Lost 300 endpoints. Restoration possible?


  • Good afternoon,

    Unfortunately, we lost our previously built and beautifully working TOEM server (VM) in a ransomware attack before it was able to be backed up. It had about 300-400 endpoints in it at the time. I’ve since built a new TOEM server and deployed the new toec client on about 700 computers successfully. Is there any way to get those old endpoints back without connecting to each computer and either resetting the toec client or uninstalling the old toec client and reinstalling the new one? I can still access these computers via TeamViewer… I thought it might be possible by way of obtaining the unique ID (if it’s stored on the machine) and adding another com server with that new ID. Am I way off base? Thanks in advance for your help! By the way, I have no access to the old server, just the clients.


  • Sorry to hear that, also sorry but it's not possible. Communication is signed by the Toems CA and intermediate, which are now different on the new server. The old clients will never communicate with the new server because they don't trust it, by design, so rogue servers can't control your endpoints.

    If you have any way to run scripts on those 300 machines, you could reset toec with:

    Toec.exe --resetFull
    

    Then you would need to provide the new provision key and ca thumbprint with:

    Toec.exe --resetKey [SERVER_KEY] [CA_THUMBPRINT]
    

    Finally, update the com server if it changed:

    Toec.exe --comServers [COM_SERVERS]
    

    All that basically just amounts to reinstalling it.


  • I actually have access to run a script on those machines from another endpoint management program. Where would I find all these values to add to the script, like the provision key and CA, and for the com server do I just put the com server URL? Thanks so much. I will prepare a script when I hear back from you, then give this a try.


  • Admin Settings->Toec->Client MSI Arguments


  • @theopenem_admin and last question… these would have to be three separate scripts one at a time or just one script? Thanks again!


  • One is fine. I would probably stop the toec service before and start it at the end.


  • I’ll be deploying the script through FOG. I wonder if it might just be easier to run a command to uninstall toec. Would that be toec.exe --uninstall and then redeploy the new toec client?


  • @theopenem_admin I ran these commands and the resets seem to go through however after rebooting I get an error in the log that states it cannot find certificate authority with thumbprint ….. and then the thumbprint I entered. I omit the posts in your command correct and just use the actual thumbprint? Thanks again for all your help.


  • Did you run this on all of them or just a test? It seems those commands cleared out the needed cert. You would need to manually push out the Toems CA to these computers. It's probably easier just to reinstall Toec.
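
The procedure from the replies above (stop the service, reset, re-key, set the com server, start the service) as one PowerShell script, with a check for the missing-CA error reported later in the thread. This is an added example, not code from the Toems project or the posters; the install path, the service name, the 40-hex-digit thumbprint format and the search across all LocalMachine certificate stores are assumptions.

```powershell
# Added example; install path, service name and store scope are assumptions.
param(
    [string]$ToecExe      = 'C:\Program Files\Toec\Toec.exe',  # assumed path
    [string]$ServiceName  = 'Toec',                            # assumed name
    # Values from Admin Settings->Toec->Client MSI Arguments on the new server.
    # Pass the actual values, without the [ ] used as placeholders in the thread.
    [string]$ServerKey    = '<SERVER_KEY>',
    [string]$CaThumbprint = '<CA_THUMBPRINT>',
    [string]$ComServers   = '<COM_SERVERS>'
)
$ErrorActionPreference = 'Stop'

# Copy/paste from the certificate dialog often adds spaces or an invisible
# leading character; keep only hex digits and require a 40-digit SHA-1 value.
$thumb = ($CaThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "CA thumbprint is not 40 hex digits: '$CaThumbprint'"
}

function Test-CaPresent {
    # Searches every LocalMachine store, since the thread does not say
    # which store Toec reads the CA from.
    $hit = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Thumbprint -eq $thumb }
    return [bool]$hit
}

Stop-Service -Name $ServiceName -Force

& $ToecExe --resetFull
& $ToecExe --resetKey $ServerKey $thumb
& $ToecExe --comServers $ComServers

if (Test-CaPresent) {
    Start-Service -Name $ServiceName
    Write-Output "Reset done on $env:COMPUTERNAME, CA $thumb present, service started"
} else {
    # The reset removed the CA (the error seen in the thread). Leave the
    # service stopped and flag the machine for a CA push or a Toec reinstall.
    Write-Warning "CA $thumb not found after reset on $env:COMPUTERNAME"
    exit 2
}
```

A non-zero exit code lets the deployment tool list the machines that still need the Toems CA pushed or Toec reinstalled.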


  • @theopenem_admin thank you for your response. Just one of them. Would you happen to have a command to uninstall toec or would I have to grab software identifier from the registry?


  • You would need to grab it from the registry. You should just be able to install over top of it though. Can't remember if the same version will reinstall on itself, but if you upgrade to the latest version it should allow you to just install it again.


  • @theopenem_admin oh excellent I’ll try to install it right over top of the existing toec client. Fingers crossed it will refresh the connection to the new server. Thanks again.