DDPE 8.12 + Windows 10 + Hyper-V = Bad time?

Question

We got four new XPS 15s in for testing and I gave one, then a second, to a guy on our server team. He managed to brick two of the four XPSes when trying to enable Hyper-V. After the fact I found this article that references WIndows 8.1 plus Hyper-V plus DDPE is unsupported and may crash the system. https://www.dell.com/support/article/us/en/rc958177/sln294086/running-hyper-v-on-a-windows-81-machine-with-dell-data-protection-encryption-installed?lang=en  Is Hyper-V still unsupported in WIndows 10 with DDPE enabled? I found an article advising to white list three Hyper-V related sources on Server 2012 R2, but would that also work for Win10? Also, I have tried reimaging these two bricked units with our own Win10 image, with the Dell OEM Restore image, and with a Win10 USB installer drive and all methods fail on 'applying UEFI partition'. We don't care about the data on the SSD so is there a way to get these machines working again without replacing the SSDs? Thanks! Jason

Dell-StephenO · Answer

Hi Jason,

That's indeed an interesting problem DDPE + Win10 + Hyper-V should all co-exist together. I am actually running our 8.12.0.26 release on my W10 workstation and use Hyper-V daily.

Depending on the server version you are running there might be some exclusions we need to add for the SDE protection. Below is a list of the current default SDE polices the 9.8 server ships with.

F#:\

-^%ENV:SYSTEMDRIVE%\System Volume Information

-^%ENV:SYSTEMROOT%\;dll.exe.sys.ocx.man.cat.manifest.policy

-^%ENV:SYSTEMROOT%\System32

-^%ENV:SYSTEMROOT%\SysWow64

-^%ENV:SYSTEMROOT%\WinSxS

-^%ENV:SYSTEMROOT%\Fonts

-^3@%ENV:SYSTEMROOT%\SYSTEM32\cmd.exe;exe

-^3@%ENV:SYSTEMROOT%\SYSTEM32\autochk.exe;exe

-^3@%ENV:SYSTEMROOT%\SYSTEM32\winresume.exe;exe

-^F#:\bootmgr

-^F#:\boot

-^3F#:\EFI\

It's possible that if the \EFI\ exclusion was not in place there is a MS Update that will mount the hidden system partition and that will get encrypted. Once that happens having the windows setup that matches the installed version of W10 that was on the machine and using the repair computer option to do a startup repair. Details on that procedure can be found in the KB linked below if needed.

If you're not sure about the version of Windows 10 that was previously on the machine it might be best to remove all partitions during the windows setup and having it build a completely new layout.

www.dell.com/.../dell-data-protection-encryption-dell-encryption-protected-devices-fail-to-boot-with-operating-system-loader-failed-signature-verification

Best Regards,

alex_kravcenko · Answer

Hi Steve, Have you ever tried disabling Hyper-V in Windows 10 with DDPE 8.12.0.26 applied to a system?

Dell-StephenO · Answer

Hey Alex,

I have not. What are you seeing? It's possible the machine might need a SDE recovery after that role is removed because of how it treats the OS when the role is installed.

www.dell.com/.../how-to-perform-a-sde-recovery-for-dell-data-protection-encryption-dell-encryption-or-credant-managed-endpoint

Let me know what you're seeing if the SDE recovery doesn't work and I can provide some better info.

Best Regards,

Dell Data Security

Was this post helpful?