Thursday, November 15, 2012

Integrating McAfee EEPC 5 with WinPE 4 and DaRT 8

We use McAfee Endpoint Encryption 5 and have the standard SafeTech and WinTech CDs for our technicians to use. Most of these are built with BartPE, but there are a lot of sites and blogs with information about how to get it working with a standard WinPE 3 disk (Simon Hunt's blog being the predominant one).

With the deprecation of WAIK and the introduction of ADK and WinPE 4, I figured it was time to see if I could inject the EEPC components into WinPE 4, and if that worked, DaRT 8. The advantages are obvious... a single disk with all the appropriate tools on it capable of dealing with Drive Decryption (and yes, I know we could do this with DaRT 8 if we were using BitLocker without the extra work).

WinPE 4 is really easy to work with thanks to the PowerShell extensions for it. If you have access to DaRT, the UI actually provides the option to save the creation steps out as a PowerShell script.

An example:
Import-Module "Dism"
Copy-Item E:\sources\boot.wim C:\temp -Force
Mount-WindowsImage -ImagePath C:\temp\boot.wim -Path C:\mnt -Index 2
### Custom steps
Dismount-WindowsImage -Path C:\mnt -Save

With access to DaRT8, the custom steps to add DaRT Tools are very minor:
$config = New-DartConfiguration -AddAllTools
$config | Set-DartImage -Path C:\mnt

There are obviously different options for DaRT's configuration.  Just play with different selections in the UI, save to PowerShell and you can see the results.  The other major commands for customizing WinPE or the DaRT Image are Add-WindowsPackage and Add-WindowsDriver.

In order to add EEPC components during creation of the image, just add the following steps before using Dismount-WindowsImage:
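# $TempMountPath is the folder the image is mounted to (C:\mnt in the example above);
# $CustomFilesPath is the folder that holds "Support Files".
New-Item "$TempMountPath\Windows\System32\SafeBoot" -Type Directory
New-Item "$TempMountPath\Program Files (x86)\McAfee" -Type Directory
Copy-Item "$CustomFilesPath\Support Files\Program Files (x86)\*" "$TempMountPath\Program Files (x86)" -Force -Recurse
Copy-Item "$CustomFilesPath\Support Files\Windows\*" "$TempMountPath\Windows" -Force -Recurse
# Load the mounted image's offline SYSTEM hive, import the registry changes, then unload the hive before dismounting.
REG LOAD HKLM\SafeBoot "$TempMountPath\Windows\System32\config\system"
REG IMPORT "$CustomFilesPath\Support Files\registry changes.reg" 2> $null
REG UNLOAD HKLM\SafeBoot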

This was based on Simon Hunt's directions for including EEPC in BartPE or WinPE 3.  Here is a list of the files in my $CustomFilesPath folders:

  • Support Files\
    • Program Files\
      • McAfee\
        • SbAlgs\
          • SbAlg.a64
          • SbAlg.dll
          • SbAlg.dlm
          • SbAlg.sys
        • SbReaders\
          • SbReaderPcsc.dll
        • SbTokens\
          • SbTokenPwd.dll
          • SbTokenPwd.dlm
      • SbComms.dll
      • SbDbMgr.dll
      • SbErrors.xml
      • SbUiLib.dll
      • SbWinTech.exe
      • SbXferDb.dll
    • Windows\
      • Fonts\
        • cour.ttf
        • courbd.ttf
        • courbi.ttf
        • coure.fon
        • couri.ttf
      • System32\
        • Drivers\
          • SafeBoot.sys
          • SbAlg.sys
          • tcpipreg.sys
        • Safeboot\
          • sbtag
          • TxtSetup.OEM

Some of these came from Simon's ZIP and the rest came from my install of EEPC, EEPC Admin, or the SafeTech/WinTech ISOs, so use what you have to fill in the structure.
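
Because the staged files come from several sources (a downloaded ZIP, an existing install, the vendor ISOs), it helps to record exactly what goes into the boot image. The following PowerShell is an added example, not part of the original post or of McAfee's tooling: it checks that key files named above are present, then writes a SHA-256 and Authenticode-status manifest. The default paths and the `$ManifestPath` parameter are assumptions.

```powershell
# Added example: pre-flight check of the staged EEPC files before copying them into the image.
param(
    [string]$CustomFilesPath = 'C:\temp\EEPC',              # assumption: staging folder
    [string]$ManifestPath    = 'C:\temp\eepc-manifest.csv'  # assumption: report location
)

# Resolve the "Support Files" folder used by the post's script; stop if it does not exist.
$root = (Get-Item -LiteralPath (Join-Path $CustomFilesPath 'Support Files') -ErrorAction Stop).FullName

# Leaf names taken from the post's script and file listing, used as a minimal presence check.
$required = 'SafeBoot.sys', 'SbAlg.sys', 'SbWinTech.exe', 'sbtag', 'registry changes.reg'

$files   = @(Get-ChildItem -LiteralPath $root -Recurse -File)
$missing = @($required | Where-Object { $files.Name -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Missing from staging folder: $($missing -join ', ')"
}

# Hash every file; query Authenticode only for binaries that will load in WinPE.
$binaryExt = '.sys', '.dll', '.exe'
$report = foreach ($f in $files) {
    $status = 'n/a'
    $signer = ''
    if ($binaryExt -contains $f.Extension.ToLowerInvariant()) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]@{
        RelativePath = $f.FullName.Substring($root.Length).TrimStart('\')
        SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Signature    = $status
        Signer       = $signer
    }
}

# Keep the manifest with the build so a later image can be compared against it.
$report | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation

# Surface anything that is a binary but does not carry a valid signature.
$flagged = @($report | Where-Object { $_.Signature -ne 'n/a' -and $_.Signature -ne 'Valid' })
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) binaries without a valid Authenticode signature:"
    $flagged | Format-Table RelativePath, Signature -AutoSize
}
```

Run it before Mount-WindowsImage; any flagged file should be traced back to the install media it came from before it is copied into the image.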

Unfortunately, this only works in the x86 versions of WinPE 4 or DaRT8 because there appears to be no x64 version of EEPC.  Additionally, I was unable to use winpeshl.ini or WinREConfig.xml to control things within WinPE 4/DaRT8 as in previous versions.  I'm sure I'm doing something wrong, but I was unable to get the custom changes to either file to truly take effect (like "AlwaysAuthenticate" or "NonAdminToolsOnly").  I know changes made to winpeshl.ini were being read in, but trying to launch WinTech directly didn't work for me.  I launched it by browsing the Recovery drive and finding it under X:\Program Files\McAfee\WinTech.exe (right where I put it).

It's not perfect, but it worked for me, is repeatable with PowerShell, and doesn't require the software to actually be installed on the machine building the WinPE / DaRT discs.  Hope it helps someone else. : )

-DCtheGeek



1 comment:

  1. Good day!
    Can you lay out the iso file. Thanks in advance!
