Topic:
The purpose of this document is to describe how to disable an eDrive during a Windows 7, 8 & 10 installation.
This document will be useful for an audience who wishes to use an eDrive as a regular (non-eDrive) drive in a Windows OS environment.
An eDrive is a self-encrypting drive (SED) which will support the following:
• TCG Opal SSC Version 2.00
• TCG Opal SSC Single User Mode Feature Set
• IEEE 1667 TCG Storage Transport Silo
When doing a default Windows OS installation on an eDrive the following will occur:
1. Windows Setup detects that the primary drive is an eDrive.
2. Windows Setup activates the Locking SP and puts all 16 ranges in Single User Mode using User Policy.
3. Windows Setup disables the SID Authority.
4. Windows Setup sets up four ranges in the Locking SP.
To avoid this, a custom Windows OS installation can be performed. This requires a custom Windows OS answer file.
Answer File
The purpose of an answer file is to perform an unattended installation. This means that an installation can be done without a user being present; the answer file can also be configured to add customizations to the default Windows installation.
The answer file which will be used is an XML file named "Autounattend.xml". It can be written manually or with a tool such as Windows System Image Manager (WSIM), which is publicly available as part of the Windows Assessment and Deployment Kit (ADK).
Microsoft Enhanced Storage Registry Keys
The registry key used to turn off eDrive features is "TCGSecurityActivationDisabled". Its value is set through the "DisableEncryptedDiskProvisioning" unattend setting in the answer file. Windows reads the "DisableEncryptedDiskProvisioning" setting stored in the answer file and sets the value of the "TCGSecurityActivationDisabled" registry key accordingly.
Windows Disk Partitions
Some required Windows partitions must also be set up in the answer file.
Order | Size (MB) | Type | Format | Label |
1 | 300 | Primary | NTFS | Windows RE Tools |
2 | 100 | EFI | FAT32 | System |
3 | 128 | MSR | None | None |
4 | Extend | Primary | NTFS | Windows |
These partitions must be created manually when disabling eDrive features, so that Windows can install the OS image to the correct partition. The answer file must also specify that the installation goes to Disk 0 Partition 4.
Note: The install-to location must be specified in the answer file; otherwise the "DisableEncryptedDiskProvisioning" unattend setting will have no effect.
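A pre-flight check for the constraints described above, written as an added example (it is not part of the original document or of any Microsoft tool). It verifies that "DisableEncryptedDiskProvisioning" is true and that the install-to location is present and points at a Primary partition the answer file creates. The function name, the trimmed template and the partition-numbering rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}

def check_answer_file(xml_text):
    """Return the problems that would leave eDrive provisioning enabled."""
    setup = ET.fromstring(xml_text).find(
        "u:settings[@pass='windowsPE']/u:component[@name='Microsoft-Windows-Setup']", NS)
    if setup is None:
        return ["no Microsoft-Windows-Setup component in the windowsPE pass"]
    problems = []
    flag = setup.findtext("u:DiskConfiguration/u:DisableEncryptedDiskProvisioning", "", NS)
    if flag.strip().lower() != "true":
        problems.append("DisableEncryptedDiskProvisioning is not true")
    target = setup.find("u:ImageInstall/u:OSImage/u:InstallTo", NS)
    if target is None:
        return problems + ["InstallTo is missing, so the setting has no effect"]
    disk_id = target.findtext("u:DiskID", "", NS).strip()
    part_id = target.findtext("u:PartitionID", "", NS).strip()
    # Assumption: on a wiped disk, partition numbers follow CreatePartition Order.
    created = {}
    for disk in setup.findall("u:DiskConfiguration/u:Disk", NS):
        if disk.findtext("u:DiskID", "", NS).strip() == disk_id:
            for part in disk.findall("u:CreatePartitions/u:CreatePartition", NS):
                created[part.findtext("u:Order", "", NS).strip()] = \
                    part.findtext("u:Type", "", NS).strip()
    if part_id not in created:
        problems.append(f"InstallTo disk {disk_id} partition {part_id} is not created")
    elif created[part_id] != "Primary":
        problems.append(f"InstallTo partition {part_id} is {created[part_id]}, not Primary")
    return problems

# Constructed, trimmed answer file for the demo (not the page's full sample).
TEMPLATE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
 xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
<settings pass="windowsPE"><component name="Microsoft-Windows-Setup">
<DiskConfiguration>
<DisableEncryptedDiskProvisioning>{flag}</DisableEncryptedDiskProvisioning>
<Disk wcm:action="add"><DiskID>0</DiskID><CreatePartitions>
<CreatePartition wcm:action="add"><Order>3</Order><Type>MSR</Type></CreatePartition>
<CreatePartition wcm:action="add"><Order>4</Order><Type>Primary</Type></CreatePartition>
</CreatePartitions></Disk></DiskConfiguration>{install}
</component></settings></unattend>"""
INSTALL_TO = ("<ImageInstall><OSImage><InstallTo><DiskID>0</DiskID>"
              "<PartitionID>{part}</PartitionID></InstallTo></OSImage></ImageInstall>")

if __name__ == "__main__":
    for install in (INSTALL_TO.format(part=4), INSTALL_TO.format(part=3), ""):
        print(check_answer_file(TEMPLATE.format(flag="true", install=install)) or "OK")
```

Run it against the real file by passing the contents of "Autounattend.xml" to check_answer_file before copying the file to the USB flash drive; an empty list means the checks passed.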
Performing a Custom Windows OS Installation
Required Materials
• PC with UEFI 2.3.1 BIOS installed (target PC).
• PC with Windows OS ADK installed (technician PC) – only needed if using WSIM to create answer file.
• Windows OS boot DVD.
• USB flash drive.
Installation Steps
1. On the technician PC, create an answer file named "Autounattend.xml". This can be done in one of two ways:
   • Using the code in the "Autounattend.xml" sample file in the appendix of this document. (Note that the Windows product key listed in this file is the Windows OS Edition Professional Retail Key. You may need to replace this product key if using a different version of Windows OS.) OR
   • Using Windows System Image Manager (WSIM):
      • Insert the Windows OS boot DVD or mount its ISO file.
      • Navigate to the "sources" folder.
      • Copy the "install.wim" file onto your hard drive. (Not necessary but will reduce the amount of time it takes to create a catalog file.)
      • Open Windows System Image Manager.
      • Navigate to File -> Select Windows Image.
      • Select the "install.wim" file on your hard drive.
      • Select the "Windows OS Release Preview" image.
      • Click "Yes" when asked if you want to create a catalog file. Creating a catalog file may take a few minutes.
      • Use the "Windows Image" pane to select components and drag them into the appropriate configuration passes in the "Answer File" pane. Then edit the properties/settings of those components. The components and their respective configuration passes can be found in the "Autounattend.xml" sample file in the appendix of this document.
2. Save the answer file on the root directory of the USB flash drive.
3. Insert the Windows 8 boot DVD in the optical drive of the target PC.
4. Insert the USB flash drive into the target PC.
5. Make sure the primary hard drive on the target PC is a factory-fresh/reverted eDrive.
6. On the target PC, boot from DVD. Windows Setup will run from DVD and automatically detect the answer file on the USB flash drive and apply its settings to the appropriate configuration passes.
7. If you use the "Autounattend.xml" sample file from the appendix of this document as-is, there is no need for additional installation steps as the file is set up for an unattended install. If your answer file is different, you may need to attend to the installation.
TCGSecurityActivationDisabled
1. Start with a wiped drive.
2. Boot the Windows OS install DVD and stop at the "license terms" screen.
3. Press Shift+F10 to open a command prompt.
4. Import the attached .reg file (rename from .txt).
5. Continue with Windows OS setup; the eDrive does not become enabled because of the "TCGSecurityActivationDisabled" registry setting.
Sample Autounattend.xml
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <DiskConfiguration>
        <!-- Turns off eDrive provisioning; Windows sets TCGSecurityActivationDisabled from this value -->
        <DisableEncryptedDiskProvisioning>true</DisableEncryptedDiskProvisioning>
        <Disk wcm:action="add">
          <!-- The four partitions from the table in "Windows Disk Partitions" -->
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Size>300</Size>
              <Type>Primary</Type>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Order>2</Order>
              <Size>100</Size>
              <Type>EFI</Type>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Order>3</Order>
              <Size>128</Size>
              <Type>MSR</Type>
            </CreatePartition>
            <CreatePartition wcm:action="add">
              <Order>4</Order>
              <Extend>true</Extend>
              <Type>Primary</Type>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <Format>NTFS</Format>
              <Label>Windows RE tools</Label>
              <PartitionID>1</PartitionID>
              <TypeID>de94bba4-06d1-4d40-a16a-bfd50179d6ac</TypeID>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Order>2</Order>
              <PartitionID>2</PartitionID>
              <Label>System</Label>
              <Format>FAT32</Format>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Order>3</Order>
              <PartitionID>3</PartitionID>
            </ModifyPartition>
            <ModifyPartition wcm:action="add">
              <Order>4</Order>
              <PartitionID>4</PartitionID>
              <Label>Windows</Label>
              <Format>NTFS</Format>
            </ModifyPartition>
          </ModifyPartitions>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
        </Disk>
        <WillShowUI>OnError</WillShowUI>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <!-- Required: without an install-to location, DisableEncryptedDiskProvisioning has no effect -->
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>4</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <ProductKey>
          <WillShowUI>OnError</WillShowUI>
          <!-- Product key for the Windows edition being installed -->
          <Key></Key>
        </ProductKey>
        <AcceptEula>true</AcceptEula>
      </UserData>
    </component>
  </settings>
</unattend>