I am trying to split the apply WinPE and reboot to WinPE as 2 different parts in my task sequnce. The reason for this is because i need to run a cmd line before it boots into WinPE. The cmd actually makes changes to the applied WinPE. Is this possible and how.

Curious as to what you are doing to the boot image after it is delivered? Why not just modify the boot image itself? Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys

Not sure if you are familiar with Safeboot, McAfee product now used for ecryption. I am trying t set the Safebootmbr instead of the bootmbr, so it boots using safebootmbr. There is a utility that McAfee has that does this. Now since each computer has its own key and it is wrapped around the safebootmbr i cannot modify the boot image itself. Or i can but would have to do this for 16000+ machines. :)

I don't know if it is possible. I have seen many other people post and not be sucessfull. I think generally they laid down the entire image as normal and then installed SAfeboot application and did some setting from there. WE did PGP whole disk and you can't automate it from SCCM. The admin had to enter data and it just was made to be pushed with SCCM.http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

I've also looked in a migration scenario where End Point Encryption is involved. During our tests we couldn't install Windows 7 without formatting the hard disk prior the Windows 7 installation. We also couldn't stage WinPE when starting the installation from the Run Advertised Programs menu. What is it that you want to do disable the security in order to stage WinPe when running the Tasksequence from Run Advertised Programs? Just out of curiosity what tool from McAfee do you use?

Basically what i am trying to do is bypass the decryption portion of safeboot. McAfee has the instrucionts on how to do this but their task is split into 2, apply Winpe, Restore Safeboot MBR, by runnng this utility with these parameters (SbWinUpgrade.exe -SetMbr:c:\SafebootMbr.dat), then after this step it goes to the next task which is reboot to WinPE without applying the WinPE again. Here is their info: The OS refresh process using MDT presented in this document can be adapted to use SCCM instead. The task sequences in SCCM are very similar to MDT and the same tools to edit WIM files can be used. However, there can be issues as SCCM has a different approach on applying windows PE and preparing disks for installation. The following problems have to be resolved in order to integrate the solution into SCCM: 1. Disk Cleanup SCCM includes a step the prepares the disk by partitioning and formatting the partitions. This step has to be modified so its compatible with hardlinks. i.e. the disk should just be cleaned by deleting all folders but the one used to keep user migration state. (MININT or OSD etc..) 2. Restoring Safeboot MBR before first Restart After applying Windows PE the task sequence should contain a step that restores the Safeboot MBR. However, SCCM applies windows PE and restarts the system on the same step. To overcome this problem there are many approaches: a. Modify the task sequence VBScript of SCCM to run the commands for applying PE and restarting the system in the same order as MDT. MDT's scripts can be used as a reference. b. Set the restart timeout for the system to a large number of seconds. Create an executable that monitors the task sequence log file and when it detects that Windows PE have been applied it restores the Safeboot MBR and restarts the system. c. Wrap the executable command that restores the Safeboot MBR in a batch file that does the following: i. Creates a new process and runs the following ii. Restore Safeboot MBR iii. Sleep 10ms iv. go to ii. The batch file should be started just before calling the command to apply Windows PE. Since Restart to WinPE task does both applys the WinPe and reboots at the end and it is all wrapped up in the smsboot.exe i need to know which script handles this so that i can make a call for the Restore of SafebootMBR inbetween Apply WnPE and reboot.

Are you trying to re-install the machine by having the encryption intact and install the OS from the SCCM cache? Do you have a problem not knowing if the tasksequence run in the running OS or in WinPE? You can check this by using tasksequence variable _SMSTSInWinPE and use it as a condition to only restart into WinPE if this value is equals False

i am not reinstalling the machine but upgading it from WinXP to Win7. I know exactly where task sequnce is runnng i just need to find how the WinPE and reboot are wrapped in smsboot.exe?

I suggest contacting CSS as what you are doing is unsupported -- they may have a solution for you. I doubt it though as your difficulties stem directly from the use of a third-party product which really means you should contact them for support.Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys

We do know it is not supported but we need this implemented as we have 16000 laptops to deploy Win7. I wa actually able to fakeout the task sequnce witha vbs script and was able to get th working. If anyone needs help regarding modification once WinPe is layed down post it hee and i will reply with solution.

This would be a great blog post to review and learn from even for those not doing it.Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys

AdisH80....I'm curious about the "fakout" you mention above. Can you elaborate on your solution? We have a similar need, and the workarounds we have considered are "kludgy" at best.

