim <Mount Path> [Save]  Unmounts the image; updates the image if "Save" is given
-ForceMBR <Filename>             Restores the MBR from the file continuously
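Before an EPEMBR dump produced by -SaveMbr is written back with -SetMbr or -ForceMBR, it is worth confirming that the file is a plausible sector 0, and that dumps taken at different stages (stage 1 in Windows, stage 2 in Windows PE) still describe the same partition table, since a repartitioned disk would leave the encrypted volume somewhere the restored EPEMBR does not expect. The Python below is an added example, not McAfee's tool or code: it checks only the generic MBR layout (512 bytes, the 0x55AA signature at offset 510, four 16-byte partition entries at offset 446) and assumes the EPEMBR keeps that standard layout; it knows nothing about the EPEMBR's own pointers to Safeboot.rsv and Safeboot.fs. The sample MBR bytes and the function names are constructed here.

```python
"""Sanity checks on an EPEMBR dump written by '-SaveMbr' before it is used
with '-SetMbr' or '-ForceMBR'. Added example, not McAfee's code: it checks
only the generic MBR layout (512 bytes, 0x55AA signature, four 16-byte
partition entries at offset 446) and assumes the EPEMBR keeps that layout;
it knows nothing about the EPEMBR's own pointers to Safeboot.rsv/Safeboot.fs.
The sample bytes built by build_sample_mbr() are constructed here."""
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446          # partition table start
SIG_OFFSET = 510         # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def partition_table(data):
    """Decode the non-empty partition entries as (bootable, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        boot, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, data, PT_OFFSET + 16 * i)
        if ptype != 0:
            entries.append((boot == 0x80, ptype, lba, count))
    return entries


def check_mbr_dump(data):
    """Return a list of problems with a saved sector-0 image (empty = plausible)."""
    if len(data) != SECTOR_SIZE:
        return ["dump is %d bytes, expected %d" % (len(data), SECTOR_SIZE)]
    problems = []
    if data[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xaa":
        problems.append("missing 0x55AA boot signature")
    if not any(data[:PT_OFFSET]):
        problems.append("boot code area is all zeros; this is not a live MBR")
    if not partition_table(data):
        problems.append("partition table is empty")
    return problems


def same_disk_layout(dump_a, dump_b):
    """True when two dumps (e.g. stage 1 in Windows, stage 2 in WinPE) describe
    the same partition table; a difference means the disk was repartitioned."""
    return partition_table(dump_a) == partition_table(dump_b)


def build_sample_mbr():
    """Constructed 512-byte MBR: placeholder boot code and one bootable NTFS
    (type 0x07) partition starting at LBA 2048 and spanning 204800 sectors."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\xfe\x90"  # jmp $ ; nop  (placeholder boot code)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    mbr[SIG_OFFSET:SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    # Pass the path of an EpeMBR.dat to check it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(check_mbr_dump(data) or "MBR dump looks plausible", partition_table(data))
```

Run it as `python check_mbr.py C:\EpeMBR.dat` (file name assumed from the task sequence steps) after the Save EEPC MBR step; an empty problem list and a partition table matching the pre-refresh disk are what a correct dump looks like.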


Creating the Task Sequence

1) On the SCCM console go to Software Library > Operating System > Task Sequence

2) Right click and select Create Task sequence

3) Select Install an existing image package


4) Task sequence information > boot image = the boot image with MDE drivers injected

5) On Install Windows

a) Image = the new OS image with MDE drivers injected

b) Partition and format the target computer before installing the operating system = off

c) Configure task sequence for use with BitLocker, as shown below


6) On Install configuration management client, use the default

7) On Configure state migration:

a) Select a USMT package, the default one from Windows ADK 5 or above is ok

b) Select Save user settings and files locally, also enable Capture locally by using link instead of by

copying files


8) Complete the wizard

9) In the Software Library workspace, click Task Sequences, right-click on the task sequence just created, and then click Edit

10) Add these steps within Capture State:

a) click on add > new group

i) name = Backup EEPC MBR

ii) Go to options > add condition:

▪ variable = _SMSTSBootUEFI

▪ condition = not equal

▪ value = true

b) Click on Add > general > Run Command Line

i) name = Shutdown MDE services

ii) Commandline = net Stop "McAfee Endpoint Encryption Agent"

c) Go to Options > enable Continue on error

i) Click on Add > general > Run Command Line

ii) name = Save EEPC MBR

iii) command line = \EpeWinUpgradeTool64.exe -SaveMbr C:\EpeMBR.dat

d) Click on Add > general > Run Command Line

i) name = Unlock EPE Files

ii) command line = \EpeWinUpgradeTool64.exe -SetFileLocks Unlock

e) Click on Add > general > Run Command Line

i) name = Unhide EPE files

ii) command line = attrib +r +s +h c:\safeboot.*

f) Click on Add > general > Run Command Line

i) name = Restore EEPC MBR

ii) command line = \EpeWinUpgradeTool64.exe -ForceMbr C:\EpeMBR.dat

g) Click on Capture User Files and Settings (the one under Capture Files and Settings > Capture User Files

and Settings)

i) Select Customize how user profiles are captured

ii) Click on Files

iii) add MigUser.xml


iv) Enable verbose logging = on

v) Continue if some files cannot be captured = off

vi) Capture locally by using link instead of by copying files = on

11) Add these steps within Install Operating System

a) Click on Restart in Windows PE > add > new group

i) name = Backup EEPC MBR

ii) Go to options > add condition:

▪ variable = _SMSTSBootUEFI

▪ condition = not equal

▪ value = true

b) Click on Add > general > Run Command Line

i) name = Unlock EPE Files

ii) command line = \EpeWinUpgradeTool64.exe -SetFileLocks Unlock

c) Click on Add > general > Run Command Line

i) name = Save EEPC MBR

ii) command line = \EpeWinUpgradeTool64.exe -SaveMbr x:\EpeMBR.dat

d) Click on Add > general > Run Command Line

i) name = Restore EEPC MBR

ii) command line = \EpeWinUpgradeTool64.exe -ForceMbr x:\EpeMBR.dat

e) Click on Apply Operating System > add > new group


i) name = Restore MDE PBFS

ii) Go to options > add condition:

▪ variable = _SMSTSBootUEFI

▪ condition = not equal

▪ value = true

f) Click on Add > user state > restore user state

i) name = Restore User Files and Settings

ii) User state migration tool = use the same tool

iii) Continue if some files cannot be restored = off

iv) Enable verbose logging = ok


Copyright © 2018 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other

marks and brands may be claimed as the property of others.
