Recently a Lenovo X1 Carbon 2nd Generation (Haswell) was reimaged after having been encrypted.
Now, when the system boots, the text 'bootguard' appears in the top left corner of the screen with a flashing cursor, and the system doesn't boot further.
Meaning, there is no password prompt, no graphical interface - just the text 'bootguard' and that's it.
I was able to reproduce this on the following machines:
- Lenovo T430s
- Lenovo T450s
- Lenovo X1 Carbon 3rd Generation (Broadwell).
I was able to fix the T430s by:
- Removing the SSD
- Slaving it to a Win 7 machine that had PGP installed
- I could browse the disk, see the data and read from and write to the disk
- Disk Management only showed one single partition and 1 volume
- I deleted the partition and created a new one
- Confirmed I could write to it
- Popped the disk back into the machine, and booted.
- No 'bootguard' text in the upper left hand corner; just a failed boot attempt because there was no OS.
- From there I could reimage without issue
While that's great, I can't easily remove the mSATA drives in the X1 Carbons, and even if I got it out, I don't have an mSATA to USB adapter.
There is no data on these disks that I need. I just want to be able to reimage them without jumping through a bunch of hoops.
How can I completely blow away bootguard?
How to resolve without slaving the disk or decrypting?
How to avoid this problem?
Steps to reproduce:
- Use a fresh machine
- Install our Windows 7 Enterprise x64 SP1 image (via MDT/SCCM)
- Install PGP after the system completes the imaging process.
- User logs on, is associated with PGP, the encryption process begins
- After an hour or two the SSD is encrypted
- A restart confirms the disk is locked as the user must authenticate to boot.
- After successful authentication, it boots into Windows and SSO kicks in wonderfully.
- Restart the machine
- PXE boot / boot CD imaging media / boot USB imaging media (MDT/SCCM)
- Boots into WinPE fine, we select the install OS task sequence and the process begins
- Once the WIM has been laid down onto the disk, DISM applies the unattend.xml file
- WinPE issues reboot command to boot Windows, do hardware detection etc.
- System POSTs successfully (See the Lenovo ThinkPad logo etc.)
- bootguard text appears in top left corner with a flashing cursor
- Nothing happens after that, even when left over a weekend
Here's what little I know so far:
- When this happens, there is only 1 disk, 1 volume and 1 partition.
- I have tried 'clear'ing the disk via diskpart and creating new partitions via diskpart
- I'm not seeing any hidden partitions in diskpart
- Volume is not read-only (I can write to it in WinPE)
- I can authenticate in WinPE:
    pgpwde --auth --disk 0 -p mysillypassword
    Request sent to Authenticate disk was successful
- I cannot uninstrument the disk (because it's encrypted?):
    pgpwde --uninstrument --disk 0
    Operation unstrument disk failed:
    Error code -12220: Disk already managed
- Disk status:
    pgpwde --status
    Disk 0 is instrumented by bootguard
    Current key is valid.
    Drive encrypted
    Total sectors 500115456 highwatermark: 500115454 reserved start sectors: 2
    Request sent to Disk status was successful
- Disk enum:
    pgpwde --enum
    Total number of installed fixed/removable storage device (excluding floppy and CDROM): 2
    Managed disks:
    Disk Group whatever-guid
    Disk 0 has 1 online volumes:
    volume C:\ OSDisk is on partition 1 with offset 2048
    Unmanaged disks:
    Disk 1 has 1 online volumes:
    volume D:\ is on partition 1 with offset 2048
    Request sent to Enumerate disks was successful
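As an added example that is not part of the original question, this is a pre-imaging check for an early WinPE task sequence step: it parses the pgpwde --status output format quoted above and refuses to continue while the disk is still instrumented by bootguard or encrypted, which addresses the "how to avoid this problem" part. It assumes pgpwde.exe is on the PATH in WinPE and that the OS disk is disk 0; the sample output is constructed from the question.

```powershell
# Added example (not from the original question): a pre-imaging check for a
# WinPE task sequence step. It parses the text printed by `pgpwde --status`
# (format as quoted in the question) and reports whether the target disk is
# still instrumented by bootguard / encrypted, so the imaging step can be
# skipped instead of laying a WIM over a PGP WDE-managed disk.
# Assumptions: pgpwde.exe is on the PATH in WinPE and the OS disk is disk 0.

function Get-PgpWdeDiskState {
    param(
        [Parameter(Mandatory)] [string[]] $StatusLines,
        [int] $DiskNumber = 0
    )
    $state = [ordered]@{
        Disk         = $DiskNumber
        Instrumented = $false   # set by "Disk N is instrumented by bootguard"
        Encrypted    = $false   # set by "Drive encrypted"
    }
    foreach ($line in $StatusLines) {
        switch -Regex ($line.Trim()) {
            "^Disk $DiskNumber is instrumented by bootguard$" { $state.Instrumented = $true }
            '^Drive encrypted$'                               { $state.Encrypted    = $true }
        }
    }
    [pscustomobject]$state
}

function Test-SafeToReimage {
    param([Parameter(Mandatory)] $State)
    # Proceed only if the disk is neither instrumented nor encrypted; the question
    # reports that reimaging a disk in that state ends at the 'bootguard' prompt.
    -not ($State.Instrumented -or $State.Encrypted)
}

# Constructed sample input: the `pgpwde --status` output quoted in the question.
# In the real task sequence replace it with:  $StatusLines = & pgpwde --status
$StatusLines = @(
    'Disk 0 is instrumented by bootguard',
    'Current key is valid.',
    'Drive encrypted',
    'Total sectors 500115456 highwatermark: 500115454 reserved start sectors: 2',
    'Request sent to Disk status was successful'
)

$state = Get-PgpWdeDiskState -StatusLines $StatusLines -DiskNumber 0
if (Test-SafeToReimage $state) {
    Write-Output "Disk $($state.Disk) is not PGP WDE managed; imaging can proceed."
} else {
    $msg = "Disk {0} is still PGP WDE managed (instrumented={1}, encrypted={2}); decrypt/uninstrument it before imaging." -f $state.Disk, $state.Instrumented, $state.Encrypted
    Write-Warning $msg
    exit 1   # non-zero exit fails the task sequence step
}
```

Run against the sample output the script takes the failing branch, which is the point: the check fires before the WIM is applied rather than after the reboot into the 'bootguard' prompt.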