
Windows PE Recovery Tools for Symantec Endpoint Encryption


Article ID: 161041


Products

Endpoint Encryption

Issue/Introduction

In scenarios where recovery may be needed on encrypted drives, using a WinPE disk with the SEE encryption driver embedded is the preferred method.

This article will go over the steps needed to create a WinPE image to be able to do further troubleshooting of systems encrypted with Symantec Endpoint Encryption, including Recovery.

Important Note: When using Symantec Endpoint Encryption to create this WinPE ISO, install the "Drive Encryption Only" installation package. Leave the SEE Removable Media Encryption package out of the installer so that only the Drive Encryption packages are included. This ensures that the proper WinPE ISO is created.

Resolution

Best Practices for creating Microsoft Windows Preinstallation Environment ISO for recovery

When an encrypted system fails to boot to the Windows operating system, recovery of data becomes the primary goal. Creating a customized Windows Preinstallation Environment (Windows PE) CD or UFD (USB flash drive) provides a bootable recovery tool that can be used for recovery purposes.

TIP: Before attempting to fix the system, first authenticate the disk and copy any needed data off it. Modifying the disk could cause irreversible damage to the filesystem, so proceed with caution. If the data on the encrypted disk is important, we recommend first making a sector-by-sector (1:1) clone of the disk and working from the copy. Copy the data off the disk rather than decrypting the drive as the first step. When in doubt, contact Symantec Encryption Support for further guidance.

You can use a customized Windows PE CD or UFD in the following ways:

  • To restore the previous master boot record (MBR) of the client computer, after you have restored the computer from a volume backup.
  • To recover the pre-OS screen of the client computer when a user fails to authenticate at pre-OS or the pre-OS screen is unavailable.
  • To decrypt an encrypted disk using client administrator authentication, Help Desk Recovery (for connected clients), or Advanced Help Desk Recovery (for never-connected clients).

Best Practices

As a best practice, you must create the customized Windows PE for recovery immediately after installing the client software, as soon as the recovery tools have been created. A customized Windows PE CD or UFD is the only way to recover your data when you cannot start your operating system. Because it stores the recovery tools away from your system, it is an important resource for disaster recovery.

To learn how to create a customized Windows PE CD or UFD, refer to the version of the Symantec Endpoint Encryption Technical Note for Recovering Encrypted Disks Using Windows Preinstallation Environment that matches your release:

  • SEE version 11.4.0
  • SEE version 11.3.0
  • SEE version 11.2.0
  • SEE version 11.1.0

Update June 10, 2019: SEE WinPE steps for Version 11.3.0 (See attached PDF).

Symantec Endpoint Encryption Drive Encryption Administrator Command Line does not generate a detailed log report of errors that occur during a Windows Preinstallation Environment operation. To enable Drive Encryption Administrator Command Line to generate detailed log reports, you must include the EEMALoggerDll.dll file in your Windows Preinstallation Environment. The EEMALoggerDll.dll file is available in the Symantec Endpoint Encryption Management Agent installation directory.

Starting with Symantec Endpoint Encryption 11.4, all information that was previously provided in the PDF attachments is provided in the steps below.

 

*Section 1 of 3: General Information for WinPE with Symantec Endpoint Encryption 11.4
*Section 2 of 3: Creating a Windows PE image
*Section 3 of 3: Using a customized Windows PE CD or UFD for recovery

 

Section 1 of 3: General Information for WinPE with Symantec Endpoint Encryption 11.4

Overview
The Microsoft Windows Preinstallation Environment (PE) is widely used by IT professionals in Windows environments for installation tasks, deployment, maintenance, troubleshooting, diagnosis, recovery, and so on.

When an encrypted disk fails to start the Windows operating system, recovery of data becomes the primary goal. Creating a customized Windows PE CD or UFD (USB Flash Drive) provides a bootable recovery tool that can be used for rescue purposes.

To create a bootable Windows PE CD or UFD, you must do the following:
*Pre-install the Symantec Endpoint Encryption Drive Encryption driver for decrypting the hard disk.

*Pre-install the Symantec Endpoint Encryption Drive Encryption tools for authentication.

The steps below provide instructions for creating and using both 32-bit and 64-bit Windows Preinstallation Environments.


Supported Versions of Windows PE
*Windows 11: Windows PE for Windows 11 (Windows PE version 10.1)

*Windows 10: Windows PE for Windows 10

*Windows Server 2012 R2 (Standard and Datacenter Editions, x64): Windows PE version 5.0

*Windows Server 2016 (Standard and Datacenter Editions, x64): Windows PE version 10.0

*Windows Server 2019 (Standard and Datacenter Editions, x64): Windows PE version 10.0

How to Obtain Windows PE
To use Windows PE, you must obtain and install the Windows Assessment and Deployment Kit (Windows ADK for Windows PE 4.0, 5.0, 5.1, and 10.0) from the following location:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install


Section 2 of 3: Creating a Windows PE image

Prerequisite

Before you create the Windows PE image, you must install Windows Assessment and Deployment Kit (ADK) for your Windows operating system.
Symantec recommends Windows ADK for Windows 10 or later.

For more information on installing the Windows ADK, see the topic “Installing the Windows ADK” available on msdn.microsoft.com.

At the time of this writing, use the following link:
https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install

 

Note: You must use the deployment tools command prompt as an administrator when creating the Windows PE image.


To create the Windows PE image

Step 1: To open the deployment tools command prompt with the correct path variables, select Start > Windows Kits > Windows ADK.

Step 2: Do one of the following:
*To create an image for a 32-bit Windows environment, run the following command:

copype.cmd x86 C:\winpe

*To create an image for a 64-bit Windows environment, run the following command:

copype.cmd amd64 C:\winpe

This command creates the Windows PE image at C:\winpe.

 

Customizing the Windows PE image

Ensure that you have copied the Windows PE image into the Windows folder, c:\winpe, and it is ready for customization.

To copy the Windows PE image into the Windows folder c:\winpe, run the following command:

xcopy c:\winpe\media\sources\boot.wim c:\winpe\winpe.wim


Note: Follow the instructions that are provided in the Windows Preinstallation Environment User’s Guide to prepare a drive or folder for customization.
The Windows Preinstallation Environment User’s Guide is included with the Windows Assessment and Deployment Kit (ADK).


Installing the Symantec Endpoint Encryption Drive Encryption tools
To install the Symantec Endpoint Encryption Drive Encryption tools run through the following steps:

Step 1: From a computer running Drive Encryption, copy the following files and transfer them to the c:\eede folder on a computer with Windows ADK installed:

*   C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\*
*   %SYSTEMROOT%\system32\drivers\eed*.sys
*   %SYSTEMROOT%\system32\shfolder.dll
*   %SYSTEMROOT%\System32\msvcp140.dll
*   %SYSTEMROOT%\System32\vcruntime140.dll
*   %SYSTEMROOT%\System32\vcruntime140_1.dll
*   %SYSTEMROOT%\system32\drivers\PGPce.*

Note: '%SYSTEMROOT%\System32\vcruntime140_1.dll' is applicable only to a 64-bit OS.

The PGPce files are available only on Windows systems running Symantec Endpoint Encryption 11.1.0 or later.


Step 2: Make the winpe folder your current working directory using the following command:
cd c:\winpe

Step 3: Download the eede.zip archive attached at the bottom of this Symantec Knowledge Base article.


Step 4: Extract (or unzip) files from the compressed folder eede.zip into the c:\winpe directory and run the following command:

eedpe.bat winpe.wim c:\eede

Step 5: Copy the file c:\winpe\winpe.wim to c:\winpe\media\sources\boot.wim and overwrite the old boot.wim file. To copy, run the following command:

xcopy /y c:\winpe\winpe.wim c:\winpe\media\sources\boot.wim


Step 6: Close the command prompt.

 

Creating a bootable ISO file and CD or USB flash drive

The next step is to turn the customized Windows PE image into a bootable .iso file and CD or USB flash drive.

To create a bootable .iso file or CD run through the following steps:

Step 1: On the ADK installed computer, open the Deployment and Imaging Tools Environment command prompt.
To open the deployment tools command prompt, search for Deployment, right-click Deployment and Imaging Tools Environment, and then select Run as administrator.

Step 2: As an administrator, run the following command:

MakeWinPEMedia /ISO C:\WinPE C:\WinPE\WinPE.iso

Step 3: Use CD-recording software to burn the winpe.iso image file to a CD.

 

To create a bootable USB flash drive

Open the Deployment and Imaging Tools Environment command prompt as an administrator and run the following command:

MakeWinPEMedia /UFD C:\WinPE F:

Note: The command above assumes that F: is the USB flash drive you will be using to create the WinPE disk.

For more information on creating a WinPE bootable USB flash drive, see the article "WinPE: Create USB Bootable drive" available on technet.microsoft.com.
At the time of this writing, the following article could be used:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11
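The Section 2 steps collected into one script that stops at the first failure, as an added example written for this article; it is not code from Symantec or from the eede.zip attachment. It assumes the Step 1 files are already in C:\eede and that eede.zip has been extracted into a staging folder C:\eede_zip (both the staging folder and the script name are this example's own choices).

```batch
@echo off
setlocal
rem build_see_winpe.cmd (hypothetical): runs the Section 2 steps in order and
rem stops at the first failure. Run it from the Deployment and Imaging Tools
rem Environment prompt opened as administrator.
rem Assumptions (not from the article): the Step 1 files are already in C:\eede,
rem and eede.zip has been extracted into C:\eede_zip; its contents are copied
rem into C:\winpe after copype.cmd runs, because copype.cmd refuses a
rem destination folder that already exists.
rem Usage: build_see_winpe.cmd [amd64 or x86] [ISO, or UFD followed by a drive letter such as F:]

set "ARCH=%~1"
set "MODE=%~2"
set "UFD=%~3"
set "WORK=C:\winpe"
set "EEDE=C:\eede"
set "STAGE=C:\eede_zip"
if "%ARCH%"=="" set "ARCH=amd64"
if "%MODE%"=="" set "MODE=ISO"
if /i not "%ARCH%"=="amd64" if /i not "%ARCH%"=="x86" (
    echo Architecture must be amd64 or x86.
    exit /b 1
)

rem Pre-flight checks: fail early rather than half-way through the build.
if not exist "%EEDE%\eed*.sys" (
    echo No eed*.sys driver files in %EEDE%. Complete Step 1 first.
    exit /b 1
)
if not exist "%STAGE%\eedpe.bat" (
    echo eedpe.bat not found in %STAGE%. Extract eede.zip there first.
    exit /b 1
)
if exist "%WORK%\" (
    echo %WORK% already exists; copype.cmd needs a fresh folder.
    exit /b 1
)

rem Step 2: create the base Windows PE working folder.
call copype.cmd %ARCH% "%WORK%" || exit /b 1
rem Working copy of boot.wim (the article uses xcopy; copy /y avoids the
rem file-or-directory prompt that xcopy shows for a destination that does not exist yet).
copy /y "%WORK%\media\sources\boot.wim" "%WORK%\winpe.wim" >nul || exit /b 1

rem Step 4: copy the eede.zip contents into C:\winpe and inject the SEE driver
rem and tools into winpe.wim; eedpe.bat is run from C:\winpe as in the article.
xcopy /e /y "%STAGE%\*" "%WORK%" >nul || exit /b 1
cd /d "%WORK%" || exit /b 1
call eedpe.bat winpe.wim "%EEDE%" || exit /b 1
if not exist "%WORK%\winpe.wim" (
    echo winpe.wim is missing after eedpe.bat; check its output.
    exit /b 1
)

rem Step 5: overwrite boot.wim with the customized image.
xcopy /y "%WORK%\winpe.wim" "%WORK%\media\sources\boot.wim" >nul || exit /b 1

rem Bootable media: ISO by default, or a USB flash drive. MakeWinPEMedia asks
rem before formatting the drive; that confirmation is left in place on purpose.
if /i "%MODE%"=="UFD" (
    if "%UFD%"=="" (echo UFD mode needs a drive letter, e.g. F: & exit /b 1)
    call MakeWinPEMedia /UFD "%WORK%" %UFD% || exit /b 1
) else (
    call MakeWinPEMedia /ISO "%WORK%" "%WORK%\WinPE.iso" || exit /b 1
)
```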

 

Section 3 of 3: Using a customized Windows PE CD or UFD for recovery

This section describes 10 scenarios for using a WinPE image for recovery in various ways.
Review each of them to determine which option is best for your situation.

It's always best to attempt to unlock a disk and copy data off before attempting any other scenario.

Scenario 1: Recovering an encrypted disk using the administrator command line
Scenario 2: Unlocking an encrypted disk using the client administrator credentials
Scenario 3: Recovering the preboot screen
Scenario 4: Restoring the old MBR
Scenario 5: Decrypting an encrypted disk using the client administrator credentials
Scenario 6: Decrypting an encrypted disk using the Help Desk Recovery commands
Scenario 7: Decrypting an encrypted disk using Advanced Help Desk Recovery
Scenario 8: Recovering an encrypted disk using the Symantec Disk Recovery Utility
Scenario 9: Decrypting an encrypted disk using the client administrator authentication
Scenario 10: Decrypting an encrypted disk using Help Desk Recovery

 

Recovering an encrypted disk
You can use the customized Windows PE CD or UFD to recover the encrypted disk in one of the following ways:

*Using the Symantec Endpoint Encryption Drive Encryption administrator command line
*Using the Symantec Disk Recovery Utility

Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

Scenario 1: Recovering an encrypted disk using the administrator command line
When you start your system in a Windows PE environment using the customized Windows PE CD or UFD, the Symantec Endpoint Encryption Drive Encryption administrator command prompt appears.

You can use the administrator command line to do the following:

*Unlock an encrypted disk using the client administrator authentication.
*Recover the preboot screen of the client computer when a user fails to authenticate at preboot or the preboot screen is unavailable.
*Restore the previous master boot record (MBR) of the client computer after restoring from a volume backup.
*Decrypt an encrypted disk using the client administrator authentication.
*Decrypt an encrypted disk using Help Desk Recovery (for managed clients) or Advanced Help Desk Recovery (for unmanaged clients).

Tip: For more information, see the Symantec Endpoint Encryption Drive Encryption Administrator Command Line Guide.

 

Scenario 2: Unlocking an encrypted disk using the client administrator credentials
If you do not want to decrypt an encrypted disk, you can use client administrator credentials to unlock it.
After the disk is unlocked, you can copy its data to a different disk.

To unlock an encrypted disk using the client administrator credentials, run through the following steps:

Step 1: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.

Step 2: To unlock an encrypted disk, run the following command at the administrator command prompt:

eedAdminCli --auth --disk <number> --au <AdminUserName>


where <number> is the disk number on the system and <AdminUserName> is the user name of the client administrator.

For example,

eedAdminCli --auth --disk 0 --au clientadmin1

This will prompt you for the password.
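The order this article recommends (authenticate, copy data off, and only then consider decryption) as one script for the administrator command prompt in the customized Windows PE. This is an added example, not a Symantec tool; it assumes that the unlocked volume is reachable under a drive letter passed as SRC, that DST is a separate unencrypted volume, and that eedAdminCli exits non-zero when authentication fails (the script also checks that the volume is readable, in case it does not).

```batch
@echo off
setlocal
rem see_unlock_and_copy.cmd (hypothetical): authenticate the disk, copy data
rem off it, and leave decryption as a later, separate decision, following the
rem order this article recommends. Run at the administrator command prompt of
rem the customized Windows PE.
rem Assumptions (not from the article): the unlocked volume appears under the
rem drive letter passed as SRC; DST is a separate unencrypted volume; and
rem eedAdminCli exits non-zero when authentication fails.
rem Usage: see_unlock_and_copy.cmd disk AdminUserName SRC: DST:

set "DISK=%~1"
set "ADMIN=%~2"
set "SRC=%~3"
set "DST=%~4"
if "%DST%"=="" (
    echo Usage: %~nx0 disk AdminUserName SRC: DST:
    exit /b 1
)
if /i "%SRC%"=="%DST%" (
    echo Source and destination must be different volumes.
    exit /b 1
)
if not exist "%DST%\" (
    echo Destination %DST% is not accessible.
    exit /b 1
)
set "LOG=%DST%\see_recovery_disk%DISK%.log"

rem Record the disk state before touching it (the Scenario 5 status command).
echo === %date% %time% status before unlock >> "%LOG%"
eedAdminCli --status --disk %DISK% >> "%LOG%" 2>&1
type "%LOG%"

rem Scenario 2: unlock with the client administrator credentials. The password
rem is entered at the prompt eedAdminCli shows, never on the command line.
eedAdminCli --auth --disk %DISK% --au %ADMIN%
if errorlevel 1 (
    echo Authentication failed; nothing was copied.
    exit /b 1
)
if not exist "%SRC%\" (
    echo %SRC% is not readable after unlock; check the disk number and drive letter.
    exit /b 1
)

rem Copy files off the unlocked volume: /E all folders, /H hidden and system
rem files, /C keep going past unreadable files, /F log full paths. Review the
rem log for errors before deciding whether to clone or decrypt the disk.
echo === %date% %time% copy %SRC% to %DST%\recovery >> "%LOG%"
xcopy "%SRC%\*" "%DST%\recovery" /E /H /C /Y /I /F >> "%LOG%" 2>&1
echo === %date% %time% xcopy exit code %errorlevel% >> "%LOG%"
echo Copy finished; review %LOG% before any further recovery step.
```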

 

Scenario 3: Recovering the preboot screen

Step 1: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.
Step 2: At the administrator command prompt, run the following command:

eedAdminCli --recover


Scenario 4: Restoring the old MBR
Caution: Restoring the old MBR overwrites the current MBR and could render the disk unrecoverable. Exercise caution when deciding to use this recovery option.

Step 1: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.
Step 2: At the administrator command prompt, run the following command:

eedAdminCli --fixmbr


The command replaces the current MBR with the old MBR.

 

Scenario 5: Decrypting an encrypted disk using the client administrator credentials

If there are multiple disks to decrypt, you should decrypt all of the secondary disks first, and then decrypt the primary disk.

Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

To decrypt an encrypted disk using the client administrator credentials, run through the following steps:

Step 1: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.

Step 2: To decrypt an encrypted disk, run the following command at the administrator command prompt:

eedAdminCli --decrypt --disk <number> --au <AdminUserName>


where <number> is the disk number on the system and <AdminUserName> is the user name of the client administrator.

For example:

eedAdminCli --decrypt --disk 0 --au clientadmin1

This will prompt for the passphrase.

Step 3: To check the progress of decryption, run the following command at the administrator command prompt periodically:

eedAdminCli --status --disk <number>



where <number> is the disk number on the system. For example:

eedAdminCli --status --disk 0

 

 

Scenario 6: Decrypting an encrypted disk using the Help Desk Recovery commands

If there are multiple disks to decrypt, you should decrypt all of the secondary disks first, and then decrypt the primary disk.
Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

To decrypt an encrypted disk using Help Desk Recovery, run through the following steps:

Step 1: Call your help desk administrator.

Step 2: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.

Step 3: To view the name and sequence number of the computer, run the following command at the administrator command prompt:

eedAdminCli --helpdesk-recovery

 

Step 4: Read out the displayed computer name and sequence number to the help desk administrator.

Step 5: Note down the response key of the computer that the help desk administrator provides.

Step 6: To use the response key and decrypt, run the following command at the administrator command prompt:

eedAdminCli --decrypt --disk <number> --response-key <response-key>

where <response-key> is the response key that the help desk administrator provides and <number> is the disk number on the system.


Scenario 7: Decrypting an encrypted disk using Advanced Help Desk Recovery
Step 1: Call your help desk administrator.

Step 2: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.

Step 3: To view the name, sequence number, and challenge key of the computer, run the following command at the administrator command prompt:

eedAdminCli --helpdesk-recovery --verbose


Step 4: Read out the displayed computer name, sequence number, and challenge key to your help desk administrator.

Step 5: Note down the response key of the computer that the help desk administrator provides.

Step 6: To use the response key and decrypt, run the following command at the administrator command prompt:

eedAdminCli --decrypt --disk <number> --response-key <response-key>


where <response-key> is the response key that the help desk administrator provides and <number> is the disk number on the system.

 

Scenario 8: Recovering an encrypted disk using the Symantec Disk Recovery Utility

Symantec Disk Recovery Utility provides an interface for you to enter your credentials for authentication, select the disk that you want to decrypt, and track the progress of decryption.
The utility decrypts the entire disk and does not decrypt a partition.

Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

To open the Symantec Disk Recovery Utility run through the following steps:

Step 1: Start the system in the Windows PE environment using the customized Windows PE CD or UFD.

Step 2: At the administrator command prompt, type eedRecoveryGUI.exe, and press Enter.

Step 3: In the Symantec Disk Recovery Utility welcome screen, click Next.

Step 4: From the Choose a physical drive to process list, select the encrypted disk that you want to recover, and then click Next.

This list displays only the disks that are encrypted. The list does not show any unencrypted disks, external disks, or removable drives.

Step 5: Select one of the options for authentication. Your options are:
*   Client Admin - You can use the authentication credentials of the client administrator.

*   Help Desk Recovery - You can use the response key that the help desk administrator provides to decrypt the encrypted disk.

 

Scenario 9: Decrypting an encrypted disk using the client administrator authentication

Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

To decrypt an encrypted disk using the client administrator authentication, run through the following steps:

Step 1: In the Symantec Disk Recovery Utility dialog box, select the Client Admin option.

Step 2: Do the following:
*Type the user name of the client administrator in the Username box.
*Type the password of the client administrator in the Password box.

Step 3: Click Next.

Step 4: Read the message about the uninterrupted power supply, and then click OK.
The utility displays a progress bar to indicate the progress of decryption.

Step 5: After the decryption of the disk is complete, in the confirmation dialog box, click OK.

 

Scenario 10: Decrypting an encrypted disk using Help Desk Recovery

Note: Ensure that you provide an uninterrupted power supply to your computer when decryption is in progress.

To decrypt an encrypted disk using Help Desk Recovery run through the following steps:

Step 1: In the Symantec Disk Recovery Utility dialog box, select the Help Desk Recovery option.

Step 2: Call the help desk administrator for authentication.

Step 3: Provide the following information from the Symantec Disk Recovery Utility dialog box to your help desk:

*   Computer - The domain and the name of the computer.
*   Sequence No. - A four-digit number that is used to synchronize a client with the server.

Step 4: If the help desk administrator fails to retrieve your computer information and requests you to use the Advanced Help Desk Recovery, then press F5.
The Symantec Disk Recovery Utility dialog box displays the Challenge Key. Provide the challenge key to your administrator.

Step 5: Note down the response key that the help desk administrator provides.

Step 6: Type the response key in the Response Key box, and then click Next.

Step 7: Read the message about uninterrupted power supply, and then click OK.
The utility displays a progress bar to indicate the progress of decryption.

Step 8: After the decryption of the disk is complete, in the confirmation dialog box, click OK.

 

Additional Information

194755 - Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)

162486 - Systems unable to boot properly after Encrypting disk with Symantec Drive Encryption when BIOS set to RAID On

179265 - How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11

213890 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Endpoint Encryption

179262 - How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2.x and 10.5.x

 

Attachments

1611246064246__eede.zip
symcEE_11.3.0_WinPE_TechNote.pdf
symcEE_11.2.0_WinPE_TechNote.pdf
symcEE_11.1.0_WinPE_TechNote.pdf