How to automatically upgrade Windows 10/11 systems encrypted with SEE (Symantec Endpoint Encryption) 11.x
search cancel

How to automatically upgrade Windows 10/11 systems encrypted with SEE (Symantec Endpoint Encryption) 11.x

book

Article ID: 179265

calendar_today

Updated On:

Products

Endpoint Encryption Desktop Email Encryption Drive Encryption Encryption Management Server File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

Symantec Endpoint Encryption uses best-of-class encryption for the highest security possible.  Once systems are encrypted, there is a preboot screen that is used to protect systems such that users must enter a passphrase before the system will even boot.

When performing a Windows 10 upgrade using the "Live Updates" which will automatically update the operating system to the latest release, no special steps are required on systems encrypted with Symantec Endpoint Encryption. The system can be automatically updated and when prompted to reboot, all you need to do is enter your passphrase at the preboot screen. 

This article will go over the details of the upgrade, but the main command to upgrade is listed here:

setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers  "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files" /Postoobe "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\setupcomplete.cmd

Note: There is no need to decrypt a system before you perform any of these updates.

Deployment solutions are fully supported for Windows 10 upgrades on encrypted systems such as IT Management Suite (Altiris), SCCM, Intune, or Landesk to name a few.  If you are deploying Windows 10 updates centrally, there are some simple steps you can follow in order to successfully upgrade.  This article will discuss the general steps to upgrade a Windows 10 to a newer version of Windows 10 on systems encrypted with Symantec Endpoint Encryption.  These "Major" updates include upgrading from 1809 to Windows 10 20H2, for example.



TIPS:
For instructions on upgrading Windows 10 systems encrypted with Symantec Encryption using SCCM, see the following article:
213890 - Deploy or Upgrade Windows 10 using SCCM on systems encrypted with Symantec Endpoint Encryption.


For information on how to upgrade Symantec Encryption Desktop 10 systems see the following article:
179262 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Encryption Desktop 10 (PGP Desktop)

 

Resolution

This article is intended as a guide using step-by-step instructions on individual machines where the Windows update is installed manually (via setup.exe or deployment solutions).  These steps can be adapted to many different scenarios as long as the options being used are supported by Windows.  As was mentioned in the Introduction, steps for SCCM are available, and if automatic updates are being performed, there is no need to go through any special steps.  These steps are if you would like to install the Windows update manually.


Refer to the System Requirements page for official certification information

 

Tip: Symantec Endpoint Encryption 11.4 MP1 and above have additional improvements for Windows Updates and can be downloaded via the Broadcom Support Portal.

 


Windows 10 has two types of updates

  • Feature Updates (Major), which change the core version of Windows
  • Cumulative updates (Incremental), which do not change the core version of Windows

Examples of these major updates that are supported are as follows:

  • It is fully supported to use this same process to upgrade from Windows 10 to Windows 11.


Windows 11 2022 Update (version 22H2 - Added Sept 30, 2022 for SEE 11.4 GA and above)
Windows 11 October 2021 Update (version 21H2)

Windows 10 May 2021 Update (version 21H1)
Windows 10 October 2020 Update (version 20H2)
Windows 10 May 2020 Update (version 2004 - 20H1)
Windows 10 November 2019 Update (version 1909 - 19H2)
Windows 10 May 2019 Update (version 1903 - 19H1)
Windows 10 October 2018 Update (version 1809 - RS5)
Windows 10 April 2018 Update (version 1803 - RS4)
Windows 10 Fall Creators Update (version 1709 - RS3)
Windows 10 Creators Update (version 1703 - RS2)
Windows 10 Anniversary Update (version 1607 - RS1)



Method 1 (Automatic/Seamless) - Steps with SEE 11.3.0 and above (Recommended Procedure to follow):
Symantec Endpoint Encryption 11.3.0 have seamless Windows 10 upgrade functionality already set by default. 

If systems are upgraded from older versions, such as 11.2.0 or older, see sections 2 or 3 below for some tips using "WINSETUPAUTOMATION=1" as an upgrade option, but otherwise, Windows 10 can be automatically updated using the "Live Updates" or automatic updates feature with versions 11.3.0 seamlessly (No need to decrypt machines before applying a Feature Update or Cumulative Updates!  

