How to upgrade to Windows 10 1607 and higher or Windows 11 with FDE in-place
Solution

This article describes the different use cases for upgrading from Windows 10 1607 (or higher) to a new Windows 10 or Windows 11 version with Check Point Full Disk Encryption (FDE) in place during the upgrade phases. [3]

With version E80.71 or higher, configurations can be made to support seamless OS upgrade with FDE in-place using the SetupConfig.ini file.

For Endpoint Clients version E86.40 and above: when Full Disk Encryption is installed but switched off, the Windows update can be performed as usual.

This is possible due to changes made by Microsoft in Windows 10 1607. The changes allow third party software to have pre-configured parameters stored in the SetupConfig.ini file.

Note: Using the Windows 10 Media Creation Tool upgrade option is not supported. This upgrade option is not intended for upgrade scenarios where additional configuration is required, such as the SetupConfig.ini file.

UEFI-based installation

FDE supports two ways of bootstrapping the UEFI boot loader (BOOTMGFW and BCDBOOT). The boot mode can be changed using the fdecontrol.exe utility [1]. BOOTMGFW is the default boot mode for new installations using E82.30 and below. BCDBOOT is used in E82.40 and higher. Upgrading the FDE version does not change the already set boot mode.

When BCDBOOT mode is enabled in FDE, Windows Update or Windows Server Update Services (WSUS) can be used to upgrade Windows from one major version to another. The SetupConfig.ini file will then be automatically included in the upgrade process. Using any other way of upgrading, for example by using software management products like SCCM or by ISO-file, will require additional configuration to include the SetupConfig.ini file in the upgrade process.

Switch to bootmode BCDBOOT.

If you installed or upgraded from an earlier version than E82.40, you might be running bootmode BOOTMGFW and need to switch to BCDBOOT.
If you installed E82.40 or later and have not changed the bootmode, you can skip this section.

  1. Check the current bootmode by running
    "fdecontrol.exe get-uefi-bootmode" [1]
    If the output shows BCDBOOT, you are all set and can skip this section.
    If the output shows BOOTMGFW, continue with the next step to change the bootmode.

  2. To change the bootmode to BCDBOOT, run
    "fdecontrol.exe set-uefi-bootmode bcdboot" [1]

  3. Reboot the machine at least once so that the FDE boot entry is registered in the Microsoft BCD store and the machine is compatible with third-party applications that rely on it.
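The check-and-switch procedure above as a PowerShell script. This is an added example, not Check Point's own tooling: the fdecontrol.exe commands, install directories and the UEFIInstallationMode registry value are the ones documented in this article, while the function names, the assumption that fdecontrol.exe returns exit code 0 on success, and the assumption that the registry value holds the mode name as text are this example's own.

```powershell
# Added example (not Check Point code): locate fdecontrol.exe, read the FDE UEFI boot mode,
# cross-check it against the registry, and switch BOOTMGFW -> BCDBOOT when needed.
# Run in an elevated PowerShell session on the UEFI client before upgrading Windows.

function Get-FdeControlPath {
    # Per footnote [1]: Program Files (x86) on 64-bit Windows, Program Files on 32-bit Windows.
    $roots = @()
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    $roots += $env:ProgramFiles
    foreach ($root in $roots) {
        $exe = Join-Path $root 'CheckPoint\Endpoint Security\Full Disk Encryption\fdecontrol.exe'
        if (Test-Path -LiteralPath $exe) { return $exe }
    }
    throw 'fdecontrol.exe not found. Is Check Point Full Disk Encryption installed?'
}

function Get-FdeUefiBootMode {
    # Footnote [2]: the command prints either BOOTMGFW or BCDBOOT.
    $exe = Get-FdeControlPath
    $output = (& $exe get-uefi-bootmode 2>&1 | Out-String)
    if ($output -match 'BCDBOOT')  { return 'BCDBOOT' }
    if ($output -match 'BOOTMGFW') { return 'BOOTMGFW' }
    throw "Unexpected output from fdecontrol.exe get-uefi-bootmode: $output"
}

function Get-FdeUefiBootModeFromRegistry {
    # Footnote [4]: a missing UEFIInstallationMode value means BOOTMGFW.
    # Assumption (not stated in the article): when present, the value contains the mode name.
    $key = 'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption'
    $item = Get-ItemProperty -LiteralPath $key -Name UEFIInstallationMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'BOOTMGFW' }
    return [string]$item.UEFIInstallationMode
}

function Set-FdeUefiBootModeBcdboot {
    # Returns $true when the mode was changed (reboot required), $false when already BCDBOOT.
    $exe  = Get-FdeControlPath
    $mode = Get-FdeUefiBootMode
    $reg  = Get-FdeUefiBootModeFromRegistry
    Write-Host "fdecontrol reports $mode; registry indicates $reg"
    if ($mode -eq 'BCDBOOT') {
        Write-Host 'Boot mode is already BCDBOOT; nothing to do.'
        return $false
    }
    & $exe set-uefi-bootmode bcdboot
    # Assumption: a non-zero exit code signals failure.
    if ($LASTEXITCODE -ne 0) { throw "fdecontrol.exe set-uefi-bootmode failed (exit code $LASTEXITCODE)" }
    Write-Warning 'Boot mode set to BCDBOOT. Reboot at least once so the FDE boot entry is placed in the firmware boot order BEFORE starting the Windows upgrade.'
    return $true
}

# Usage:
if (Set-FdeUefiBootModeBcdboot) { Write-Host 'Reboot now, then verify with: fdecontrol.exe get-uefi-bootmode' }
```

The registry read is only a cross-check for the administrator; the fdecontrol.exe output is treated as authoritative because the article documents it as the way to determine the mode. Run the script once, reboot, and run it again: the second run should report BCDBOOT and change nothing.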

Upgrade Windows via Windows Update or WSUS

When the machine is using bootmode BCDBOOT as described in the previous section, FDE is ready for a seamless upgrade via Windows Update or WSUS.
The Windows upgrade will automatically find the SetupConfig.ini file and use its configuration during the upgrade.

Upgrade Windows via ISO-file (SCCM)

Starting with E86.60 there is no longer a need to issue the command line below. Note, however, that if Windows was installed without a Windows recovery partition, the Windows upgrade procedure will create a new Windows recovery partition. Using the command line below prevents Windows from creating the Windows recovery partition.

When upgrading via SCCM or manually by executing the Windows setup program, the path to the SetupConfig.ini file must be passed to setup.exe so that its configuration is used during the upgrade of Windows.

  1. Make sure the machine uses bootmode BCDBOOT as described in the earlier section.
  2. To start the upgrade, run the Windows setup program with the path to the SetupConfig.ini file:
    setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.
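The ISO/SCCM launch as a PowerShell wrapper that performs the pre-flight checks the two ISO sections of this article call for (the UEFI one above and the BIOS one further down) before invoking setup.exe. This is an added example, not Check Point or Microsoft code: the SetupConfig.ini path, the /ConfigFile switch and the UEFIInstallationMode registry value come from this article; the function name, the use of the firmware_type environment variable to tell UEFI from BIOS, and the assumption that the registry value holds the mode name as text are this example's own.

```powershell
# Added example (not Check Point code): launch the Windows setup program with the FDE
# SetupConfig.ini, after verifying the prerequisites documented in this article.
# On UEFI firmware the FDE boot mode must already be BCDBOOT (and the machine rebooted);
# on BIOS firmware FDE boots via the partition boot record, so no boot-mode check applies.

function Start-WindowsUpgradeWithFde {
    param(
        [Parameter(Mandatory = $true)]
        [string]$SetupExe   # e.g. D:\setup.exe from the mounted Windows ISO, or the SCCM package path
    )

    # Path documented in this article; Join-Path turns "C:" + "Users\..." into "C:\Users\...".
    $configFile = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'
    if (-not (Test-Path -LiteralPath $configFile)) {
        throw "SetupConfig.ini not found at $configFile. Is FDE E80.71 or higher installed and switched on?"
    }
    if (-not (Test-Path -LiteralPath $SetupExe)) {
        throw "Windows setup program not found at $SetupExe"
    }

    # Assumption: Windows exposes the firmware type as $env:firmware_type ('UEFI' or 'Legacy').
    if ($env:firmware_type -eq 'UEFI') {
        # Footnote [4]: a missing UEFIInstallationMode value means BOOTMGFW, which is not
        # suitable for this upgrade path. Assumption: when present, the value names the mode.
        $key  = 'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption'
        $item = Get-ItemProperty -LiteralPath $key -Name UEFIInstallationMode -ErrorAction SilentlyContinue
        $mode = if ($null -eq $item) { 'BOOTMGFW' } else { [string]$item.UEFIInstallationMode }
        if ($mode -notmatch 'BCDBOOT') {
            throw "FDE UEFI boot mode is $mode. Run 'fdecontrol.exe set-uefi-bootmode bcdboot', reboot, and retry."
        }
        Write-Host 'UEFI firmware: FDE boot mode is BCDBOOT.'
    }
    else {
        Write-Host 'BIOS firmware: no FDE boot-mode change required.'
    }

    # Quote the path so the space in "Program Files"-style paths cannot break the argument.
    $args = @('/ConfigFile', "`"$configFile`"")
    Write-Host "Launching: $SetupExe $($args -join ' ')"
    $proc = Start-Process -FilePath $SetupExe -ArgumentList $args -Wait -PassThru
    return $proc.ExitCode
}

# Usage (from an elevated PowerShell session):
# $code = Start-WindowsUpgradeWithFde -SetupExe 'D:\setup.exe'
# Write-Host "setup.exe exited with code $code"
```

Because the function refuses to start setup.exe when the UEFI boot mode is still BOOTMGFW or when SetupConfig.ini is missing, the failure shows up before the upgrade touches the disk rather than as an unbootable machine afterwards. The exit code returned is that of setup.exe itself; interpret it as you would for any unattended Windows setup run.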

Note: When FDE is in BOOTMGFW mode, a file on the EFI System Partition (ESP) is replaced so that the firmware invokes the FDE Preboot loader and OS, which then chainloads Windows after a successful authentication.

We have seen issues with this feature in the past, and certain Windows Updates interfere with this approach. That is why we introduced the alternative BCDBOOT feature, which relies on bootstrapping via the Windows BCD store instead. This is the way recommended by Microsoft.

The only problem with using the BCD store is that we have seen firmware (HP, Dell, Lenovo, etc.) that does not honor third-party bootloaders in the UEFI environment. We are working actively with all major UEFI firmware vendors to make them aware of this problem.

Exception for Dell Latitude Laptops running Windows 7:

Before installing the Windows 7 May 2019 updates (KB4499164/KB4499175/KB2992611) on Dell Latitude laptops, the boot mode should be changed to BCDBOOT mode: "fdecontrol.exe set-uefi-bootmode bcdboot".


Important Note About Enabling BCDBOOT:

After enabling BCDBOOT using the fdecontrol.exe utility, a reboot is required so that the Full Disk Encryption boot record is injected first into the boot order in the firmware and the boot mode of the machine is successfully changed from BOOTMGFW to BCDBOOT.

BIOS-based installation

The BCD-based boot is not necessary on a BIOS installation, since FDE boots through the Partition Boot Record instead of the BCD store.

Windows Update or Windows Server Update Services (WSUS) can be used to upgrade Windows from one major version to another. The SetupConfig.ini file will then be automatically included in the upgrade process. Using any other way of upgrading, for example by using software management products like SCCM or by ISO-file, will require additional configuration to include the SetupConfig.ini file in the upgrade process.

Upgrade Windows via Windows Update or WSUS

  1. Install or upgrade to E80.71 or higher.
  2. FDE is now ready for in-place upgrade via Windows Update or WSUS.

Upgrade Windows via ISO-file (SCCM)

  1. Install or upgrade to E80.71 or higher.
  2. Then run:
    setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.


[1]: The utility fdecontrol.exe is installed in the directory "%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption" on 64-bit Windows and in "%ProgramFiles%\CheckPoint\Endpoint Security\Full Disk Encryption" on 32-bit Windows.

[2]: The current UEFI boot mode can be determined by running "fdecontrol.exe get-uefi-bootmode", which outputs either "BOOTMGFW" or "BCDBOOT".

[3]: Recent Windows updates on UEFI systems write to the boot area in the same way Windows upgrades do, and require the "BCDBOOT" mode to be configured for the update process to complete successfully.

[4]: The current UEFI boot mode can also be determined by running the following command, which reads the Check Point FDE 'UEFIInstallationMode' registry value:

REG QUERY "HKLM\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption" /v UEFIInstallationMode

*** Note that the Check Point FDE 'UEFIInstallationMode' registry value may not exist. If the registry value does not exist, the boot mode in use is BOOTMGFW. ***
