Using Patch Management Solution to deploy Windows 10 feature updates to endpoints with drive encryption

Article ID: 173085

Products

Patch Management Solution for Windows

Issue/Introduction

Symantec provides Patch Management Solution and specific upgrade scripts that let you install Windows 10 feature updates on endpoints with Symantec encryption products without decrypting and re-encrypting your drives.

Before installing Windows 10 feature updates, consider the following:

  • The scripts natively support installing Windows 10 feature updates on 32-bit and 64-bit client computers that use Symantec Endpoint Encryption and Symantec Encryption Desktop. The scripts are provided as an example and may require modification for a specific environment.
  • Ensure that your version of Symantec Endpoint Encryption or Symantec Encryption Desktop supports the Microsoft Windows 10 version that you plan to install.
    See Symantec Endpoint Encryption and Symantec Encryption Desktop support
  • The current implementation is not suitable for Opal hardware encrypted drives.

Resolution

Upgrade scripts overview

Symantec provides the preparatory script prepare.cmd, which you can find under the Download Files section below. You add this script to the Patch Management Solution software update policy distribution package. When an endpoint receives the policy with the package, the preparatory script does the following:

  • Detects the installed encryption product.
  • Generates the required artifacts and makes them available to the upgrade process:
    • setupcomplete.cmd
      This script is executed at the end of the upgrade process to register the components of an encryption product and finalize Windows configuration.
    • RegisterSoftware.reg
      The script setupcomplete.cmd uses this registry file to register the components of an encryption product if they are detected on the endpoint.
      See Symantec Endpoint Encryption and Symantec Encryption Desktop support
    • SetupConfig.ini
      Configuration settings for the Windows 10 feature update installation, generated in the package directory. These settings tell Windows Setup where to find the encryption drivers.
    • Folder with encryption drivers
  • Copies the required encryption drivers from the Windows System32 folder to the temporary folder (DRV) that is provided to Windows setup using the ReflectDrivers parameter.

Note that you can use the script prepare.cmd for both encrypted and non-encrypted systems. If no encryption product is found, RegisterSoftware.reg is not created and setupcomplete.cmd is generated with only the commands required to complete the Windows 10 feature update installation.

To deploy Windows 10 feature updates to endpoints with encryption

Use Patch Management Solution software update policies together with upgrade scripts provided by Symantec.

Note: Symantec strongly recommends that you review and test the provided upgrade scripts and make necessary changes prior to Windows 10 feature updates deployment.

Create and configure a software update policy as described in DOC9422, and perform the additional steps during the process:

  1. After you have copied an appropriate ISO file to the policy distribution package location (step 7.5), copy and paste the preparatory script prepare.cmd to this package location.
    Repeat this procedure for all packages that are involved in the feature update installation on your encrypted Windows 10 systems.

  2. After you have added all the required ISO files and preparatory scripts to the policy distribution package location (step 8), modify the command line of each update as follows:
    • On the Software Update Policy page, on the Advanced tab, under Command Line, click the command line.

    • On the Command-line Options page, click Custom, and then after swuenv.bat, add the command that runs prepare.cmd (i.e., swuenv.bat && call prepare.cmd &&).

Symantec Endpoint Encryption and Symantec Encryption Desktop support

The upgrade scripts provided by Symantec support Symantec Endpoint Encryption and Symantec Encryption Desktop by default.

For more information about Windows 10 upgrade with these products (e.g., enabling the automatic logon feature during the upgrade process), see the following knowledge base articles:
How to upgrade computers encrypted with Symantec Encryption Desktop to a Windows 10 release
How to upgrade computers encrypted with Symantec Endpoint Encryption to a Windows 10 release

After the Windows 10 feature update installation, the encryption software is registered in the system using the following entries in RegisterSoftware.reg (the actual entries depend on the encryption product identified on the endpoint):

Symantec Endpoint Encryption
----------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eedPasswordFilter]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eedPasswordFilter\NetworkProvider]
"Name"="eedPasswordFilter"
"Class"=dword:00000002
"ProviderPath"="C:\\Program Files\\Symantec\\Endpoint Encryption Clients\\Drive Encryption\\eedPasswordFilter.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"SmartCardLogonNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder]
"eedPasswordFilter"=dword:00001770

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableAutomaticRestartSignOn"=dword:1

Symantec Encryption Desktop
---------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableAutomaticRestartSignOn"=dword:1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder]
"PGPpwflt"=dword:00001770
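
The following PowerShell script is an added example and is not part of this article or of the Symantec scripts. It verifies, on an upgraded endpoint, that the entries a RegisterSoftware.reg file declares are actually present in the live registry, by parsing the .reg syntax used above (key lines, "name"="string" and "name"=dword:hex values) and comparing each entry with Get-ItemProperty. It also reports the state that the sample setupcomplete.cmd under Customizations changes (the built-in Administrator account and the RemoteRegistry service), so the result can be reconciled with the local baseline. The embedded .reg text is constructed from the Symantec Endpoint Encryption listing above; a commented-out line shows how to read the real file from %ProgramData%\Symantec\Patch\Win instead. Function names are this example's own; it targets Windows PowerShell 5.1 in an elevated session.

```powershell
# Added example; not part of the Symantec article, prepare.cmd or setupcomplete.cmd.
# Run in an elevated Windows PowerShell 5.1 session on the upgraded endpoint.

# Constructed sample input: the Symantec Endpoint Encryption entries from the article.
# To check the file the upgrade actually used, read it instead:
# $regText = Get-Content -Raw -LiteralPath "$env:ProgramData\Symantec\Patch\Win\RegisterSoftware.reg"
$regText = @'
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eedPasswordFilter]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eedPasswordFilter\NetworkProvider]
"Name"="eedPasswordFilter"
"Class"=dword:00000002
"ProviderPath"="C:\\Program Files\\Symantec\\Endpoint Encryption Clients\\Drive Encryption\\eedPasswordFilter.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\ProviderOrder]
"eedPasswordFilter"=dword:00001770
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableAutomaticRestartSignOn"=dword:1
'@

# Parse the subset of .reg syntax these files use: key lines, "name"="string" and "name"=dword:hex.
function ConvertFrom-RegFile {
    param([Parameter(Mandatory)][string]$Text)
    $entries = New-Object System.Collections.Generic.List[object]
    $key = $null
    $valuesSeen = 0
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # A key that lists no values still has to exist after registration
            if ($key -and $valuesSeen -eq 0) { $entries.Add([pscustomobject]@{ Key = $key; Name = $null; Value = $null }) }
            $key = $Matches[1]
            $valuesSeen = 0
            continue
        }
        if (-not $key -or $line -notmatch '^"(.+?)"=(.+)$') { continue }
        $name = $Matches[1]
        $data = $Matches[2]
        $valuesSeen++
        if ($data -match '^dword:([0-9A-Fa-f]{1,8})$') {
            $value = [Convert]::ToInt64($Matches[1], 16)
        } elseif ($data -match '^"(.*)"$') {
            $value = $Matches[1].Replace('\\', '\').Replace('\"', '"')   # .reg escapes \ and " in strings
        } else {
            continue   # hex:/expand-string data is not used by the article's files
        }
        $entries.Add([pscustomobject]@{ Key = $key; Name = $name; Value = $value })
    }
    if ($key -and $valuesSeen -eq 0) { $entries.Add([pscustomobject]@{ Key = $key; Name = $null; Value = $null }) }
    return $entries
}

# Compare every parsed entry with the live registry.
function Test-RegistryEntries {
    param([Parameter(Mandatory)][object[]]$Expected)
    foreach ($e in $Expected) {
        $path = 'Registry::' + $e.Key
        $exists = Test-Path -LiteralPath $path
        $actual = $null
        if ($exists -and $e.Name) {
            $prop = Get-ItemProperty -LiteralPath $path -Name $e.Name -ErrorAction SilentlyContinue
            if ($prop) { $actual = $prop.($e.Name) }
        }
        if ($e.Name) { $match = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)") } else { $match = $exists }
        [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = $actual; Match = $match }
    }
}

# State that the sample setupcomplete.cmd changes: built-in Administrator (RID 500) and RemoteRegistry.
function Get-PostUpgradeState {
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $adminEnabled = if ($admin) { [bool]$admin.Enabled } else { $null }
    $svcStatus = if ($svc) { "$($svc.Status)" } else { 'not present' }
    $svcStart = if ($svc) { "$($svc.StartType)" } else { 'not present' }
    [pscustomobject]@{
        BuiltinAdministratorEnabled = $adminEnabled
        RemoteRegistryStatus        = $svcStatus
        RemoteRegistryStartType     = $svcStart
    }
}

$results = Test-RegistryEntries -Expected (ConvertFrom-RegFile -Text $regText)
$results | Format-Table Key, Name, Expected, Actual, Match -AutoSize
if ($results | Where-Object { -not $_.Match }) {
    Write-Warning 'Some RegisterSoftware.reg entries are missing; check that setupcomplete.cmd ran after OOBE.'
}
Get-PostUpgradeState | Format-List
```

The same script works for the Symantec Encryption Desktop listing by swapping the here-string contents; the parser handles keys with no values (such as the eedPasswordFilter service key above) by checking only that the key exists. Comparison is done on the string form of each value so that a dword written as dword:1 matches the DWORD 1 that Get-ItemProperty returns.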

Customizations

You can use the following customization options to address specifics of your environment:

Note: Symantec recommends that you verify and test driver and OS compatibility during the due diligence process.

  1. To provide custom drivers, create the DRV directory in the package location(s) on the Notification Server computer and place the required drivers for the appropriate architecture there.
    The contents of this folder will be copied to the staging location on the endpoint and its path will be used for the ReflectDrivers parameter.

Note: Use only the minimal required set of encryption drivers. Unnecessary drivers may lead to unpredictable results during the upgrade process.

For more information about the ReflectDrivers parameter, see Windows Setup Command-Line Options.

  2. Provide a custom RegisterSoftware.reg file if you require additional registry manipulations (e.g., non-standard registration of an encryption product).
    Note: The custom file will not be executed if no drive encryption is detected on the system.

  3. Provide a custom setupcomplete.cmd if you need to perform additional steps after the Windows 10 feature update installation.
    The custom script must contain commands from the sample file:

    regedit.exe /s "%ProgramData%\Symantec\Patch\Win\RegisterSoftware.reg"
    sc config RemoteRegistry start= disabled
    sc start RemoteRegistry
    net user administrator /active:Yes


    Append additional commands to the end of the file.
    Note: The setupcomplete.cmd script is executed at the first Windows 10 start after OOBE on both encrypted and non-encrypted Windows 10 systems.

  4. Provide a custom SetupConfig.ini file if you need to customize the installation of the new Windows 10 version.
    The actual Windows 10 upgrade is run with the command line "Setup.exe /ConfigFile <path to SetupConfig.ini>".
    For more information, see Windows Setup Automation Overview.

    Sample SetupConfig.ini:

    [SetupConfig]
    Auto=Upgrade
    Quiet
    ShowOOBE=none
    NoReboot
    Telemetry=Disable
    DynamicUpdate=disable
    ReflectDrivers=C:\ProgramData\Symantec\Patch\Win\Drv
    PostOOBE=C:\ProgramData\Symantec\Patch\Win\setupcomplete.cmd
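
The note above asks you to verify and test the customizations before deployment. The following PowerShell script is an added example, not part of this article or of prepare.cmd, that validates one software update package directory on the Notification Server. It parses SetupConfig.ini including its switch-style lines (Quiet, NoReboot), checks that ReflectDrivers and PostOOBE point at the staged Drv folder and setupcomplete.cmd, reads the PE machine type of every .sys and .dll in the DRV folder to confirm it matches the target architecture (x86 or x64), and checks that a custom setupcomplete.cmd still contains the commands from the sample. It assumes that the custom DRV folder, setupcomplete.cmd and SetupConfig.ini sit next to prepare.cmd in the package location; the article states this for DRV and for the generated SetupConfig.ini, but not for the other custom files. Function names and the package path at the bottom are placeholders of this example.

```powershell
# Added example; not part of the Symantec article or of prepare.cmd.
# Run on the Notification Server against one software update package directory.
# Assumption: custom DRV\, setupcomplete.cmd and SetupConfig.ini sit next to prepare.cmd.

# Parse SetupConfig.ini, including switch-style lines such as Quiet and NoReboot (stored as $true).
function ConvertFrom-SetupConfig {
    param([Parameter(Mandatory)][string]$Text)
    $settings = @{}
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';') -or $line -match '^\[.*\]$') { continue }
        $parts = @($line -split '=', 2)
        $settings[$parts[0].Trim()] = if ($parts.Count -gt 1) { $parts[1].Trim() } else { $true }
    }
    return $settings
}

# Read IMAGE_FILE_HEADER.Machine from a PE file: 0x14C = x86, 0x8664 = x64. Returns $null if not a PE image.
function Get-PeMachine {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($fs.Length -lt 0x40 -or $br.ReadUInt16() -ne 0x5A4D) { return $null }   # 'MZ'
        $null = $fs.Seek(0x3C, 'Begin')
        $peOffset = $br.ReadUInt32()                                              # e_lfanew
        if ($peOffset + 6 -gt $fs.Length) { return $null }
        $null = $fs.Seek($peOffset, 'Begin')
        if ($br.ReadUInt32() -ne 0x00004550) { return $null }                     # 'PE\0\0'
        return $br.ReadUInt16()
    } finally {
        $fs.Dispose()
    }
}

function Test-PackageCustomizations {
    param(
        [Parameter(Mandatory)][string]$PackageDir,
        [ValidateSet('x86', 'x64')][string]$TargetArch = 'x64'
    )
    $machineForArch = @{ x86 = 0x14C; x64 = 0x8664 }
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath (Join-Path $PackageDir 'prepare.cmd'))) {
        $findings.Add('prepare.cmd is missing from the package directory.')
    }

    # SetupConfig.ini: the switches from the sample and the staging paths Windows Setup sees on the endpoint
    $iniPath = Join-Path $PackageDir 'SetupConfig.ini'
    if (Test-Path -LiteralPath $iniPath) {
        $ini = ConvertFrom-SetupConfig -Text (Get-Content -LiteralPath $iniPath -Raw)
        foreach ($required in 'Auto', 'Quiet', 'NoReboot', 'ReflectDrivers', 'PostOOBE') {
            if (-not $ini.ContainsKey($required)) { $findings.Add("SetupConfig.ini lacks the '$required' setting.") }
        }
        if ($ini.ContainsKey('ReflectDrivers') -and $ini['ReflectDrivers'] -notlike '*\Drv') {
            $findings.Add('ReflectDrivers does not point at the staged Drv folder.')
        }
        if ($ini.ContainsKey('PostOOBE') -and $ini['PostOOBE'] -notlike '*\setupcomplete.cmd') {
            $findings.Add('PostOOBE does not point at setupcomplete.cmd; registration will not run after the upgrade.')
        }
    }

    # DRV: only driver files, each .sys/.dll built for the target architecture
    $drvDir = Join-Path $PackageDir 'DRV'
    if (Test-Path -LiteralPath $drvDir) {
        foreach ($f in Get-ChildItem -LiteralPath $drvDir -File) {
            $ext = $f.Extension.ToLower()
            if ($ext -in '.sys', '.dll') {
                $machine = Get-PeMachine -Path $f.FullName
                if ($null -eq $machine) {
                    $findings.Add("$($f.Name) is not a valid PE image.")
                } elseif ($machine -ne $machineForArch[$TargetArch]) {
                    $findings.Add(('{0} is not built for {1} (PE machine 0x{2:X}).' -f $f.Name, $TargetArch, $machine))
                }
            } elseif ($ext -notin '.inf', '.cat') {
                $findings.Add("$($f.Name) is not a driver file; keep DRV to the minimal required set.")
            }
        }
    }

    # setupcomplete.cmd: a custom script must keep the commands from the sample
    $scPath = Join-Path $PackageDir 'setupcomplete.cmd'
    if (Test-Path -LiteralPath $scPath) {
        $sc = Get-Content -LiteralPath $scPath -Raw
        $sampleCommands = @(
            'regedit.exe /s "%ProgramData%\Symantec\Patch\Win\RegisterSoftware.reg"',
            'sc config RemoteRegistry start= disabled',
            'sc start RemoteRegistry',
            'net user administrator /active:Yes'
        )
        foreach ($cmd in $sampleCommands) {
            if ($sc -notmatch [regex]::Escape($cmd)) { $findings.Add("setupcomplete.cmd is missing the sample command: $cmd") }
        }
    }
    return $findings
}

# Placeholder package path; replace with the real distribution package location.
$findings = @(Test-PackageCustomizations -PackageDir 'D:\PatchPackages\Win10-FeatureUpdate' -TargetArch x64)
if ($findings.Count -eq 0) { 'Package customizations look consistent.' } else { $findings }
```

Run it once per package with the architecture that package targets; a 32-bit package checked with -TargetArch x86 flags any x64 binary that was copied into DRV by mistake, which is exactly the case the note on the minimal driver set warns about. The .cat and .inf files are accepted without inspection because they carry no PE header.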

Attachments

prepare.cmd