Dell Technologies recommends a full backup before changing your computer’s operating system.
Dell has introduced the ability to upgrade your operating system from Windows 7, Windows 8, Windows 8.1, or Windows 10 RTM to Windows 10 feature updates version 1511 (November Update / Threshold 2) and later. For the latest information about the latest Windows 10 Feature Update compatibility, reference Dell Data Security / Dell Data Protection Windows 10 Feature Update Compatibility.
When transitioning from Windows 7 to Windows 10, follow the method that is described for the target version of Windows 10 that the devices are transitioning to.
This method functions when upgrades to Windows 10 feature update version 1803 (Spring Creators Update/ Redstone 4) and later (for example version 1903 (May 2019 Update / 19H1
). Dell and Microsoft have made strides to enhance the interoperability of applications with the Feature Update process to allow for an upgrade with little to no user interaction. During the Feature Update process, Windows now initiates notifications to application for various check-points within the Feature Update process. These check-points allow for applications to know the progress of the Windows Feature Update and deploy command that is based on the status and progress of the update. Dell Encryption uses these check-points to determine if the Windows 10 version that is being applied through the Feature Update is compatible with the current version of Dell Encryption. If the applying version of Windows 10 is not compatible, a notification is presented indicating so:
If the Feature Update is compatible, Dell Encryption automatically prepares for the Feature Upgrade (wsprobe -z
automatically runs, and drivers that are required in the upgrade process are injected). A notification presents when Dell Encryption initiates it automatic preparation. This dialog can present quickly, and may not have been seen on fast computers:
Once Dell Encryption has run through its preparation, the Feature Update should progress.
Windows 10 offers feature updates now through Windows Updates and various other sources. With 8.18.0 and later clients Dell Encryption supports updating Windows with Feature Updates, allowing Dell Encryption to remain installed and having files stay encrypted throughout the Windows Feature Update process. The methods that are outlined in this article are through Windows Updates, through Standalone Media, or through Deployment Models.
Windows Updates would entail an in Operating System upgrade through the typical method of update delivery.
Stand-alone Media encompasses downloading the Windows Feature Update install media from Microsoft.
Deployment Models explains how to prep for an upgrade through various deployment tools that offer managed Operating System Upgrades.
The Windows 10 Upgrade must be run from an unencrypted directory. Because USER
or COMMON
encryption is NOT unlocked during the Windows 10 Upgrade process, when the upgrade is run from a USER
or COMMON
encrypted directory, the upgrade fails even though the Dell Encryption Windows 10 Upgrade is performed correctly.
Dell Suggests the following Exclusions to be added to the Dell Encryption policies for Windows Feature Updates based on this requirement. These should be added to both Fixed Disk Exclusions (For SDE keys) and General Encryption Exclusions (Common/User):
-^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT -^%ENV:SYSTEMDRIVE%\_SMSTaskSequence -^%ENV:SYSTEMDRIVE%\$GetCurrent\ -^%ENV:SYSTEMDRIVE%\$SysReset\ -^%ENV:SYSTEMDRIVE%\$Windows.~WS\ -^%ENV:SYSTEMDRIVE%\$Hyper-v.tmp\ -^%ENV:SYSTEMDRIVE%\Windows\SoftwareDistribution\ -^%ENV:SYSTEMDRIVE%\Windows10Upgrade\
Required for Feature Updates being pushed through SCCM and other third-party management applications:
-^%ENV:SYSTEMDRIVE%\Windows\ccmcache -^%ENV:SYSTEMDRIVE%\Windows\TEMP\BootImages -^%ENV:SYSTEMDRIVE%\Windows\Security\database\;chk.edb.jrs.log.sdb -^%ENV:SYSTEMDRIVE%\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca
No modifications are required when running Windows Feature Updates when running Dell Encryption version 8.18.0 or later. All Feature Updates through Windows Update will no longer prompt to remove Dell Encryption.
Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. You can get that media here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history
No modifications are required when running Windows Feature Updates when running Dell Encryption version 8.18.0 or later. All Feature Updates through Standalone Media will no longer prompt to remove Dell Encryption.
Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. You can get that media here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history
To prepare a Windows Feature Update for deployment, most environments have to leverage an install.wim
file. Due to the nature of how Dell Encryption supports the Windows Feature Update path, we have to inject the drivers and necessary registry files into the install media.
The Windows 10 Application Development Kit (ADK) is required to accomplish this. You can find the latest version here: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
You also need a batch file and appropriate registry keys, which are unable to be linked externally for customer download. You can get these from support by calling the support line at: 877.459.7304 Ext. 4310039, for support outside the US, reference ProSupport’s International Contact numbers list. This batch file takes an expanded Windows Feature Update ISO (downloaded above) and injects drivers and registry files into the install.wim
and WinRE.wim
files within the upgrade ISO.
We must pull the drivers from a device that is running the version of Dell Encryption that is installed on your endpoints, to find the appropriate drivers for your upgrade media and the appropriate Operating System bit rate (32-bit or 64-bit). In 8.10.1 through 8.17.2, drivers for Dell Encryption are found in "C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers\
." In 8.18.0 and later, this location has been moved to: "C:\Windows\System32\Update\Run\B67DD994-EDF9-4D19-8A1C-88B12D796657\ReflectDrivers
"
We must pull the drivers from a device that is running the version of Dell Encryption is installed on your endpoints, to find the appropriate drivers for your upgrade media and the appropriate Operating System bit rate (32-bit or 64-bit). These are found in C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers\
Open the Deployment and Imaging Tools Environment as an administrator.
Then run the batch script. Entering the batch file gives information about syntax.
Syntax is:
Usage: Build-FFE-Integrated-Dell-Image "Win10UpgradeDir" "DDPEDriversDir"
Where:
Win10UpgradeDir
-- Path to the Windows 10 ISO files that are extracted to a directory DDPEDriversDir
-- Optional path to the Dell Data Protection | Encryption drivers directory. The Dell Data Protection | Encryption drivers are obtained from the local installation if this parameter is not supplied.
RegistryFiles
folder are in the same location.
Once the process has finished, you end up with an upgraded install.wim
file within the extracted ISO directory that you provided to the tool.
The install files are now ready for use.
WSProbe -z
is no longer required to be ran on the endpoints before the Windows Feature Update is run.
Dell Encryption as of 8.18 and later automatically checks the version of the Operating System that is being installed against an internal list of supported Operating System versions. If a match is not found, the Feature Update is blocked and a notification is presented to the logged in user:
These blocks can be overwritten to allow for testing with an unsupported Operating System. A registry key enables this ability:
HKLM\Software\Dell\Dell Data Protection\Encryption REG_SZ:SupportedWindows10Upgrade Value: <HighestSupportedBuildHere>
This example would allow any Windows 10 build to install up to 10.0.17300.1.
HKLM\Software\Dell\Dell Data Protection\Encryption REG_SZ:SupportedWindows10Upgrade Value: <10.0.17300.1>
This functionality relies on Windows 10 build versions to allow for future granularity of Cumulative Update and Feature Update support. The build number of the installing feature update is displayed within the Windows Update:
In this example, the value for "SupportedWindows10Upgrade" must be "10.0.17686.1003" or higher.
This upgrade methodology leverages a command through the Dell Encryption application (wsprobe -z
) which modifies how encryption keys are unlocked during the Feature Update process. Leveraging this process allows for data to remain encrypted on the drive, and ensures that Common and User key encrypted data remain locked during the upgrade process, allowing for secure updates.
Windows 10 offers feature updates now through Windows Updates and various other sources. With 8.10.1 and later clients Dell Encryption supports updating Windows with Feature Updates, allowing Dell Encryption to remain installed, and having files remain encrypted throughout the Windows Feature Update process. The methods that are outlined are through Windows Updates, Stand-alone Media, or Deployment Models.
