How to upgrade to Windows 10 1607 and higher with FDE in-place
Solution

This article describes the different use cases for upgrading from Windows 7, Windows 8.1.1 or Windows 10 1607 (or higher) to a new Windows 10 version with Check Point Full Disk Encryption (FDE) kept in place during the upgrade phases. [3]

With version E80.71 or higher, configurations can be made to support seamless OS upgrade with FDE in-place using the SetupConfig.ini file.

This is possible because of changes Microsoft made in Windows 10 1607. The changes allow third-party software to supply pre-configured parameters to the upgrade through the SetupConfig.ini file.

Note: Using the Windows 10 Media Creation Tool upgrade option is not supported. That upgrade option is not intended for scenarios where additional configuration such as the SetupConfig.ini file is required.

UEFI-based installation

FDE supports two ways of bootstrapping the UEFI boot loader: BOOTMGFW and BCDBOOT. The boot mode can be changed with the fdecontrol.exe utility [1]. BOOTMGFW is the default boot mode for new installations with E82.30 and earlier; BCDBOOT is the default with E82.40 and higher. Upgrading the FDE version does not change a boot mode that is already set.

When BCDBOOT mode is enabled in FDE, Windows Update or Windows Server Update Services (WSUS) can be used to upgrade Windows from one major version to another, and the SetupConfig.ini file is then automatically included in the upgrade process. Any other upgrade method, for example a software management product such as SCCM or an ISO file, requires additional configuration to include the SetupConfig.ini file in the upgrade process.

Upgrade Windows via Windows Update or WSUS

  1. Install or upgrade to E80.71 or higher.
  2. Enable BCD-based UEFI boot by running: "fdecontrol.exe set-uefi-bootmode bcdboot" [1]
  3. Reboot the computer once so that the FDE boot entry is registered in the Microsoft BCD Store and the boot mode change takes effect.
  4. FDE now starts through the Microsoft BCD Store and is ready for a seamless upgrade via Windows Update or WSUS.

Upgrade Windows via ISO-file

  1. Install or upgrade to E80.71 or higher.
  2. Then, depending on the current UEFI boot mode: [2]
    1. Boot mode: BOOTMGFW
      1. Either use the step-by-step procedure from sk112246, or switch UEFI boot mode to BCDBOOT by running "fdecontrol.exe set-uefi-bootmode bcdboot" [1]
    2. Boot mode: BCDBOOT
      1. Run setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.

Note: When FDE is in BOOTMGFW mode, a file on the EFI System Partition (ESP) is replaced so that the firmware invokes the FDE Preboot loader and OS, which then chainload Windows after a successful authentication.

We have seen issues with this approach in the past, where certain Windows updates interfered with the replaced file. That is why we introduced the alternative BCDBOOT feature, which relies on bootstrapping via the Windows BCD store instead. This is the way recommended by Microsoft.

The only problem with using the BCD store is that we have seen firmware (HP, Dell, Lenovo, etc.) that does not honor third-party boot loaders in the UEFI environment. We are actively working with all major UEFI firmware vendors to make them aware of this problem.

Exception for Dell Latitude Laptops running Windows 7:

Before installing the Windows 7 May 2019 updates (KB4499164/KB4499175/KB2992611) on Dell Latitude laptops, the boot mode should be changed to BCDBOOT mode: "fdecontrol.exe set-uefi-bootmode bcdboot".

Important Note About Enabling BCDBOOT:

After enabling BCDBOOT with the fdecontrol.exe utility, a reboot is required so that the Full Disk Encryption boot record is injected first into the firmware boot order and the boot mode of the machine is actually changed from BOOTMGFW to BCDBOOT.

BIOS-based installation

BCD-based boot is not necessary on BIOS installations, since FDE boots through the Partition Boot Record instead of the BCD.

Windows Update or Windows Server Update Services (WSUS) can be used to upgrade Windows from one major version to another, and the SetupConfig.ini file is then automatically included in the upgrade process. Any other upgrade method, for example a software management product such as SCCM or an ISO file, requires additional configuration to include the SetupConfig.ini file in the upgrade process.

Upgrade Windows via Windows Update or WSUS

  1. Install or upgrade to E80.71 or higher.
  2. FDE is now ready for in-place upgrade via Windows Update or WSUS.

Upgrade Windows via ISO-file

  1. Install or upgrade to E80.71 or higher.
  2. Run setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.

[1]: The utility fdecontrol.exe is installed in the directory "%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption" on 64-bit Windows and in "%ProgramFiles%\CheckPoint\Endpoint Security\Full Disk Encryption" on 32-bit Windows.

[2]: The current UEFI boot mode can be determined by running "fdecontrol.exe get-uefi-bootmode", which outputs either "BOOTMGFW" or "BCDBOOT".

[3]: Recent Windows updates on UEFI systems write to the boot area in the same way as Windows upgrades do, and require the BCDBOOT boot mode to be configured for the update process to complete successfully.

[4]: The current UEFI boot mode can also be determined with the following command, which reads the Check Point FDE 'UEFIInstallationMode' registry value:

REG QUERY "HKLM\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption" /v UEFIInstallationMode

*** Note that the Check Point FDE 'UEFIInstallationMode' registry value may not exist. If the value does not exist, the boot mode in use is BOOTMGFW. ***
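The following PowerShell script is an added example and is not part of this article or of the Check Point product. It ties the procedures above together as a pre-flight check: it locates fdecontrol.exe in the install directory from footnote [1], reads the UEFI boot mode both ways the footnotes describe ([2] via the tool, [4] via the registry value, treating an absent value as BOOTMGFW), distinguishes BIOS from UEFI installations, and reports whether the machine is ready for Windows Update/WSUS or for the ISO path. It changes nothing unless the matching switch is given. The $SetupExe path, the Windows 7 firmware detection via bcdedit output, and the assumption of a 64-bit Windows registry path (WOW6432Node, as in footnote [4]) are assumptions of this example.

```powershell
# Added example (not from the Check Point article or product): pre-flight check
# before an in-place Windows upgrade on a machine with Check Point FDE installed.
# Run from an elevated PowerShell prompt. $SetupExe is an assumed path.
[CmdletBinding()]
param(
    [string]$SetupExe = 'D:\setup.exe',   # assumed: setup.exe on the mounted Windows ISO
    [switch]$SwitchToBcdBoot,             # run "fdecontrol.exe set-uefi-bootmode bcdboot" if needed
    [switch]$StartUpgrade                 # launch setup.exe /ConfigFile when the machine is ready
)

# Install directory from footnote [1]: 64-bit path first, 32-bit path as fallback.
$fdeControl = @(
    "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\Full Disk Encryption\fdecontrol.exe",
    "$env:ProgramFiles\CheckPoint\Endpoint Security\Full Disk Encryption\fdecontrol.exe"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $fdeControl) { throw 'fdecontrol.exe not found: is Full Disk Encryption installed?' }

# SetupConfig.ini path from the article; the upgrade has to pick this file up.
$setupConfig = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'

function Get-FirmwareType {
    # Windows 8 and later expose the firmware type as an environment variable ('UEFI' or 'Legacy').
    if ($env:firmware_type) { return $env:firmware_type }
    # Assumption for Windows 7: the current boot entry loads winload.efi only on UEFI systems.
    $bcd = bcdedit /enum '{current}' 2>$null | Out-String
    if ($bcd -match 'winload\.efi') { return 'UEFI' }
    return 'Legacy'
}

function Get-FdeBootModeFromTool {
    # Footnote [2]: the tool prints BOOTMGFW or BCDBOOT.
    (& $fdeControl get-uefi-bootmode 2>$null | Out-String).Trim().ToUpperInvariant()
}

function Get-FdeBootModeFromRegistry {
    # Footnote [4]: the value may be absent, and absence means BOOTMGFW.
    # Assumes 64-bit Windows (WOW6432Node), as in the article's REG QUERY command.
    $key = 'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption'
    $item = Get-ItemProperty -Path $key -Name UEFIInstallationMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'BOOTMGFW' }
    return ([string]$item.UEFIInstallationMode).ToUpperInvariant()
}

function Get-FdeUpgradeReadiness {
    $firmware = Get-FirmwareType
    $result = [pscustomobject]@{
        Firmware         = $firmware
        BootModeTool     = $null
        BootModeRegistry = $null
        SetupConfigFound = Test-Path -LiteralPath $setupConfig
        Ready            = $false
        Action           = ''
    }
    if ($firmware -ne 'UEFI') {
        # BIOS install: FDE boots through the Partition Boot Record, so the BCD mode is irrelevant.
        $result.Ready  = $true
        $result.Action = 'BIOS install: upgrade via Windows Update/WSUS, or run setup.exe /ConfigFile.'
        return $result
    }
    $result.BootModeTool     = Get-FdeBootModeFromTool
    $result.BootModeRegistry = Get-FdeBootModeFromRegistry
    if ($result.BootModeTool -and $result.BootModeTool -ne $result.BootModeRegistry) {
        Write-Warning "fdecontrol reports $($result.BootModeTool) but the registry implies $($result.BootModeRegistry)."
    }
    if ($result.BootModeTool -eq 'BCDBOOT') {
        $result.Ready  = $true
        $result.Action = 'BCDBOOT mode: ready for Windows Update/WSUS, or run setup.exe /ConfigFile.'
    } else {
        $result.Action = 'BOOTMGFW mode: switch to BCDBOOT and reboot once (or follow sk112246) before upgrading.'
    }
    return $result
}

$state = Get-FdeUpgradeReadiness
$state | Format-List
if (-not $state.SetupConfigFound) { Write-Warning "SetupConfig.ini not found at $setupConfig" }

if (-not $state.Ready -and $SwitchToBcdBoot) {
    # Same command as step 2 of the UEFI procedure; the reboot from the "Important Note" still applies.
    & $fdeControl set-uefi-bootmode bcdboot
    Write-Host 'Boot mode set to BCDBOOT. Reboot once before starting the upgrade.'
} elseif ($state.Ready -and $StartUpgrade -and $state.SetupConfigFound) {
    # Same invocation as the article's ISO procedure, using the ISO's setup.exe.
    & $SetupExe /ConfigFile $setupConfig
}
```

Running the script with no switches only reports: the firmware type, both boot-mode readings, whether SetupConfig.ini is present, and the action the article prescribes for that state. A mismatch between the tool and the registry reading is surfaced as a warning rather than silently resolved, since the two footnotes are meant to agree; -SwitchToBcdBoot and -StartUpgrade are deliberately separate so that the required reboot between them is not skipped.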
