File Share Encryption


How-To: Add PGP WDE Drivers to MDT & SCCM WinPE Boot Media 

Mar 26, 2015 01:09 PM

Symantec has a lot of great documentation for creating WinPE boot media with the PGP drivers baked in for one-off situations.
Unfortunately those instructions don't speak to organizations with MDT and/or SCCM implementations since the boot media creation process is handled 'behind the scenes'.

This post aims to merge Symantec's existing instructions to leave you with MDT/SCCM boot media with PGP WDE drivers baked in.
But first....
 

 

Standard Disclaimer:

Danger, Will Robinson!

The processes described here are not officially supported by Symantec.

The processes described here are not officially supported by Microsoft.

As such, moving forward will likely void or limit your support options.

Neither I nor Symantec nor Microsoft will take or otherwise accept responsibility should you choose to proceed with these steps, especially if they result in unexpected outcomes or undesirable behaviors in your environment.

But, I'll happily take credit if it works! ;)

>>> USE AND PROCEED AT YOUR OWN RISK <<<

>>> YOUR MILEAGE MAY VARY <<<
 

 


Surely you read the scary disclaimer above.  I had to put it there for everyone's safety.  I do hope you understand.

However, throughout this process we'll have a safety net in the event something goes wrong.
So please be sure to complete your Safety Net Steps first before moving forward.

 

The instructions below:

  • were completed on a Windows 8.1 laptop with MDT 2013 and the Windows ADK (8.1 Update) installed
  • are geared towards x64 boot media
  • involve PGP 10.3.0 Build 9060 version files pulled from a production Windows 7 x64 machine that has PGP installed and the drive encrypted
  • assume you have some technical knowledge and understanding of how these technologies work
     

Although you should be able to create x86 boot media, I don't [yet] have instructions for that.
In essence, it'll be the same thing as below, just substitute amd64 with x86 and use the files listed in the 32-bit section of this document here: http://www.symantec.com/docs/TECH214419

 

As time permits, I'll update this post for x86 MDT media and SCCM once I complete the implementation.

Although this is specifically for MDT, the process is similar (read: nearly identical, less file paths) for SCCM environments.

I welcome any feedback, constructive criticism, corrections, tips etc. on this process.

I may be releasing a simple script in the future to automate the Safety Net steps outlined below.

 

 

MDT amd64 (64-bit) Boot Media Instructions:

>>> Building the Safety Net! <<<

This is so important!

  1. Make a backup of your existing boot media files in the Boot directory of your DeploymentShare:
    • The WIM file: Litetouch.wim
    • The ISO file: Litetouch.iso
    • The XML file: Litetouch.xml
       
  2. Make a backup of the winpe.wim file in:
    "%ProgramFiles(x86)%\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us"
     
  3. Success: Safety Net Built!
    Please note - I tend to keep a few copies of files that I modify (read: butcher), just in case something goes horribly wrong.
    That said, I recommend copying one to offline media (thumb drives or external HDD's) and a network share that's getting backed up.
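The Safety Net steps above, as a PowerShell script. This is an added example, not the author's script (the post only mentions one may come later): it copies the boot media from the DeploymentShare and the ADK winpe.wim into a timestamped folder, verifies each copy with SHA-256 and writes a manifest so a later restore can be checked against it. $DeploymentShare and $BackupRoot are assumed values; Get-FileHash needs PowerShell 4.0, which ships with Windows 8.1.

```powershell
# Added example (not code from the original post): automate the Safety Net backup.
# Assumed paths: $DeploymentShare is your MDT share, $BackupRoot is where copies go.
param(
    [string]$DeploymentShare = 'C:\DeploymentShare',   # assumed MDT share path
    [string]$BackupRoot      = 'C:\pgp_backup'         # assumed; copy it to offline media too
)

$ErrorActionPreference = 'Stop'

# ADK 8.1 location of the amd64 winpe.wim that MDT uses when it builds boot media
$adkWinPE = Join-Path ${env:ProgramFiles(x86)} `
    'Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim'

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path (Join-Path $dest 'Boot') -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $dest 'ADK')  -Force | Out-Null

# Step 1: the boot media in the DeploymentShare (the .wim, .iso and .xml files)
$bootFiles = Get-ChildItem -Path (Join-Path $DeploymentShare 'Boot') -File |
             Where-Object { $_.Extension -in '.wim', '.iso', '.xml' }
if (-not $bootFiles) { throw "No boot media found under $DeploymentShare\Boot" }

# Step 2: the ADK winpe.wim
if (-not (Test-Path $adkWinPE)) { throw "winpe.wim not found at $adkWinPE" }

$sources  = @($bootFiles.FullName) + $adkWinPE
$manifest = @()
foreach ($src in $sources) {
    $sub  = if ($src -eq $adkWinPE) { 'ADK' } else { 'Boot' }
    $copy = Join-Path (Join-Path $dest $sub) (Split-Path $src -Leaf)
    Copy-Item -Path $src -Destination $copy

    # Verify the copy byte-for-byte before trusting it as a safety net
    $srcHash  = (Get-FileHash -Algorithm SHA256 -Path $src).Hash
    $copyHash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
    if ($srcHash -ne $copyHash) { throw "Hash mismatch while copying $src" }

    $manifest += [pscustomobject]@{ Source = $src; Backup = $copy; SHA256 = $srcHash }
}

# Step 3: record what was backed up and where, so a restore can be verified later
$manifest | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
Write-Host "Safety Net built in $dest"
```

Run it from an elevated PowerShell prompt before touching anything else; if you later need to roll back, compare the restored file's Get-FileHash output against manifest.csv rather than trusting the file name alone.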
     

Building the Staging Area

  1. Create your staging directories:
    C:\pgp_temp
    C:\pgp_temp\winpe_amd64
    C:\pgp_temp\wde_files
     
  2. Copy the winpe.wim in the path above to C:\pgp_temp\winpe_amd64
     
  3. Copy pgppe.exe from "%ProgramFiles%\PGP Corporation\PGP Desktop\WinPE" into C:\pgp_temp
     
  4. Copy the following files from "%ProgramFiles%\PGP Corporation\PGP Desktop\WinPE" into C:\pgp_temp\wde_files:
    PGPcl.dll
    PGPiconv.dll
    pgppe.exe
    PGPsdk.dll
    PGPsdk.sys
    PGPsdkNL.dll
    PGPsdkUI.dll
    pgpstart.exe
    PGPwd.dll
    PGPwde.exe
    PGPwded.sys
    PGPwdesdk.dll
     
  5. Copy the following files from "%ProgramFiles(x86)%\PGP Corporation\PGP Desktop\" into C:\pgp_temp\wde_files:
    pgpbootg.bin
    pgpbootb.bin
    stage1
     
  6. Copy the following files from %systemroot%\System32\ into C:\pgp_temp\wde_files: 
    shfolder.dll
     

Updating the WIM

  1. Open an elevated command prompt and change into the C:\pgp_temp directory via the following command:
    cd /d C:\pgp_temp

     
  2. Execute the following command:
    pgppe.exe /winpe C:\pgp_temp\winpe_amd64 C:\pgp_temp\wde_files
  3. Ensure the process in Step 2 above completes successfully.
    If it doesn't - Stop right here and do not proceed.  This will need to be troubleshot further.
    If it does - Please continue to Step 4 below.
     
  4. Copy the now updated winpe.wim in C:\pgp_temp\winpe_amd64 to "%ProgramFiles(x86)%\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us"
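The "Building the Staging Area" and "Updating the WIM" sections, carried out as one PowerShell script. This is an added example, not code from the post or from Symantec: it uses the post's paths and file list, refuses to run without a Safety Net backup, fails on the first missing source file rather than partway through pgppe.exe, and only copies winpe.wim back into the ADK when pgppe.exe both exits cleanly and actually changed the file. $backupRoot is an assumed location, and the assumption that pgppe.exe returns a non-zero exit code on failure is marked in the code.

```powershell
# Added example (not the post's or Symantec's code): stage the PGP WDE files,
# inject them into winpe.wim with pgppe.exe, and replace the ADK copy on success.
$ErrorActionPreference = 'Stop'

# Staging directories exactly as in the post
$temp     = 'C:\pgp_temp'
$winpeDir = Join-Path $temp 'winpe_amd64'
$wdeDir   = Join-Path $temp 'wde_files'

# Source locations from the post (ADK 8.1, PGP Desktop 10.3 on an x64 client)
$adkDir   = Join-Path ${env:ProgramFiles(x86)} 'Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us'
$pgpWinPE = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\WinPE'
$pgpX86   = Join-Path ${env:ProgramFiles(x86)} 'PGP Corporation\PGP Desktop'

# Assumed: the Safety Net backup root; refuse to modify anything without a backup
$backupRoot = 'C:\pgp_backup'
if (-not (Get-ChildItem -Path $backupRoot -Directory -ErrorAction SilentlyContinue)) {
    throw "No Safety Net backup found under $backupRoot; back up winpe.wim and the boot media first"
}

# Staging step 1: create the directories
foreach ($d in $temp, $winpeDir, $wdeDir) { New-Item -ItemType Directory -Path $d -Force | Out-Null }

# Staging step 2: stage the ADK winpe.wim and remember its hash to prove it changes later
Copy-Item -Path (Join-Path $adkDir 'winpe.wim') -Destination $winpeDir
$stagedWim  = Join-Path $winpeDir 'winpe.wim'
$hashBefore = (Get-FileHash -Algorithm SHA256 -Path $stagedWim).Hash

# Staging steps 3-6: pgppe.exe, the WDE driver set, the bootguard files and shfolder.dll
$copies = @(
    @{ From = $pgpWinPE; To = $temp;   Files = 'pgppe.exe' }
    @{ From = $pgpWinPE; To = $wdeDir; Files = 'PGPcl.dll','PGPiconv.dll','pgppe.exe','PGPsdk.dll','PGPsdk.sys',
                                               'PGPsdkNL.dll','PGPsdkUI.dll','pgpstart.exe','PGPwd.dll',
                                               'PGPwde.exe','PGPwded.sys','PGPwdesdk.dll' }
    @{ From = $pgpX86;   To = $wdeDir; Files = 'pgpbootg.bin','pgpbootb.bin','stage1' }
    @{ From = "$env:SystemRoot\System32"; To = $wdeDir; Files = 'shfolder.dll' }
)
foreach ($c in $copies) {
    foreach ($f in $c.Files) {
        $src = Join-Path $c.From $f
        if (-not (Test-Path $src)) { throw "Missing source file: $src" }   # fail before pgppe.exe runs
        Copy-Item -Path $src -Destination $c.To
    }
}

# Record which PGP build the drivers came from (the post's were 10.3.0 Build 9060),
# so the resulting media can be matched to the clients it was built from
$driverVer = (Get-Item (Join-Path $wdeDir 'PGPwded.sys')).VersionInfo.FileVersion
Write-Host "Injecting PGP WDE driver version $driverVer"

# Updating the WIM, step 2: run pgppe.exe from C:\pgp_temp.
# Assumed: pgppe.exe returns a non-zero exit code when injection fails.
$proc = Start-Process -FilePath (Join-Path $temp 'pgppe.exe') `
        -ArgumentList "/winpe `"$winpeDir`" `"$wdeDir`"" -WorkingDirectory $temp -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "pgppe.exe failed with exit code $($proc.ExitCode); not copying the WIM back" }

# Updating the WIM, step 3: a second check that does not depend on the exit code
$hashAfter = (Get-FileHash -Algorithm SHA256 -Path $stagedWim).Hash
if ($hashAfter -eq $hashBefore) { throw 'winpe.wim is unchanged after pgppe.exe; nothing was injected' }

# Updating the WIM, step 4: replace the ADK copy so regenerated boot media carries the drivers
Copy-Item -Path $stagedWim -Destination (Join-Path $adkDir 'winpe.wim') -Force
Write-Host "Updated $(Join-Path $adkDir 'winpe.wim') (SHA256 $hashAfter)"
```

Keep in mind that once the ADK's winpe.wim is replaced, every boot image MDT generates from that ADK afterwards carries the PGP drivers and pgpwde.exe, not just the one you are building now, so the version recorded above is worth keeping with your boot media documentation.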
     

Testing

  1. Update your DeploymentShare (either via the Workbench or PowerShell)
    Ensure you are completely regenerating the boot media from scratch!
     
  2. Test the boot media on a machine with a hard disk that's fully encrypted.
    I recommend writing the ISO to a USB thumbdrive using the Windows USB/DVD Download Tool or Rufus or your ISO to USB tool of preference.
     
  3. When it boots, press F8 to open the command window.
    Warning - huge assumption: you've enabled this feature!
     
  4. In our environment, encrypted machines have a C & E drive but both are inaccessible.
    Using that as my guide, check to see if the C and/or E drives exist, and whether or not they're accessible via these commands:
    dir c:
    dir e:

    If the drives are locked, both commands above will return with something like:
    The volume does not contain a recognized file system.
    Please make sure that all required file system drivers are loaded and that the volume is not corrupted.

    You can also try checking it via diskpart (run this command first):
    diskpart

    Then type these two commands within diskpart to see all disks and volumes:
    list disk
    list volume

    So for our environment, for both the C & E drives (volumes) the file system (Fs column in diskpart) is RAW.
     
  5. Now that you know the drive is for sure locked, try executing the following command to unlock the drive:
    pgpwde --disk 0 --auth -p xxxxx
    Where xxxxx is the user's password, an administrator password or PGP token
     
  6. If you get a response similar to the following, congratulations, the disk is now unlocked:
    Request sent to Authenticate disk was successful

    If you receive an error, that will need to be troubleshot accordingly since it's [more than likely] a pgpwde error, not an MDT/SCCM or WinPE error.
     
  7. Confirm the drive is unlocked by browsing it, or issuing the same dir commands from step 4.
     
  8. Do whatever you need to do in MDT/SCCM
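The locked-volume check from Testing steps 4 and 7 (the diskpart "list disk" / "list volume" check, looking for volumes whose Fs column shows RAW), as an added PowerShell example that is not part of the original post. It assumes the PowerShell optional component was added to the boot image when the DeploymentShare was updated, since the F8 window gives you cmd.exe only; it drives diskpart with its /s script switch and parses the volume table. The sample output row in the comment is constructed for illustration.

```powershell
# Added example (not from the post). In WinPE's F8 window, run:
#   powershell -ExecutionPolicy Bypass -File Test-LockedVolumes.ps1
# Assumes the PowerShell component is present in the boot image.

function Get-DiskpartVolumes {
    # Feed diskpart a script file instead of typing "list disk" / "list volume" interactively
    $script = Join-Path $env:TEMP 'listvol.txt'
    Set-Content -Path $script -Value @('list disk', 'list volume')
    $out = & diskpart /s $script
    Remove-Item $script -ErrorAction SilentlyContinue

    foreach ($line in $out) {
        # Constructed sample row (letter and label are optional in real output):
        #   Volume 1     C   OS           RAW    Partition    232 GB  Healthy
        if ($line -match '^\s*Volume\s+(?<num>\d+)\s+(?:(?<ltr>[A-Z])\s+)?.*?\s(?<fs>RAW|NTFS|FAT32|FAT|exFAT)\s') {
            [pscustomobject]@{
                Volume     = [int]$Matches.num
                Letter     = $Matches.ltr
                FileSystem = $Matches.fs
            }
        }
    }
}

function Test-LockedVolumes {
    $vols   = @(Get-DiskpartVolumes)
    $locked = @($vols | Where-Object { $_.FileSystem -eq 'RAW' })
    $vols | Format-Table -AutoSize

    if ($locked.Count -gt 0) {
        # RAW is how a still-locked PGP WDE volume shows up (step 4 of Testing)
        $letters = ($locked | ForEach-Object { if ($_.Letter) { $_.Letter } else { "vol$($_.Volume)" } }) -join ', '
        Write-Host "Locked (RAW) volumes: $letters"
        Write-Host 'Authenticate with pgpwde (Testing step 5), then re-run this script to confirm the unlock'
        return $false
    }
    Write-Host 'No RAW volumes: the disk is unlocked (or was never encrypted)'
    return $true
}

Test-LockedVolumes | Out-Null
```

Run it once before the pgpwde --auth command and once after; a true result on the second run is the same confirmation as browsing the drive in step 7, and a volume that still reports RAW after a successful "Request sent to Authenticate disk" points at a driver-version mismatch between the injected files and the client rather than at the boot media build.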

 

 


Comments

Mar 31, 2015 01:50 PM

Saved for SCCM notes, gotchas etc.