Windows Updates entails an Operating System upgrade through the typical method of update delivery.
Stand-alone Media encompasses downloading the Windows Feature Update install media from Microsoft.
Deployment Models explains how to prep for an upgrade through various deployment tools that offer managed Operating System Upgrades.
The Windows 10 Upgrade must be run from an unencrypted directory. Because USER
or COMMON
encryption is not unlocked during the Windows 10 Upgrade process, when the upgrade is run from a USER
or COMMON
encrypted directory, the upgrade fails even though the Dell Encryption Windows 10 Upgrade is performed correctly.
Dell Suggests the following Exclusions to be added to the Dell Encryption policies for Windows Feature Updates based on this requirement. These should be added to both Fixed Disk Exclusions (For SDE keys) and General Encryption Exclusions (Common/User):
-^%ENV:SYSTEMDRIVE%\$WINDOWS.~BT -^%ENV:SYSTEMDRIVE%\_SMSTaskSequence -^%ENV:SYSTEMDRIVE%\$GetCurrent\ -^%ENV:SYSTEMDRIVE%\$SysReset\ -^%ENV:SYSTEMDRIVE%\$Windows.~WS\ -^%ENV:SYSTEMDRIVE%\$Hyper-v.tmp\ -^%ENV:SYSTEMDRIVE%\Windows\SoftwareDistribution\ -^%ENV:SYSTEMDRIVE%\Windows10Upgrade\
Required for Feature Updates being pushed through SCCM and other third-party management applications:
-^%ENV:SYSTEMDRIVE%\Windows\ccmcache -^%ENV:SYSTEMDRIVE%\Windows\TEMP\BootImages -^%ENV:SYSTEMDRIVE%\Windows\Security\database\;chk.edb.jrs.log.sdb -^%ENV:SYSTEMDRIVE%\_SMSTSVolumeID.7159644d-f741-45d5-ab29-0ad8aa4771ca
The steps to pulling feature updates through Windows Updates are shown below.
You may encounter a failure indicating that Dell Encryption is required to be uninstalled before continuing.
Close this screen, run WSProbe -z
(as an administrator from command prompt) and then try the update again.
WSProbe -z
(run from an administrative command prompt) will be run again.
The update prompts stating that more preparing items are run in the background.
The status for updates can be checked in the new Settings menu for Windows 10.
To access the Update items using the settings menu:
You can validate the new version of Windows was properly installed by checking the version of windows through the command "winver
," run at a command prompt or in PowerShell.
C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS
. The current file is missing a header of [SetupConfig]
. We show:
reflectdrivers
command to the Windows Feature update coming through Windows Update. The changes have been made within the product, and no longer required to be manually changed as of 8.12.0.
Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. Get the download here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history
Before inserting the media, run WSProbe -z
as an administrator from command prompt. This prepares the encrypted data for the upgrade process (no decryption is done).
WSProbe -z
(run from an administrative command prompt) must be run again.
When this media is inserted into a computer running earlier versions of Microsoft Windows, a prompt to upgrade is presented.
Close out of this prompt, as the upgrade must be run with a specific command.
Open an administrative command prompt (or leverage the command prompt that is open for the WSProbe -z
functionality).
Go to the drive letter that contains the Windows Feature Update media. In this example, D: is the drive that contains the Windows Feature Update media.
Run the setup.exe with this command to inject the Dell Encryption Drivers:
Setup.exe /reflectdrivers "C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers"
C:\Windows\System32\Update\Run\B67DD994-EDF9-4D19-8A1C-88B12D796657\ReflectDrivers"
by default.
This command launches the Windows Feature Update process. Proceed through the prompts, no other steps must be taken.
Microsoft offers the ability to download Windows Feature Updates as ISO files for upgrades and deployments. Get the download here: https://support.microsoft.com/en-us/help/12387/windows-10-update-history
To prepare a Windows Feature Update for deployment, most environments have to leverage an install.wim
file. Due to the nature of how Dell Encryption supports the Windows Feature Update path, we have to inject the drivers and necessary registry files into the install media.
