3.1 Creating a Windows PE Emergency Recovery Disk

This section explains how to create a bootable Emergency Recovery Disk (ERD) using Microsoft Windows Preinstallation Environment (Windows PE). When it is booted, the ERD provides access to the Emergency Recovery application you can use to perform recovery operations on a device.

IMPORTANT: ZENworks Cool Solutions provides a Windows PowerShell script that automates the creation of Windows PE ERDs. For details, see the Windows Powershell script to create a Windows PE emergency recovery disk for ZENworks Full Disk Encryption article.

3.1.1 Prerequisites

Before you can create a Windows PE ERD, you must complete the following on the device where you plan to create the ERD:

  • Install the Windows Automated Installation Kit (AIK) for Windows 7. Download the AIK from the following location:

  • Download the Emergency Recovery application for Windows PE:

    1. In ZENworks Control Center, click Home.

    2. Under Common Tasks (in the left navigation panel), click Download ZENworks Tools.

    3. Click Administrative Tools, then click Full Disk Encryption.

    4. Click ZFDE_WinPE_Plugin.zip to download the zip file.

    5. Extract the zip file to a directory on the device (for example, c:\winpe_plugin).

NOTE: You can use a Windows PE ERD, created using the Windows AIK, to recover any Windows OS device.

3.1.2 Creating a Windows PE ERD

  1. Open the Windows PE Deployment Tools command prompt:

    • Windows 7: Click Start > All Programs > Microsoft Windows AIK. Right-click Deployment Tools Command Prompt and select Run as administrator.

    The command prompt is displayed.

  2. In the Deployment Tools command prompt:

    1. Enter the following command to create the build directory for the Windows PE CD:

      copype <architecture> <destination>

      Use the following options:

      Option            Details
      <architecture>    Always use x86 for this setting. The x86 setting works for both 32-bit and 64-bit operating systems.
      <destination>     The build directory to which the Windows PE files will be copied.

      For example:

      copype x86 c:\winpe

      This example creates the following build directory structure:

      • c:\winpe: Contains the Windows PE bootstrap loader (ETFSBoot.com) and a Windows PE image file (winpe.wim) that has all of the files for a basic Windows PE CD.

      • c:\winpe\ISO: Contains the files needed to create the base Windows PE ISO image.

      • c:\winpe\mount: An empty folder that will be used to mount the Windows PE image file (winpe.wim) so that changes can be made to it.

    2. Enter the following command to mount the winpe.wim image in the c:\winpe\mount directory:

      imagex /mountrw c:\winpe\winpe.wim 1 c:\winpe\mount

      This command (and all commands in the next steps) assumes that you specified c:\winpe as your build directory when running the copype command. If you used another directory, substitute that directory in the commands.

    3. Create the following directory structure:

      c:\winpe\mount\program files\FinallySecure\eri

      You can create the directories at the Deployment Tools command prompt or in another tool such as Windows Explorer.

      The Emergency Recovery application, as well as the encryption drivers, are provided by SECUDE AG. The application, files, and directories have not been renamed. As you prepare and use the application, you will see directory names such as FinallySecure and registry keys such as fsesys.

    4. Copy the Emergency Recovery application files to the FinallySecure directory created in the previous step:

      xcopy c:\winpe_plugin\EN\files\*.* "c:\winpe\mount\program files\FinallySecure" /s /e

      These paths assume that you extracted the application files to the c:\winpe_plugin directory (see Prerequisites). If you used a different directory, copy the files from that directory.

    5. Copy the encryption drivers to the Windows PE system drivers directory:

      xcopy c:\winpe_plugin\EN\files\*.sys c:\winpe\mount\windows\system32\drivers /s /e /y

    6. Copy the Microsoft OLE User Interface Support file from the device’s system directory to the Windows PE system directory:

      xcopy c:\windows\system32\oledlg.dll c:\winpe\mount\windows\system32 /I /e /Y

  3. Open a standard command prompt and do the following:

    1. Enter the following command to load the FinallySecure registry hive:

      REG LOAD "HKLM\fsesys" c:\winpe\mount\windows\system32\config\system

    2. Add the following registry entries for the plug-in by typing each line at the command prompt and then pressing Enter.

      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v DisplayName /t REG_SZ /d NBFDENC
      
      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v ErrorControl /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Type /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Start /t REG_DWORD /d 0x0
      
      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Group /t REG_SZ /d "System Bus Extender"
      
      REG ADD HKLM\fsesys\ControlSet001\Services\NBFDENC /v Tag /t REG_DWORD /d 0x2
      
      REG ADD HKLM\fsesys\ControlSet001\Services\AES /v DisplayName /t REG_SZ /d AES
      
      REG ADD HKLM\fsesys\ControlSet001\Services\AES /v ErrorControl /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Type /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Start /t REG_DWORD /d 0x0
      
      REG ADD HKLM\fsesys\ControlSet001\Services\AES /v Group /t REG_SZ /d "Primary Disk"
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DES /v DisplayName /t REG_SZ /d DES
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DES /v ErrorControl /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Type /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Start /t REG_DWORD /d 0x0
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DES /v Group /t REG_SZ /d "Primary Disk"
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v DisplayName /t REG_SZ /d DESX
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v ErrorControl /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Type /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Start /t REG_DWORD /d 0x0
      
      REG ADD HKLM\fsesys\ControlSet001\Services\DESX /v Group /t REG_SZ /d "Primary Disk"
      
      REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v DisplayName /t REG_SZ /d BLOWFISH
      
      REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v ErrorControl /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Type /t REG_DWORD /d 0x1
      
      REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Start /t REG_DWORD /d 0x0
      
      REG ADD HKLM\fsesys\ControlSet001\Services\BLOWFISH /v Group /t REG_SZ /d "Primary Disk"
      
      REG ADD "HKLM\fsesys\ControlSet001\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}" /v LowerFilters /t REG_MULTI_SZ /d nbfdenc\0fvevol /f
      
      REG ADD "HKLM\fsesys\ControlSet001\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}" /v UpperFilters /t REG_MULTI_SZ /d PartMgr\0nbfdenc /f

    3. Enter the following command to unload the FinallySecure registry hive:

      REG Unload "HKLM\fsesys"

  4. (Optional) Copy ERI files to the following directory:

    c:\winpe\mount\program files\FinallySecure\ERI

    In order to recover a device, the Emergency Recovery application must have access to the device’s ERI file.

    If you are creating the ERD to recover a specific device, you might want to add the ERI file to the ERD so that everything required to recover the device is on the ERD. If you are creating a generic ERD for use with any device, you might want to wait until a recovery situation arises with a device and then add the device’s ERI file to a USB device that can be distributed with the ERD.

    For information about accessing ERI files, see Retrieving ERI Files and Passwords.

  5. Configure the Emergency Recovery application to autostart in the desired language:

    1. In a text editor (run as Administrator), open the c:\winpe\mount\windows\system32\startnet.cmd file.

    2. Under wpeinit, add the following line:

      "X:\Program Files\FinallySecure\pe_erd_w32.exe"

    3. (Optional) Add the following lines to change the input language and keyboard layout from the default (EN-US):

      wpeutil SetKeyboardLayout <keyboard layout ID>
      wpeutil SetUserLocale <language-name>

      For a list of <keyboard layout ID> values, see the Microsoft Go Global Development Center. The <language-name> values are in standard international language code format (en-US, de-DE, es-ES, and so forth). For example, a German keyboard layout and locale would be:

      wpeutil SetKeyboardLayout 0407:00000407
      wpeutil SetUserLocale de-DE

    4. Verify that the final changes are similar to the following:

      wpeinit
      "X:\Program Files\FinallySecure\pe_erd_w32.exe"
      wpeutil SetKeyboardLayout 0407:00000407
      wpeutil SetUserLocale de-DE

    5. Save the changes.

  6. At the Deployment Tools command prompt:

    1. Enter the following command to unmount the image and commit the changes to the original image file (winpe.wim):

      imagex /unmount /commit c:\winpe\mount

    2. Enter the following command to replace the image in the ISO directory with the newly updated image file (winpe.wim):

      copy c:\winpe\winpe.wim c:\winpe\iso\sources\boot.wim

    3. Enter the following command to create the ISO image file:

      oscdimg -n -h -bc:\winpe\etfsboot.com c:\winpe\iso c:\winpe\winpe.iso

  7. Burn the winpe.iso image to a DVD.

    or

    Use the winpe.iso image to create a bootable USB device. See Creating a Windows PE Emergency Recovery USB Drive.

The ERD is ready to use.
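
A mistyped REG ADD line in step 3 leaves an encryption driver or class filter unregistered in the image. The following PowerShell check is an added example, not part of the original procedure or of ZENworks: run it in an elevated session after step 3.2, while HKLM\fsesys is still loaded and before the REG Unload command. The expected values are transcribed from the REG ADD commands above; the variable names are illustrative.

```powershell
# Added example: verify the offline-hive edits from step 3.2 before unloading.
# Assumes the hive is loaded at HKLM\fsesys, as in the procedure above.
$root = 'HKLM:\fsesys\ControlSet001'
# Per-service values from the REG ADD commands on this page.
$expected = [ordered]@{
    NBFDENC  = @{ Group = 'System Bus Extender'; Tag = 2 }
    AES      = @{ Group = 'Primary Disk' }
    DES      = @{ Group = 'Primary Disk' }
    DESX     = @{ Group = 'Primary Disk' }
    BLOWFISH = @{ Group = 'Primary Disk' }
}
# Values every service entry shares (Type 1 = kernel driver, Start 0 = boot start).
$common = @{ ErrorControl = 1; Type = 1; Start = 0 }
# Class filter lists: Volume class (LowerFilters) and DiskDrive class (UpperFilters).
$filters = @(
    @{ Class = '{71A27CDD-812A-11D0-BEC7-08002BE2092F}'; Name = 'LowerFilters'; Value = 'nbfdenc', 'fvevol' }
    @{ Class = '{4D36E967-E325-11CE-BFC1-08002BE10318}'; Name = 'UpperFilters'; Value = 'PartMgr', 'nbfdenc' }
)

$problems = @()
foreach ($svc in $expected.Keys) {
    $props = Get-ItemProperty -LiteralPath "$root\Services\$svc" -ErrorAction SilentlyContinue
    if (-not $props) { $problems += "${svc}: service key missing"; continue }
    $want = $common + $expected[$svc] + @{ DisplayName = $svc }
    foreach ($name in $want.Keys) {
        if ($props.$name -ne $want[$name]) {
            $problems += "${svc}\${name}: expected '$($want[$name])', found '$($props.$name)'"
        }
    }
}
foreach ($f in $filters) {
    $key = "$root\Control\Class\$($f.Class)"
    $found = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).($f.Name)
    # REG_MULTI_SZ comes back as a string array; compare the whole ordered list.
    if (($found -join ',') -ne ($f.Value -join ',')) {
        $problems += "$($f.Class)\$($f.Name): expected '$($f.Value -join ',')', found '$($found -join ',')'"
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All fsesys service and class-filter entries match the documented values.' }
```

Because the two class-filter commands use /f, they overwrite the entire LowerFilters and UpperFilters values, so the check compares against the exact lists shown in step 3.2.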