McAfee Endpoint Encryption for PC 7.x Windows OS Refresh ...

McAfee Endpoint Encryption for PC 7.x 

Windows OS Refresh Recommended Process Guide for Master 

Boot Record Systems Only 

April 30 th 2013 

Version: 1.0 

Page | 1

Notices 

Copyright 

Copyright © 2010 McAfee Inc, McAfee Data Protection. All rights reserved. 

This document contains proprietary information of McAfee Inc. and is subject to a license agreement or nondisclosure agreement. No part 

of this document may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into another language, in any 

form or by any means, without the prior written consent of McAfee. 

Trademarks 

This document may make reference to other software and hardware products by name. In most if not all cases, the companies that 

manufacture these other products claim these product names as trademarks. It is not the intention of McAfee Inc. to claim these names or 

trademarks as its own. 

Disclaimer 

The information contained in this document is subject to change without notice. 

MCAFEE INC. MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 

WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 

McAfee Inc. shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, 

performance, or use of this material. 

McAfee reserves the right to add, subtract or modify features or functionality, or modify the product, at its sole discretion, without notice. 

McAfee makes no commitment, implied or otherwise, to support any functionality or technology discussed or referenced in this document. 

Page | 2

Contents 

Introduction ............................................................................................................................................................................ 4 

Purpose and Scope ........................................................................................................................................................... 4 

Requirements.................................................................................................................................................................... 4 

Planning the Refresh Process .................................................................................................................................................. 5 

Overview of the McAfee Endpoint Encryption for PC Boot Process ................................................................................ 5 

Preparing the Operating System Images .......................................................................................................................... 6 

Preparing the Windows PE images (Boot Image) ............................................................................................................. 6 

Creating LockedFiles.reg ................................................................................................................................................... 7 

Preparing the Target Machine for OS refresh .................................................................................................................. 7 

Operating System Refresh Process Overview for PCs with Endpoint Encryption Active ................................................. 8 

EpeWinUpgradeTool Expanded ........................................................................................................................................ 9 

Creating the Task Sequence .................................................................................................................................................. 10 

Page | 3

Introduction 

The McAfee Endpoint Encryption for PC product provides full disk encryption for enterprises. 

Purpose and Scope 

The purpose of this document is to provide a recommended process for refreshing systems running windows operating systems in Master 

Boot Record (MBR) mode only, which are encrypted with McAfee Endpoint Encryption v7.x. 

The purpose of the process described in this document is to refresh the Windows operating system without the need of decrypting the disk 

and uninstalling McAfee Endpoint Encryption. OS Refresh is referred in this guide as the process whereby the disk hosting the operating 

system, is cleared and a new operating system installed by laying an image using a tool that works on file level and not on sector level. The 

process and utilities provided, address the common problems occurring, whilst maintaining the encrypted drive during OS refresh. 

Intended Audience 

The intended audience for this document are; IT administrators with a thorough knowledge and experience in re‐imaging via Microsoft 

System Center 2012 Service Pack 1 Configuration Manager (SCCM), Microsoft Deployment Toolkit (MDT) 2012 (Update1) and Endpoint 

Encryption for PC Version 7.x. Here are the main features and products that you will need to know: 

• McAfee Endpoint Encryption administration 

• Windows command line use 

• Microsoft Deployment Toolkit (MDT) 2012 (Update1) 

• Microsoft System Center 2012 Service Pack 1 Configuration Manager (SCCM) 

• Understanding of MBR and PC boot process 

• Windows Assessment and Deployment Kit (ADK) 

• Understanding of Windows Registry 

• Understanding of the use and purpose of Operating System Drivers 

Requirements 

The minimum requirements for the Server environment which hosts the System Center 2012 Configuration Manager are as follows: 

• Microsoft System Center 2012 Service Pack 1 Configuration Manager (SCCM) 

• Microsoft Deployment Toolkit 2012 Update 1 

• Windows Assessment and Deployment Kit (ADK) Version 4.0 

• User State Migration Tool 

• McAfee Endpoint Encryption for PC Version 7.x 

Any Images captured must be done via SCCM or MDT and by following Microsoft official guidelines. 

