5 Replies Latest reply on Dec 10, 2010 3:25 AM by phoffmann

    LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)


      Hello all,


      We're currently in the process of running a Proof of Concept with LANDesk 9 and we've hit a major stumbling block.


      We use the McAfee Endpoint Encryption product (formerly known as Safeboot) to encrypt our hard disks.  The problem we have is deploying an OS to a machine with an encrypted hard disk.


      When we schedule an OS deployment task, the machine will reboot and immediately show an “Operating System not found” error.


      To be clear – we are still able to manually put the machine into a PXE boot, and we can successfully re-image the machine using LANDesk.  It is purely when we schedule a task within LANDesk and let the agent reboot the machine that the process fails.


      Has anyone any experience of using McAfee disk encryption and LANDesk together?  My guess is that LANDesk and Safeboot are both fighting over the MBR of the hard disk… and they both lose!

        • 1. Re: LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)

          Does Safeboot create its own partition to boot off? If so, is the correct partition being set as active during the imaging process?

          • 2. Re: LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)

            Hi Jack,


            Thanks for your reply.  We have no problems imaging over the top of Safeboot if we manually do a PXE boot and re-image using the PXE menu.


            The issue is with Agent-based deployments -- when the devices reboot we get the dreaded "Operating system not found" error and the machine is no longer bootable.

            • 3. Re: LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)
              phoffmann SupportEmployee

              It sounds like you're using OSD (and thus - vBoot) to do this -- would I be correct in that?


              The thing about vBoot is this:


              1 - We copy down a Windows PE image.

              2 - We create a (temporary) partition and expand the image into that partition (this is essentially "Windows PE on your HD").

              3 - We tell the MBR "please go forth and boot from here next boot", so as to load WinPE.


              4 - We Reboot.


              Now the problems can be several.


              1 - McAfee Endpoint Encryption is causing a problem with the MBR (in that it assumes this is an attack or so).

              2 - Your hard drives already have 4 partition entries (which is the hard limit, an MBR cannot cope with more), and thus we run into an open knife.


              The question here is how much McAfee's software does (as such things CAN quite often be overzealous in their intents to protect a system).




              The reason PXE-booting works fine is because you don't involve the MBR at all - you just boot over the network. The hard-disk doesn't even get involved.


              - Paul Hoffmann

              LANDesk EMEA Technical Lead.

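To check the two table-related points raised in the replies above (all four primary entries already in use, and which entry is flagged active), the added example below parses the partition table from a 512-byte MBR sector. It is not part of the original thread and is not LANDesk or McAfee code; it assumes the classic MBR layout, the function names are hypothetical, and the sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446   # partition table follows the boot code area
ENTRY_SIZE = 16
MAX_PRIMARY = 4      # the hard limit of four entries mentioned in the reply

# status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) count(4)
ENTRY_FORMAT = "<B3xB3xII"

def parse_mbr(sector):
    """Return the four primary partition entries of a classic MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(MAX_PRIMARY):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        entries.append({"slot": slot, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count,
                        "used": ptype != 0x00})  # type 0x00 marks an empty slot
    return entries

def partition_table_precheck(sector):
    """Summarise whether a temporary boot partition could still be added."""
    entries = parse_mbr(sector)
    used = [e for e in entries if e["used"]]
    return {"used_slots": len(used),
            "free_slots": MAX_PRIMARY - len(used),
            "active_slots": [e["slot"] for e in entries if e["active"]],
            "room_for_temp_partition": len(used) < MAX_PRIMARY}

def build_sample_mbr(parts):
    """Build a constructed MBR sector from (active, type, lba, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for slot, (active, ptype, lba, count) in enumerate(parts):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if active else 0x00, ptype, lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples: one disk with every slot taken, one with a free slot.
FULL_TABLE = build_sample_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 4096000),
                               (False, 0x07, 4302848, 4096000), (False, 0x27, 8398848, 1024000)])
THREE_USED = build_sample_mbr([(False, 0x27, 2048, 204800), (True, 0x07, 206848, 4096000),
                               (False, 0x07, 4302848, 4096000)])

if __name__ == "__main__":
    print(partition_table_precheck(FULL_TABLE))
    print(partition_table_precheck(THREE_USED))
```

On a real machine the input would be the first 512 bytes of the disk, read with administrative rights; zero or several active entries in the result is worth investigating before scheduling the deployment.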
              • 4. Re: LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)

                Thanks for your helpful answer, Paul!


                Yes, I'm using OSD.  I'd not thought about the temporary partition that vBoot creates -- that gives us another area to look at, as well as the MBR.  Thanks.


                As I mentioned, we're just in the LANDesk 9 proof-of-concept stage, so I'm using OSD for simplicity of testing.  Eventually I'll be moving to Provisioning.  So I think from what you're saying -- Provisioning won't create a temporary PXE partition and modify the MBR?  Is that correct?


                thanks again!

                • 5. Re: LANDesk 9 and McAfee Endpoint Encryption (SafeBoot)
                  phoffmann SupportEmployee

                  Oh, you can get OSD to work fine.


                  The reason we push down the Windows PE image is just because it's a lot more efficient to do so whilst you have all the lovely capabilities of a full OS. Copying down the image whilst you're on a "bare bones OS" (if one can even call it that) such as PXE, your performance is rather more ... lackluster.


                  You *CAN* modify your scripts to pretty much tell your devices to "boot into PXE managed boot please", that's simple enough (if you're interested). This only works for OSD though.


                  I can dig up the relevant info (it's not a lot, it's about 1-2 lines, just more a matter of finding it again), but since you're talking about intending to use Provisioning, I won't bother just yet.


                  NOTE -- Provisioning and OSD are SIMILAR, but they work QUITE differently. Don't make the (all too easy) mistake to assume that they're identical / the same thing with slightly different flavours. It'd be fairer to say that they're radically different but just APPEAR similar.




                  For provisioning - the answer is "it depends" - namely it depends on what your devices start out with.


                  If they're already full Windows devices, and you choose the default "Reboot into WinPE Vboot" option in provisioning, then (as the name suggests) we again use a virtual boot partition approach (again, for the reasons named above).


                  Provisioning can't be "tricked" into a boot like OSD can.




                  It may help if you describe your scenario / what you are starting out from and what you are intent on achieving in the end, and we can see if we can cook up something to suit that need.


                  - Paul Hoffmann

                  LANDesk EMEA Technical Lead