If deployment tools are being used to deploy Windows 10 updates, see the information in this section below, but automatic Windows 10 updates can be provided without having to do anything to the system and can be done automatically.

Contact Symantec Encryption Support for any assistance/guidance.



________________________________________________________________________________________________
TIP 1 - Make a Backup!
It is always good practice to backup your systems before performing upgrades or other significant changes to the system
________________________________________________________________________________________________


If Deployment tools such as Symantec IT Management Suite (AKA Altiris) or SCCM are being used, and you would like to manually deploy Windows 10 major updates by using the Windows setup files directly, use the string below to install the Windows 10 upgrade builds:

setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers  "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files" /Postoobe "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\setupcomplete.cmd

Using the above command will upgrade Windows keeping current files, and will not attempt to download any updates during the upgrade.  Using other Windows install options is fully supported as long as Windows supports the options for install, such as the "/Auto Upgrade", or "/DynamicUpdate disable" options mentioned.  This is command provided simply for convenience, but any upgrade command supported by Microsoft is also supported by Symantec Endpoint Encryption.

**The above command assumes all the setup files are copied to the directory you are running the command from

________________________________________________________________________________________________
TIP 2 - Make Windows Upgrades/Feature Updates Unattended and Seamless!
 
When applying a Windows 10 "Feature Update", which are one of the more major updates multiple reboots must take place.  Using SEE, unattended reboots can be achieved by using the "Autologon" functionality so that when if a user is not around to enter the preboot passphrase, the Autologon user will take care of this automatically.  In order to do this, a command can be run to enable Autologon.  This is a protected operation and so it must be authenticated with either a passphrase, or some of the Advanced Settings, namely, the "Allow Autologon Management for SYSTEM User" setting.  Using this these reboots can be performed all automatically.  For more information on usiong this Autologon feature, see the following article:

178697 - How to use the Autologon Utility for Symantec Endpoint Encryption version 11

________________________________________________________________________________________________
TIP 3 - Make Windows Upgrades/Feature Updates Unattended and Seamless! 
If Symantec Endpoint Encryption 11.2.1 MP1 or newer was already installed, but the WINSETUPAUTOMATION=1 option was not set during install, this can be set manually in the registry at any time by modifying the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk
WINSETUPAUTOMATION=dword:1

Symantec Endpoint Encryption 11.3.0 MP1 sets the WINSETUPAUTOMATION value to "1" by default.  As mentioned, this can also be set during an upgrade using the command above during an upgrade to 11.3.0 or above.

Once this has been added, restart the machine for this to take effect.
________________________________________________________________________________________________

Troubleshooting
If you would like to review the Windows Update Logs, open Power Shell as Administrator and run the following command:

 

Get-WindowsUpdateLog

This will create an output file "WindowUpdate.log" file on the Desktop.

________________________________________________________________________________________________
TIP 4 - Deploy Windows Upgrades with SCCM
For instructions on upgrading Windows 10 systems encrypted with Symantec Encryption using SCCM, see the following article:
213890 - Deploy or Upgrade Windows 10 using SCCM on systems encrypted with Symantec Endpoint Encryption.
________________________________________________________________________________________________

 

Method 2 (Automatic when used with WINSETUPAUTOMATION=1) - Steps with SEE 11.2.1 MP1:
Symantec Endpoint Encryption 11.2.1 MP1 and above supports Windows 10 automatic updates without the requirement of using and special upgrade scripts.  This new functionality supports Windows 10 upgrades starting with Windows 10 1607 and beyond.  If you have systems that are older than SEE Client version 11.3.0, please upgrade as these older versions have reached an EOS\EOL phase.  Going forward, 11.3.0 and above are the minimum requirements for using Symantec Endpoint Encryption.  If you have systems that are older than 11.2.1 MP1 and need to be upgraded, use the following install string to enable the "WINSETUPAUTOMATION" option--this is needed to ensure automatic updates are applied properly: 

msiexec /i "SEE Client_x64.msi" WINSETUPAUTOMATION=1

Once you have installed using this option and are now on 11.3.0 or above, there will not be a need to use this option again as this is set automatically going forward and the Windows 10 automatic Feature Updates or Cumulative Updates can be done without running any special steps, utilities, or commands.