Been exteremely busy and was unable to post. So this all depends what you need to do but what i did was i wrote a vbs script that calls another vbs script to perform the task with option of timing out when you need it to execute. The first sript will exit out successfully and will continue with the next step in the task sequence. The other script is called and is running with timoutvalue i specified and then it executes the desired cmd.

I fully understand what you are trying to do here. I am raising a support call with MS. What I am doing in the meantime is cancelling the TS. As the TS has completed and is pending a reboot, when the reboot is raised I do the following, which clears the message and cancel the reboot. I then handle the reboot from a service at an appropiate time and the TS continues unaware of this post reboot. private void KillProcesses() { RunCMD( "Resetting the TS Manager service to noaction", "sc", "failure smstsmgr reset= 86400 actions= ///" , 0); KillProcess( Process.GetProcessesByName("TSManager")); /* Must kill this first */ KillProcess( Process.GetProcessesByName("TsProgressUI" )); } private void KillProcess(Process [] KillMe) { foreach (Process uiProcess in KillMe) { LogIt( ".................Killing process: " + uiProcess.ProcessName); uiProcess.Kill(); } }

Can you post the scripts you used? We are doing the same upgrade process. I would like to split the Apply WinPE process into two steps (Apply then Restart) in the same manner as MDT 2010, it seems like it would be cleaner that the other option suggested by McAffee. At this point - working more important than "nice" process.