For more information please visit: http://technet.microsoft.com/en-us/library/dd744389(v=ws.10).aspx 

Page | 4

Planning the Refresh Process 

The following section here describes how to plan and prepare a refresh process for Windows operating systems. This includes describing 

the Endpoint Encryption boot process, preparation of images and requirements for the refresh process. 

Overview of the McAfee Endpoint Encryption for PC Boot Process 

The following diagram shows how a system with McAfee Endpoint Encryption active, boots via a Master Boot Record (MBR) boot process. 

McAfee Endpoint 

Encryption Master 

Boot Record (MBR) 


Encryption Bootcode 

(Safeboot.rsv) 


Encryption Pre-Boot File 

System (Safeboot.fs) 

The Endpoint Encryption MBR replaces the standard Master Boot Record (Sector 0 of the boot disk) during activation. The Endpoint 

Encryption MBR is referred to as the EPE MBR. The control is passed to the MBR following BIOS initialization and the code contained in the 

MBR is executed. This MBR contains a pointer to the first sector of a sector chain that hosts the BootCode (safeboot.rsv), which is executed 

straight after the MBR. It also contains a pointer to the first sector of a sector chain of the Endpoint Encryption file system (Safeboot.fs), 

which hosts the Windows OS original MBR that is executed after successful authentication. 

It is important that the two files Safeboot.rsv and Safeboot.fs and the EPE MBR are maintained on the disk and are never moved at a sector 

level. The files are sector chains and copying the file from one place to another does not work as they are not real files. They appear in this 

way inside the operating system to prevent it from being moved or overwritten. 

Any Windows OS refresh process has to make sure that the EPE MBR and the two Endpoint Encryption files are maintained without being 

moved. In the case of the EPE MBR this is easy as it is only contained within one sector so taking a backup and then restoring the file by 

writing back to sector 0 is sufficient. However, the two Endpoint 

Encryption files span across multiple sectors and the only way to preserve them is by using the Microsoft User 

Migration Tool (USMT) Hardlink feature. This new feature is used to preserve user files during upgrades without requiring taking copies to 

another media. So the same can be applied to the Endpoint Encryption files. 

When the USMT runs, it creates a second pointer to files inside a protected folder. Then, during refresh process, at the point that the disk is 

cleared, all files are deleted apart from the ones that have hard links created. 

Page | 5

Preparing the Operating System Images 

In order to refresh an operating system, an image has to prepared that will be laid over the encrypted disk. This can be done in a number of 

ways via SCCM or MDT. However any image that is captured, which results in a WIM file, must have the Endpoint Encryption Drivers and 

Registry Entries injected prior to the refresh process. This will allow the new system to access the disk when it tries to boot. To do this 

McAfee has provided the EpeWinUpgradeTool.exe for 32bit systems and the EpeWinUpgradeTool64.exe for 64bit systems. This tool can be 

run from a command line with Administrator rights to inject the EEPC drivers and registry amendments. 

Prior to running the tool extract the following files from the MfeEEPC32.msi (for 32bit systems) or the MfeEEPC64.msi (for 64bit systems); 

• MfeEpePC.sys 

• MfeEEAlg.sys 

• MfeEpeOpal.sys 

Place these files within a folder located in a convenient location. 

Example – C:\Drivers 

From a command line run the following command for x64 architecture; 

Example – EpeWinUpgradeTool64.exe –inject C:\drivers C:\OSWIMFILE.wim 

This will inject the EEPC drivers and make the necessary registry amendments in the target WIM file. Once complete, the WIM file can 

either be imported into the SCCM/MDT environment or have its contents re-distributed to the distribution points within SCCM/MDT. 

Preparing the Windows PE images (Boot Image) 

The Windows PE environment is used for installing or refreshing operating systems. The Endpoint Encryption driver has to be included 

within the Windows PE image so the encrypted drive can be accessed by the installer If you are planning to refresh for both 32‐bit and 64‐ 

bit, then you will require two PE images, one for 64‐bit and one for 32‐bit. To do this the procedure is the same as injecting the EEPC drivers 

and registry amendments into an Operating System WIM file. 

