Monday, April 20, 2009

Pointsec for PC: Watch out when creating installation profiles based on update profiles.

I got a call from someone the other day asking about a strange Pointsec problem he was having.  He had created an installation profile and put it in the installation folder with his installer MSI file.  But when he would run the installer, he would get a very generic error that just said "Profile Error."  He asked me if I could take a look at his installation profile and see if I could find anything out of the ordinary.

One thing that struck me as being out of the ordinary is that he had based the installation profile on an update profile. Usually, I see installation profiles based on the local settings or another install profile. I see update profiles based on install profiles, but never before have I seen an install profile based on an update profile.

So I opened up his installation profile in my administration console and poked around for a bit. I was making sure that administrator accounts were in there and that there was a valid path for updates and recovery files, etc. Since it was based on an update profile, it is possible that some information was left out. Then I clicked OK to exit the profile editor and see if any errors came up. I was given the error message "Volume protection not defined." This is different from the error message I usually get on an installation profile, which reads "Volume protection not based on local."

OK, so how does this volume protection thing work? When I typically build an installation profile, I base it on my local machine's settings. And usually, my local machine has one hard drive and one partition. So if the volume protection in my installation profile was based on local, then every computer that installed using this profile would get protection on only one partition. What if we run this on a computer with two partitions? The second partition would get no protection. So the default when you create an installation profile based on local settings is to set the volume protection to encrypt and protect all volumes on the machine, not just the ones that you have on your reference computer. When you save your installation profile, you are told that the volume protection was not based on the local machine, and I tell most people to ignore that message because it's actually a good thing. But that isn't the message that we're getting here. This machine is telling us that no volume protection has been set at all.

To understand why, you have to know about the limitations of update profiles.  An update profile can change ALMOST any setting on a Pointsec installation except for the encryption algorithm used to protect the volumes, and which volumes have been encrypted.  These settings cannot be changed after the installation and so they are not present in an update profile.  

Since those settings are not present in an update profile, any installation profile based on an update profile is going to be missing these settings as well.  I told him to go back to the installation profile, click on Systems Settings, Install, and double-click Select Volume Protection.  Then he can select the encryption algorithm he wants to use and specify which volumes he wants protected.  A day later I got an email telling me that making that change fixed the installation profile and he was able to use it to install Pointsec on client machines.

1 comment:

carl said...

Never create an install profile based on an update profile. Have one master install profile, base all update profiles on this one only.