Tuesday, May 17, 2016

Removing Dell Data Protection | Access but "your USH firmware is out of date"

We use OPAL self encrypting drives on our laptops which used to be managed by DDPA, a Wave product that Dell rebadged. There is a security vulnerability in DDPA which Dell and Wave have decided they won't fix, since the current product is Dell Data Protection | Security Tools (DDPST). Unfortunately, there is no direct upgrade path, so it's necessary to run a reset within DDPA, uninstall, install DDPST and re-encrypt.

I've come across a couple of instances where opening DDPA to run a reset results in a message indicating that the USH firmware is out of date, and the user should go to dell.com to get a newer version. As best I can tell, this is because of poor version detection within DDPA - the firmware is up to date as is the ControlVault driver, it's just that DDPA can't contemplate versions with those revisions. I haven't been able to find a Dell or Wave article on point.

Here's the routine which has gotten me out of this and into DDPST. There are quite a few restarts involved.
  1. Uninstall any separate instance of ControlVault Host Components in Programs and Features screen (restart)
  2. Downgrade the ControlVault firmware to 23.7.303.0 (restart)
  3. Log in as the DDPA admin Windows user (fortunately no longer a thing in DDPST). 
  4. Run DDPA - should let you in now. Run a Reset - will require Windows account password, DDPA password and, if set, BIOS password (restart)
  5. Uninstall DDPA - mandatory before installing DDPST. This may error out at the ControlVault driver uninstall. (Restart)
  6. Install ControlVault Host Components, then uninstall DDPA again. It should go cleanly this time. (Restart)
  7. Install DDPST, then the latest ControlVault Host Components, then the latest USH firmware.