Dabell, It is a service that controls the process. As part of the TS I install a service that watches for the smsts.log, which signifies the TS has completed and is pending a reboot. I then cancel the reboot by killing the TSmanager and UI (note: this only works if a user is logged on so only use an optional advert) and then restore the safeboot MBR, load the PE image (which the TS has prestaged) using imageX (which I dynamically install if needed), inject the relevant safeboot version into the PE image (if you only have one safeboot version or do not mind having mutilple PE images then you may preinject safeboot into the image), unload the updated PE image and reboot to it. This is a little crude at the moment, but is working. You also need ImageX, the safeboot registry keys and sys files if choosing to inject at runtime. I am only using a 32bit PE image regardless of existing OS or target OS. using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; using System.Diagnostics; using System.ServiceProcess; using System.Text; using System.IO; using Microsoft.Win32; using System.Threading; using System.Runtime.InteropServices; namespace SBORRestart { public partial class sborrestart : ServiceBase { private static string LogFile = "c:\\YourLoglocation\\RestartMonitor.log"; private string ccmLogPath = "C:\\_SMSTaskSequence\\Logs\\smsts.log"; private Boolean bDone = false; private Boolean bReboot = true; private string sbLoc = "C:\\Temp\\Safeboot"; private string WinDir = "C:\\Windows\\System32"; private string SbVersion = ""; private string SbV = ""; private string sOST = "x86"; private string SbFileVersion = "\\DetectedVersion.txt"; public sborrestart() { InitializeComponent(); } protected override void OnStart(string[] args) { if (File.Exists(ccmLogPath)) { File.Delete(ccmLogPath); } /* Delete old log */ Thread RunTh = new Thread(new ThreadStart(this.RunProcess)); RunTh.Start(); LogIt("Started"); SystemEvents.SessionEnding += new SessionEndingEventHandler(SystemEvents_SessionEnding); } protected override void OnStop() { bDone = true; bReboot = false; } private void RunProcess() { LogIt("Waiting for " + ccmLogPath); do { System.Threading.Thread.Sleep(50); /* We have a number of seconds to restore the MBR */ if (File.Exists(ccmLogPath)) /* A filesystemWatcher does not seem to work on this file */ { /* The log does not appear until the reboot message is raised */ KillProcesses(); GetSbversion(); RunCMD("Running MBR Restore",sbLoc + "\\V" + SbV + "\\" + sOST + "\\SbWinUpgrade.exe","-SetMbr:" + sbLoc + "\\SafebootMbr.dat",-1); RunCMD("Copy the wimmount driver", "xcopy", sbLoc + "\\imagex\\wimmount.sys " + WinDir + "\\drivers\\*.* /q/i/y",-1); /* The file may exist and be open */ RunCMD("Update registry for wimmount", "reg.exe", "import " + sbLoc + "\\imagex\\wimmount.reg", 0); RunCMD("Mount the cached win pe", sbLoc + "\\imagex\\imagex.exe", "/MountRW c:\\_SMSTaskSequence\\WinPE\\Sources\\boot.wim 1 " + sbLoc + "\\Mount", 0); RunCMD("Copy the 32bit Safeboot drivers","xcopy",sbLoc + "\\" + SbVersion + "\\*.sys " + sbLoc + "\\mount\\Windows\\System32\\drivers\\*.* /q/i/y",0); RunCMD("Load the WinPE registry","reg.exe","load HKLM\\SBHive " + sbLoc + "\\mount\\Windows\\System32\\config\\SYSTEM",0); RunCMD("Update1 registry", "reg.exe", "import " + sbLoc + "\\" + SbVersion + "\\Class.reg", 0); RunCMD("Update2 registry", "reg.exe", "import " + sbLoc + "\\" + SbVersion + "\\SafeBoot.reg", 0); RunCMD("Update3 registry", "reg.exe", "import " + sbLoc + "\\" + SbVersion + "\\SBAlg.reg", 0); RunCMD("Unload PE regisrty","reg.exe","unload HKLM\\SBHive",0); RunCMD("Unload WinPE mount", sbLoc + "\\imagex\\imagex.exe", "/UnMount /commit " + sbLoc + "\\Mount", 0); bDone = true; } } while (bDone.Equals(false)); LogIt("Complete"); if (bReboot) { RunCMD("Initiate the reboot", "shutdown", "-r -f -t 01", -1); } } private void LogIt(string message) { try { FileStream fs = new FileStream(LogFile, FileMode.Append, FileAccess.Write, FileShare.None); StreamWriter sFile = new StreamWriter(fs); sFile.WriteLine(DateTime.Now + " " + message); sFile.Flush(); sFile.Close(); } catch (Exception) { } } private void RunCMD(string sMSG , string sCMD, string sArgs,int iExpectedRC) { try { int iRC; LogIt(sMSG + ": " + sCMD + " " + sArgs); Process RunCommand = new Process(); RunCommand.StartInfo.FileName = sCMD; RunCommand.StartInfo.Arguments = sArgs; RunCommand.StartInfo.UseShellExecute = true; RunCommand.Start(); RunCommand.WaitForExit(); iRC = RunCommand.ExitCode; LogIt("Exit code: " + iRC); if (iExpectedRC >= 0) { if (iExpectedRC != iRC) { /* Repoint to the existing OS boot sector to try and save the day */ LogIt("Previous step failed, will cancel reboot: " + iRC); bReboot = false; } } } catch (Exception) { } } private void SystemEvents_SessionEnding(object sender, SessionEndingEventArgs e) { if (e.Reason == SessionEndReasons.SystemShutdown) { if (bDone.Equals(false)) { LogIt("Detected Incorrect Shutdown. Will attempt to cancel it."); e.Cancel = true; } } } private void GetSbversion() { if (System.IO.File.Exists(sbLoc + SbFileVersion)) { string[] aLines = System.IO.File.ReadAllLines(sbLoc + SbFileVersion); if (aLines.Length > 0) { SbVersion = aLines[0]; SbV = SbVersion.Substring(0, 1); /* We will be running in 32bit PE regardless */ LogIt("32bit Safe boot version found: \"" + SbVersion + "\""); } else {LogIt("Safe boot file did not contain any data."); } } else { LogIt("Safe boot file containing version did not exist. SBMBRRead should have created this"); } /* We are running in 32bit mode so be careful about how we determine OS */ string sOS = System.Environment.GetEnvironmentVariable("PROCESSOR_ARCHITECTURE", EnvironmentVariableTarget.Machine); LogIt("Os Architecture: " + sOS); if (sOS != sOST) { sOST = "x64"; } LogIt("Os Architecture found: " + sOS + " OST Set to: " + sOST); } private void KillProcesses() { RunCMD("Resetting the TS Manager service to noaction", "sc", "failure smstsmgr reset= 86400 actions= ///", 0); KillProcess(Process.GetProcessesByName("TSManager")); /* Must kill this first */ KillProcess(Process.GetProcessesByName("TsProgressUI")); } private void KillProcess(Process[] KillMe) { foreach (Process uiProcess in KillMe) { LogIt(".................Killing process: " + uiProcess.ProcessName); uiProcess.Kill(); } } } }

