  • 0
Stephensr

Issue with Checkpoint Encryption on Refresh (Wipe & Load) Scenarios - “Unable to read task sequence configuration disk.”

Question

Morning All, any ideas on this one would be greatly appreciated.

 

I am deploying our captured image using one task sequence that caters for the Bare Metal and Refresh (now Wipe & Load, I believe) scenarios. This has worked fine until we perform a Wipe & Load on the Checkpoint-encrypted laptops in the fleet.

 

These laptops have all partitions encrypted leaving no un-encrypted estate on them. You may already see where I am going with this….

 

The task sequence is being advertised to the user, who runs the TS from within Windows, enabling the capture of USMT data to the SMP. Once the USMT capture is complete the system is rebooted to the PE boot image in order to run diskpart and apply the image etc. This is where the TS fails. The task sequence config files have been staged to the c:\_SMSTaskSequence directory, which is of course encrypted within PE; we then receive the “Unable to read task sequence configuration disk.”

 

I have seen a number of posts elsewhere that mention using a “Hook” that runs a diskpart script upon the restart to clean and re-partition the disk before the TS begins to process. I am a little unsure how this would work, as the config files will have been “blown away” by the diskpart script and surely the TS will fail again with the same error. Can anyone confirm my suspicions?

 

I have also seen some articles that mention changing the location of the Staging config files from c:\_SMSTaskSequence to x:\_SMSTaskSequence . Again I’m a bit unsure about this as I didn’t think X: was accessible prior to loading the PE boot image.

 

I hope this makes sense.

 

I look forward to hearing any suggestions..

 

Kind Regards,

 

Rich.


Recommended Posts

  • 0

Thanks for the reply.

 

No, I'm not re-sizing the partitions.

With hardlinking, I don't think it "cleans/formats/fdisks" the drive, but rather deletes all folders except for _SMSTaskSequence.

I think what I need to do is somehow remove the MBR?

 

Any other ideas are welcome.

Thanks


  • 0

Hi BJohn,

 

I'm experiencing the same issue as you with Checkpoint. I'm using System Center 2012 SP1 with MDT 2012 Update 1 integrated to do a ZTI Refresh deployment. I'm doing XP to Windows 7. I was able to get the Checkpoint filter drivers injected into my boot media, so everything in the ZTI runs fine up until it reboots after doing the "Setup Windows and Config Mgr" step. It goes to start booting but then BSODs with Error 0x0000ED. I believe the problem is that because the drive is not getting formatted it's still holding its encryption, so when the new Windows 7 image starts to boot up it fails because the drive is encrypted and it can't read the disk. Does anyone have a way to format the hard drive during a refresh scenario? I have been searching the internet and blogs for a few days and have not found any resolution yet. I do not want to break this down into two task sequences. I simply need my Default Client Task Sequence to Format and Partition the disk during a Refresh scenario that is launched from within Windows by the end user. Any help would be appreciated. Thanks


  • 0

I used a solution that worked for me while refreshing Windows XP to Windows 7 computers with Checkpoint FDE.

And I've also googled and binged like hell to solve the same problem, so I figured our solution could maybe help someone more. =)

 

Requirements:

SCCM....

WinPE with Checkpoint filterdriver installed and enabled

Windows Integrated Logon is disabled

 

1. User initiates the Refresh task sequence from within OS.

2. While the TS is in Windows XP, have the TS run this command: fsutil hardlink create c:\_SMSTaskSequence\PROT_INS.SYS c:\PROT_INS.SYS

(This protects the PROT_INS.SYS from deletion during late wipe)

3. Have the TS boot to WinPE with the filterdriver.

4. Apply OS

5. Apply the Checkpoint filterdriver and service in Windows 7 before first boot into Windows.

6. Run the rest of the TS

7. At the end of the TS, run this command: fsutil hardlink create c:\PROT_INS.SYS c:\_SMSTaskSequence\PROT_INS.SYS

(This moves back the file pointer to the original location)

8. Install Checkpoint FDE client application.

 

 

Hope it works... // Rixh

 

 

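Steps 2 and 7 above as one checked script that a "Run Command Line" step can call in either phase. This is an added example, not part of Rixh's post; it assumes the file and directory names are exactly the ones quoted in the steps.

```batch
@echo off
rem Added example, not from the post: wraps the two fsutil commands of
rem steps 2 and 7 in one script, with the existence and error checks that
rem make a failure show up in the step's exit code (and so in smsts.log).
rem   protins_link.cmd stage    -> step 2, run in the old OS before the reboot to WinPE
rem   protins_link.cmd restore  -> step 7, run at the end of the TS in the new OS
rem Assumption: file and directory names are exactly those given in the post.
setlocal
set "ORIG=C:\PROT_INS.SYS"
set "SAFE=C:\_SMSTaskSequence\PROT_INS.SYS"

if /i "%~1"=="stage"   (set "SRC=%ORIG%" & set "DST=%SAFE%" & goto :link)
if /i "%~1"=="restore" (set "SRC=%SAFE%" & set "DST=%ORIG%" & goto :link)
echo usage: %~nx0 stage^|restore
exit /b 2

:link
if not exist "%SRC%" (
    echo ERROR: source %SRC% not found
    exit /b 1
)
if exist "%DST%" (
    echo %DST% already present, nothing to do
    exit /b 0
)
rem Syntax: fsutil hardlink create NEW_LINK EXISTING_FILE. A hard link is a
rem second directory entry for the same file data, so the data survives when
rem the original entry is deleted by the wipe. Both paths must be on the same
rem NTFS volume, which holds here because C: is never reformatted in this flow.
fsutil hardlink create "%DST%" "%SRC%"
if errorlevel 1 (
    echo ERROR: fsutil hardlink create failed, errorlevel %errorlevel%
    exit /b 1
)
echo Linked %DST% to %SRC%
exit /b 0
```

A non-zero exit code fails the TS step immediately, which is preferable to discovering a missing PROT_INS.SYS only at step 8.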

  • 0

Rixh,

The steps you have work well for an in-place upgrade, except I am having trouble with #8. Was there anything you did to get PointSec to install again?

 

[edit] Found the fix: when reinstalling PointSec you need to supply the msi with the disable_pba_install=1 msi property. [/edit]


  • 0


I am able to complete steps 1-7 successfully. I can't, however, install the Checkpoint client. The msi logs indicate that Checkpoint won't install because the driver is already running. The lines in the msi log are:

 

MSI (s) (58!38) [08:42:22:051]: Product: Check Point Endpoint Security -- Error 27107.Driver already running, maybe an old installation exists. The FDE driver is already installed and running.

 

Error 27107.Driver already running, maybe an old installation exists. The FDE driver is already installed and running.

 

MSI (s) (58!38) [08:42:22:051]: Product: Check Point Endpoint Security -- Error 27568.Full Disk Encryption verify pre-install requirements failed


  • 0

Bump.. I'm using FDE 80.40 and, using the steps outlined above, I'm unable to complete step #8. I can do everything except that when I go to reinstall, I get an error in the logs:

 

MSI (s) (58!38) [08:42:22:051]: Product: Check Point Endpoint Security -- Error 27107.Driver already running, maybe an old installation exists. The FDE driver is already installed and running.

Error 27107.Driver already running, maybe an old installation exists. The FDE driver is already installed and running.

MSI (s) (58!38) [08:42:22:051]: Product: Check Point Endpoint Security -- Error 27568.Full Disk Encryption verify pre-install requirements failed


  • 0

I know my chances are slim reviving this old thread; however, I was just looking for some help with step 5 of Rixh's guide, "Apply the Checkpoint filterdriver and service in Windows 7 before first boot into Windows".

 

I'm not sure how to go about doing that; would anyone be able to elaborate on this step?

 

Thanks in advance :)


  • 0


Hey tyriax,

 

I am currently dealing with Checkpoint FDE for our Win7 to Win10 refreshes. I'll be sure to reply back here when/if I figure something out.

 

By the way, checkpoint has a script for in-place upgrades from Win 7 to Win 10. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106433&partition=General&product=FDE

 

 

Obviously not for wipe 'n' loads, but I think it might be useful in figuring something out, as the script seems to add the filter drivers to WinPE/install media.
