SCCM manage Bitlocker encryption natively during OS upgrade. But when comes to disks with third party encryption drivers then it’s always a challenge to upgrade OS. I have seen IT Admin decrypt the disk before OS Upgrade. Then after inplace OS upgrade, re-enable encryption. This need huge effort, time and impacts end user experience. This post describes Windows 10 upgrade task sequence configuration for McAfee Encrypted Machines. This configuration allows IT to perform successful OS upgrade keeping the Mcafee encryption intact.
Starting with Windows 10 1607, Microsoft provided command-line switch “/ReflectDrivers “. It allows drivers added to the OS image during the setup and installation phase.The Windows 10 upgrade starts by running setup.exe on the client.As shown below we need to add the switch “/ReflectDrivers ” along with the path to a folder that contains Mcafee encryption drivers.For more details refer Windows setup command line
Setup.exe /ReflectDrivers "%programfiles%\McAfee\Endpoint Encryption\OSUpgrade" . OR Setup.exe /ReflectDrivers "C:\Program Files\McAfee\Endpoint Encryption\OSUpgrade"
Note : if /ReflectDrivers switch is not used during OS upgrade then computer will fail to boot.
Now we know the command-line switch, next we will see how this can be incorporated in SCCM task sequence. As shown below, task sequence doesn’t provide option to add the additional OS upgrade switch in the GUI.
Hence to append additional Windows setup command line switch we need to use the variable “OSDSetupAdditionalUpgradeOptions”. As mentioned in the Niall Brady post,we can use this variable for other purpose.
- Before updating task-sequence variable “OSDSetupAdditionalUpgradeOptions”
Set command line: "C:\WINDOWS\ccmcache\XX\SETUP.EXE" /ImageIndex 3 /auto Upgrade /quiet /noreboot /postoobe "C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback "C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd" /installdrivers "C:\WINDOWS\ccmcache\XX" /DynamicUpdate Disable
- After updating task-sequence variable “OSDSetupAdditionalUpgradeOptions” the final Windows installation command line will look like below from SCCM
Executing command line: "C:\_SMSTaskSequence\Packages\XXXXXXXX\SETUP.EXE" /ImageIndex 1 /auto Upgrade /quiet /noreboot /postoobe "C:\WINDOWS\SMSTSPostUpgrade\SetupComplete.cmd" /postrollback "C:\WINDOWS\SMSTSPostUpgrade\SetupRollback.cmd" /installdrivers "C:\_SMSTaskSequence\Packages\XXXXXXXX" /DynamicUpdate Disable /ReflectDrivers "C:\Program Files\McAfee\Endpoint Encryption\OSUpgrade"
Note : The use of MBR2GPT.exe tool is currently unsupported with McAfee Drive Encryption. So, you cannot switch from legacy BIOS to UEFI. This capability is still in proof of concept form and expected to add in planned future Mcafee release.