 

Important Note: Symantec Endpoint Encryption versions prior to 11.3.0 should really be upgraded to 11.3.0 or above (As of this writing, the current version is 11.3.1 MP1) to continue to be supported.

 

 

Method 3 (Manual Method) - Steps with SEE 11.2.1 GA or older (Not recommended as newer versions are now streamlined!
See Method 1)
:

Important Note: Versions prior to SEE Client 11.3.0 should be upgraded as soon as possible as this version has reached the EOS\EOL phase.  Symantec Endpoint Encryption 11.3.0 GA and above are now supported and is where all future updates will be included.  As of the version of this writing, the current version of Symantec Endpoint Encryption is 11.3.1 MP1.

If SEE 11.2.1 MP1 is not being used, the methods below can be used to update Windows.

 

############################################################################################################################
Everything from this point downwards in this article is provided for historical reference only.  Using the latest version greatly simplifies the upgrade process.
############################################################################################################################

 

When attempting to update from one of these major versions of Windows to another, you need to consider special requirements. Windows 10 systems encrypted with Symantec Endpoint Encryption 11.2 can be upgraded in either of the following methods.  Neither of the below options are recommended at this point, so see the above sections for a better way to upgrade:

Method 1:  Use the upgrade sample scripts provided by Symantec to perform a manual upgrade without decrypting the system.

Method 2:  Fully decrypt these systems, perform the Windows update. Encrypt the drive again once the upgrade is complete.

This article describes Method 1 to perform a manual update of the core version of Windows without decrypting the system.

 

This article is targeted for standalone systems or smaller environments, rather than mass deployments for large enterprises. These steps are to guide an end-user through the process of upgrading a Windows 10 system encrypted with Symantec Endpoint Encryption 11.2. To view the sample upgrade scenarios and scripts for enterprise environments, see the Symantec Support Center article, Upgrading Encrypted Computers to the Windows 10 Anniversary Update or Later from Earlier Versions of Windows with Symantec Endpoint Encryption.

Prerequisites before you start the upgrade:

  • Back up your system
    Note: Take a backup of your system before you perform any major change to the system, such as a major Windows update.
  • Symantec Endpoint Encryption 11.1.3 MP1 or above is installed on Windows 10 system.
    Note: If Symantec Endpoint Encryption 11.4 is not currently installed, then the Symantec Endpoint Encryption 11.4 installation files can be downloaded from Broadcom Support Site. The Symantec Endpoint Encryption administrator can create a new 11.4 client, and install it over the current Symantec Endpoint Encryption 11.x product.
  • A clean USB drive with no data on it. The data on this USB drive will be overwritten, so make sure it is not one of your backup drives.  A 16 GB USB drive is sufficient.
  • The upgrade scripts are attached to this article in the "Download Files" section, or the bottom of this article. These upgrade scripts are copied to the system that you will be upgrading.
  • At least 10 GB of free hard drive space.


Disable Windows Sign-On ARSO feature:
In order for authentication to work properly at preboot, you need to disable the Windows ARSO feature by performing the following steps:

  1. On the Windows Start menu, type "Settings".  A cogwheel icon appears, press Enter.
  2. Click on the "Accounts" icon.
  3. On the left side, select "Sign-in options".
  4. Scroll down to the "Use my sign-in info to automatically finish setting up my device after an update or restart" option, and disable this option.

Note: If Settings does not appear on the Start menu and the system is joined to a domain, proceed to the next steps.

Step-by-step instructions to upgrade the Windows 10 system:

Step 1: Go to the system you want to upgrade and open the C: drive. Create the "SEE-Upgrade-scripts" folder to copy the Symantec Encryption Upgrade scripts in this folder.

Step 2: Download the upgrade script from this article "Win8_10_Upgrade_SEE11.2.zip"

In this example, you will be using the "Win8_10_Upgrade_SEE11.2.zip" file.  Extract this zip file to the system you will be upgrading, and copy all the upgrade files and paste them in the "SEE-Upgrade-scripts" folder.  You should see the following files:

DisableARSO.reg
eedPasswordFilter.reg
Post-WinRS4-upgrade-SEE11.2-register.bat
Readme.txt
RegisterDESoftware.reg
setupcomplete.cmd
WinRS4-upgrade-SEE11.2.cmd

These are the upgrade scripts that are used in the back ground. However, you will use only "WinRS4-upgrade-SEE11.2.cmd" for running the commands. 