Thanks for the info, I am testing with a VBS version, however the processes are not terminating. For testing, I just have a TS that runs with a reboot to WinPE. I have a vbs that launches the one below, running the script manually does not stop the processes either - any suggestions? Thanks, Darcy strComputer = "." Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2") Set objfso = CreateObject("Scripting.FileSystemObject") Set objShell = WScript.CreateObject("WScript.Shell") testfile="C:\\_SMSTaskSequence\\Logs\\smsts.log" x=0 Do while x <> 1 if objfso.FileExists(testfile) then x = 1 end if wscript.sleep 20 loop 'reboot ready to start, kill TSManager 'change service configuration on failure strcommand = "sc failure smstsmgr reset= 86400 actions= ///0" objshell.run strcommand strProcessKill = "'TSManager.exe'" Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = " & strProcessKill ) For Each objProcess in colProcess objProcess.Terminate() Next strProcessKill = "'TSProgressUI.exe'" Set colProcess = objWMIService.ExecQuery ("Select * from Win32_Process Where Name = " & strProcessKill ) For Each objProcess in colProcess objProcess.Terminate() Next

Thanks AdisH80. It sounds like you are doing what that one McAfee suggest document suggests. I was hoping for something a little more elegant. Anyway, I ended up just adding a TS Step right before restart step that starts a compiled 2 line autoit script. The script waits until it finds the "System Restart" window which is generated at the very end of the Restart Computer step. Once my exe finds the window, it sets the MBR. It seems to work fine.

For those needing more background, this is the process/tool being used: https://community.mcafee.com/community/business/data/blog/2011/10/03/problem-solved-upgrade-client-operating-system-without-have-to-decrypt-and-re-encrypt/

I'm having an issue with the "Restore EPE MBR" step under "PostInstall" (McAfee's directions are for MDT and don't explicitly show a SCCM TS). AdisH80 where are you putting that step? The "Setup Windows and ConfigMgr" step/associated reboot is causing me some problems. I either get "EpePC has been corrupted" or "\windows\system32\winload.exe is missing" depending whether I do the restore before or after "setup windows".

This is the part that it gets tricky if you are using a zero touch. Are you using zero touch or light touch? If you are uzing zero touch then you need to Store the MBR then Restore it. You are basically perserving it through each reboot. So you store it then restore it make sure you are storing it to a right locaton x: or c:. Also this will not work if you do not have hardlinking in place.

This is the part that it gets tricky if you are using a zero touch. Are you using zero touch or light touch? If you are uzing zero touch then you need to Store the MBR then Restore it. You are basically perserving it through each reboot. So you store it then restore it make sure you are storing it to a right locaton x: or c:. Also this will not work if you do not have hardlinking in place. This is ZTI with hardlinking. I store it at "X:\EpeMbr.dat" before the "Apply OS Image" step. Do I need to do it again after that or restore it to a different drive (currently X:)?

You have to store it before you Apply the image and after as well.

FWIW..... I'm using ZTI (SCCM) and doing offline USMT with hardlinks. I'm storing the mbr under c:\_SMSTaskSequence and seems to be fine there

Ok, still stuck here. Getting BSOD with "unmountable_boot_volume", "stop 0x000000ED" after the "Setup Windows and ConfigMgr" setup. Shorten TS: - Set EPE MBR (C:\_SMSTaskSequence\EpeMbr.dat, script runs it every 10ms while WinPE applying) - Restart to WinPE - Save EPEMbr (to X:\EpeMbr.dat) - Apply OS Image / Drivers - Set EBE MBR (to X:\EpeMbr.dat) - Setup Windows and Configr (which reboots PC) ***fails after this. SCCM log says it completes "Setup Windows" with exit code 0 and performs systems reboot. Win7 splash screen loads, then BSOD*** - Set EPE MBR (to X:\EpeMbr.dat. Not run per logs. Should this be D:\_SMSTaskSequence anyway?) - Reboot then do the "State Restore" section

Looks like you might be mising the drivers in the wim for win7, or the wim is corrupted.

Looks like you might be mising the drivers in the wim for win7, or the wim is corrupted. The OS WIM is working in another TS. In the Boot WIM, I have injected the EE driver (copied from a machine that's encrypted) and made the registry changes. Since it gets all the way to the ConfigMgr step, it seems those WIMs are good. Tried emailing McAfee support, but of course got no response...

The OS is working on anther TS since it does not require the safeboot drivers. you need to inject the drivers to both WINPE and WIN7 wim. Also check if you have the correct drivers installed for the specific notebook.

