How to upgrade to Windows 10 with FDE in-place (E80.94)

Hi Team,

OS: R80.20

Installed on machine: Enterprise Endpoint Security E80.90 Windows Clients

Enabled blades:

1. SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics
2. SandBlast Agent Anti-Bot
3. SandBlast Agent Threat Extraction and Emulation
4. Full Disk Encryption

Emulation: On Cloud

FullDisk Encryption Status: Encrypted

BOOT MODE: UEFI

We are upgrading the version using SCCM.

We tried the upgrade from Windows 10 (64-bit) version 1709 to 1809, but it fails.

I followed sk120667 (How to upgrade to Windows 10 1607 and above with FDE in-place).

We did the steps below.

STEP 1: First we checked the current UEFI boot mode on the encrypted machine by going to this location (%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption) and running the command "fdecontrol.exe get-uefi-bootmode", and we saw that the current boot mode is "BOOTMGFW", so on to the next step.

STEP 2: I changed the boot mode to "BCDBOOT" with the command "fdecontrol.exe set-uefi-bootmode bcdboot".

But still, it fails to upgrade.

Do you all think that turning off the "Pre-Boot Environment for FDE" in the policy would resolve the issue?

It is very time-consuming to test on the encrypted machine because in our case it takes more than 18 hours to encrypt one fresh machine.

Also, I have one query: when we upgrade Windows via an ISO file, after changing to "BCDBOOT" mode we are unable to run the command below (CMD):
setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Kindly help me understand what "setup.exe" stands for, from which location we run the above command, and also about the "SetupConfig.ini" file.

Thanks in Advance

0 Kudos
12 Replies

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Make sure the entry in the boot order has "Check Point Full Disk Encryption Windows Boot Manager" first in the BIOS. Also, when you run the "fdecontrol.exe set-uefi-bootmode bcdboot" command, make sure you reboot before doing the Win10 upgrade. I would also upgrade to E80.94+ to upgrade to 1809. The upgrades to the endpoint shouldn't reboot the endpoints anymore, so that's a big plus.

0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

@Steve_Lander and all CheckMates Team

New Update

Upgrade Windows 10 Pro version from 1803 to 1809

Endpoint Client installed : E80.94

Pre-boot is off in FD policy.

Boot Priority : 1st is Checkpoint Full Disk Encryption.

Boot : UEFI

Boot mode : BCDBOOT

Upgrade Procedure : Using SCCM.

We referred to sk120667, as below.

STEP 1: First we checked the current UEFI boot mode on the encrypted machine by going to this location (%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption) and running the command "fdecontrol.exe get-uefi-bootmode", and we saw that the current boot mode is "BOOTMGFW", so on to the next step.

STEP 2: We changed the boot mode to "BCDBOOT" with the command "fdecontrol.exe set-uefi-bootmode bcdboot".

STEP 3: We changed the FD policy to turn off the "Pre-Boot Environment for FDE" and tested by rebooting the machine.

As per @Steve_Lander, with E80.94 the upgrades to the endpoint shouldn't reboot the endpoints anymore.

But still, it fails to upgrade. When the machine is going to reboot, it gets stuck in reboot.

When we forcefully power off the machine and power it on again, we see the older Windows 10 version 1803.

We turned off Secure Boot and tried to upgrade the machine; then we were unable to even start the upgrade process, whereas previously we were able to start the upgrade process and it got stuck after reboot.

Please help us to resolve the issue.

Added Screenshot for clarification.

[Screenshots: 1.jpg, 2.jpg, 3.jpg, 4.jpg]

@Chinmaya_Naik

0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

What is your BIOS version at? Upgrade to the latest BIOS version and drivers, then try again.

If that still doesn't work, I'm out of options for you to try. If no one else has any tips, your best bet would be to open up a ticket with TAC for this issue.

https://www.dell.com/support/home/us/en/04/product-support/product/latitude-14-5490-laptop/drivers

Version: 1.7.0, 1.7.0 Older versions

Release Date: 23 Jan 2019

0 Kudos
Employee+

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

The upgrade is supposed to be done with a newer version via normal deployment of the Windows upgrade package.

You do not need to use an ISO.

Could you clarify what you mean by "stuck in reboot"?

Once the Windows update is installed and you reboot the machine, do you get into preboot?

Do you see the Windows recovery screen?

In most cases, please open a service request with us, as log analysis is required to understand the reason for the issue.

In short, in the described scenario the upgrade is supposed to be seamless.

0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

@Maksym_Sofer 

We raised a case with TAC. We already shared the logs.

R&D is working on that.

We tried both using SCCM and also using the Windows upgrade package.

Do you see the Windows recovery screen? ANS: No.

Once the Windows update is installed and you reboot the machine, do you get into preboot? ANS: No, we already bypass it using the FD preboot rule, and also as we use E8.94 it does not come up, BUT we are able to see the FD boot manager in the left corner.

Could you clarify what you mean by "stuck in reboot"? ANS: After it processed 100%, the system goes to reboot, then after some time we suddenly see the time zone option, and after selecting the time zone the system shows a black screen with a processing icon (round dots) and it gets stuck.

@Chinmaya_Naik

0 Kudos
B_T
Ivory

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Hi, Are there any updates to this issue? I am having the same issue with upgrades from 1709 to 1809.
0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

| Machine OS | Current Version | Upgrade Version | Upgrade Method | Endpoint Client Package | Status |
|---|---|---|---|---|---|
| Windows 10 Pro | 1709 | 1803 | Using SCCM | E80.96 with Preboot Disable | FAIL |
| Windows 10 Pro | 1709 | 1809 | Using Windows Upgrade Offline Package | E80.96 with Preboot Enable | FAIL |
| Windows 10 Pro | 1709 | 1803 | Using Windows update (Online) | E80.94 | FAIL |

0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Could someone please share with me the configuration with best practices?

We have only one drive, the "C Drive", which is encrypted.

Below are the errors that we got.

[Image: 1.png] FD Policy
[Image: IMG_20190425_121046.jpg] FD Policy Details

After Reboot [Image: 2.png]

0 Kudos
Employee+

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Sadly I do not see "Error".

You can check in Event Viewer, either the Application log \ Event Log \ or even Windows Update.

Possibly the root cause for this upgrade is written there.

And CPinfo could tell us something about these upgrades.

Basic suggestions:

Disable Fast Startup in Windows.

Disable Fastboot in BIOS.

Upgrade BIOS to the latest version.

Switch to BCDBOOT and reboot the system at least once.

0 Kudos
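
The checks suggested in the reply above can be scripted as a pre-upgrade gate, for example as an SCCM task sequence step. This is an added example, not part of the thread and not Check Point tooling; it assumes that "fdecontrol.exe get-uefi-bootmode" prints text containing the mode name (BCDBOOT or BOOTMGFW) as quoted in the first post.

```powershell
# Added example: pre-upgrade readiness check for an FDE-encrypted UEFI client.
# Assumption: 'fdecontrol.exe get-uefi-bootmode' prints text that contains the
# mode name (BCDBOOT or BOOTMGFW); the exact output format is not shown in the thread.
$fdeDir     = Join-Path ${env:ProgramFiles(x86)} 'CheckPoint\Endpoint Security\Full Disk Encryption'
$fdecontrol = Join-Path $fdeDir 'fdecontrol.exe'
$problems   = @()

# 1. The UEFI boot mode must already be BCDBOOT before the feature upgrade.
if (Test-Path $fdecontrol) {
    $modeOutput = (& $fdecontrol get-uefi-bootmode 2>&1 | Out-String).Trim()
    if ($modeOutput -notmatch 'BCDBOOT') {
        $problems += "UEFI boot mode is not BCDBOOT (fdecontrol output: $modeOutput)"
    }
} else {
    $problems += "fdecontrol.exe not found under $fdeDir"
}

# 2. Windows Fast Startup must be disabled (HiberbootEnabled = 0 or absent).
$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
              -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiberboot -eq 1) {
    $problems += 'Fast Startup is enabled (HiberbootEnabled = 1)'
}

# 3. Report BIOS version and last boot time for the manual checks:
#    BIOS currency, BIOS Fastboot (not readable from the OS), and whether the
#    machine has been rebooted since the switch to BCDBOOT.
$bios = Get-CimInstance -ClassName Win32_BIOS
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Output "BIOS version : $($bios.SMBIOSBIOSVersion) (released $($bios.ReleaseDate))"
Write-Output "Last boot    : $($os.LastBootUpTime)"

# Non-zero exit code lets the deployment tool stop before the upgrade starts.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Pre-upgrade checks passed.'
exit 0
```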

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

What is that Windows partition (95 MB) you have that's not encrypted for? That may be why it's not upgrading.

We only have 1 entry in FDE, which is the C:\ drive.

0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Thanks for the update, @Steve. Thanks for the help.
But why is it showing an additional partition which is not encrypted?

Unluckily, we closed this case with an exception of FD.
0 Kudos

Re: How to upgrade to Windows 10 with FDE in-place (E80.90)

Was this issue ever resolved? I'd love to know how you fixed it.

0 Kudos