This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Steve_Lander
Collaborator
‎2018-05-11 04:30 AM

Windows 10 1803 Auto Upgrade with FDE Failing

Has anyone tried auto upgrading their version of Windows 10 to 1803 with FDE enabled and were successful?  We want to eventually use Shavlik to push out the upgrade, which uses the Windows Update Service, but we are running into the same problems with Shavlik as using the /auto upgrade switch.

I can get this to work manually by following the instructions in this SK article How to upgrade to Windows 10 1607 and above with FDE in-place and going through each of the prompts and turning off everything, but when I run it using the auto upgrade feature | setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" /auto upgrade /PBRupdate disable | or any of the other switches (which just flat out breaks the .ini file, see Windows 10 Setup Command Line Switches – Home is where I lay my head ) it fails and seems to break the UEFI BIOS somehow and corrupts the upgrade, which it reverts back to 1703.  We then have to reset the BIOS and change it back to UEFI before it can boot again.  

We are using Windows 10 64bit Enterprise 1703 | UEFI BIOS | Fast Boot and Fast Startup turned off | CheckPoint Endpoint with all blades except VPN and capsule docs.

10 Replies
PhoneBoy
Admin
Admin
‎2018-05-11 09:20 AM

Did you open a TAC case on this issue?

0 Kudos
Alexandra_Gofma
Employee Alumnus
Employee Alumnus
‎2018-05-13 04:19 AM

Hi Steve, which Endpoint version you have installed?

Only version E80.83 supports Windows 10 1803

Please refer to sk115192

0 Kudos
Steve_Lander
Collaborator
‎2018-05-14 12:52 PM
In response to Alexandra_Gofma

I was able to upgrade from 1703 to 1803 once I upgraded the Endpoint to E80.83.  Do you know when this is slated to become GA?  

0 Kudos
Kim_Moberg
Advisor
‎2018-05-15 07:14 AM
In response to Steve_Lander

Hi Steve

it's in GA today 🙂

Enterprise Endpoint Security E80.83 Windows Clients 

Best regards

Kim

Best Regards
Kim
Sebastien_Rho
Employee Alumnus
Employee Alumnus
‎2018-07-12 10:56 AM
In response to Alexandra_Gofma

FYI, I had the same issue with a customer of mine, running E80.84 with Windows 10 build 1709, the FDE failed and we to decrypt the drive manually since it was not booting up in Windows (Logged in PreBoot sucessfully though), in the end we ended up opening a case with TAC.

Soren_Kristense
Contributor
‎2018-08-30 05:16 AM

Hi

We see the same issue running E80.84, is there a solution?

Best regards

Søren

0 Kudos
Kim_Moberg
Advisor
‎2018-08-30 07:39 AM
In response to Soren_Kristense

Hi Søren

Did you try e80.86?

BR

Kim

Best Regards
Kim
0 Kudos
Felix_Winter
Explorer
‎2018-10-17 12:20 AM

We have this issue too. Any news about it?

0 Kudos
Steve_Lander
Collaborator
‎2018-10-23 05:15 AM
In response to Felix_Winter

It seems that this is still an issue for us.  While we tested in the lab and a small sample in production without any issue with upgrading from 1703 to 1803, we decided to upgrade everyone to 1803.  About half the computers we upgraded had an issue.  Some failed the update, and others bluescreened after the update, and the only way to get back to Windows was to reset the BIOS to factory, and if you went back and changed anything in the BIOS (such as turning off fast boot), it would blue screen and you have to reset the BIOS again, and also some are on legacy boot but we cant turn them back to UEFI, but somehow they magically work.

Also the upgrade seems to change things in the BIOS, such as the selection for the M.2 drive.  See screenshot below, it should say "M.2 Check Point Full Disk Encryption Windows Boot Manager".  Our endpoints are on a mix of E80.84 and E80.86, and it happens for both versions. 

Has anyone else had these same issues when upgrading to 1803 with Checkpoint FDE?  I am also opening a case with TAC on this.  

0 Kudos
Steve_Lander
Collaborator
‎2018-10-17 05:22 AM

We have gotten this to work in our environment.  Hopefully in the future updating Windows 10 versions will be more streamlined with the CheckPoint Suite.

We are using E80.84, but this should work for future versions.

First we had to make sure the computers we wanted to upgrade had their boot order set to BCDBOOT by running this .bat file "C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\fdecontrol.exe" set-uefi-bootmode bcdboot  (see How to upgrade to Windows 10 1607 and above with FDE in-place ).  If BCD is not run, the upgrade will fail after the first reboot.

Then we moved the computer in a policy where the Pre-Boot Environment for FDE was off, so after the upgrade when Windows is applying updates, you didn't have to log in every time through the Pre-Boot.  

We then use WSUS to upgrade 1703 to 1803.  You can probably push it through manually too if you have another method of delivering the update.

Hope this helps!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events