Prior to running the EpeWinUpgradeTool extract the following files from the MfeEEPC32.msi (for 32bit systems) or the MfeEEPC64.msi (for 

64bit systems) (the drivers are the same for both the Operating System injection and the Boot Image injection); 

• MfeEpePC.sys 

• MfeEEAlg.sys 

• MfeEpeOpal.sys 

Place these files within a folder located in a convenient location. 

Example – C:\Drivers 

From a command line run the following command for x64 architecture; 

Example – EpeWinUpgradeTool64.exe –inject C:\drivers C:\BOOTWIMFILE.wim 

This will inject the EEPC drivers and make the necessary registry amendments in the target WIM file. Once complete the WIM file can either 

be imported into the SCCM/MDT environment or have its contents re-distributed to the distribution points within SCCM/MDT. 

It is also required to place a copy of the EpeWinUpgradeTool into the boot image. If the image is 32bit use the EpeWinUpgradeTool.exe if 

the image is 64bit use the EpeWinUpgradeTool64.exe. 

Page | 6

Creating LockedFiles.reg 

To prevent the Epe Files being moved at a sector level once the Task Sequence is complete the following registry entry will need to be 

created and called lockedfiles.reg. Make sure the location of the SafeBoot.fs and SafeBoot.rsv in the registry file match that actual locations 

on disk. 

Windows Registry Editor Version 5.00 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MfeEpePc\LockedFiles] 

"0"="C:\\SafeBoot.fs" 

"1"="C:\\SafeBoot.rsv" 

Preparing the User State Migration Tool (USMT) 

The user state migration tool has a number of components but the XML required to be modified is MigUser.xml. The following additions 

will need to be made to make sure that all required EpeFiles are not moved at a sector level 

 

Component to migrate all mcafee Endpoint encryption files 

 

 

 

 

C:\[SafeBoot.fs] 

C:\[Safeboot.rsv] 

 

 

 

 

 

 

Component to migrate all mcafee Endpoint encryption registry files 

 

 

 

 

C:\[lockedfiles.reg] 

 

 

 

 

 

Preparing the Target Machine for OS refresh 

The target machines will require both the EpeWinUpgradeTool and the lockedfiles.reg to be stored locally on the PC in the root of C:\ prior 

to the task sequence being initiated. 

Page | 7

Operating System Refresh Process Overview for PCs with Endpoint Encryption 

Active 

The main requirements for a refresh process on a system with Endpoint Encryption for PC active, is to preserve the boot order of the 

system as well as the data files used by Endpoint Encryption. This can accomplished using the EpeWinUpgradeTool.exe and 

EpeWinUpgradeTool64.exe tools that provide several arguments to aid the process. An overview of what is required can be broken up 

into the three basic areas. 

1st Stage ‐ Booting on current Windows OS 

1. Shutdown McAfee Endpoint Encryption Agent service 

2. Capture and store the EPE MBR 

3. Make sure that the Endpoint Encryption files are part of the XML USMT definitions and insert a step so USMT hardlinks and 

preserves the required Endpoint Encryption files. 

4. Unlock Endpoint Encryption files 

5. Unhide Endpoint Encryption files 

6. Restore EPE MBR just before the system restarts as final step 

2nd Stage ‐ Booting on Windows PE 

1. Store Endpoint Encryption MBR as first step in the process 

2. Restore Endpoint Encryption MBR. 

3rd Stage ‐ Booting on new Windows OS 

1. Make sure that USMT runs the load state tool to restore Endpoint Encryption files. 

2. Amend Registry with LockedFiles.reg 

3. Hide Endpoint Encryption files. 

Page | 8

EpeWinUpgradeTool Expanded 

A utility was developed to allow administrators to carry out the necessary steps during the OS refresh process. As previously mention in this 

guide the utility is called EpeWinUpgradeTool.exe (x86) and there is also an x64 version called EpeWinUpgradeTool64.exe. The 

utility can be run at the command line with Administrator rights and offers the following options: 

NOTE: The refresh tools are attached to: https://kc.mcafee.com/corporate/index?page=content&id=KB78376 

-SaveMbr 

Stores the EPE MBR to a file specified by filename. 

-SetMbr 

Restores the EPE MBR from a file specified by filename. 

