@Steve_Lander  and all Checkmates Team

New Update

Upgrade Windows 10 Pro version from 1803 to 1809

Endpoint Client installed : E80.94

Pre-boot is off in FD policy.

Boot Priority : 1st is Checkpoint Full Disk Encryption.

Boot : UEFI

Boot mode : BCDBOOT

Upgrade Procedure : Using SCCM.

We refer below sk120667.

STEP 1: First we check the current UEFI boot mode on Encrypted Machine by going to this location (%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption) and run the command "fdecontrol.exe get-uefi-bootmode"
and we see the current boot mode is "BOOTMGFW" so on Next step

STEP 2: We change the boot mode to "BCDBOOT" by command "fdecontrol.exe set-uefi-bootmode bcdboot".

STEP 3: We change in FD policy and off the "Pre-Boot Environment for FDE" and tested by rebooting the machine.

As per @Steve_Lander  the E80.94 the upgrades to the endpoint shouldn't reboot the endpoints anymore.

But Still, It Fails to upgrade. When the machine is going to reboot then its stock in reboot.

When we forcefully of the machine and again power on then we see the older version windows 10 version 1803.

We off the secure boot and try to upgrade the machine then we unable to start the upgrade process as well but as previously we able to start the upgrade process and stuck after reboot.

Please help us to resolved the issue.

Added Screenshot for clarification.

@Chinmaya_Naik 

What is your BIOS version at?  Upgrade to the latest BIOS version and drivers then try again. 

If that still doesn't work, I'm out of options for you to try.  If no one else has any tips your best bet would be to open up a ticket with TAC for this issue.

https://www.dell.com/support/home/us/en/04/product-support/product/latitude-14-5490-laptop/drivers

Version: 1.7.0 ,1.7.0 Older versions 

Release Date: 23 Jan 2019

Upgrade supposed to be done with newer version via Windows upgrade package normal deployment.

You do not need to use ISO.

Could you clarify what do you mean by "stuck in reboot"?

Once windows update installed and you reboot the machine do you get into preboot?

Do you see the windows recovery screen?

In most cases - please open to us service request as logs analysis is required to understand the reason of the issue.

In short - in the described scenario upgrade supposed to be seemless

@Maksym_Sofer 

We raise a case with TAC. We already shared the logs.

R&D is working on that. 

 We try both using SCCM and also using Windows upgrade package.

Do you see the windows recovery screen? ANS :NO

Once windows update installed and you reboot the machine do you get into preboot? ANS:NO we already bypass using FD preboot rule and also as we use E8.94 so its not come BUT we able see FD boot manager on left corner.

Could you clarify what do you mean by "stuck in reboot"? ANS: After processed 100 % then system is going to reboot then after some time suddenly we see the time zone option and after selecting the time zone then system is showing black screen with processing icon (Round dot) and it stuck.

@Chinmaya_Naik 

Please some one sharing me the configuration with best practices.

We have only one drive "C Drive" which is encrypted. 

Below are the error that we got.

FD PolicyFD Policy Details

After Reboot

Sadly I do not see "Error".

You can check in event viewer either Application log \ Event Log \ Or even Windows Update.

Possibly there written root cause of this upgrade.

And CPinfo could tell us something about these upgrades.

Basics suggestions:

Disable Fast Startup in windows.

Disable Fastboot in BIOS

Upgrade BIOS to the latest version.

Switch to BCDBOOT and reboot the system at least once.

What is that Windows Partition (95mb) you have thats not encrypted for?  That may be why its not upgrading.

We only have 1 entry in FDE, which is the C:\ drive.

Was this issue ever resolved?  I'd love to know how you fixed it. 

Hello, thanks for your insight!

Do we know if this is still a requirement? I was able to upgrade from windows 1709-1903 without configuring the bcdboot. I made sure to install 81.30 checkpoint prior. I didn’t not have any issues. 

I did make sure to use the /driverinstall variable pointing to the checkpoint driver in the cmd parameters for windows 10uograde.

Hi Team,

I again replicate the process with a new PC with E81.40 client package.

But Again the issue remains same. Encrypted done successfully but we unbale to upgrade to the latest Windows 10 build.

Disable Fast Startup in windows = DONE

Machine A = Windows 10 build 1083

Machine B= Windows 10 build 1809

We upgrade to windows 10 build 1903

Switch to BCDBOOT not required because we use legacy BIOS.

Change the FastBoot to Minimal.

