Highlighted
decker12
Silver

Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

I want to remove the Dell Data Protection Security Tools PBA UEFI version 321.

I turn on the laptop, and the DDP Pre Boot Authentication screen appears. I use the password to get past it, and then I immediately get "All bootable devices failed" error. Basically, looks like Windows is hosed up and I need to reinstall it, which I'm fine with.

The problem is, if I try to boot to a Windows USB Dell Recovery key, Windows 10 won't see the hard drive because of the PBA, so I can't install Windows without unlocking the drive first. I don't have the option to unlock the drive in the Recovery key.

So I need to disable PBA, but I can't boot into it's broken Windows installation in order to run the program to disable it.

What do I do?

Labels (2)
Tags (2)
0 Kudos
6 Replies

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

Hi Decker12

Self-Encrypting drives with their controller-based Pre-Boot Authentication environments can make re-imaging a device a bit difficult.

We have a guide that walks through the recovery process here:

http://www.dell.com/support/manuals/us/en/19/dell-data-protection-encryption/recoveryguide/self-encr...

This document mentions a WinPE environment that is pre-built. you can get the latest version as of 2.26.2018 here:

http://www.dell.com/support/home/us/en/19/drivers/driversdetails?driverId=MVY4X

Let us know if this does not get you moving forward! 

Dale


L4 Support


Dell Data Security


Need immediate help with a Dell Data Security issu? Please call Dell Data Security Support @ +1.877.459.7304 Ext. 4310039

0 Kudos
decker12
Silver

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

Thanks, I had to download the ZIp file, then burn the AMD64 ISO file to a CD. After an hour of screwing around, I couldn't get it working at all off of a USB drive, so I had to do it the old fashioned way and use a CD. I recommend others do the same, just use a CD of the ISO instead of trying to setup some sort of bootable USB and struggling to get that to work with the UEFI BIOS.

Once I booted to the CD, the recovery process was fast, although you do need the .DAT file you hopefully saved when you installed Dell Data Protection SED encryption. Don't know why it needs the .DAT file when you already have the password to unlock the drive.. just another reason to get rid of the Dell PBA junk and use something different like Bitlocker.

Be sure to select the Remove PBA option instead of just a one-time unlock!

 

0 Kudos

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

Hi Decker12,

thank you for confirming that the process was able to remove the PBA from your device.

the Dell SED Manager solution has a remotely managed piece that normally would save these .dat files within a secure database. The Locally managed Security Tools application handles the key management by backing this up to a USB device or a network location during the installation and setup of the application. This is a bit less secure than intended, but having the key in a packaged format does retain a little of the security stance that was originally aimed for. 

BitLocker is a great solution for several use-cases. Its ability to have a recovery password that is usable to bypass a failure does allow for a much easier locally-managed recovery. 

Dell is working towards an easier recovery experience for those leveraging our locally-managed Pre-Boot Authentication environment int he future. I'll pass your comments and the issues you had back to our development and Product Management teams to see what we can do to help make the Dell Data Security products better.

Dale


L4 Support


Dell Data Security


Need immediate help with a Dell Data Security issu? Please call Dell Data Security Support @ +1.877.459.7304 Ext. 4310039

0 Kudos
decker12
Silver

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

I think it would go a long way to provide some easy to understand documentation about setting up DDP with and without a centralized server. For years, I literally had to figure out every single step of DDP implementation by myself. Then the products would change, or they'd just changed names, or two products would combine into one, and I'd have to figure it out all over again when a new laptop arrived that somehow wasn't compatible with the process I figured out earlier.

This required countless re-imaging of systems and several completely bricked self encrypting drives that through no fault of my own, just somehow became misconfigured. I scoured the internet and Dell's support sites looking for implementation documentation without success. We're under 100 employees and didn't need some massive enterprise level $150k security suite... we simply wanted to encrypt our SED's and it was a disaster.

My reseller has the exact same complaints and flat out told me I was going down a vortex that few people have successfully navigated. They flat out recommended I find another security suite. 

DDP doesn't even compare to Bitlocker and Apple's FileVault from an ease of use and sysadmin AND end-user friendly standpoint. I am absolutely thrilled to leave DDP behind us now that we have upgraded to Windows 10 and can use Bitlocker. Yes, I understand the difference between what DDP offered with PBA and what Bitlocker offers from a security standpoint, but I'll gladly take the comparatively low risks associated with Bitlocker to never have to deal with Dell security products again. Dell has replaced something like 5 SSDs that DDP has bricked after the user did absolutely nothing wrong with PBA. 

I am still peeved at the sheer amount of hours I spent trying to figure out DDP. Even the nightmare mismatch of names still drives me crazy - DDP | Encryption, DDP | Security Tools, Dell Encryption, DDP | Access, DDP | Enterprise, the list goes on and on. I mean good lord, all or none or some of these need all or none or other ones, and some are renames of existing products, some require enterprise servers, some requite SSDs, some require fingerprint readers, some don't. It's a mess and unless I pay some consultant to figure it out for me, it's ridiculous to figure out on my own.

Ditto with finger print readers and Control Vault. I actually *never* got them working properly on any of my Latitude systems. They didn't work out of the box, they were flaky, and we simply don't order laptops with them anymore.

0 Kudos

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

Hi decker12,

I fully understand where your frustration and concern comes from. Reading through our marketing material, as well as our KB articles, it is extremely difficult to know where to start.

My team is currently working internally to make this better. We have had a lot of movement within our products over the past several years in an effort to bring the "Best of Breed" to you, and our other customers. During these changes, we have not made it easy to follow what is currently the product that we suggest and how to best implement for a given security problem or solution that is attempting to be implemented. 

Based on a few meetings, we will be updating several KB articles specifically around the Dell Data Security solutions to outline the product suite, what the latest product is, and to better outline our End of Life/End of Support process to ensure that you are as up to date as possible and have the answers to know how to best and most importantly, easily, protect your data. 

Dale


L4 Support


Dell Data Security


Need immediate help with a Dell Data Security issu? Please call Dell Data Security Support @ +1.877.459.7304 Ext. 4310039

0 Kudos
decker12
Silver

Re: Disable DDP Security Pre Boot Auth when underlying Windows is Broken

Jump to solution

Thanks for your attention to it, even though we're not planning on using it anymore, it definitely needs a re-work for customers that do want to use it.

As a sysadmin for a small company, I would have loved to have some sort of easy to find product or driver from the Dell website that simply allowed me to enable my SED.

Make it as easy as Bitlocker or Filevault2. Make it some driver or control panel icon that also seamlessly installs and updates Controlvault and the Controlvault firmware, enables the SED and PBA, and gives me an easy to use code or file that I save somewhere else in case my drive gets locked. Since we re-image and reinstall Windows often, don't hide this one-stop-installer or bury it somewhere in the Dell download area, keep it right with the other drivers for the service tag. Don't label it something confusing and nebulous like "Dell Data Protection Suite Encryption Drive | Command Pre Boot Lock Screen (Personal Edition)".

Make it as consistent and easy to use as the current Dell Command Update software, and don't change the look and feel of the PBA between versions or if I'm using UEFI Secure boot. If my system was configured with a fingerprint reader, make all those drivers and software for using it available right there with the Intel HD Graphics display driver. Please, treat me like an **bleep** and spoon feed me the items I need instead of making me have to dig for them and try out every possible combination.

If I want the high end Enterprise level centralized protection product, I'll contact Dell to get that figured out and pay for the consulting.

Anyway, thanks again for keeping my thoughts about the products in mind.

 

0 Kudos