-SetFileLocks 

It locks or unlocks the EPE files. Use "Lock" or "Unlock" for command 

-Inject 

Injects EEPC drivers into a WIM Image 

-MountWim 

Mount Image in a specified Directory 

-UnmountWim [Save] 

Unmount the Image. Update Image if “Save” 

-ForceMBR 

Restore MBR from file continuously 

Page | 9

Creating the Task Sequence 

1. Using the Create MDT Task Sequence option from within the SCCM we are now going to create the initial task sequence that will 

be used to refresh the Operation System. 

2. Using the Task Sequence Wizard select the Task Sequence Template “Client Task Sequence”. 

3. Name the Task Sequence and add comments if required. 

Page | 10

4. Enter required details for joining a network 

5. It is required that an image is captured and prepared based on the steps in this document prior to this point so there is no need to 

capture an image. 

Page | 11

6. Select the correct architecture Boot image, again this should have been prepared as detailed in this document 

7. Select the required Microsoft Deployment Toolkit Package. 

Page | 12

8. Specify the Operating System that will be used in the refresh process. This will need to have been prepared using the steps 

detailed previously in this document. 

9. Select the deployment method that is required. 

Page | 13

10. Select the required Configuration Manager Client Package 

11. Specify the USMT package, making sure the package contains the amendments for the MigUser.xml stated previously in this 

document. 

Page | 14

12. Select the correct settings package required for the client machine 

13. Select the required Sysprep package settings. 

Page | 15

14. Check the overall summary and complete the remaining steps until completion. 

15. On completion of the task sequence wizard all mentions to FORMATING and PARTITIONING will need to be removed or disabled, 

this does not prevent a refresh of the operating system but instead will only allow the OS partition to be wiped and upgraded. 

16. The Task Sequence will now need to be edited to include specific EEPC tasks. The first steps that will need to be added to the 

current task sequence under the branch State Capture. From the diagram below the branch EpeCapture has been added which 

includes the following steps 

a. Shutdown EEPC Service. This step is a command line option and requires the following string to be added to the 

“Command Line” field. 

SC Stop “McAfee Endpoint Encryption Agent” 

b. Save EEPC MBR. This step is a command line option and requires the following string to be added to the “Command 

Line” field. 

EpeWinUpgradeTool.exe –SaveMBR C:\EpeMBR.dat 

c. Unlock EPE Files. This step is a command line option and requires the following string to be added to the “Command 


EpeWinUpgradeTool.exe –setfilelocks unlock 

d. Unhide EPE Files. This step is a command line option and requires the following string to be added to the “Command 


Attrib –r –s –h c:\safeboot.* 

e. Restore EPE MBR. This step is a command line option and requires the following string to be added to the “Command 

Line” field. The forceMBR switch will spawn a new EpeWinUpgradeTool process that will keep replacing the Epe MBR at 

select intervals so that is not replaced by the standard Windows MBR during the task sequence process. 

EpeWinUpgradeTool.exe –forceMBR C:\EpeMBR.dat 

Page | 16

17. The next amendment to the Task Sequence is during the WinPE stage with the following changes, as seen in the diagram below 

a. Save EEPC MBR. This step is a command line option and requires the following string to be added to the “Command 


EpeWinUpgradeTool.exe –SaveMBR X:\EpeMBR.dat 

b. Restore EPE MBR. This step is a command line option and requires the following string to be added to the “Command 


EpeWinUpgradeTool.exe –forceMBR X:\EpeMBR.dat 

Page | 17

18. Next is to amend the newly refreshed Operating Systems registry and to hide the Epe Files that were previously unhidden. Add the 

following steps to the location shown in the diagram. Until the refreshed machine has been rebooted, do not run any clean up 

tasks such as Windows Defrag as the Epe Files will still be in an unlocked state. 

a. Registry Entry for Locked Files. This step is a command line option and requires the following string to be added to the 

“Command Line” field. 

Regedit /s lockedfiles.reg 

b. Hide EPE Files. This step is a command line option and requires the following string to be added to the “Command Line” 

field. 

Attrib +r +s +h c:\safeboot.* 

19. The last edit to be made is the removal of any tasks relating the disabling or enabling of BitLocker. 

Page | 18

McAfee Endpoint Encryption for PC 7.x Windows OS Refresh ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?