Loading...

Knowledge Center


How to upgrade a Windows operating system with Drive Encryption installed
Technical Articles ID:   KB79908
Last Modified:  4/23/2018
Rated:


Environment

McAfee Drive Encryption (DE) 7.2.x, 7.1.x

For details of DE supported environments, see KB79422.

Summary

Recent updates to this article:

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Date Update
July 20, 2017 Updated to reflect that this article and attachments are also applicable to DE 7.2.x for operating systems earlier than Windows 10.
July 18, 2017 Added IMPORTANT statement about this article not applying to Windows 10 or later releases.

IMPORTANT: This article does not apply to Windows 10 or later releases. For how to upgrade a Windows 10 operating system to:
  • Windows 10 November update with DE 7.1 Patch 3 Hotfix 1148978 or later, see KB84962.
  • Windows 10 Anniversary Update with DE 7.1 Patch 3 Hotfix 1148978 or later installed, see KB87909.

    For additional information about Windows 10 compatibility with McAfee products, see KB85784.

This article provides the information needed to refresh the Windows operating system (OS) without having to decrypt the hard drive and uninstall DE.

The attached Refresh Tools enable you to perform an operating system refresh using standard Microsoft tools.

Upgrading to Microsoft Windows 7 or later
McAfee has worked with Microsoft to include a step to check for Endpoint Encryption during an upgrade to Windows 7 or later. If the Windows installer detects Drive Encryption on the system, the installation stops and displays a message that the upgrade cannot continue while the Endpoint Encryption product is installed.

Refresh Tools
McAfee has introduced functionality in the form of two small, free tools called DE 7.x Refresh Tools that enable you to perform an OS Refresh using the standard Microsoft tools. The tools from Microsoft include, but are not limited to:
  • Microsoft System Center 2012 Service Pack 1 Configuration Manager (SCCM)
  • Microsoft Deployment Toolkit (MDT) 2012 (Update1)
    IMPORTANT: This refresh process is not supported on OPAL encrypted drives.

The DE 7.x Refresh Tools can be used along with these Microsoft tools to achieve the following functionality, while keeping a computer encrypted. That is, you do not need to decrypt before and re-encrypt after:
  • A major operating system upgrade (such as Windows XP to Windows 7)
  • Part of a standard reimaging process (such as Windows 7 to Windows 7)
  • A method of applying a service pack (such as Windows 7 to Windows 7 Service Pack 1)

The DE 7.x Refresh Tools are command-line utilities and can be called from any script or program. The tools are useful because OS Refresh, reimage, and service pack installation activities change data on the hard disk in a way that could break DE. A simple example is the fact that the MBR is modified by an OS refresh; any modification of the MBR will break DE.

There are two separate versions of the Refresh Tool for DE 7.x. One for MBR systems, and one for UEFI systems. There are also 32-bit and 64-bit builds for each tool. The documentation referenced in the Solution describes a generic process to update the operating system while the hard disk remains encrypted. The process is generic to work with several different Microsoft tools. Ensure that you read and understand the documentation referenced in the Solution, especially the sections on the knowledge expected of the implementer.

Customer expectations/disclaimer
You are expected to have the knowledge or expertise to use the Microsoft tool of choice. You must either have that knowledge in-house or be able to hire an expert with that particular technology. The documentation describes when particular steps related to DE need to occur in the general reimaging process. It is up to you to insert the appropriate steps during the reimaging process to achieve the expected result. If the relevant skills are not available to you, McAfee recommends that you acquire those skills before starting on the implementation of such a process.

What does McAfee support?
Each customer's refresh process is different and Technical Support cannot be experts in a customer's process, nor are they experts in Microsoft tools:
  • Technical Support will help customers using the Refresh Tools if the specific DE functionality they provide is not operating as expected.
    For example, the tool is not writing or storing the MBR as expected.
     
  • McAfee does not support Microsoft tools.
    For example, Technical Support cannot answer questions such as "On the second reboot, it cannot find the operating system - why is that?"
    This is a process-related question and is outside the expertise of Technical Support.

McAfee Professional Services
If you need assistance or advice, contact McAfee Professional Services. Depending on the geographical location, Professional Services can help in implementing or debugging the refresh process.

Solution

The following documents provide McAfee recommended solutions for refreshing Windows systems encrypted with DE 7.1.x on systems in one of the following modes:
  • Master Boot Record (MBR)
  • Unified Extensible Firmware Interface (UEFI) systems only
Document ID
Description
PD24854
Refresh systems running Windows in Master Boot Record (MBR) mode only, which are encrypted with DE 7.x
PD24855 Refresh systems running Windows in Unified Extensible Firmware Interface (UEFI) mode only, which are encrypted with DE 7.x


NOTE: In these documents, OS Refresh refers to the process whereby the disk hosting the OS is cleared, and a new OS installed, using a tool that works on the file level and not the sector level. The process and utilities provided address the common problems occurring, while maintaining the encrypted drive during the OS Refresh.

The Attachments section of this article includes the following DE 7.x Windows upgrade packages for use with these documents:
  • DETech32bit.zip
  • DETech64bit.zip

Workaround

NOTE: The following information was provided to customers before availability of the OS Refresh process provided in the documents listed in the Solution. Although the details are still valid for DE 7.x, McAfee recommends that you use the OS Refresh process provided in the documents above.

If you perform a major operating system upgrade or you are applying a Microsoft service pack, you can do the following:
  1. Either decrypt and deactivate, or uninstall the product.
  2. Perform the upgrade.
  3. Reinstall or reactivate/encrypt the disk.
IMPORTANT:
  • During the upgrade, the MBR is replaced. If Endpoint Encryption is installed and active, the Endpoint Encryption MBR is replaced and the product no longer functions correctly. If the drive is still encrypted, the new operating system fails to boot because it cannot read the data successfully.
  • Also, during activation, Endpoint Encryption stores a copy of the original MBR in the Pre-Boot File System (PBFS). If you authenticate successfully, Endpoint Encryption loads the MBR that is stored in the PBFS, which then loads the operating system. The MBR stored in the PBFS must be the MBR required to boot the currently installed system.

Applying service packs
There is potential for issues when applying Microsoft hotfixes and service packs when the hard disk is encrypted. Microsoft service packs include numerous hotfixes and changes to the system. Some of these changes can include critical system files, potentially resulting in serious issues if the system is encrypted. McAfee cannot test all possible combinations before a service pack is released. If you intend to keep client systems encrypted during a service pack updated, McAfee recommends that you first complete an upgrade on a test system to ensure that it completes successfully.

Attachment

DETech32bit.zip
4.5MB • < 1 minute @ broadband


Attachment

DETech64bit.zip
5.3MB • < 1 minute @ broadband


Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.