BIOS Update Done Successfully.

ERROR:-

Regards

@Chinmaya_Naik 

Try to set Fastboot of BIOS to Thorough

I would make sure to have CP versions 81.30 installed prior. Also, are you using /reflectdriver parameter command in task sequence?

I ask about the bcdboot as I’ve upgraded a system with uefi and did not make that change 

The BCDBoot registry key was the issue we struggled with.  If Its not set to BCDboot for UEFI then the checkpoint partition wont show in Bios as a boot partition.  That Checkpoint boot partition has to be the first boot option in BIOS or windows wont upgrade. 

Its not an issue on legacy machines but Checkpoint doesnt change the setting by default, you have to do it yourself on each machine. 

Hi Team,

We are able to upgrade the windows 10 build to the latest build 1903. (sk120667)

The below step needs to follow.

STEP_01: Make the Pendrive bootable with Windows 10 build 1903 ISO.

STEP_02: Browse the Pendrive location via CMD with Administrator permission and run the below command.

setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Setup will start and able to upgrade with latest version.

Still, I try 3 times and able to upgrade every time successfully.

BUT the question is that why it is not happening using the Windows media creation tool or using the SSCM server ?

Because any customer at any organization they did not going to follow the above procedure because it's a manual process to insert Pendrive on each machine and then run the upgrade.

I already try to upgrade windows using with clients starting from E80.90 to E81.40 but still face the same issue. 

I request the checkpoint R & D team to make this thing possible because windows build upgrade is an important feature for an Organization.

Regards

@Chinmaya_Naik 

Has anyone engaged checkpoint support on this?  I'm facing this issue as well.  I've tried all the different suggestions, except for the Pendrive one.  Mostly because this would not be a viable option for us.  Users all over the place, impossible to visit every laptop...

We're in the process of testing a Windows 10 upgrade with the new E82.40 client.  There are many fixes in this client to do with the Installer process and references to the Windows upgrade process.

Will report back to see if it fixes the issue for us.

Late yesterday evening, I was successful.  Some more configuring and testing to do, but as someone else said, adding this into the install string made it work.  /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

So I ran this manually on the machine needing the upgrade, copying the win 10 ISO to the local machine and mounting it, and then running this command.  

"D:\setup.exe" /auto upgrade /DynamicUpdate disable /ShowOOBE none /quiet /noreboot /compat IgnoreWarning /BitLocker TryKeepActive /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

Waited for processes to finish, rebooted and the update processes as expected upon reboot.   

After the reboot, checkpoint did complain that it repaired things and needed another reboot, but it came back up just fine.   

I did change the bcdboot mode as well, as others mentioned not sure if that was needed...  

We use desktop central for software/patching deployments so I'll be manually deploying the upgrade with that, not sccm.  

I feel confident that since I was able to get it to work manually with the above command I should be able to automate it with desktop central.   

I should mention we are using checkpoint client 82.30. 

I'll try to post back here if I run into more issues, or am successful and have any other ah-ha moments.  

Dear Community,

I just got a question regarding 1809 -> 1909 upgrade method.
It works just well in our environment. Changing bootmode to BCDBOOT and run the setup.exe with parameter.
Upgrade is successful.

But should I change bootmode back to BOOTMGFW?

Thats the information I dont find on the knowledge base article and threads.

Thank you in advance.

Hey Andrew...I think you found the jackpot here. I have been going crazy for about 5 weeks trying to figure this issue out and after looking at a number of random user's setupconfig.ini file, every one of them had the typo you mention in it. I don't know if the source of this type was from our old client or the new one we just installed (E84.71), but what is weird with us is that we have had some successes with Windows in-place upgrades with a SCCM task sequence that has the task variable to call the setupconfig.ini and the few users whose upgrades were successful also had the typo in their setupconfig.ini file so at this point I am even more baffled than before. I do wonder if some combination of BIOS, HP fast boot, secure boot, or some other UEFI settings plays a role here. At any rate, Checkpoint has been pretty much useless in their support on this topic and your post absolutely seems the most plausible reply I've seen so far and I'm about to test it out. Appreciate your info. Cheers

Hello Andrew_Scott

Have you had any luck finding a solution? We have random dell devices which are failing to boot post first restart of the in place upgrade. We are using SCCM task sequence however not specifying the setupconfig.ini rather using the command line within a step in the task sequence. We did see that on all of the device there was an extra \ in the setupconfig file however correcting that did not solve the issue.