Dell Encryption Enterprise and Dell Encryption Personal Best Practices: Windows 10 Feature Update or Migration

The Windows 10 Upgrade must be run from an unencrypted directory. Because USER or COMMON encryption is not unlocked during the Windows 10 Upgrade process, when the upgrade is run from a USER or COMMON encrypted directory, the upgrade fails even though the Dell Encryption Windows 10 Upgrade is performed correctly.

Dell Suggests the following Exclusions to be added to the Dell Encryption policies for Windows Feature Updates based on this requirement. These should be added to both Fixed Disk Exclusions (For SDE keys) and General Encryption Exclusions (Common/User):

-^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT
-^%ENV:SYSTEMDRIVE%\_SMSTaskSequence
-^%ENV:SYSTEMDRIVE%\$GetCurrent\
-^%ENV:SYSTEMDRIVE%\$SysReset\
-^%ENV:SYSTEMDRIVE%\$Windows.~WS\
-^%ENV:SYSTEMDRIVE%\$Hyper-v.tmp\
-^%ENV:SYSTEMDRIVE%\Windows\SoftwareDistribution\
-^%ENV:SYSTEMDRIVE%\Windows10Upgrade\

Required for Feature Updates being pushed through SCCM and other third-party management applications:

-^%ENV:SYSTEMDRIVE%\Windows\ccmcache
-^%ENV:SYSTEMDRIVE%\Windows\TEMP\BootImages
-^%ENV:SYSTEMDRIVE%\Windows\Security\database\;chk.edb.jrs.log.sdb
-^%ENV:SYSTEMDRIVE%\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca

The steps to pulling feature updates through Windows Updates are shown below.

Figure 8: (English Only) Windows Update

You may encounter a failure indicating that Dell Encryption is required to be uninstalled before continuing.

Figure 9: (English Only) Uninstall and continue

Close this screen, run WSProbe -z (as an administrator from command prompt) and then try the update again.

Figure 10: (English Only) Type WSProbe -z

The update prompts stating that more preparing items are run in the background.

Figure 11: (English Only) Windows Update is preparing items

The status for updates can be checked in the new Settings menu for Windows 10.

To access the Update items using the settings menu:

1. Click the Start button, then click Settings.

Figure 12: (English Only) Click Settings

2. In Settings, click Update & Security.

Figure 13: (English Only) Click Update & Security

3. When ready, the Update & Security section show that a restart has been scheduled. Rebooting begins the update process.

Figure 14: (English Only) Click Restart Now

Figure 15: (English Only) Windows Update status window

4. The upgrade finishes, during login, Windows indicates that the personal computer was updated, and all your data are in the same location.

You can validate the new version of Windows was properly installed by checking the version of windows through the command "winver," run at a command prompt or in PowerShell.

Figure 16: (English Only) About Windows

Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. Get the download here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history

Before inserting the media, run WSProbe -z as an administrator from command prompt. This prepares the encrypted data for the upgrade process (no decryption is done).

Figure 19: (English Only) Type WSProbe -z

When this media is inserted into a computer running earlier versions of Microsoft Windows, a prompt to upgrade is presented.

Close out of this prompt, as the upgrade must be run with a specific command.

Figure 20: (English Only) Close out of this prompt

Open an administrative command prompt (or leverage the command prompt that is open for the WSProbe -z functionality).

Go to the drive letter that contains the Windows Feature Update media. In this example, D: is the drive that contains the Windows Feature Update media.

Figure 21: (English Only) Change DIR to drive with Windows Feature Update media

Run the setup.exe with this command to inject the Dell Encryption Drivers:

Setup.exe /reflectdrivers "C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers"

Figure 22: (English Only) Type Setup.exe /reflectdrivers "C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers"

This command launches the Windows Feature Update process. Proceed through the prompts, no other steps must be taken.

Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. Get the download here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history

To prepare a Windows Feature Update for deployment, most environments have to leverage an install.wim file. Due to the nature of how Dell Encryption supports the Windows Feature Update path, we have to inject the drivers and necessary registry files into the install media.

The Windows 10 Application Development Kit (ADK) is required to accomplish this. You can find the latest version here: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit

You need a batch file and appropriate registry keys, which are unable to be linked externally for customer download. You can get these from support by calling the support line at: 877.459.7304 Ext. 4310039. For support outside the US, reference ProSupport’s International Contact numbers list. This batch file takes an expanded Windows Feature Update ISO (downloaded above) and injects drivers and registry files into the install.wim and WinRE.wim files within the upgrade ISO.

