Chinmaya_Naik
Advisor

How to upgrade to Windows 10 with FDE in-place (E80.94)


Hi Team,

OS: R80.20

Installed on machine: Enterprise Endpoint Security E80.90 Windows Clients

Enabled blades:

1. SandBlast Agent Anti-Ransomware, Behavioral Guard and Forensics
2. SandBlast Agent Anti-Bot
3. SandBlast Agent Threat Extraction and Emulation
4. Full Disk Encryption

Emulation: On Cloud

Full Disk Encryption status: Encrypted

BOOT MODE: UEFI

We are upgrading the version using SCCM.

We tried the upgrade from Windows 10 (64-bit) version 1709 to 1809, but it fails.

I followed sk120667 (How to upgrade to Windows 10 1607 and above with FDE in-place).

We did the steps below.

STEP 1: First we checked the current UEFI boot mode on the encrypted machine by going to this location (%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption) and running the command "fdecontrol.exe get-uefi-bootmode",
and we saw that the current boot mode is "BOOTMGFW", so in the next step

STEP 2: I changed the boot mode to "BCDBOOT" with the command "fdecontrol.exe set-uefi-bootmode bcdboot".

But still, it fails to upgrade.

Do you all think that turning off the "Pre-Boot Environment for FDE" in the policy would resolve the issue?

It's very time-consuming to test on the encrypted machine because in our case it takes more than 18 hours to encrypt one fresh machine.

Also, I have one query: when we upgrade Windows via an ISO file, after changing to "BCDBOOT" mode we are unable to run the below command (CMD):
setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Kindly help me out with what "setup.exe" stands for, i.e. from which location we run the above command, and also about the "SetupConfig.ini" file.

Thanks in advance

0 Kudos
25 Replies
Steve_Lander
Collaborator

Make sure the entry in the boot order has "Check Point Full Disk Encryption Windows Boot Manager" first in the BIOS. Also, when you run the "fdecontrol.exe set-uefi-bootmode bcdboot" command, make sure you reboot before doing the Win10 upgrade. I would also upgrade to E80.94+ to upgrade to 1809. The upgrades to the endpoint shouldn't reboot the endpoints anymore, so that's a big plus.

0 Kudos
Chinmaya_Naik
Advisor

@Steve_Lander and all CheckMates team

New update

Upgrade Windows 10 Pro version from 1803 to 1809

Endpoint client installed: E80.94

Pre-boot is off in the FD policy.

Boot priority: 1st is Check Point Full Disk Encryption.

Boot: UEFI

Boot mode: BCDBOOT

Upgrade procedure: using SCCM.

We refer to sk120667 below.

STEP 1: First we checked the current UEFI boot mode on the encrypted machine by going to this location (%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption) and running the command "fdecontrol.exe get-uefi-bootmode",
and we saw that the current boot mode is "BOOTMGFW", so in the next step

STEP 2: We changed the boot mode to "BCDBOOT" with the command "fdecontrol.exe set-uefi-bootmode bcdboot".

STEP 3: We changed the FD policy to turn off the "Pre-Boot Environment for FDE" and tested by rebooting the machine.

As per @Steve_Lander, with E80.94 the upgrades to the endpoint shouldn't reboot the endpoints anymore.

But still, it fails to upgrade. When the machine is going to reboot, it gets stuck in the reboot.

When we forcefully power off the machine and power it on again, we see the older Windows 10 version 1803.

We turned off Secure Boot and tried to upgrade the machine, but then we were unable to even start the upgrade process, whereas previously we were able to start the upgrade process and it got stuck after the reboot.

Please help us to resolve the issue.

Screenshots added for clarification.

[Four screenshots attached: 1.jpg, 2.jpg, 3.jpg, 4.jpg]

@Chinmaya_Naik


0 Kudos
Steve_Lander
Collaborator

What is your BIOS version at? Upgrade to the latest BIOS version and drivers, then try again.

If that still doesn't work, I'm out of options for you to try. If no one else has any tips, your best bet would be to open up a ticket with TAC for this issue.

https://www.dell.com/support/home/us/en/04/product-support/product/latitude-14-5490-laptop/drivers

Version: 1.7.0

Release Date: 23 Jan 2019

0 Kudos
Maksym_Sofer
Employee Alumnus

The upgrade is supposed to be done with the newer version via the normal deployment of the Windows upgrade package.

You do not need to use an ISO.

Could you clarify what you mean by "stuck in reboot"?

Once the Windows update is installed and you reboot the machine, do you get into preboot?

Do you see the Windows recovery screen?

In most cases, please open a service request with us, as log analysis is required to understand the reason for the issue.

In short, in the described scenario the upgrade is supposed to be seamless.


0 Kudos
Chinmaya_Naik
Advisor

@Maksym_Sofer

We raised a case with TAC. We already shared the logs.

R&D is working on that.

We tried both using SCCM and also using the Windows upgrade package.

Do you see the Windows recovery screen? ANS: NO

Once the Windows update is installed and you reboot the machine, do you get into preboot? ANS: NO, we already bypass it using the FD preboot rule, and also as we use E80.94 it does not come up, BUT we are able to see the FD boot manager in the left corner.

Could you clarify what you mean by "stuck in reboot"? ANS: After processing 100%, the system goes to reboot, then after some time suddenly we see the time zone option, and after selecting the time zone the system shows a black screen with a processing icon (round dots) and it gets stuck.

@Chinmaya_Naik


0 Kudos
B_T
Explorer

Hi, are there any updates to this issue? I am having the same issue with upgrades from 1709 to 1809.
0 Kudos
Chinmaya_Naik
Advisor

| Machine OS     | Current Version | Upgrade Version | Upgrade Method                        | Endpoint Client Package     | Status |
|----------------|-----------------|-----------------|---------------------------------------|-----------------------------|--------|
| Windows 10 Pro | 1709            | 1803            | Using SCCM                            | E80.96 with Preboot Disable | FAIL   |
| Windows 10 Pro | 1709            | 1809            | Using Windows Upgrade Offline Package | E80.96 with Preboot Enable  | FAIL   |
| Windows 10 Pro | 1709            | 1803            | Using Windows update (Online)         | E80.94                      | FAIL   |


0 Kudos
Chinmaya_Naik
Advisor

Please, can someone share the configuration with best practices with me?

We have only one drive, "C drive", which is encrypted.

Below are the errors that we got.

[Screenshots attached: FD Policy, FD Policy Details]

[Screenshot attached: After Reboot]

0 Kudos
Maksym_Sofer
Employee Alumnus

Sadly I do not see an "Error".

You can check in Event Viewer: either the Application log, the Event log, or even Windows Update.

Possibly the root cause of this upgrade issue is written there.

And CPinfo could tell us something about these upgrades.

Basic suggestions:

Disable Fast Startup in Windows.

Disable Fastboot in BIOS.

Upgrade BIOS to the latest version.

Switch to BCDBOOT and reboot the system at least once.

0 Kudos
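As an added example for this thread (not code from Check Point or from any of the posters), the following PowerShell script turns the checklist above into a pre-flight report that can be run on an encrypted machine before the upgrade is attempted. It reads the firmware type from the `firmware_type` environment variable that Windows sets at boot, reads the Fast Startup setting from the `HiberbootEnabled` registry value, reports the BIOS version from `Win32_BIOS`, and, on UEFI machines, queries `fdecontrol.exe get-uefi-bootmode`. The script assumes that `fdecontrol.exe` prints the mode name (`BOOTMGFW` or `BCDBOOT`) somewhere in its output, as the original post quotes; the `-Fix` switch and the report wording are this example's own. BIOS Fastboot cannot be read from Windows, so it is not checked.

```powershell
# Added example, not from Check Point or the thread's posters. Run from an
# elevated PowerShell prompt. With -Fix, switches BOOTMGFW to BCDBOOT on UEFI
# machines; a reboot is still required afterwards, as the thread notes.
# Assumption: "fdecontrol.exe get-uefi-bootmode" includes the mode name
# (BOOTMGFW or BCDBOOT) in its output, as quoted in the original post.
param([switch]$Fix)

$fdeDir     = Join-Path ${env:ProgramFiles(x86)} 'CheckPoint\Endpoint Security\Full Disk Encryption'
$fdeControl = Join-Path $fdeDir 'fdecontrol.exe'
$report     = [System.Collections.Generic.List[string]]::new()

# 1. Firmware type. Windows sets firmware_type to 'UEFI' or 'Legacy' at boot;
#    the BCDBOOT switch only applies to UEFI machines.
$firmware = $env:firmware_type
$report.Add("Firmware type: $firmware")

# 2. Windows Fast Startup (hybrid boot) must be off before the upgrade.
$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiberboot -eq 1) {
    $report.Add('WARN: Fast Startup is enabled (HiberbootEnabled=1); disable it and reboot')
} else {
    $report.Add('OK: Fast Startup is not enabled')
}

# 3. BIOS version and release date, to compare with the vendor's current release.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.Add("BIOS: $($bios.SMBIOSBIOSVersion) (released $($bios.ReleaseDate))")

# 4. FDE UEFI boot mode (UEFI systems only).
if ($firmware -eq 'UEFI') {
    if (-not (Test-Path -LiteralPath $fdeControl)) {
        $report.Add("WARN: $fdeControl not found; is the FDE blade installed?")
    } else {
        $modeOutput = (& $fdeControl get-uefi-bootmode 2>&1) -join "`n"
        if ($modeOutput -match 'BCDBOOT') {
            $report.Add('OK: FDE UEFI boot mode is BCDBOOT')
        } elseif ($modeOutput -match 'BOOTMGFW') {
            if ($Fix) {
                & $fdeControl set-uefi-bootmode bcdboot | Out-Null
                $report.Add('CHANGED: boot mode set to BCDBOOT; reboot once before upgrading')
            } else {
                $report.Add('WARN: FDE UEFI boot mode is BOOTMGFW; rerun with -Fix (or run "fdecontrol.exe set-uefi-bootmode bcdboot"), then reboot')
            }
        } else {
            $report.Add("UNKNOWN: could not read the boot mode from fdecontrol output: $modeOutput")
        }
    }
} else {
    $report.Add('INFO: legacy BIOS boot; the BCDBOOT switch does not apply')
}

# 5. Last boot time, to confirm the machine has rebooted since any boot-mode change.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$report.Add("Last boot: $($os.LastBootUpTime)")

$report
```

The report is plain strings so it can be collected by SCCM, Desktop Central or any other tool that captures script output; the last-boot line is there because, as several replies stress, the BCDBOOT change only takes effect after a reboot, so a machine whose last boot predates the change is not ready to upgrade.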
Steve_Lander
Collaborator

What is that Windows partition (95 MB) you have that's not encrypted for? That may be why it's not upgrading.

We only have 1 entry in FDE, which is the C:\ drive.


0 Kudos
Chinmaya_Naik
Advisor

Thanks for the update @Steve, thanks for the help.
But why is it showing an additional partition which is not encrypted?

Unluckily we closed this case with an exception for FD.
0 Kudos
seandrethegiant
Explorer

Was this issue ever resolved? I'd love to know how you fixed it.

0 Kudos
Riverascourtesy
Explorer

Hello, thanks for your insight!

Do we know if this is still a requirement? I was able to upgrade from Windows 1709 to 1903 without configuring the bcdboot. I made sure to install Check Point 81.30 prior. I didn't have any issues.

I did make sure to use the /driverinstall variable pointing to the Check Point driver in the cmd parameters for the Windows 10 upgrade.

0 Kudos
Riverascourtesy
Explorer

Did you get this issue resolved?

I was able to perform a successful in-place upgrade using the SCCM upgrade package. CP 81.10 was installed prior to the upgrade.

0 Kudos
Chinmaya_Naik
Advisor

Hi Team,

I again replicated the process with a new PC with the E81.40 client package.

But again the issue remains the same. Encryption completed successfully, but we are unable to upgrade to the latest Windows 10 build.

Disable Fast Startup in Windows = DONE

Machine A = Windows 10 build 1083

Machine B = Windows 10 build 1809

We upgrade to Windows 10 build 1903.

Switching to BCDBOOT is not required because we use legacy BIOS.

[Photos attached: IMG_20191015_190002.jpg, IMG_20191015_185355.jpg, IMG_20191015_190020.jpg]

Changed FastBoot to Minimal.

[Photos attached: IMG_20191016_155623.jpg, IMG_20191016_160535.jpg, IMG_20191016_170248.jpg]

BIOS update done successfully.

[Photos attached: IMG_20191016_181339.jpg, IMG_20191016_181955.jpg]

ERROR:

[Photo attached: IMG_20191017_120120.jpg]

Regards

@Chinmaya_Naik


0 Kudos
Maksym_Sofer
Employee Alumnus

Try to set Fastboot in the BIOS to Thorough.


0 Kudos
Riverascourtesy
Explorer

I would make sure to have CP version 81.30 installed prior. Also, are you using the /reflectdriver parameter in the task sequence?

I ask about the bcdboot as I've upgraded a system with UEFI and did not make that change.

0 Kudos
seandrethegiant
Explorer

The BCDBoot registry key was the issue we struggled with. If it's not set to BCDBoot for UEFI, then the Check Point partition won't show in the BIOS as a boot partition. That Check Point boot partition has to be the first boot option in the BIOS or Windows won't upgrade.

It's not an issue on legacy machines, but Check Point doesn't change the setting by default; you have to do it yourself on each machine.


0 Kudos
Chinmaya_Naik
Advisor

Hi Team,

We are able to upgrade the Windows 10 build to the latest build 1903. (sk120667)

The steps below need to be followed.

STEP_01: Make a pen drive bootable with the Windows 10 build 1903 ISO.

STEP_02: Browse to the pen drive location via CMD with administrator permission and run the below command.

setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Setup will start and is able to upgrade to the latest version.

Still, I tried 3 times and was able to upgrade successfully every time.

BUT the question is why it is not happening using the Windows Media Creation Tool or using the SCCM server?

Because no customer at any organization is going to follow the above procedure, because it's a manual process to insert a pen drive into each machine and then run the upgrade.

I already tried to upgrade Windows with clients starting from E80.90 to E81.40 but still face the same issue.

I request the Check Point R&D team to make this possible, because a Windows build upgrade is an important feature for an organization.

Regards

@Chinmaya_Naik

0 Kudos
acewolf
Explorer

Has anyone engaged Check Point support on this? I'm facing this issue as well. I've tried all the different suggestions, except for the pen drive one, mostly because this would not be a viable option for us. Users all over the place; impossible to visit every laptop...

0 Kudos
J_B
Contributor

We're in the process of testing a Windows 10 upgrade with the new E82.40 client. There are many fixes in this client to do with the installer process and references to the Windows upgrade process.

Will report back to see if it fixes the issue for us.


0 Kudos
acewolf
Explorer

Late yesterday evening, I was successful. Some more configuring and testing to do, but as someone else said, adding this into the install string made it work: /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

So I ran this manually on the machine needing the upgrade, copying the Win 10 ISO to the local machine and mounting it, and then running this command.

"D:\setup.exe" /auto upgrade /DynamicUpdate disable /ShowOOBE none /quiet /noreboot /compat IgnoreWarning /BitLocker TryKeepActive /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Waited for the processes to finish, rebooted, and the update proceeded as expected upon reboot.

After the reboot, Check Point did complain that it repaired things and needed another reboot, but it came back up just fine.

I did change the bcdboot mode as well, as others mentioned; not sure if that was needed...

We use Desktop Central for software/patching deployments so I'll be manually deploying the upgrade with that, not SCCM.

I feel confident that since I was able to get it to work manually with the above command I should be able to automate it with Desktop Central.

I should mention we are using Check Point client 82.30.

I'll try to post back here if I run into more issues, or am successful and have any other ah-ha moments.

0 Kudos
FloydG
Participant

Dear Community,

I just have a question regarding the 1809 -> 1909 upgrade method.
It works just fine in our environment: changing the boot mode to BCDBOOT and running setup.exe with the parameter.
The upgrade is successful.

But should I change the boot mode back to BOOTMGFW?

That's the information I don't find in the knowledge base article and threads.

Thank you in advance.

0 Kudos
Andrew_Scott
Participant

For anyone having trouble with this, you need to check the contents of the SetupConfig.ini file for a typo.

A good percentage of our systems had an extra \ before Driver in ReflectDrivers path which caused it to fail. I contacted support but they weren't able to figure out why it was only on some systems or how to fix it on the management point side.

I ended up making a configuration baseline in SCCM to check and repair the entry once every 15 minutes. Check Point will re-break the file every day or two if you fix it and don't check it again.

Incorrect path:
ReflectDrivers="C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\\Driver"

Correct path:
ReflectDrivers="C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\Driver"
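The check-and-repair described in the post above, written as an added PowerShell example (not Andrew's baseline, nor anything from Check Point or Microsoft). The script reads SetupConfig.ini from the path quoted in this thread, looks only at the ReflectDrivers line, and reports whether its value contains a doubled backslash in the middle of the path. SCCM configuration items compare a discovery script's output against an expected string, so the script prints "Compliant" or "NonCompliant" when run without arguments; with the `-Remediate` switch (this example's own parameter) it rewrites the file. Two assumptions are this example's own: a UNC-style `\\server` prefix at the start of the value is deliberately left alone, and the file is rewritten with Set-Content's default encoding, which you may need to adjust to match the original file.

```powershell
# Added example, not from the thread or from Check Point. Discovery script for
# an SCCM configuration item (prints Compliant / NonCompliant); with -Remediate
# it also repairs the doubled backslash in the ReflectDrivers path.
param([switch]$Remediate)

# Path quoted in the thread's setup.exe /ConfigFile examples.
$iniPath = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'

if (-not (Test-Path -LiteralPath $iniPath)) {
    Write-Output 'NonCompliant: SetupConfig.ini is missing'
    return
}

# Two or more backslashes preceded by a path character: a run in the middle of
# the path ("...Encryption\\Driver"), but not a leading UNC "\\server" prefix
# (preceded by the opening quote) or a backslash already part of the run.
$doubled = '(?<=[^\\"\s])\\{2,}'

$lines   = Get-Content -LiteralPath $iniPath
$changed = $false
$fixed   = foreach ($line in $lines) {
    if ($line -match '^\s*ReflectDrivers\s*=' -and $line -match $doubled) {
        $changed = $true
        $line -replace $doubled, '\'    # collapse the run to a single backslash
    } else {
        $line
    }
}

if (-not $changed) {
    Write-Output 'Compliant'
    return
}

if ($Remediate) {
    # Adjust -Encoding if your SetupConfig.ini is not in the default encoding.
    Set-Content -LiteralPath $iniPath -Value $fixed
    Write-Output 'Remediated: ReflectDrivers path rewritten'
} else {
    Write-Output 'NonCompliant: doubled backslash in ReflectDrivers path'
}
```

Given the line from the post, `ReflectDrivers="C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\\Driver"`, the pattern matches the `\\` before `Driver` and the rewrite yields the corrected line shown above; the already-correct line does not match and the script reports Compliant. Since the post says the client rewrites the file every day or two, the baseline's evaluation interval is what keeps the fix in place, so keep the discovery side cheap (as here, one file read) rather than running the repair unconditionally.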

JG45
Explorer

Hey Andrew... I think you found the jackpot here. I have been going crazy for about 5 weeks trying to figure this issue out, and after looking at a number of random users' setupconfig.ini files, every one of them had the typo you mention in it. I don't know if the source of this typo was from our old client or the new one we just installed (E84.71), but what is weird with us is that we have had some successes with Windows in-place upgrades with an SCCM task sequence that has the task variable to call the setupconfig.ini, and the few users whose upgrades were successful also had the typo in their setupconfig.ini file, so at this point I am even more baffled than before. I do wonder if some combination of BIOS, HP fast boot, secure boot, or some other UEFI settings plays a role here. At any rate, Check Point has been pretty much useless in their support on this topic, and your post absolutely seems the most plausible reply I've seen so far, and I'm about to test it out. Appreciate your info. Cheers

0 Kudos