This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Benjamin_John
Contributor
‎2021-04-07 07:23 PM

Windows upgrade woes

I'm trying to upgrade our workstations from 1803 to 1909 using an SCCM task sequence. They have FDE/MEPP installed.

On our HP desktops (no pre-boot), we found that we had to change the boot order to be Checkpoint FDE followed by Windows Boot Manager for the upgrade to work. We were able to use SCCM and a HP Bios config utility to do this. After the change, we were able to upgrade most of our machines without issues. Still  some machines randomly fail with BSOD's, some times re-running the upgrade will work, sometimes it takes multiple tries. Some machines are missing either the Checkpoint FDE or the Windows Boot manager option in BIOS boot sequence. Not sure how to add these options back.

On our Dell laptops (pre-boot enabled), we found that the checkpoint option is missing in the BIOS boot sequence. I haven't found a way to programmatically add this option. These laptops are running E82.50 and have BCDBOOT already enabled and we are following the SK that mentions using the setupconfig file.

I have already opened a ticket, but not very helpful and I've seen most of the posts here about upgrades. 

Any times or ideas on why the FDE option would be missing?

Labels
6 Replies
J_B
Collaborator
‎2021-04-09 06:37 AM

First thing I would do is upgrade the endpoint client on the machines to the latest one as there have been several fixes to do with Windows 10 upgrades since the E82.50 client.  There are others, but the 2 main ones that I found are as follows.....

E84.30 - BCDBOOT mode is now the default for upgrades

E84.60 - Fixes the issue where Windows 10 upgrades require an extra restart to repair Media Encryption and Port Protection. Now, an extra restart is only necessary for Windows 10 version 1709 and lower.

0 Kudos
Benjamin_John
Contributor
‎2021-04-27 08:15 PM
In response to J_B

We are already on the latest version E84.60. Anyway, we managed to upgrade our most of our desktops either by re-running the update multiple times or just re-imaging some that just didn't want to upgrade.

Now we have turned our attention to upgrading the laptops and are running into stop code 0x05001647 on some laptops. If we decrypt the laptop, the upgrade continues. This clearly indicates that check point is the issue. Any ideas? I cant even find anything on this specific error code.

0 Kudos
Courtesy5
Explorer
‎2022-03-02 04:33 AM
In response to Benjamin_John

Any update on this issue?

We had similar issues with Random dell devices rebooting into a recovery screen. I was able to come up with a workaround which I am not sure is supported yet however it allows the device to upgrade fine. Run FDEcontrol.exe and set the device back to BOOTMGFW which cleans up the boot start, then during the upgrade set the machine back to BCDBOOT and restart. Upgrades worked after that

We did also see a small number of devices which failed when connected to certain external devices, once disconnected they would upgrade. Still working with CP support on these. 

0 Kudos
Benjamin_John
Contributor
‎2022-03-03 10:10 AM
In response to Courtesy5

Unfortunately, No. I think we ended up re-imaging some of the laptops.

Just ran into the same thing when doing 1909 to 21H2. How are you running FDEcontrol  when the laptop is in a BSOD state?

0 Kudos
Courtesy5
Explorer
‎2022-03-03 10:27 AM
In response to Benjamin_John

Do you know if the BSOD is actually a Recovery screen?

We recover the device when it fails presenting the recovery screen by going into the bios and adding a new boot record then placing it at the top of the boot order.  \EFI\BOOT\bootx64.efi

After recovering the device we use FDE control to set the device to Bootmgfw and our upgrade task sequence places the device back into BCDBOOT and restarts. We could not identify anything unique about the problem devices so far neither can Checkpoint support so we just added a step in the task sequence to rollback to Bootmgfw and then place the device into bcdboot and restart which seems to work so far. 

0 Kudos
Benjamin_John
Contributor
‎2022-03-03 10:42 AM
In response to Courtesy5

ah, yes, I remember adding the boot record in the BIOS menu now..

We are not using a task sequence for laptops anymore. so I guess we'll have to manually run fde control.

This whole process is just nutty and why it fails on random devices.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events