Windows 10 Inplace upgrade with Checkpoint FDE (Windows 10 and Configuration Manager)

Question

Hi felllow engineers,

I am trying to implement IPU TS to update from Windows 10 1903 to 20H2.

All my computers have Check Point FDE enabled. Therefor, I have to use the use a SCCM package with Windows 10 20H2 source and run a task sequence command line option as blow;

setup.exe /auto upgrade /DynamicUpdate disable /ShowOOBE none /quiet /noreboot /compat IgnoreWarning /postrollbackcontext system /ConfigFile "%SystemDrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"

My questions are,

Has anyone done this before ? Could you please share the process you take to upgrade with FDE ?

What is the rollback procedure if the upgrade fails. Will it automatically roll back which I don't think as I'm not using the buildin "Upgrade Operating System" TS action. Should I include additiona roll back steps. Could you please share some of your experiences.

Answer 1

Use the standard "Upgrade operating system step" instead of a package. Add the "OSDSETUPADDITIONALUPGRADEOPTIONS" task sequence variable before the upgrade os step and point to the drivers vs the setupini file.

Example variable value: /reflectdrivers "C:\program files (x86)\checkpoint\endpoint security\full disk encryption\driver" /resizerecoverypartition disable /noreboot

Depending on which version of checkpoint you have installed you may have to enable BCD boot on the device and restart prior to the upgrade.

Answer 2

Hi,

Thanks for posting in Microsoft MECM Q&A forum.

With version E80.71 or higher, configurations can be made to support seamless OS upgrade with FDE in-place using the SetupConfig.ini file. Here is a article for your reference:
How to upgrade to Windows 10 1607 and higher with FDE in-place
Please note: The links are not from Microsoft, just for your reference. Hope it helps. Thanks for your time.
 
Best regards,
Simon

---

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 3

@Simon Ren-MSFT
Thank you for the reply. How would I add the command (setup.exe with SetupConfig.ini) to a inplace upgrade task sequence..
As far as I know Inplace Upgrade TS has its own default command.

Or is it down via a TS package and setting the command as program?

Your assistance is much appreciated.

Answer 4

You can use the Native Step
You don't need to use SetupConfig.ini
You can do this all in your task sequence.

This works with any 3rd Party Encryption, I've tested a couple different ones, and I know it works with CheckPoint

Here is a mockup I tossed together to show how it would work:

Using a Set TS Variable Step, set the Variable: OSDSetupAdditionalUpgradeOptions
Set it to something like this:

/ReflectDrivers "C:\Program Files (x86)\CheckPoint\Endpoint Security\Full Disk Encryption\Driver" /ResizeRecoveryPartition Disable /DiagnosticPrompt disable /priority high /MigNEO Disable  

Then use a normal Upgrade Windows Step:

Take a look at this page, Demo 3, it will show the SMSTS.log file how it builds the windows 10 setup command and adds the content in the OSDSetupAdditionalOptions variable. https://docs.recastsoftware.com/ConfigMgr-Docs/TaskSequence/SCCM-TaskSequence-Step-Upgrade-Operating-System.html#demo-3---upgrade-from-1809-to-1909