McAfee Endpoint Encryption 7.0 – Fatal Error: [0xEE0E0001]

Ran into a fun issue last week. We have a fleet of laptops we needed to encrypt. Most of the mare made up of Dell Latitude e6420 and e6430 WITHOUT OPAL drives. We had several users call and state that their computers would not boot after the encryption process. They would get a error: “Fatal Error: [0xEE0E0001]” It was not on all of them, just some of them.

After doing some searching around we found a KB article on McAfee’s site that was sorta, related. But the solution is a bit, well, extreme. This also happens to be a story of why you hire GOOD desktop engineers and not some hack. One of my Desktop Engineers, Chris Templar, decided that that solution was just no good so he dug in and rolled up his sleeves and he came up with the solution I’m going to outline.

The problem was happening because the default BIOS setting in the “SATA Operation” section was set by default to “RAID On”. All the machines having this issue had this set. Machines that were working fine were set to “AHCI”

IMG_0028

The bigger issue is that we had already encrypted it so just changing it won’t work. Here’s how to fix it.

1. Don’t make any changes to the BIOS setting yet. Use the EETECH disk to an emergency boot on the system (if you need help with this let me know and I can write a post about how to use the EETECH boot disk)

2. Change the following registry items. Each has a DWORD called “Start” it will have a value of “3”. Change it to “0”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pciide
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msahci
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStorV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\atapi

3. Restart the PC, enter the BIOS and change the SATA Operation setting from “RAID On” to “AHCI”

4. Boot Windows, wait for new hardware drivers to install and restart when asked.

5. Machine should boot the pre boot environment and work as normal.

NOTE: In some cases we had to decrypt the drive (using EETECH) after making the changes above. We were then able to successfully re-encrypt it. We did not have to do a full wipe.

McAfee’s KB that inspired our solution/fix.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s