The Windows 10 Application Development Kit (ADK) is required to accomplish this. You can find the latest version here: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
You need a batch file and appropriate registry keys, which are unable to be linked externally for customer download. You can get these from support by calling the support line at: 877.459.7304 Ext. 4310039, for support outside the US, reference ProSupport’s International Contact numbers list. This batch file takes an expanded Windows Feature Update ISO (downloaded above) and injects drivers and registry files into the install.wim
and WinRE.wim
files within the upgrade ISO.
To find the appropriate drivers for your upgrade media, we must pull the drivers from a device that is 8.10.1 or later for the appropriate Operating System bit rate (32-bit or 64-bit). These are found in C:\ProgramData\Dell\Dell Data Protection\Encryption\DDPEDrivers\
. In 8.18.0 and later, this folder has been changed to "C:\Windows\System32\Update\Run\B67DD994-EDF9-4D19-8A1C-88B12D796657\ReflectDrivers
."
To generate media:
Syntax is:
Usage: Build-FFE-Integrated-Dell-Image "Win10UpgradeDir" "DDPEDriversDir"
Where:
Win10UpgradeDir
-- Path to the Windows 10 ISO files that are extracted to a directory.DDPEDriversDir
-- Optional path to the DDP|E drivers directory (the Dell Data Protection | Encryption drivers are obtained from the local installation if this parameter is not supplied).
.bat
file and the RegistryFiles
folder are in the same location.
Once the process finishes, you end up with an upgraded install.wim
file within the extracted ISO directory that you provided to the tool.
The install files are now ready for use.
Wsprobe -z
is still required with this method, as this command unlocks key material for the upgrade process to be able to consume with the drivers that are now loaded into the install media.
This Methodology decrypts the drive in the background, allowing for a transition to the latest feature update. This should be leveraged as a final option if the solutions for "8.18.0 and later" as well as the options for "8.10.1 and later" do not deliver the wanted results.
WSProbe.exe
file and enter the applicable command:
LSARecovery
file that is backed up during Dell Encryption Personal's provisioning process):
WSProbe -E -B "backup_file_path" "password"
LSARecovery
file to C:\Program Files\Dell\Dell Data Protection\Encryption\
and select the LSARecovery
file from that location. Dell is researching this to ensure the best experience possible is delivered.
To check progress of the preparation process, you can run. WSProbe –E
WSProbe -R
WSProbe -R
command resumes normal Encryption client functionality and is run after the computer is successfully upgraded. It can also be used to roll back to normal Encryption client functionality before an upgrade is performed.
To check progress of the preparation process, you can run. WSProbe –E
WSProbe
again and until the prompt to run the Windows Upgrade displays:
WSProbe -E
WSProbe -R
This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:
HKLM\Software\Credant\DecryptAgent\ DWORD: MaxBytesReboot Value: 0
To check progress of the preparation process, you can run: WSProbe –E
WSProbe -R
command resumes normal Encryption client functionality and is run after the computer is successfully upgraded. It can also be used to roll back to normal Encryption client functionality before an upgrade is performed.
To check progress of the preparation process, run WSProbe –E
As an administrator, open a command prompt in the same location as the WSProbe.exe
file and enter the applicable command:
WSProbe -E -I "import_file_path" "password"
WSProbe -E -S "forensics_admin_name" "password"
WSProbe -E
WSProbe -R
If the Preparation complete. Please run Windows Upgrade now message does not display, follow these steps:
WSProbe
again and until the prompt to run the Windows Upgrade displays:
WSProbe -E
WSProbe -R
This method may run into issues with files not decrypting. To avoid this, we should automatically create a registry key of:
HKLM\Software\Credant\DecryptAgent\ DWORD: MaxBytesReboot Value: 0
To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.