To find the appropriate drivers for your upgrade media, we must pull the drivers from a device that is 8.10.1 or later for the appropriate Operating System bit rate (32-bit or 64-bit). These are found in C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers\. In 8.18.0 and later, this folder has been changed to "C:\Windows\System32\Update\Run\B67DD994-EDF9-4D19-8A1C-88B12D796657\ReflectDrivers."

Figure 23: (English Only) DDPEDrivers in Windows Explorer

• Batch script (provided by Dell Support)
• Extracted ISO of the Windows Feature Update installer (Provided by Microsoft)
• Registry Keys (Provided by Dell Support with script)
• Dell Encryption Drivers (Pulled from a device on your network, or provided by Dell Support)

To generate media:

1. Open the Deployment and Imaging Tools Environment as an administrator.

Figure 24: (English Only) Run Deployment and Imaging Tools Environment as an administrator

2. Run the batch script. Entering the batch file gives information about syntax.

Figure 25: (English Only) Type Build-FFE-Integrated-Dell-Image "Win10UpgradeDir" "DDPEDriversDir"

Syntax is:

Usage: Build-FFE-Integrated-Dell-Image "Win10UpgradeDir" "DDPEDriversDir"

Where:

Win10UpgradeDir -- Path to the Windows 10 ISO files that are extracted to a directory
DDPEDriversDir -- Optional path to the DDP|E drivers directory. The Dell Data Protection | Encryption drivers are obtained from the local installation if this parameter is not supplied.

Once the process finishes, you end up with an upgraded install.wim file within the extracted ISO directory that you provided the tool.

The install files are now ready for use.

• As an administrator, open a command prompt in the same location as the WSProbe.exe file and enter the applicable command:
  • Windows 10 Upgrade mode to authenticate against a key bundle file for Dell Encryption Personal (formally Dell Data Protection | Personal Edition) you must first use the command below, which is part of the upgrade preparation (the LSARecovery file that is backed up during Dell Encryption Personal's provisioning process):
    • WSProbe -E -B "backup_file_path" "password"

To check progress of the preparation process, you can run. WSProbe –E

1. System is ready for upgrade when the following message displays "Preparation complete. Run Windows Upgrade now."
2. Restart the computer, if prompted.
3. Run the Windows upgrade.
4. Restart the computer.
5. Once the upgrade has finsihed, open a command prompt and enter:
   • WSProbe -R

6. Restart the computer, if prompted.

To check progress of the preparation process, you can run. WSProbe –E

1. If the following message does not display: Preparation complete. Please run Windows Upgrade now.
   1. Follow the prompts that are listed.
   2. Run WSProbe again and until the prompt to run the Windows Upgrade displays.
      • WSProbe -E
   3. Run the Windows upgrade.
   4. Restart the computer, if prompted.
   5. Once the upgrade has finished, open a command prompt and enter:
      • WSProbe -R

This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:

HKLM\Software\Credant\DecryptAgent\
DWORD: MaxBytesReboot
Value: 0

To check progress of the preparation process, you can run: WSProbe –E

To check progress of the preparation process, run WSProbe –E

As an administrator, open a command prompt in the same location as the WSProbe.exe file and enter the applicable command:

• To allow Windows 10 Upgrade mode to import, and authenticate against a pre-existing key bundle file (can be downloaded from the Dell Security Management Server [formally Dell Data Protection | Enterprise Edition]):
  • WSProbe -E -I "import_file_path" "password"
• To contact the Dell Security Management Server or Dell Security Management Virtual Server (formally Dell Data Protection | Virtual Edition), which transfers the key bundle, which is used to validate the proper key material is present:
  • WSProbe -E -S "forensics_admin_name" "password"
• To check progress of the preparation process, you can run:
  • WSProbe -E

1. System is ready for upgrade when the following message displays: Preparation complete. Please run Windows Upgrade now.
2. Restart the computer, if prompted.
3. Run the Windows upgrade.
4. Restart the computer.
5. Once the upgrade has finished, open a command prompt and enter:
   • WSProbe -R

6. Restart the computer, if prompted.

If the Preparation complete. Please run Windows Upgrade now message does not display, follow these steps:

1. Follow the prompts that are listed.
2. Run WSProbe again and until the prompt to run the Windows Upgrade displays:
   • WSProbe -E
3. Run the Windows upgrade.
4. Restart the computer, if prompted.
5. Once the upgrade has finished, open a command prompt and enter:
   • WSProbe -R

This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:

HKLM\Software\Credant\DecryptAgent\
DWORD: MaxBytesReboot
Value: 0