System Center Config Mang - Windows 7 Migration on Encrypted Hard Drives
Hello Everyone,

We are in the middle of gearing up for Windows 7 migration. I am in the process of testing the TS that will be used for the migration. I am running into issues though. My company uses Check Point for hard drive encryption. I got the boot image to communicate with the hard drive when it first reboots into it. I have the "State Migration Point" configured on the site server. I want to do the following and need to know if it is possible.

- Capture user settings and data. (TS has to be started in OS)
- Perform a full wipe on the drive. (Removed Checkpoint from the hard drive.)
- Apply Win 7 image.
- Restore user settings and data.

Thanks in advance for your time.
May 16th, 2012 12:19pm

Sure. As long as you do the state capture in the current OS to an SMP then wipe the drive, this should work fine. What issues are you having?
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
May 16th, 2012 1:13pm

Hello Jason,

I am having issues with getting the TS to full wipe the hard drive. I tried using a bat file that calls diskpart.exe /s ~dp0diskpart.txt and it fails to run. The built-in tool for re-partitioning the hard drive doesn't fully do it. The TS downloads the .wim file and it errors when applying the OS. I get the following error.

The task sequence execution engine failed executing the action (Apply Operating System) in the group (Install Operating System) with the error code 2147942423
Action output: fre\sms\client\osdeployment\applyos\installimage.cpp,707)
ApplyImage(), HRESULT=80070017 (e:\nts_sms_fre\sms\client\osdeployment\applyos\installimage.cpp,1416)
Apply(), HRESULT=80070017 (e:\nts_sms_fre\sms\client\osdeployment\applyos\installimage.cpp,1456)
installer.install(), HRESULT=80070017 (e:\nts_sms_fre\sms\client\osdeployment\applyos\installimage.cpp,1527)
Closing image file C:\_SMSTaskSequence\Packages\LPS00035\Win7_x86_v13.wim
Entering ReleaseSource() for C:\_SMSTaskSequence\Packages\LPS00035
reference count 1 for the source C:\_SMSTaskSequence\Packages\LPS00035 before releasing
Released the resolved source C:\_SMSTaskSequence\Packages\LPS00035
InstallImage( g_InstallPackageID, g_ImageIndex, targetVolume, ImageType_OS, g_ConfigPackageID,g_ConfigFileName, bOEMMedia ), HRESULT=80070017 (e:\nts_sms_fre\sms\client\osdeployment\applyos\applyos.cpp,373)
Installation of image 1 in package LPS00035 failed to complete..
Data error (cyclic redundancy check). (Error: 80070017; Source: Windows).
The operating system reported error 2147942423: Data error (cyclic redundancy check).

Here is a snippet of the TS. Let me know if you need more information.
May 16th, 2012 1:25pm

I'm assuming that task references a package. Thus, that package needs to be downloaded locally so that it can be run. Because the hard drive is encrypted though, it can't be downloaded and thus fails. Why aren't you just using the default format & partition task?
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
May 16th, 2012 1:28pm

It doesn't actually format it, because the disk is in use. Do you know a way to override any restraints for the partition and format? If I can get the drive fully wiped I should have any issues. Thanks again.
May 16th, 2012 1:33pm

How about embedding your diskpart script in the boot image? That way you can run diskpart from X:\ and reference the script from the location in X: also, without referencing a package. Have you verified that you can drop to a command-prompt and successfully run diskpart while in PE?
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
May 16th, 2012 1:47pm

I have verified I can launch diskpart.exe within the command window while in the boot image. Do you have instructions on adding the script to my boot image? That is a new process for me. I have added drivers but never directories/files to a boot image. Thanks again for all your help.
May 16th, 2012 1:53pm

Okay, so I got the script copied over and Trace32. They are in the System32 directory. How do I call them now from the TS?
May 16th, 2012 2:31pm

The boot image always creates a virtual RAM drive as drive letter X:\. Thus, you can just call it like this:

x:\windows\system32\diskpart -s x:\windows\system32\myscript.txt

using a Run command-line task. (I think diskpart is also in system32 but you should verify.)
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
May 16th, 2012 3:10pm

For checkpoint encrypted drives you must run two task sequences. First, in the full OS, run a user state capture TS and be SURE to capture to the SMP. Next, boot the computer to PE and perform a bare metal install. SCCM will automagically "see" that there's user data previously captured from that machine and put it back.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
May 16th, 2012 3:28pm

That's what I thought... I was following this thread so diligently to find out if I've been doing it wrong all this time...
May 16th, 2012 3:38pm

The part I can't figure out is how to notify the tech that the capture was a success because there's no way to backup the encrypted disk as part of the TS. If you blow it away and install a new OS then find out the capture went wrong you just lost all the data. BTW.... This is not an issue if you move away from CP to Bitlocker in Win 7. That's what we are trying to do.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
May 16th, 2012 6:42pm

Wouldn't USMT tell you if it failed capture? So what we have been doing is run a USMT only TS in XP, reboot, PXE boot and image. I've been looking at ways to force a PXE boot on reboot with some utilities that HP and Dell provide, but haven't been successful, i.e. on a Dell D630, the ForcePXEonNextBoot value is not available. We don't use OMCI. Offtopic: Are you aware of any comparisons between checkpoint and bitlocker?
May 17th, 2012 10:05am

I'm just always afraid of walking the tight rope without a net. I lost a user's data once when I first started doing OSD and I still cringe when I think about it. The capture failed for some reason and the disk formatted anyway. That was back on SMS 2003 and BDD 2007 though. I am not aware of any but our security team at first would not allow bitlocker but when I showed them MBAM they loosened up.
John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
May 17th, 2012 11:45am
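
Added example (not from any poster in this thread): one way to get the safety net discussed in the posts above is a check step placed right after Capture User State in the capture task sequence, which fails the sequence when the state store looks wrong so the tech sees an error before the machine is ever booted to PE and wiped. It assumes PowerShell is present on the source OS, that the step can read the state store path, and that the store file is named USMT.MIG; the Test-UsmtCapture function and the 1 MB size floor are hypothetical.

```powershell
# Added example: run as a command-line step directly after "Capture User State"
# and before "Release State Store" in the capture task sequence.
# Assumptions: PowerShell exists on the source OS, this step can read the
# state store path, and the store file is named USMT.MIG.
param([long]$MinBytes = 1MB)   # hypothetical floor for a plausible store size

function Test-UsmtCapture {
    param([string]$StorePath, [string]$LastActionSucceeded, [long]$MinBytes)
    $problems = @()
    if ($LastActionSucceeded -ne 'true') {
        $problems += 'Capture User State did not report success'
    }
    if (-not $StorePath -or -not (Test-Path -LiteralPath $StorePath)) {
        $problems += "State store path not reachable: '$StorePath'"
    } else {
        # Look for the store file anywhere below the state store path.
        $mig = Get-ChildItem -LiteralPath $StorePath -Recurse -Filter 'USMT.MIG' |
               Select-Object -First 1
        if (-not $mig) {
            $problems += 'No USMT.MIG found in the state store'
        } elseif ($mig.Length -lt $MinBytes) {
            $problems += "USMT.MIG is only $($mig.Length) bytes"
        }
    }
    return ,$problems
}

# Microsoft.SMS.TSEnvironment only exists inside a running task sequence.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$problems = Test-UsmtCapture -StorePath $tsenv.Value('OSDStateStorePath') `
    -LastActionSucceeded $tsenv.Value('_SMSTSLastActionSucceeded') `
    -MinBytes $MinBytes

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Output "CAPTURE CHECK FAILED: $_" }
    exit 1   # non-zero exit fails this step, so the capture TS ends in error
}
Write-Output 'Capture check passed: state store present and above the size floor.'
exit 0
```

The step must not be set to continue on error, otherwise a failed check will not stop the sequence.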

MBAM as in malwarebytes? I can't see how that relates to encryption?
May 17th, 2012 3:27pm

MBAM = Microsoft Bitlocker Administration and Monitoring: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/mbam.aspx
Jason | http://blog.configmgrftw.com | Twitter @JasonSandys
May 17th, 2012 6:03pm

and here's how to do a Win7 to Win7 migration using BitLockered drives and an MBAM back-end: http://www.windows-noob.com/forums/index.php?/topic/4811-introducing-the-bitlocker-frontend-hta
Step by Step ConfigMgr 2007 Guides | Step by Step ConfigMgr 2012 Guides | I'm on Twitter > ncbrady
May 18th, 2012 5:36pm

This topic is archived. No further replies will be accepted.
