Dell Encryption for Windows Best Practices: Windows 10 Upgrade / Migration


Dell Encryption Enterprise Shield (formerly Dell Data Protection Enterprise Edition Shield) and Dell Encryption Personal (formerly Dell Data Protection | Personal Edition) are fully compatible with Windows 10.


Affected Products:

Dell Data Protection | Enterprise Edition Shield
Dell Data Protection | Personal Edition
Dell Encryption Enterprise Shield
Dell Encryption Personal
Dell Encryption External Media Edition
Dell Encryption External Media
Dell Endpoint Security Suite
Dell Endpoint Security Suite Enterprise


Dell currently recommends a full backup prior to making any changes to your computer’s operating system.

Dell has introduced the ability to upgrade your OS from Windows 7, Windows 8, Windows 8.1, or Windows 10 RTM to Windows 10 Threshold 2 (build 1511, version 10.0.10586) and later.

Follow these steps to prepare the Dell Encryption Enterprise Shield on a Windows 7, Windows 8, Windows 8.1 or Windows 10 computer and confirm the client is ready for the Windows 10 update. Supported updates are:

  • Windows 10 build 1511 "November Update" - Support introduced in 8.9.1
  • Windows 10 build 1607 "Anniversary Update" - Support introduced in 8.10.1
  • Windows 10 build 1703 "Creators Update" - Support in 8.13.0


Note: Please keep in mind when upgrading to Windows 10 that matching Windows versions is required to ensure a smooth transition between operating systems.

Windows 10 now offers feature updates through Windows Updates and various other sources. With 8.10.1 and later clients, Dell Encryption supports updating Windows with Feature Updates, allowing Dell Encryption to remain installed and files to stay encrypted throughout the Windows Feature Update process. The methods this article outlines are through Windows Updates, through Standalone Media, or through Deployment Models.

Windows Updates entails an upgrade from within the operating system through the typical method of update delivery.

Standalone Media encompasses downloading the Windows Feature Update install media from Microsoft.

Deployment Models explains how to prep for an upgrade through various deployment tools that offer managed Operating System Upgrades.

The Windows 10 Upgrade must be run from either an unencrypted directory. Because USER or COMMON encryption is NOT unlocked during the Windows 10 Upgrade process, when the upgrade is run from a USER or COMMON encrypted directory, the upgrade will fail even though the Dell Data Protection | Encryption/Dell Encryption Windows 10 Upgrade is performed correctly.

Based on this requirement, Dell suggests adding the following exclusions to the Dell Data Protection | Encryption/Dell Encryption policies for Windows Feature Updates. These should be added to both Fixed Disk Exclusions (for SDE keys) and General Encryption Exclusions (Common/User):

-^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT
-^%ENV:SYSTEMDRIVE%\_SMSTaskSequence

Note: This process requires 8.10.1 or later of the Dell Encryption Enterprise Shield.

When pulling feature updates through Windows Updates, you may encounter a failure indicating that Dell Encryption is required to be uninstalled before continuing.

Close this screen, run WSProbe -z (as an administrator from command prompt) and then try the update again.

Note: If a reboot occurs before your next attempt to update, WSProbe -z (run from an administrative command prompt) will need to be run again.

The update will prompt stating that more prep items will be run in the background.

The status for updates can be checked in the new "Settings" menu for Windows 10.

To access the Update items via the Settings menu:

Click the Start button, then click Settings.

In Settings, click Update & Security.

When ready, the Update & Security section will show that a restart has been scheduled. Rebooting will begin the update process.

The upgrade will complete. During login, Windows will indicate that the PC was updated, and all of your data will be in the same location.

You can validate that the new version of Windows was properly installed by checking the version of Windows with the command "winver", run at a command prompt or in PowerShell.

Note: Some devices running Dell Data Protection | Encryption version 8.10.1 or 8.11.0 may need to update their SetupConfig.ini file within C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS. The current file is missing a header of [SetupConfig]. Currently we show:

Add the header to make it

This file applies to all local updates, and automates passing the reflectdrivers command to the Windows Feature Update coming through Windows Update. The change has been made within the product, and no longer needs to be made manually as of 8.12.0.
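One way to check for and add the missing [SetupConfig] header described in the note above, as an added PowerShell example rather than Dell's own code. It changes only the header line and leaves the file's existing settings as they are; the function names and the .bak backup name are assumptions.

```powershell
# Added example, not Dell's code. Run from an elevated PowerShell session
# on a client running 8.10.1 or 8.11.0 (fixed in the product as of 8.12.0).
$IniPath = 'C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'
$Header  = '[SetupConfig]'

function Test-SetupConfigHeader {
    param([string[]]$Lines)
    # The first non-blank line must be the section header.
    # -eq is case-insensitive in PowerShell; surrounding whitespace is ignored.
    $first = $Lines | Where-Object { $_.Trim() -ne '' } | Select-Object -First 1
    return ($null -ne $first) -and ($first.Trim() -eq $Header)
}

function Repair-SetupConfigHeader {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'FileNotFound' }
    $lines = @(Get-Content -LiteralPath $Path)
    if (Test-SetupConfigHeader -Lines $lines) { return 'HeaderPresent' }
    # Keep a copy of the original (backup name is an assumption), then prepend the header.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    Set-Content -LiteralPath $Path -Value (@($Header) + $lines)
    return 'HeaderAdded'
}

Repair-SetupConfigHeader -Path $IniPath
```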

Microsoft offers the ability to download Windows Feature Updates as ISO files for easy upgrades and deployments. You can get that media here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history

Note: This process requires 8.10.1 or later of the Dell Encryption Client.

Before inserting the media, run WSProbe -z (as an administrator from command prompt). This prepares the encrypted data for the upgrade process (no decryption is done).

Note: If a reboot occurs before your next attempt to update, WSProbe -z (run from an administrative command prompt) will need to be run again.


When this media is inserted into a system running earlier versions of Microsoft Windows, a prompt to upgrade is presented.

You will need to close out of this prompt, as the upgrade must be run with a specific command.

Open an administrative command prompt (or leverage the one that is open for the WSProbe -z functionality).

Navigate to the drive letter that contains the Windows Feature Update media (in this example, D: is the drive that contains the Windows Feature Update media).

Run setup.exe with this command to inject the Dell Encryption drivers:

Setup.exe /reflectdrivers "C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers"

Note: This folder is only present in 8.10.1 and later versions of Dell Encryption.


This command will launch the Windows Feature Update process. Proceed through the prompts normally; no other steps are required.
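The standalone-media steps above, combined into one pre-flight script as an added PowerShell example (not Dell's tooling). The `-WSProbe` parameter is an assumption because the article does not state where WSProbe.exe is installed; `-MediaDrive` defaults to the article's example drive, D:.

```powershell
# Added example, not Dell's tooling. Run from an elevated PowerShell session.
param(
    # Assumption: full path to WSProbe.exe; the article does not give its location.
    [Parameter(Mandatory)][string]$WSProbe,
    # Drive letter of the Feature Update media (D: in the article's example).
    [string]$MediaDrive = 'D:'
)
$ErrorActionPreference = 'Stop'
$drivers = 'C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers'
$setup   = "$MediaDrive\setup.exe"

# 1. WSProbe -z and Setup.exe both need an administrative context.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated prompt.' }

# 2. The DDPEDrivers folder is only present on 8.10.1 and later clients.
if (-not (Test-Path -LiteralPath $drivers -PathType Container)) {
    throw "Missing $drivers (client older than 8.10.1 or not installed)."
}
if (-not (Get-ChildItem -LiteralPath $drivers -File -Recurse | Select-Object -First 1)) {
    throw "$drivers is empty; nothing to pass to /reflectdrivers."
}

# 3. Both executables must be present before anything is changed.
foreach ($exe in $WSProbe, $setup) {
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { throw "Not found: $exe" }
}

# 4. Prepare the encrypted data (no decryption is done).
#    This must be repeated if the machine reboots before the upgrade starts.
& $WSProbe -z
Write-Host "WSProbe -z finished with exit code $LASTEXITCODE"

# 5. Launch setup with the encryption drivers reflected into the upgrade.
Start-Process -FilePath $setup -ArgumentList "/reflectdrivers `"$drivers`""
```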

Microsoft offers the ability to download Windows Feature Updates as ISO files for easy upgrades and deployments. You can get that media here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history

To prepare a Windows Feature Update for deployment, most environments will have to leverage an install.wim file. Due to the nature of how Dell Encryption supports the Windows Feature Update path, we will have to inject the drivers and necessary registry files into the install media.

To accomplish this, the Windows 10 Application Development Kit (ADK) is required. You can find the latest version here: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

You will also need a batch file and appropriate registry keys, which are unable to be linked externally for customer download. You can get these from support by calling the support line at: 877.459.7304 Ext. 4310039. For support outside the US, reference ProSupport’s International Contact numbers list. This batch file takes an expanded Windows Feature Update ISO (downloaded above) and injects drivers and registry files into the install.wim and WinRE.wim files within the upgrade ISO.

To find the appropriate drivers for your upgrade media, we will need to pull the drivers from a device that is running 8.10.1 or later for the appropriate operating system architecture (32-bit or 64-bit). These are found in C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers\

  • Batch script (provided by Dell Support)
  • Extracted ISO of the Windows Feature Update installer (Provided by Microsoft)
  • Registry Keys (Provided by Dell Support with script)
  • Dell Encryption Drivers (Pulled from a device on your network, or provided by Dell Support)

Open the Deployment and Imaging Tools Environment as an administrator.

Then run the batch script. Entering just the batch file name gives information on syntax.

Syntax is:

Usage: Build-FFE-Integrated-Dell-Image "Win10UpgradeDir" "DDPEDriversDir"

Where:

Win10UpgradeDir -- Path to the Windows 10 ISO files extracted to a directory
DDPEDriversDir -- Optional path to the DDP|E drivers directory. The DDP|E drivers will be obtained from the local installation if this parameter is not supplied.

Note: It is expected that the .bat file and the RegistryFiles folder are in the same location.

Once the process completes, you will end up with an upgraded install.wim file within the extracted ISO directory that you provided to the tool. You can compress this back into an ISO with various methods, such as OSCDimg: https://technet.microsoft.com/en-us/library/cc749036%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

The install files are now ready for use.

Note: WSProbe -z is still required with this method, as this command unlocks key material that the upgrade process consumes using the drivers now loaded into the install media.
  • As an administrator, open a command prompt in the same location as the WSProbe.exe file and enter the applicable command:
    • To allow Windows 10 Upgrade mode to authenticate against a key bundle file for Dell Encryption Personal (formerly Dell Data Protection | Personal Edition) upgrade preparation (the LSARecovery file that is backed up during Dell Encryption Personal's provisioning process):
      • WSProbe -E -B "backup_file_path" "password"
Note: For Dell Encryption Personal systems, if the decryption fails to start, you may need to copy the LSARecovery file to C:\Program Files\Dell\Dell Data Protection\Encryption\ and select the LSARecovery file from that location. Dell is currently researching this to ensure the best experience possible is delivered.

To check progress of the preparation process, you can run: WSProbe -E

  • System is ready for upgrade when the following message displays: "Preparation complete. Please run Windows Upgrade now."
  • Restart the computer, if prompted.
  • Run the Windows upgrade.
  • Restart the computer.
  • Once the upgrade has completed, open a command prompt and enter:
    • WSProbe -R
Note: The WSProbe -R command resumes normal Encryption client functionality and is run after the computer is successfully upgraded. It can also be used to roll back to normal Encryption client functionality before an upgrade is performed.
  • Restart the computer, if prompted.

To check progress of the preparation process, you can run: WSProbe -E

  • If the following message does not display: "Preparation complete. Please run Windows Upgrade now."
    • Follow the prompts that are listed.
    • Run WSProbe again until the prompt to run the Windows Upgrade displays:
      • WSProbe -E
    • Run the Windows upgrade.
    • Restart the computer, if prompted.
    • Once the upgrade has completed, open a command prompt and enter:
      • WSProbe -R

This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:

HKLM\Software\Credant\DecryptAgent\
DWORD: MaxBytesReboot
Value: 0

  • As an administrator, open a command prompt in the same location as the WSProbe.exe file and enter the applicable command:
    • To allow Windows 10 Upgrade mode to import and authenticate against a pre-existing key bundle file (can be downloaded from the Dell Security Management Server [formerly Dell Data Protection | Enterprise Edition]):
      • WSProbe -E -I "import_file_path" "password"
    • To contact the Dell Security Management Server or Dell Security Management Virtual Server (formerly Dell Data Protection | Virtual Edition), which transfers the key bundle that is used to validate that the proper key material is present:
      • WSProbe -E -S "forensics_admin_name" "password"
    • To check progress of the preparation process, you can run:
      • WSProbe -E
    • System is ready for upgrade when the following message displays: "Preparation complete. Please run Windows Upgrade now."
    • Restart the computer, if prompted.
    • Run the Windows upgrade.
    • Restart the computer.
    • Once the upgrade has completed, open a command prompt and enter:
      • WSProbe -R
    • Restart the computer, if prompted.
    • If the following message does not display: "Preparation complete. Please run Windows Upgrade now."
      • Follow the prompts that are listed.
      • Run WSProbe again until the prompt to run the Windows Upgrade displays:
        • WSProbe -E
      • Run the Windows upgrade.
      • Restart the computer, if prompted.
      • Once the upgrade has completed, open a command prompt and enter:
        • WSProbe -R

This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:

HKLM\Software\Credant\DecryptAgent\
DWORD: MaxBytesReboot
Value: 0


For additional support, US-based customers can call Dell Data Protection ProSupport at: 877.459.7304 Ext. 4310039 or contact us via the Chat Portal. For support outside the US, reference ProSupport’s International Contact Numbers list. Visit the Dell Security Community Forum to get insights from other community members and additional resources to help you manage your environment.


Article ID: SLN298382

Last Date Modified: 08/16/2017 07:57 AM