Step 3: Go to the Microsoft site to download Windows 10 at
https://www.microsoft.com/en-us/software-download/windows10

Note: This download provides all the needed Windows 10 files to update. These files can be used to perform a full or clean Windows upgrade. However, for these steps, you will use them to simply update Windows 10 to the newer version of Windows 10.

Step 4: Get your clean USB drive and ensure you have plenty of space on it (16 GB)

Step 5: On the Microsoft page, click the "Download tool now" option:

This downloads the Windows 10 installation media.  As of this writing, the Windows 10 April 2018 Update (version 1803) is currently available, so the tool is called "MediaCreationTool1803.exe".

Double-click the "MediaCreationTool1803.exe" file, which displays a Microsoft window.

Step 6: To proceed, accept all the prompts for the license agreement.

Step 7: Choose the option to create the installation media on the USB drive:



Note: During the creation wizard, choose "Both" for Architecture.

Click Next to start the creation of the USB drive for the upgrade. This process could take a while depending on download speed, USB speed, and so on. Wait till it is complete.

Step 8: Once the USB drive has been created, take it to your Windows 10 system you want to upgrade.  In this case, you will be updating to Windows 10 April 2018 Update (version 1803).

Step 9: Now open the C: drive on your system and create a folder called "Win10-1803-upgrade-setup-files".

Step 10: Copy all of the Windows setup files from the USB drive created from Step 7 to the "Win10-1803-upgrade-setup-files" folder.

On the USB drive, you should see the following files\folders:
setup.exe, bootmgr, boot, efi, sources, support, x64, x86

These files and folders should now be in the c:\Win10-1803-upgrade-setup-files folder you just created.

Step 11: Now you should have two folders created on the C: drive

  • Win10-1803-upgrade-setup-files, which contains all the Windows upgrade files from step 10
  • SEE-Upgrade-scripts, which contains all the Symantec upgrade files from step 2

Step 12: Now you have all the needed files to perform the upgrade, open a command prompt with administrative permissions:

Click the Start menu, type "cmd", and once it appears in the list, "right-click" on it, and select "Run as administrator" to ensure the commands work properly.

Step 13: On the command prompt, type the following to be at the root of C drive:
cd\ 

Step 14: Type the following to access SEE-Upgrade-Scripts:
cd SEE-Upgrade-Scripts  

Step 15: If Symantec Encryption Desktop is also installed, close the application. Be sure to exit PGPTray.exe and any other PGP service.

Step 16: Type the following, and press Enter:
WinRS4-upgrade-SEE11.2.cmd c:\win10-1803-upgrade-setup-files

TIP: If you type the first part of the file, and hit tab, it should autocomplete.


 

The above screenshot should reflect the command.  Once you run this command, the Windows 10 upgrade screens are displayed.  During the process, there will be three reboots.  Authenticate the preboot screen each time to allow the full Windows 10 upgrade process to complete.  The reboots happen automatically, so pay attention to the process and when you need to upgrade. The process takes less than 30 minutes to complete, ensure that the process completes successfully, and that the system is not shut down. This completes the Windows 10 upgrade.

If you get stuck while performing these steps, it is best to backtrack to see if any steps may have been missed. For further assistance, contact Symantec Support.

TIP: For information on how to upgrade Symantec Encryption Desktop 10 systems see article 179262.

 

Keywords:
Windows 10 upgrade SEE
Windows 10 upgrade SEE
Upgrade Encrypted Drives
Upgrade SEE Encrypted Drives
Upgrade SEE-Encrypted Drives
 

Additional Information

227219 - Making Symantec Endpoint Encryption Management Server Public Facing

194755 - Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)

162486 - Systems unable to boot properly after Encrypting disk with Symantec Drive Encryption when BIOS set to RAID On

213890 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Endpoint Encryption

179262 - How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2.x and 10.5.x

161041 - Windows PE Recovery Tools for Endpoint Encryption

153530 -  Best Practices: Symantec Endpoint Encryption and Symantec Drive Encryption

193931 - How to download Symantec Encryption products from the Broadcom download Portal 

Update Jun 2022 - EPG-26584 - SEE 11.4 HF1

Attachments

Win8_10_Upgrade_SEE11.2.zip get_app