How to upgrade to Windows 10 1607 and above with FDE in-place
Solution

This article describes the different use cases for upgrading from Windows 7, Windows 8.1.1 or Windows 10 1607 (or above) to a new Windows 10 version with Check Point Full Disk Encryption in place during the upgrade phases.[3]

From E80.71 onward, Check Point Full Disk Encryption (FDE) supports a seamless OS upgrade with FDE in place.

This is possible due to changes made by Microsoft in Windows 10 1607 that allow third-party software to store pre-configured parameters in the SetupConfig.ini file.

Note: Using the Windows 10 Media Creation Tool upgrade option is not supported. That tool is not intended for upgrade scenarios that require additional configuration, such as the SetupConfig.ini file.


UEFI-based installation

When the BCD boot mode is enabled in FDE, Windows Update or WSUS can be used to upgrade Windows from one major version to another.

FDE also supports two different ways to bootstrap the UEFI boot loader.

Upgrade Windows via Windows Update or WSUS

  1. Install or upgrade to E80.71 or above.
  2. Then enable BCD based UEFI boot by running: "fdecontrol.exe set-uefi-bootmode bcdboot"[1]
  3. Reboot the computer once to make sure FDE is started via the Microsoft BCD Store and is compatible with third-party applications.
  4. FDE will now be using the Microsoft BCD Store for starting FDE and is ready for upgrading seamlessly via Windows Update or WSUS.

Upgrade Windows via ISO-file

  1. Install or upgrade to E80.71 or above.
  2. Then depending on the current UEFI boot mode[2]:
    1. Boot mode: BOOTMGFW (default installation mode)
      1. Either use the step-by-step procedure from sk112246, or switch UEFI boot mode to BCDBOOT by running "fdecontrol.exe set-uefi-bootmode bcdboot"[1]
    2. Boot mode: BCDBOOT (set by the fdecontrol.exe utility)
      1. Run setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.
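The following PowerShell script is an added example, not Check Point's code, that ties the UEFI and BIOS ISO procedures above together: it locates fdecontrol.exe in the directory from note [1], on UEFI firmware checks the boot mode with "fdecontrol.exe get-uefi-bootmode" and switches to BCDBOOT if needed (stopping for the mandatory reboot), and only then launches setup.exe with the SetupConfig.ini path from step 2. Assumptions: the Windows 10 ISO is mounted at the drive letter given in -IsoDrive, the script runs in an elevated session, and the firmware type is taken from the $env:firmware_type variable (set by Windows 8 and later; on Windows 7 pass -Firmware explicitly).

```powershell
<#
  Added example (not Check Point's code): pre-flight checks and launch for an
  in-place Windows 10 upgrade from a mounted ISO with FDE in place.
#>
[CmdletBinding()]
param(
    [string]$IsoDrive = 'D:',                                   # assumed mount point of the Windows 10 ISO
    [ValidateSet('UEFI', 'Legacy')]
    [string]$Firmware = $env:firmware_type,                     # absent on Windows 7: pass it explicitly
    [string]$SetupConfig = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
)

if (-not $Firmware) {
    throw "Firmware type unknown (no `$env:firmware_type); run again with -Firmware UEFI or -Firmware Legacy."
}

# Locate fdecontrol.exe (directories from note [1]).
$fdeDir = if (${env:ProgramFiles(x86)}) {
    "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\Full Disk Encryption"
} else {
    "$env:ProgramFiles\CheckPoint\Endpoint Security\Full Disk Encryption"
}
$fdecontrol = Join-Path $fdeDir 'fdecontrol.exe'
if (-not (Test-Path $fdecontrol)) {
    throw "fdecontrol.exe not found under '$fdeDir'; install or upgrade to E80.71 or above first."
}

if ($Firmware -eq 'UEFI') {
    # UEFI: BCDBOOT mode must be active before setup.exe writes to the boot area.
    $mode = (& $fdecontrol get-uefi-bootmode | Out-String).Trim()
    Write-Host "Current UEFI boot mode: $mode"
    if ($mode -notmatch 'BCDBOOT') {
        & $fdecontrol set-uefi-bootmode bcdboot
        # The mode change only takes effect after a reboot (see the note on enabling BCDBOOT),
        # so stop here and let the operator run the script again afterwards.
        Write-Warning 'Boot mode switched to BCDBOOT. Reboot once, then run this script again to start the upgrade.'
        exit 3010   # conventional "success, reboot required" exit code
    }
} else {
    Write-Host 'Legacy BIOS firmware: FDE boots through the Partition Boot Record, no boot-mode change needed.'
}

# SetupConfig.ini carries the parameters the upgrade needs; refuse to run without it.
if (-not (Test-Path $SetupConfig)) {
    throw "SetupConfig.ini not found at '$SetupConfig'."
}

$setup = Join-Path $IsoDrive 'setup.exe'
if (-not (Test-Path $setup)) {
    throw "setup.exe not found on '$IsoDrive'; mount the Windows 10 ISO first."
}

# Same command as in the procedure above; wait for setup.exe so its exit code can be reported.
$proc = Start-Process -FilePath $setup -ArgumentList "/ConfigFile `"$SetupConfig`"" -Wait -PassThru
Write-Host "setup.exe exited with code $($proc.ExitCode)"
exit $proc.ExitCode
```

Run it once; if it switches the boot mode it exits with 3010 and asks for a reboot, and the second run (after the reboot) starts setup.exe. Splitting the mode change and the upgrade across a reboot is deliberate: setup.exe must not be launched while the firmware boot order still points at the BOOTMGFW entry.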

Note: The default Preboot entry point when installing FDE is called "bootmgfw". A file on the EFI System Partition (ESP) is replaced so that it invokes the FDE Preboot loader and OS, which then chainloads Windows after a successful authentication.

We've seen issues with this feature in the past, and certain Windows Updates interfere with that approach. That is why we introduced the alternative BCDBoot feature, which relies on bootstrapping via the Windows BCD store instead. This is the way recommended by Microsoft.

The only problem with that is that we've seen firmware out in the wild (HP, Dell, Lenovo, etc.) that does not honor third-party boot loaders in the UEFI environment. However, we are actively working with all major UEFI firmware vendors to make them aware of this problem, and the short-term/mid-term plan is to switch our default behavior to BCDBoot instead of Bootmgfw.

Exception for Dell Latitude Laptops running Windows 7:

Before installing the Windows 7 May 2019 updates (KB4499164/KB4499175/KB2992611) on Dell Latitude laptops, the boot mode should be changed to BCDBOOT mode: "fdecontrol.exe set-uefi-bootmode bcdboot".


Important Note About Enabling BCDBOOT:

After enabling BCDBOOT using our fdecontrol.exe tool, a reboot is required (1) so that our 'Full Disk Encryption' boot record is injected first into the boot order in the firmware and (2) so that the BOOTMODE of the machine is successfully changed from 'BOOTMGFW' to 'BCDBOOT'.


BIOS-based installation

The BCD-based boot is not necessary on BIOS installations, since FDE boots through the Partition Boot Record instead of the BCD.

Upgrade Windows via Windows Update or WSUS

  1. Install or upgrade to E80.71 or above.
  2. FDE is now ready for in-place upgrade via Windows Update or WSUS.

Upgrade Windows via ISO-file

  1. Install or upgrade to E80.71 or above.
  2. Then run setup.exe /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
  3. Windows is now upgraded with FDE in-place.


[1]: The utility fdecontrol.exe is installed in the directory "%ProgramFiles(x86)%\CheckPoint\Endpoint Security\Full Disk Encryption" on 64-bit Windows and in "%ProgramFiles%\CheckPoint\Endpoint Security\Full Disk Encryption" on 32-bit Windows.

[2]: The current UEFI boot mode can be determined by running "fdecontrol.exe get-uefi-bootmode", which outputs either "BOOTMGFW" or "BCDBOOT".

[3]: Recent Windows updates on UEFI systems write to the boot area in the same way Windows upgrades do, and require the "BCDBOOT" mode to be configured for the update process to complete successfully.

[4]: The current UEFI boot mode can also be determined with the following command, which reads the Check Point FDE 'UEFIInstallationMode' registry value:

REG QUERY "HKLM\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption" /v UEFIInstallationMode

*** Note that the Check Point FDE 'UEFIInstallationMode' registry value only exists if fdecontrol.exe has ever been used to enable or disable BCDBOOT ***
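Because notes [2] and [4] give two independent ways to read the boot mode, and note [3] makes BCDBOOT a prerequisite for recent UEFI updates, a fleet-wide check before approving such updates is worth having. The function below is an added example, not Check Point's code: it reports the mode from fdecontrol.exe and from the registry side by side, and treats a missing registry value as "never changed with fdecontrol.exe" rather than as an error. It assumes the fdecontrol.exe directories from note [1]; the 64-bit registry path is the one from note [4], while the 32-bit path without WOW6432Node is an assumption.

```powershell
<#
  Added example (not Check Point's code): report the FDE UEFI boot mode from
  both sources (fdecontrol.exe and the UEFIInstallationMode registry value).
#>
function Get-FdeUefiBootMode {
    [CmdletBinding()]
    param()

    $is64 = [bool]${env:ProgramFiles(x86)}
    $fdeDir = if ($is64) {
        "${env:ProgramFiles(x86)}\CheckPoint\Endpoint Security\Full Disk Encryption"
    } else {
        "$env:ProgramFiles\CheckPoint\Endpoint Security\Full Disk Encryption"
    }
    $fdecontrol = Join-Path $fdeDir 'fdecontrol.exe'

    # Source 1: the utility itself (note [2]) prints BOOTMGFW or BCDBOOT.
    $toolMode = $null
    if (Test-Path $fdecontrol) {
        $toolMode = (& $fdecontrol get-uefi-bootmode 2>&1 | Out-String).Trim()
    }

    # Source 2: the registry value (note [4]). It exists only if fdecontrol.exe has ever
    # been used to change the mode, so a missing value is expected on untouched hosts.
    $regPath = if ($is64) {
        'HKLM:\SOFTWARE\WOW6432Node\CheckPoint\EndPoint Security\Full Disk Encryption'
    } else {
        'HKLM:\SOFTWARE\CheckPoint\EndPoint Security\Full Disk Encryption'   # assumed 32-bit path
    }
    $regValue = $null
    $item = Get-ItemProperty -Path $regPath -Name UEFIInstallationMode -ErrorAction SilentlyContinue
    if ($item) { $regValue = $item.UEFIInstallationMode }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        FdeControlFound      = (Test-Path $fdecontrol)
        BootModeFromTool     = $toolMode
        ReadyForBcdUpdates   = ($toolMode -match 'BCDBOOT')   # prerequisite from note [3]
        UEFIInstallationMode = $regValue                       # $null => never changed with fdecontrol.exe
        RegistryValuePresent = ($null -ne $regValue)
    }
}

# Usage: run locally, or fan out with Invoke-Command and collect the objects into a report.
Get-FdeUefiBootMode | Format-List
```

Hosts where ReadyForBcdUpdates is false still boot through the BOOTMGFW entry and should be switched (and rebooted) before the updates described in note [3] are approved for them; a host with RegistryValuePresent false but BootModeFromTool BCDBOOT is a hint that the mode was set by other means, which is worth a second look.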
