Technical Article
Windows 10 Upgrade with DriveLock Disk Protection
DriveLock SE 2017
Windows 10 Upgrade
Contents
1 INTRODUCTION ...... 2
2 PREPARE THE WINDOWS 10 SETUP ...... 2
2.1 PREREQUISITES ...... 2
2.2 BASIC STEPS TO CREATE THE WINDOWS 10 SETUP ...... 2
2.3 OPTIONS FOR DLUPGPREP.EXE ...... 3
3 RUN THE WINDOWS 10 UPGRADE ...... 4
3.1 PREREQUISITES ...... 4
3.2 BASIC STEPS TO UPGRADE WINDOWS 10 ...... 4
4 RESTRICTIONS AND KNOWN ISSUES ...... 5
1 Windows 10 Upgrade
1 Introduction
Technically an upgrade of Windows 10 to a new version – e.g. from Windows 10 Version 1511 to Windows 10 Version 1607 or to Version 1703 – does not differ to an upgrade of e.g. Windows 7 to Windows 8.1 or from Windows 8.1 to Windows 10. After starting the setup, the computer boots from a special installation environment to run the upgrade installation. This installation environment does not contain the DriveLock encryption driver and thus cannot connect the encrypted system disk. This causes the Windows 10 upgrade to fail.
In order to upgrade a DriveLock encrypted Windows installation to a new version of Windows previously DriveLock installations had to decrypt the system disk, to run the windows upgrade and then to encrypt the system disk again.
To help customers to keep the system disk protected while upgrading Windows 10, DriveLock has developed a tool to inject the DriveLock encryption Driver into the Windows 10 installation environment. Using this modified installation, the encrypted system disk can be accessed and Windows can continue the upgrade. 2 Prepare the Windows 10 Setup
2.1 Prerequisites
Windows 10 Installation – a DVD, an ISO-file or a folder containing the complete setup (install.wim) for the Windows 10 version you want to upgrade to. DLFdeEd.sys – the DriveLock encryption driver – 32-bit or 64-bit – corresponding to the Windows 10 version you want to upgrade to. DLUpgPrep.exe – a command line tool to prepare the Windows 10 setup to load the DriveLock encryption driver in the Windows 10 installation environment.
Download the DriveLock encryption driver and the DLUpgPrep tool from : http://download.drivelock.com/web/DLUpgPrep.zip
2.2 Basic steps to create the Windows 10 setup
1. Create a working folder on a local disk (NTFS required), e.g. C:\DLUpgPrep. 2. Extract DLUpgPrep.zip to that folder. 3. Assure that the original Windows 10 setup is available (insert DVD, mount the ISO) e.g. as drive letter D: 4. Open an administrative command window and navigate to C:\DLUpgPrep 5. Run DLUpgPrep.exe -index 1 -saveto W10 -files 64-bit -copyfrom D:\ 6. Wait (about 20 minutes) until the upgrade tool has finished its work with a successfully done message. The original setup files are copied from D:\ to C:\DLUpgPrep\W10. Then C:\DLUpgPrep\64-bit\DLFdeEd.sys is injected to the setup to be loaded, when Windows boots the installation environment. As a result, in folder W10 you get a Windows 10 setup, which can be used to upgrade to a Windows 10 version while the system disk is encrypted by DriveLock Disk Protection.
2 Windows 10 Upgrade
7. Copy the modified Windows installation in folder W10 to an installation media (USB-stick or DVD) or to a network share.
2.3 Options for DLUpgPrep.exe
-help show the options -verbose print verbose information -index the index to the edition – the Windows setup may contain multiple editions of Windows 10, e.g. Windows 10 Home and Windows 10 Pro If omitted, available editions are printed and have to be entered at the command line. -saveto the path where the resulting Windows setup is stored -files the path, where DLFdeED.sys is found -copyfrom the path where the original Windows 10 setup files are copied from – omit, if the “saveto” folder already contains the appropriate Windows 10 setup
Experts only:
-mount the path, where the WIM is already mounted to (not with -saveto) -re_mount the path, where the recovery WIM is or shall be mounted to
Example to modify a Windows 10 32-bit edition
DLUpgPrep.exe -index 1 -saveto W10-32-bit -files 32-bit -copyfrom D:\
The DLFdeEd.sys is taken from folder 32-bit and the modified setup is stored in folder W10-32-bit.
Example to modify a multiple version edition of windows 10 (e.g. Home and Pro)
DLUpgPrep.exe -index 1 -saveto W10 -files 64-bit -copyfrom D:\ DLUpgPrep.exe -index 2 -saveto W10 -files 64-bit
In the first step, the setup files are copied to folder W10 and the first edition is prepared with the DriveLock encryption driver. In the second step, the setup files already residing in folder W10 are reused and the second edition is prepared. If you omit the -index option, you will be asked for it, showing you the corresponding edition name.
