Endpoint Encryption

Uninstall SEE 11.2 from MBR machine

posted 10-12-2020 01:34 PM
Howdy folks,

I've been decrypting and removing SEE from machines. This has been going pretty well, I have a task sequence that starts the decryption and monitors it until the decryption finishes and then uninstalls. Unfortunately, if the machine is using MBR the drive will still be instrumented and refuse to uninstall the product.

I experimented, and didn't have much luck. I took a gamble that, since the drive was no longer encrypted, I could try purging the MBR to release the pre-boot authentication. That was a really dumb idea. Is there a non-destructive way to get Endpoint Encryption off of an MBR machine? My in-place upgrades are failing and 1803 needs to go (I have about 600 laptops to upgrade).

On the UEFI side of the house, the upgrades seem fine. I can set the autologon for the post setup, and I split out the drivers for the actual OS upgrade. The MBR machines, however, seem to have a high fail rate; I'd love to convert them or even do a wipe and reload. Unfortunately we're not in a position for a wipe and reload, and converting while the encryption is still on the machine seems very not-possible.
Broadcom Employee

I would recommend trying another --decrypt command using eedAdminCli.exe; if executed on a decrypted disk it will (re)try to remove the MBR and restore the former MBR. SEE should do this automatically on both MBR and UEFI disks, so it's possible something is preventing it from writing to the MBR. This can sometimes be caused by BIOS antivirus settings (to prevent boot sector viruses), so check the BIOS on the MBR machines to see if any of the settings seem to fit that category. eedadmincli.exe --status will show you what state the software thinks the disk is in; you might want to post the results of that if you still can't get the MBR machines to remove the SEE MBR.

If you are doing decryption just to do the Windows 10 upgrade and are re-installing once upgraded, you might consider doing an in-place upgrade with the disk remaining encrypted. More information on this process is available here: https://knowledge.broadcom.com/external/article?legacyId=HOWTO125875
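The steps in the reply above (record --status, re-run --decrypt on the already-decrypted disk, re-check --status) can be wrapped so a task sequence keeps evidence of what the client reported. The following PowerShell is an added example, not Broadcom's code or anything posted in this thread. It assumes the default Drive Encryption install path shown in `$Cli`, that eedAdminCli.exe returns exit code 0 on success, and that any authentication switches your environment requires are supplied through `$AuthArgs` (left as a placeholder); only the `--status` and `--decrypt` switches named in the reply are used.

```powershell
# Added example (not Broadcom's code): re-run --decrypt and log --status before and after,
# so a failing MBR machine leaves a record the task sequence or a support case can use.
# Assumptions: install path below; exit code 0 means success; auth switches go in $AuthArgs.
$Cli = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\eedAdminCli.exe'  # assumed default path
$Log = Join-Path $env:ProgramData 'SEE-Removal\eedAdminCli.log'
$AuthArgs = @()   # placeholder: add the admin credential switches your policy requires

function Invoke-EedCli {
    param([string[]]$Arguments)
    $out = & $Cli @Arguments 2>&1
    $code = $LASTEXITCODE
    $entry = "[{0}] eedAdminCli {1} -> exit {2}`n{3}" -f (Get-Date -Format s),
        ($Arguments -join ' '), $code, ($out -join "`n")
    Add-Content -Path $Log -Value $entry
    return [pscustomobject]@{ ExitCode = $code; Output = ($out -join "`n") }
}

New-Item -ItemType Directory -Force -Path (Split-Path $Log) | Out-Null

# 1. Record what the software thinks the disk state is before touching anything.
$before = Invoke-EedCli -Arguments (@('--status') + $AuthArgs)

# 2. Re-issue --decrypt; per the reply, on an already-decrypted disk this retries
#    removing the SEE MBR and restoring the former one.
$decrypt = Invoke-EedCli -Arguments (@('--decrypt') + $AuthArgs)

# 3. Re-check status and compare, without assuming the exact wording of the output.
$after = Invoke-EedCli -Arguments (@('--status') + $AuthArgs)
if ($before.Output -eq $after.Output) {
    Write-Warning "--status output unchanged after --decrypt; check BIOS boot-sector protection and review $Log."
}
if ($decrypt.ExitCode -ne 0) {
    Write-Warning "--decrypt returned $($decrypt.ExitCode); see $Log."
    exit $decrypt.ExitCode
}
exit 0
```

Run it as the step before the uninstall in the task sequence; the log file is what to attach when posting `--status` results, as the reply suggests.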

I'll give another --decrypt a try, most of what I experienced was less than encouraging.

I have successfully upgraded several thousand machines without decrypting; however, these 1803 MBR machines are sitting at a 100% failure rate. Could it be something weird with the machine or how it was set up? Maybe, there's always that possibility. I didn't create that image, and we'll eventually be wiping and reloading them. The EOL for 1803 will hit before I can get the roadblocks cleared for them to use our main production image.

Our security folks chose not to renew our SEE Licensing, so ultimately removal is in the cards. The issues with upgrading these particular machines have expedited the concern.