EasyBCD with McAfee Endpoint Encryption

#1
Can EasyBCD be used with a drive that has been encrypted using McAfee Endpoint Encryption?

I have a laptop that has (had!) two bootable partitions of Windows 7 64bit. It worked fine until work decided that laptops had to have full disk encryption on them. Now I get the choice to boot the second partition but it then fails and I am sure it is down to the EE having changed the BCD.
What I would like to know, is can EasyBCD amend the current EE amended BCD to 1. allow the other partition to boot and 2. not shaft the work partition by causing EE to throw a wobbly because the BCD isn't the same as it changed it to be?

Many Thanks
 

mqudsi

Mostly Harmless
Staff member
#2
I honestly don't know.

Typically with full disk encryption, the BCD should call the bootloader for the decryption software which would then either manually load the OS or call the bootloader once more after decrypting.

Post your full BCD configuration details (EasyBCD | Detailed Mode) here and we'll see if they have anything of interest :smile:
 
#3
Here you go. Hope it is of some help.



Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=X:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
resumeobject {0c51fc90-f9af-11de-bbab-d68c7bc9128f}
displayorder {0c51fc95-f9af-11de-bbab-d68c7bc9128f}
             {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {0c51fc95-f9af-11de-bbab-d68c7bc9128f}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7 Home Version
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {0c51fc96-f9af-11de-bbab-d68c7bc9128f}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {0c51fc94-f9af-11de-bbab-d68c7bc9128f}
nx OptIn

Windows Boot Loader
-------------------
identifier {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7 Office (default)
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {0c51fc92-f9af-11de-bbab-d68c7bc9128f}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {0c51fc90-f9af-11de-bbab-d68c7bc9128f}
nx OptIn
 

mqudsi

Mostly Harmless
Staff member
#4
OK, what this tells me is that (as expected) McAfee most likely installs its decrypter to the bootloader, and only after it decrypts the hard drive does it launch the BCD and attempt to load Windows.

Unfortunately, your BCD looks to be all in order.
It doesn't look like McAfee messed around with the BCD.

What error do you get when you select the 2nd entry?
 
#5
When I get the option to select which OS to boot to, if I select the 'Home' partition I get:

Windows failed to start, a recent hardware or software change might be the cause.

Usual Repair using CD guff. (My terms, not Microsoft's!)

Status. 0xc000000e

The boot selection failed because a required device is inaccessible.
 

mqudsi

Mostly Harmless
Staff member
#6
Try deleting and recreating the entry in EasyBCD. It may reassociate the entry with the partition, but I'm highly dubious it'll work - nothing to lose though!
 
#7
Ok,

Got a slightly different error this time.

saying that it is unable to load or find \Windows\System32\Winload.exe

Have had a look in that location and it is there....

Any ideas?
 

mqudsi

Mostly Harmless
Staff member
#8
Sounds like the partition wasn't decrypted.

Double-check your McAfee settings and see if there's an option there that specifies which partitions will be decrypted at boot time?

If you're on the market for an alternative tool, TrueCrypt is free and great. Using it myself at home & work :smile:
 
#9
That's just it, that partition was never encrypted in the first place. Endpoint Encryption only encrypted the drive on Disk 0. The OS on Disk 1 was never touched.

The client shows

C: Full
D: None



Strange one really.
 

mqudsi

Mostly Harmless
Staff member
#10
Can you repaste the detailed mode again, after the changes we did with EasyBCD?
 
#11
Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=X:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
resumeobject {0c51fc90-f9af-11de-bbab-d68c7bc9128f}
displayorder {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
             {0c51fc98-f9af-11de-bbab-d68c7bc9128f}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
device partition=C:
path \Windows\system32\winload.exe
description Windows 7 Office (default)
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {0c51fc92-f9af-11de-bbab-d68c7bc9128f}
recoveryenabled Yes
osdevice partition=C:
systemroot \Windows
resumeobject {0c51fc90-f9af-11de-bbab-d68c7bc9128f}
nx OptIn

Windows Boot Loader
-------------------
identifier {0c51fc98-f9af-11de-bbab-d68c7bc9128f}
device partition=D:
path \Windows\system32\winload.exe
description Microsoft 7 Home
locale en-US
osdevice partition=D:
systemroot \Windows
 
#12
As an addendum, had the Endpoint Encryption removed last night as a 'test' and the second OS was bootable again.

The EasyBCD Detailed Mode output after the event was exactly the same as the one posted above which was taken before decryption and removal.
 

mqudsi

Mostly Harmless
Staff member
#13
OK, there's one more thing we can test.. I have my hands tied at work right now, but I'll post back with an update soon. :smile:
 

JustinW

Super Moderator
Staff member
#14
Does McAfee's product allow for an entire drive encryption rather than individual partitions? Give that a go...
 

mqudsi

Mostly Harmless
Staff member
#15
OK, sorry for the delay.

I've found the (most likely) cause of the problem. If, for some odd reason, the partition IDs differ between boot time and within Windows, setting the drive with EasyBCD (or any other tool, for that matter) will not work.

Boot from your Windows 7 CD or from our recovery discs (Download Windows 7 System Recovery Discs The NeoSmart Files). Let it auto-repair the startup or follow the directions here: http://neosmart.net/wiki/display/EBCD/Recovering+the+Vista+Bootloader+from+the+DVD

That should do the trick.
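
An added example, not part of the original thread or of EasyBCD: a small Python parser for the Detailed Mode text, run on trimmed excerpts of the dumps in posts #3 and #11, to show what changed for the D: entry when it was recreated. The function names `parse_bcd` and `diff_entry` are hypothetical.

```python
# Excerpts of the "Detailed Mode" dumps from posts #3 and #11, trimmed to the
# boot manager's displayorder and the loader entry for D: (the "Home" install).
BEFORE = """\
Windows Boot Manager
--------------------
displayorder {0c51fc95-f9af-11de-bbab-d68c7bc9128f}
{0c51fc91-f9af-11de-bbab-d68c7bc9128f}
Windows Boot Loader
-------------------
identifier {0c51fc95-f9af-11de-bbab-d68c7bc9128f}
device partition=D:
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice partition=D:
nx OptIn
"""
AFTER = """\
Windows Boot Manager
--------------------
displayorder {0c51fc91-f9af-11de-bbab-d68c7bc9128f}
{0c51fc98-f9af-11de-bbab-d68c7bc9128f}
Windows Boot Loader
-------------------
identifier {0c51fc98-f9af-11de-bbab-d68c7bc9128f}
device partition=D:
osdevice partition=D:
"""

def parse_bcd(text):
    """Parse bcdedit-style text into [(title, {element: [values]})]."""
    objects, lines, last = [], text.splitlines(), None
    for i, line in enumerate(lines):
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue
        if i + 1 < len(lines) and set(lines[i + 1].strip()) == {"-"}:
            objects.append((line, {}))         # title sits above a dashed rule
            last = None
        elif last and line.startswith("{") and line.endswith("}"):
            objects[-1][1][last].append(line)  # continuation of a GUID list
        else:
            last, _, value = line.partition(" ")
            objects[-1][1][last] = [value.strip()]
    return objects

def diff_entry(before, after, device):
    """Diff the Windows Boot Loader entries targeting `device` in two dumps."""
    def pick(text):
        return next(e for t, e in parse_bcd(text)
                    if t == "Windows Boot Loader" and e.get("device") == [device])
    b, a = pick(before), pick(after)
    return {"dropped": sorted(set(b) - set(a)),
            "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k])}
```

On these excerpts the recreated entry has a new identifier and no longer carries `inherit` or `nx`, while `device` and `osdevice` still read `partition=D:`, so the store's text alone does not account for the failure.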