One cool thing if you are using the SMP. You need not do anything special to 
restore the data when doing two separate TS's. CM will see it's a bare metal on 
the same hardware that has data in the SMP and put it back. I didn't like 
using the SMP so I used a UDI wizard to point to the share where the data was 
stored. Either way works but it's 2 TS's.



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Merenda, Kenneth
Sent: Tuesday, April 22, 2014 12:43 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Wipe the PGP MBR in a task sequence

Daniel –

How do you get it to reboot to PXE? If I could do that, I'd be set. The TS 
can't download the boot image because it would be stored on the encrypted 
drive, but if the TS could reboot and then load the boot image over PXE, that 
would be perfect.

-Kenneth

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Daniel Ratliff
Sent: Tuesday, April 22, 2014 12:30 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Wipe the PGP MBR in a task sequence

Also note, just because it's not a single task sequence does not mean it can't be 
'kicked off and walk away'.

We do our ZTI migrations with a backup TS that adds the machine to a 
collection, reboots to PXE, and runs a 2nd task sequence. All one click.

Daniel Ratliff

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Marcum, John
Sent: Tuesday, April 22, 2014 1:25 PM
To: 'mssms@lists.myitforum.com'
Subject: RE: [mssms] Wipe the PGP MBR in a task sequence

It's basically impossible to do a refresh of a machine with third party 
encryption in a single task. Managers "want" all sorts of things, some of them 
just can't be done.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Merenda, Kenneth
Sent: Tuesday, April 22, 2014 10:51 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Wipe the PGP MBR in a task sequence

My manager wants it all done in a single TS, where the technicians can kick it 
off and walk away.

-Kenneth

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of christopher.catl...@us.sogeti.com
Sent: Tuesday, April 22, 2014 10:43 AM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] Wipe the PGP MBR in a task sequence

Can you initiate the userstate store while in windows?

Then just USB boot the machine and nuke the disk (without loading the PGP 
drivers).
You would have to add a variable or two to the TS, so it would run as a 
refresh, and would know where the userstate was stored to.

3rd party encryption tools make imaging “exciting”. 😊

Sent from Windows Mail

From: Merenda, Kenneth <kenneth.mere...@fmcti.com>
Sent: Tuesday, April 22, 2014 11:37 AM
To: mssms@lists.myitforum.com

I have an in-place refresh task sequence with USMT for upgrading XP to Win7. 
Our XP clients are all encrypted with Symantec Encryption Desktop (formerly 
PGP) v10.3. Symantec provides instruction for adding the PGP drivers to the 
WinPE image, and that works. My task sequence is initiated via USB boot media, 
and loads into that modified boot image. A prestart command on the boot image 
(pgpwde --auth --disk 0 --p "passphrase") unlocks the encrypted drive. The 
task sequence begins by capturing the user state to a SMP, then runs the disk 
format and partition step.

Everything that I just described works, except for the disk format and 
partition step. While that step does complete without error, it does not get 
rid of the PGP MBR. The next time the task sequence restarts the computer, it 
loads into the PGP bootguard rather than into the WinPE image. I've tried a 
command line step to manually run diskpart clean, and while that step also 
completes, it still doesn't touch the PGP MBR.

After days of troubleshooting, I've identified that once the pgpwde --auth 
command unlocks the drive, the PGP filter drivers block access to the MBR, but 
they do so in a way that still allows tools like diskpart to complete without 
any error. The only Symantec-supported method to get around this is to fully 
decrypt the drive, a process that can take hours or days.

I think the only solution is a 3rd party substitute for diskpart, like pldd or 
FAU DD. I can't seem to find one, however, that works in WinPE x64 and works 
against PGP. Pldd is not supported in 64-bit PE (which I must use), and FAU DD 
doesn't seem to function properly in WinPE.

The diskpart clean command actually works fine if I use it before issuing the 
PGP --auth command, but obviously I have to issue the PGP command first so I can 
capture the user data and have somewhere to store the SMSTS packages. I can't 
reboot after capturing the user data because I can't modify the MBR to get it 
to boot to the WinPE image instead of PGP.

Any ideas on how to blow away the MBR? Any known 3rd party tools that work 
inside 64-bit WinPE?

Thanks in advance,
-Kenneth Merenda
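The failure mode Kenneth describes, diskpart clean exiting cleanly while sector 0 is left untouched, is a case for verifying the result rather than trusting the step's exit code. The following is an added example, not code from this thread or from Symantec/ConfigMgr: a small Python check that decodes a 512-byte MBR image and reports whether it has actually been cleared. It assumes a Python interpreter is available where it runs (or that sector 0 has been dumped to a file by another tool), the sample sector is constructed, and a raw read of `\\.\PhysicalDrive0` may itself pass through the PGP filter driver rather than reach the physical sector.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # 0x55AA at offset 510 marks a valid MBR
PART_TABLE_OFFSET = 446           # four 16-byte partition entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector-0 image into boot signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:            # type 0x00 means the slot is unused
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "zeroed": not any(sector),
        "boot_signature": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def clean_succeeded(sector: bytes) -> bool:
    """True only if sector 0 carries neither a boot signature nor any partition entry,
    which is what a completed 'diskpart clean' should leave behind."""
    info = parse_mbr(sector)
    return not info["boot_signature"] and not info["partitions"]


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows/WinPE, needs administrator rights).
    Assumption: the read reaches the physical sector, not a filter-driver view of it."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def sample_bootable_mbr() -> bytes:
    """Constructed sample: boot-signed MBR with one active NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"                              # placeholder boot-code stub
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else read_sector0()
    print("MBR cleared" if clean_succeeded(data) else f"MBR still present: {parse_mbr(data)}")
```

Run as a task sequence step right after the format step and fail the sequence when it reports the MBR still present, instead of discovering it at the next reboot.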




________________________________

Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.



The information transmitted is intended only for the person or entity to which 
it is addressed and may contain CONFIDENTIAL material. If you receive this 
material/information in error, please contact the sender and delete or destroy 
the material/information.