HINT: If you use the copyfrom option in the second step, the existing files in the saveto folder are replaced by the originals, you will lose the already prepared first edition.
Example, if your working directory already contains the Windows setup in folder W10Enterprise and DLFdeEd.sys
DLUpgPrep.exe -index 1 -saveto W10Enterprise
Example for scripting experts, who want to use DLUpgPrep in own scripts, if the WIM is already mounted.
DLUpgPrep.exe -mounted .\mymnt –re_mounted .\mymntre
DLUpgPrep expects the WIM to be mounted at .\mymnt and expects the recovery WIM either to be mounted to .\mymntre or will mount it to .\mymntre. If option -re_mounted is omitted, the default path .\mntre will be used. The -mounted option cannot be used in combination with the -saveto and the -index option.
3 Windows 10 Upgrade
3 Run the Windows 10 Upgrade
3.1 Prerequisites
A DriveLock prepared Windows 10 setup – you may copy the setup directly to the target computer, run it from an USB-stick or DVD or from a network share. The Windows setup must match the Windows edition installed on the target computer – do not switch the edition, e.g. from Home to Pro or from Pro to Enterprise. The DriveLock version on the target computer must be DriveLock 7.6.16 or newer – upgrade DriveLock first, before you upgrade Windows 10. We strongly recommend to backup important data before you run the Windows 10 upgrade.
3.2 Basic steps to upgrade Windows 10
Basically, the upgrade of Windows 10 with DriveLock injected does not differ from the Windows 10 upgrade without DriveLock except, that when the upgrade reboots the computer (several times), you must first pass the DriveLock Pre Boot Authentication (PBA) before the upgrade will continue. For unattended upgrades, you may set the PBA to auto logon.
1. Set the PBA to auto logon for 3 reboots. Open an administrative command window and run for example DLFdeCmd enableautologon alice wonderland * 3 Automatically logs on user alice from domain wonderland for the next 3 reboots, the password will be entered at the command line. Replace alice and wonderland by the user and domain of your choice. 2. Save the registry parameters of the original DriveLock encryption driver. Open regedit.exe and export HKLM\SYSTEM\CurrentControlSet\Services\pded\Parameters to a file. 3. Start the Windows 10 setup 4. Select you want to keep files and apps (otherwise Windows will do a new installation and your data will be lost). 5. The computer will automatically reboot several times 6. After the upgrade is finished restart Windows to ensure auto logon is no longer active 7. Import the saved Paramaters into the registry again.
4 Windows 10 Upgrade
4 Restrictions and Known Issues
Prepare the setup
The Windows setup source must contain the windows installation as windows image (install.wim). Installation media created with the Microsoft Media Creation Tool contain an encrypted setup distribution file (install.esd) instead and cannot be modified by the DLUpgPrep tool. Some AV-Products block access to content of the DVD/ISO, e.g. to autorun.inf, and DLUpgPrep cannot copy the complete source. Disable real time scanning until DLUpgPrep finished working. Run DLUpgPrep in verbose mode to figure out the cause for any issues.
Run the upgrade
Encryption or decryption of disks must have completed. Do not upgrade, while a disk en-/decryption is running. There must be only one disk/partition, which contains the DriveLock EFS (e.g. C:\SECURDSK). Upgrading Windows 7 or Windows 8.1 to Windows 10 is not supported. A new installation of Windows on an encrypted disk is not supported. Sometimes the Windows 10 setup requests, to reboot the computer first. Reboot and start the setup again. Sometimes the Windows 10 setup requests an activation key. Then it will not do an upgrade but a new installation. Cancel the setup and check why Windows does not perform an upgrade. One reason could be, that the Windows edition does not match the target platform. Windows may overwrite/delete the computer specific parameters of the original DriveLock encryption driver in the registry (HKLM\SYSTEM\CurrentControlSet\Services\pded\Parameters) during the upgrade. Thus, the Parameters must be saved before and be restored after the upgrade (see Basic steps to upgrade Windows 10, step 2 and step 7). Don’t use the DriveLock prepared Windows Setup to upgrade a Windows where DriveLock Disk Protection is not installed. Windows will install the DriveLock Disk Protection driver without any settings. This may cause unexpected behavior. DriveLock Disk protection for UEFI is only released for Windows 10 Version 1703 with Windows Update KB4032188. You may either select to download updates from the internet while upgrading Windows or include KB4032188 to the windows installation image in advance. See the DriveLock Release Notes for more information on KB4032188.
5 Windows 10 Upgrade
Copyright
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user.
© 2017 DriveLock SE. All rights reserved.
DriveLock and others are either registered trademarks or trademarks of DriveLock SE or its subsidiaries in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
6