I am stuck one issue. after rebooting into WinPE, While applying the operating system it is restarting Machine and then applying the operating system. so i am lossing macfee Endpoint encryption boot info and i am getting missing operating system. I am trying to do refresh using Mcafee tool without decrypt and encrypt. We use X64 bit OS and X64 Bit Winpe i tried with X86 also the same problem

0 I am stuck one issue. after rebooting into WinPE, While applying the operating system it is restarting Machine and then applying the operating system. so i am lossing macfee Endpoint encryption boot info and i am getting missing operating system. I am trying to do refresh using Mcafee tool without decrypt and encrypt. We use X64 bit OS and X64 Bit Winpe i tried with X86 also the same problem

i'm stuck on this too - Is it not possible to split up the whole "restart to winPE" step or edit it while this is happening? The solutions here don't make much sense to me... could we get more clarrification on that?

AdisH80 is this the option you used? c. Wrap the executable command that restores the Safeboot MBR in a batch file that does the following: i. Creates a new process and runs the following ii. Restore Safeboot MBR iii. Sleep 10ms iv. go to ii. Would you be available to chat about this - or share your script? You script - where dose it restore the mbr to? X drive?

No i have used a vbs that sleeps and executes after certain period of time.

since you are trying to do exactly what i'm trying to do - is there any chance you could share you info? maybe your task sequence, and your vbs file? there is something i'm really not getting with those insturctions from mcafee. Why do we have to restore the mbr to c drive if the drive hasn't been touched at this point during a zero touch - sccm re-image. The drive and mbr are intact until after the "apply os" step right?

I found so many typos with McAfee's documentation and it is very hard to get through the whole thing. It took me 4 weeks to get the whole process working and you are only at the first key point and there are 3. You need to go to McAFee and ask them for the process their documentation is not precise. What you need to do is have to scripts one in task sequence that calls another. The called vbs will sleep and execute the restore safeboot mbr after WinPe wim is layed down. You just have to time it correctly otherwise you end up with missing operating system. After you pass this point that is when it starts to get tricky. I do consulting, you can contact me anytime.

Do you have an email contact? I don't a way to PM you from here. my contact info john.burke@bellaliant.ca Perhaps we could take this offline.

Here is my e-mail baxuz80@gmail.com.

sent a few emails and they don't seem to be going through . soon as I boot into winpe i get no operating system found error. I have a task sequence line that calls a vbs that calls another vbs. That runs every 10ms and runs the setmbr c:\safeboot.dat why isn't this working? I call this right before my "restart to winpe" step in the sccm task sequence. On Error Resume next Dim WshShell,forever,storeMBR Set WshShell = WScript.CreateObject("Wscript.Shell") forever = 1 storeMBR = "SbWinUpgrade.exe -setMbr:c:\SafebootMbr.dat" Do While forever = 1 wshshell.Run storeMBR,,True wscript.sleep 10 Loop

restore it to c:\?\

i've been attemptnig to restore it even if i put a 5 minute countdown on the restart to winpe step - and run the sbwinupgrade.exe -setmbr manually it just keeps saying that the mbr is safeboot adn cannot be saved as the original mbr

Hey, I was reading every line in this post for a couple of times while i struggled this myself, i would like to post my solution with version 6.1.3 of mcafee endpoint protection (current ersion), i went with option "C" from the documentation, to the point: the script (to make the script run in parallel i use "cmd.exe /c start <script.vbs>", without "start" makes the TS wait for script to finish): set wshShell = WScript.CreateObject ("WSCript.shell") Set objFSO = CreateObject("Scripting.FileSystemObject") forever = 1 RestoreMBR = "cmd /c C:\EEPC_Utility\EpeWinUpgradeTool.exe -SetMbr c:\EpeMbr.dat >> c:\EpeMbr.log" Do While forever = 1 wshshell.Run RestoreMBR,1,true wscript.sleep 2000 Loop Thanks to the participators of this thread, and Good Luck to anyone else trying this.

Thanks AdisH80. It sounds like you are doing what that one McAfee suggest document suggests. I was hoping for something a little more elegant. Anyway, I ended up just adding a TS Step right before restart step that starts a compiled 2 line autoit script. The script waits until it finds the "System Restart" window which is generated at the very end of the Restart Computer step. Once my exe finds the window, it sets the MBR. It seems to work fine. Do you have the AutoIt code available to share? I am running into this same stopgap and it would be greatly appreciated.