Quantcast
Channel: Symantec Connect - Products
Viewing all articles
Browse latest Browse all 21433

Does not Boot: 'Bootguard' in Top Left Corner with Flashing Cursor

$
0
0
I need a solution

Recently a Lenovo X1 Carbon 2nd Generation (Haswell) was reimaged after having been encrypted.

Now, when the system boots, the text 'bootguard' appears in the top left corner of the screen with a flashing cursor, and the system doesn't boot further.
Meaning, there is no password prompt, no graphical interface - just the text 'bootguard' and that's it.

I was able to reproduce this on the following machines:

  • Lenovo T430s
  • Lenovo T450s
  • Lenovo X1 Carbon 3rd Generation (Broadwell).

I was able to fix the T430s by:

  1. Removing the SSD
  2. Slaving it to a Win 7 machine that had PGP installed
  3. I could browse the disk, see the data and read from and write to the disk
  4. Disk Management only showed one single partition and 1 volume
  5. I deleted the partition and creatied a new one
  6. Confirmed I could write to it
  7. Popped the disk back into the machine, and booted.
  8. No 'bootguard' text in the upper left hand corner; just a failed boot attempt because there was no OS.
  9. From there I could reimage without issue

While that's great, I can't easily remove the mSATA drives in the X1 Carbons, and even if I got it out, I don't have an mSATA to USB adapter.

There is no data on these disks that I need.  I just want to be able to reimage them without jumping through a bunch of hoops.

How can I completely blow away bootguard?
How to resolve without slaving the disk or decrypting?
How to avoid this problem?

Steps to reprodcuce:

  1. Use a fresh machine
  2. Install our Windows 7 Enterprise x64 SP1 image (via MDT/SCCM)
  3. Install PGP after the system completes the imaging process.
  4. User logs on, is associated with PGP, the encryption process begins
  5. After an hour or two the SSD is encrypted
  6. A restart confirms the disk is locked as the user must authenticate to boot.
  7. After successful authentication, it boots into Windows and SSO kicks in wonderfully.
  8. Restart the machine
  9. PXE boot / boot CD imaging media / boot USB imaging media (MDT/SCCM)
  10. Boots into WinPE fine, we select the install OS task sequence and the process beings
  11. Once the WIM has been laid down onto the disk, DISM applies the unattend.xml file
  12. WinPE issues reboot command to boot Windows, do hardware detection etc.
  13. System POSTs successfully (See the Lenovo ThinkPad logo etc.)
  14. bootguard text appears in top left corner with a flashing cursor
  15. Nothing happens after that, even when left over a weekend

Here's what little I know so far:

  • When this happens, there is only 1 disk, 1 volume and 1 partition.
  • I have tried 'clear'ing the disk via diskpart and creating new partitions via diskpart
  • I'm not seeing any hidden partitions in diskpart
  • Volume is not read-only (I can write to it in WinPE)
  • I can authenticate in WinPE
    pgpwde --auth --disk 0 -p mysillypassword
    Request sent to Authenticate disk was successful
     
  • I cannot uninstrument the disk (because its encrypted?):
    pgpwde --uninstrument --disk 0
    Operation unstrument disk failed:
    Error code -12220: Disk already managed
     
  • Disk status:
    pgpwde --status
    Disk 0 is instrumented by bootguard
       Current key is valid.
    Drive encrypted
       Total sectors 500115456 highwatermark: 500115454 reserved start sectors: 2
    Request sent to Disk status was successful
     
  • Disk enum:
    pgpwde --enum
    Total number of installed fixed/removable storage device (excluding floppy and CDROM): 2
    Managed disks:
       Disk Group whatever-guid
         Disk 0 has 1 online volumes:
           volume C:\ OSDisk is on partition 1 with offset 2048
    Unmanaged disks:
       Disk 1 has 1 online volumes:
         volume D:\ is on partition 1 with offset 2048
    Request sent to Enumerate disks was successful
1428010639

Viewing all articles
Browse latest Browse all 21433

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>