Windows Recovery Environment (WinRE) is unable to access the disk on SafeGuard Clients with Full Disk Encryption

  • ID de l'article 117092
  • Mis à jour : 06 mars 2014

After installation of SafeGuard Enterprise/Easy/Disk Encryption version 5.x/6.x and the following full disk encryption of the boot volume/partition that holds the Operating System, when using the Windows Recovery Environment (WinRE), the automatted recovery process tries to locate the Operating System instance for recovery purpose but fails.
Due to the fact that the WinRE does not have the SafeGuard Filterdriver Subsystem installed, it cannot access the encrypted harddisk (fails to locate the Operating System instance) and cannot update the Boot Configuration Data (BCD) Store with the correct entries, leaving a partly modified BCD store behind.

At the next reboot, the client machine fails to boot with one the following error messages:

  • File: \Boot\BCD Status: 0xc000000f Info: an error occurred while attempting to read the boot configuration data
  • File: \Boot\BCD Status: 0xc0000098. The Windows Boot Configuration data file does not contain a valid OS Entry

This article explains how to prepare a clients WinRE environment so that it can be used on a SafeGuard Enterprise/Easy/Disk Encryption 5.x/6.x client, even if the boot volume/partition has been full disk encrypted.

Please note: In case you need to recover a machine that is currently in a state where one of the above mentioned BCD errors will be displayed at every boot, please see KBA 112846 - "SafeGuard Enterprise Client fails to boot, Windows error: Recovery from "File: \Boot\BCD Status: 0xc000000f" or File: Boot\BCD status 0xc0000098" !

Limitations: The process does only apply to SafeGuard versions < 6.10. As of SafeGuard Enterprise 6.10, the Windows Recovery Environment image is automatically patched during the installation / upgrade of the SafeGuard Client.

Known to apply to the following Sophos product(s) and version(s)

Sophos SafeGuard Disk Encryption
Sophos Disk Encryption
SafeGuard Easy
SafeGuard Device Encryption

Operating systems
Windows 7, x86/x64

What To Do

  • Download Microsoft Windows AIK from Microsoft.com, install it on an administrative machine and locate imagex.exe (default location on x86 system: C:\Program Files\Windows AIK\Tools\x86)
  • Download AddSGN2WinRE_ext.zip and extract the files to a temporary location.
  1. On a SafeGuard Client where the SafeGuard filter driver subsystem should be integrated into the Windows Recovery Environment, copy the extracted files (AddSGN2WinPE2.cmd + AddSGN2WinRE.vbs) plus imagex.exe to the clients SafeGuard Base Encryption directory (example: C:\Program Files (x86)\Sophos\SafeGuard Enterprise\BaseEncryption). Replace any of the files if prompted.
  2. Execute the AddSGN2WinRE.vbs script with administrative privileges.

A command prompt will open and an automated process will integrate the SafeGuard filter driver subsystem into the existing Windows Recovery Environment. The command prompt will close automatically after the process has finished.

A basic logging mechanism has been implemented, so the results of the action can be verified from the Clients registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Utimaco\SafeGuard Enterprise\

    • SGN2WinRE_Inj_ResID contains a DWORD result code (example: 0=OK, 1=Error)
    • SGN2WinRE_Inj_ResLN contains a REG_SZ value with extended logging Information (example: "WinRE successfully patched", "MountFailed" ..)

The Windows Recovery Environment can now also be used on SafeGuard Clients with full disk encrypted boot drives.

Known issues:

The script only works on machines that come with a WinRE environment located in C:\Recovery\{GUID}\. Should the WinRE be located elswere, the script needs to be modified manually. To do so, edit the second last line in the AddSGN2WinRE.vbs file to represent the path of the WinRE.wim file. Example:

Original " C:\Recovery\" & GUID & "\Winre.wim"
Modified: " C:\Folder\Winre.wim"


Notes: 
As of SafeGuard Enterprise 6.10, the Windows Recovery Environment image is automatically patched during the installation / upgrade of the SafeGuard Client.

 
Si vous avez besoin de plus d'informations ou d'instructions, veuillez contacter le support technique.

Évaluez cet article

Très mauvais Excellent

Commentaires