Zero Touch – McAfee to Bitlocker (Wipe and Load)

OVERVIEW

I was asked to complete a task that I thought wasn't possible: my client wanted to upgrade a Windows 7 machine that was encrypted with McAfee to a Windows 10 machine that was encrypted with BitLocker.

No problem, until I was told the requirements.

  1. Has to be Zero Touch
  2. Decrypting the machine and then removing McAfee was not an option; there couldn't be a long period of time during which the machine wasn't encrypted.

An In-Place Upgrade was not an option, as we cannot change from McAfee to BitLocker without decrypting first and then encrypting with BitLocker, which would not meet the client's requirements.

So I found a great article and process from Mike Terrill, Unloading a Disk Filter Driver in WinPE, which described a process that would allow me to remove McAfee encryption inside of WinPE, which would let me wipe the drives and move forward with a bare-metal build.

PROCESS

1. Preparing the Windows PE images (Boot image)  – From McAfee PDF

The Windows PE environment is used for installing or refreshing operating systems. The McAfee Drive Encryption driver has to be included within the Windows PE image so the encrypted drive can be accessed by the installer. If you are planning to refresh for both 32‐bit and 64‐bit systems, then you will require two independent PE images, one for 64‐bit and one for 32‐bit respectively. To do this the procedure is the same as injecting the McAfee Drive Encryption drivers and registry amendments into an Operating System WIM file.

Prior to running the EpeWinUpgrade Tool extract the following files from the MfeEEPC32.msi (for 32bit systems) or the MfeEEPC64.msi (for 64bit systems).

Note: The drivers are the same for both the Operating System injection and the Boot Image injection:

▪ MfeEpePC.sys
▪ Mfeccde.sys
▪ MfeEpeOpal.sys

Place these files within a folder located in a convenient location.

Example – C:\Drivers

From a command line run the following command for x64 architecture:

Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\BOOTWIMFILE.wim

This will inject the McAfee Drive Encryption drivers and make the necessary registry amendments in the target WIM file. Once complete the WIM file can either be imported into the SCCM/MDT environment or have its contents re‐distributed to the distribution points within SCCM/MDT.

It is also required to place a copy of the EpeWinUpgradeTool into the boot image. If the image is 32‐bit use the EpeWinUpgradeTool.exe if the image is 64‐bit use the EpeWinUpgradeTool64.exe.

2. Update your Task Sequence to Temporarily Unlock McAfee Encryption

PrepareMBRDrive

Update your Task Sequence to include the options to temporarily unlock McAfee Encryption in WinPE. For MBR systems you will need to run a set of commands in Windows prior to rebooting to WinPE; for GPT systems this is not required.

Create steps to copy the required registry files and the EpeWinUpgradeTool64.exe tool to the root of the C drive. I created a package that contained the required files and used the following steps to copy the files to the correct location:

Task Sequence Group: Prepare MBR Drive

PrepareMBRDriveGroup

Task Sequence Group: Copy EEP Files to C (MBR)

CopyEEPFilesToC

  • Copy Reg Files to C (MBR)

    CopyRegFileToC
    Commandline: cmd.exe /c xcopy "lockedfiles.reg" c:\
  • Copy WinUpgrade Tool to C

    CopyWinUPgradeToolToC
    Commandline: cmd.exe /c xcopy "EpeWinUpgradeTool64.exe" c:\

Task Sequence Group: Prepare Drive (MBR)

PrepareDriveMBR

  • Shutdown McAfee EEPC Service

    ShutdownEEPCService
    Commandline: SC Stop "McAfee Endpoint Encryption Agent"
  • Save EEPC MBR

    SaveEEPCMBR
    Commandline: c:\EpeWinUpgradeTool64.exe -SaveMBR C:\EpeMBR.dat
  • Unlock the MBR

    UnlockEPEFiles
    Commandline: c:\EpeWinUpgradeTool64.exe -setfilelocks unlock
  • Unhide Safeboot Files

    UnhideEPEFIles
    Commandline: Attrib -r -s -h c:\safeboot.*
  • Force-Restore MBR

    RestoreEPEMBR
    Commandline: c:\EpeWinUpgradeTool64.exe -forceMBR c:\EpeMBR.dat

Task Sequence Group: Restart Computer

  • Restart Computer

    RestartInPE

3. Remove McAfee Encryption in WinPE

InstallOS

Task Sequence Group: Install Operating System

Task Sequence Group: Update WinPE

  • Copy Devcon x64 and Scripts to WinPE
CopyDevConAndScriptsToWimPE
Commandline: xcopy *.* x:\windows\system32 /Q /Y /R

Task Sequence Group: McAfee Removal

Task Sequence Group: Take Disk Offline

  • Diskpart Offline
DiskPartOffline
Commandline: xcopy *.* x:\windows\system32 /Q /Y /R

Contents of takeoffline.txt

takeofflinetext

Task Sequence Group: Remove McAfee Filter

  • Remove McAfee DiskFilter
RemoveMcAfeeFilter
Commandline: x:\windows\system32\devcon.exe classfilter diskdrive upper !MfeEpePc
  • Restart IDE Drives
RestartIDEDrives
Commandline: x:\windows\system32\devcon.exe restart ide\*
  • Restart SCSI Drives
RestartSCSIDrives
Commandline: x:\windows\system32\devcon.exe restart scsi\*

Task Sequence Group: Take Disk Online

  • Diskpart Online
DiskPartOnline
Commandline: These are the Default Settings, adjust to meet your environment

Contents of takeonline.txt

takeonlinetext
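
The WinPE removal sequence above (offline, remove filter, restart devices, online) as one batch script with a check that the filter is really gone before the disk is repartitioned. This is an added example, not part of the original task sequence; the diskpart script contents and the `diskpart /s` invocation are assumptions, since the post shows the text files only as images, and disk 0 is assumed to be the encrypted disk.

```batch
@echo off
rem Added example; not part of the original task sequence.
rem Assumptions: disk 0 is the McAfee-encrypted disk, and devcon.exe was
rem copied to X:\Windows\System32 by the "Update WinPE" step.
setlocal
set "SYS=X:\Windows\System32"

rem Assumed diskpart script contents (the post shows them only as images).
> "%SYS%\takeoffline.txt" (
  echo select disk 0
  echo offline disk
)
> "%SYS%\takeonline.txt" (
  echo select disk 0
  echo online disk
)

rem 1. Take the disk offline before the filter is unloaded.
diskpart /s "%SYS%\takeoffline.txt" || goto :fail

rem 2. Remove the McAfee upper class filter (command from the post).
rem    devcon exit codes: 0 = success, 1 = restart needed, 2 = failure, 3 = syntax error.
"%SYS%\devcon.exe" classfilter diskdrive upper !MfeEpePc
if errorlevel 2 goto :fail

rem 3. Restart the disk device stacks so they reload without the filter.
rem    A pattern may match no devices on a given machine, so results are not checked.
"%SYS%\devcon.exe" restart ide\*
"%SYS%\devcon.exe" restart scsi\*

rem 4. Verify: list the remaining upper filters and stop if MfeEpePc is still there.
"%SYS%\devcon.exe" classfilter diskdrive upper | find /i "MfeEpePc" >nul
if not errorlevel 1 goto :fail

rem 5. Bring the disk back online for the Partition Disk step.
diskpart /s "%SYS%\takeonline.txt" || goto :fail
echo McAfee disk filter removed; disk 0 is online.
exit /b 0

:fail
echo McAfee filter removal failed; stopping before the disk is partitioned. 1>&2
exit /b 1
```

Run as a single Run Command Line step, a non-zero exit fails the task sequence before Partition Disk and Pre-provision BitLocker run.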

Task Sequence Group: Partition Disk

  • Partition Disk 0 – BIOS
PartitionMBR
These are the Default Settings, adjust to meet your environment
  • Partition Disk 0 – UEFI
PartitionUEFI
These are the Default Settings, adjust to meet your environment

Task Sequence Step: Pre-provision BitLocker

PreprovisionBitlocker
These are the Default Settings, adjust to meet your environment

Task Sequence Group: Apply Image and Settings

Add your steps of applying your Windows Image and all of the settings, configurations, applications, etc.

Task Sequence Step: Enable BitLocker

EnableBitlocker
These are the Default Settings, adjust to meet your environment

DOWNLOADS

Download Sample Task Sequence

REFERENCES

Mike Terrill | McAfee Documentation