This article will describe the various methods for upgrading Windows 10 on systems encrypted with Symantec Endpoint Encryption.

TIP: For step-by-step instructions on how to upgrade Windows 10 using the new method in Symantec Endpoint Encryption, see article 179265.

You can use the Symantec-provided upgrade scripts to upgrade your 32-bit and 64-bit client computers to the Microsoft Windows 10 Anniversary Update or later without decrypting and re-encrypting your drives.

The scripts support upgrades from the following Microsoft Windows operating systems:

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10 (Earlier versions)

The scripts upgrade Windows to the Windows 10 Anniversary Update or later. The Windows 10 Anniversary Update or any later version of Windows 10.x, is a full OS upgrade and not a patch release, so an in-place OS upgrade is performed.

This article also includes upgrade scripts that you may use to automatically upgrade your Windows client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives.

Note: As of Symantec Endpoint Encryption 11.2.1 MP1, Windows 10 feature update on Symantec Endpoint Encryption encrypted systems is supported through Windows updates. The Windows feature update can run automatically and administrators do not require to manually run the feature update. For details refer to the “Support for Windows 10 feature update through Windows updates” section in the Symantec Endpoint Encryption 11.2.1 MP1 Release Notes.

However, if you do not want to initiate the Windows in-place upgrades through Windows 10 feature, refer to the instructions in this article for performing the updates later.

Note: Beginning with the Symantec Endpoint Encryption 11.3.0 MP1 release, when you install the Symantec Endpoint Encryption client, the WINSETUPAUTOMATION option is now enabled by default. In previous releases it was disabled by default. However, if you upgrade the system to Symantec Endpoint Encryption 11.3.0 MP1, then the existing value of WINSETUPAUTOMATION is retained.
Later, if the user uninstalls the Symantec Endpoint Encryption client, or edits the registry to set WINSETUPAUTOMATION=0 and restarts the system; then the contents (reflectdriver and PostOobe keys) of the SetupConfig.ini file are automatically deleted.
For details, see the help topic: Upgrading the client with support for Windows 10 feature update through Windows updates

Update history

Evaluating Symantec Endpoint Encryption compatibility before upgrading to Windows 10

Ensure that you know the compatibility of your existing Symantec Endpoint Encryption version with the Windows 10 release that you want to upgrade. Also, verify that your client computer meets the hardware and software requirements. The following table list the compatibility and the minimum memory requirement for an in-place upgrade.

Understanding the in-place upgrade process

This article includes a limited number of upgrade scenarios. Administrators should consider customizing the procedures documented in this article to meet their organizations' requirements. This article also includes upgrade scripts that administrators may use to automatically upgrade client computers to a Windows 10 release without decrypting and re-encrypting the drives.

Symantec strongly recommends that administrators review and test the upgrade scripts and make necessary changes prior to deployment or upgrade. This ensures that the customized upgrade script meets the needs of that business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected. Administrators must use the process described in this article as a reference point for the in-place upgrade process.

You can upgrade your Windows client computers encrypted with Symantec Endpoint Encryption to a Windows 10 release without decrypting and re-encrypting the drives. To upgrade your client computers using in-place upgrade, you may choose one of the following methods:

Manual upgrade

• Perform all the pre-upgrade tasks that are mentioned in the Before you begin to upgrade section, and then perform the instructions that are mentioned in the Upgrading your client computers manually section. Both these sections are available in this article.

Automatic upgrade

• Automated upgrade using your custom script
  Automate the tasks mentioned in the Before you begin to upgrade section and the Upgrading your client computers manually section, and any other tasks per your organization's requirement, and then deploy and upgrade using any remote deployment software, such as Ghost Solution Suite.
• Automated upgrade using the upgrade script files (attached to this article)
  Perform all the pre-upgrade tasks as mentioned in the Before you begin to upgrade section. Then using the appropriate upgrade script that is attached to this article, perform the instructions as mentioned in the Upgrading your client computers using the upgrade scripts section.

Before you begin to upgrade Windows 10

To plan your deployment or upgrade, you must first complete the preparatory tasks mentioned in this section before you begin the actual upgrade process.

1. Backup all your data to an external drive.
2. Extract the Windows 10 installation media (ISO) to a network shared folder. Ensure that the folder name does not contain any spaces. For example, copy the ISO file to \\filerserver\windows10media. To create a Windows 10 installation media (ISO), refer to the Microsoft documentation.
3. On the Windows computer that you want to upgrade, map the shared folder to a local drive using the command prompt with administrator privileges. For example, to map the shared folder \\filerserver\windows10media to the drive Z, use the following command:
   net use Z:\\fileserver\windows10media
4. If Symantec Encryption Desktop is also installed, close the application. Be sure to exit PGPTray.exe and any other PGP service.
5. Unmount any virtual media or mounted drivers.
6. Set the computer sleep timer to one hour or more.
7. Enable the Autologon feature on the computer that you want to upgrade. For information about Autologon and how to enable it, refer to the Symantec Endpoint Encryption Management Server Policy Administrator Guide

Upgrading your client computers manually

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section.

1. Create a local folder on the Windows computer that you want to upgrade. For example, C:\SEETemp.
2. Copy the following files from the client computer to the local folder (for example, C:\SEETemp) that you created in step 1:

• Encryption driver files: eedDiskEncryptionDriver.sys, eedProtectionDriver.sys, eedCrashDumpFilter.sys, PGPce.sys, PGPce.sys.sig, eedDiskEncryptionDriver.inf, eedProtectionDriver.inf, eedCrashDumpFilter.inf, PGPce.inf
  Note: The encryption drive files are available on the client computer at %systemroot%\System32\drivers.
  Caution: If the encryption driver files are not copied from the same client computer, the client computer may not boot after upgrade because of missing files or driver version mismatch.
• Symantec registry: RegisterDESoftware.re
   
• Batch file: setupcomplete.cmd
  Note: The Symantec registry file and the batch file are present in the compressed folder that is attached to this article. Download the compressed folder from the Download files section on this page. To download the appropriate compressed folder, see the table Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers in this article.

3. Run the following command:
   Z:\setup.exe /reflectdrivers C:\SEETemp /postoobe C:\SEETemp\setupcomplete.cmd
   Note: During the in-place upgrade process, Windows 10 copies new files temporarily to a staging area.  As the disk is already encrypted, the files in the staging area get encrypted. If the Windows operating system does not have access to the encryption drivers and the encryption passphrase, the in-place upgrade fails. Therefore, ensure to use the /reflectdrivers option of the Windows 10 setup.exe command during the in-place upgrade. The /reflectdrivers option provides access to the encryption drivers during the in-place upgrade process.
4. The Windows 10 setup wizard is displayed. Follow the instructions on the wizard to finish the upgrade.

Upgrading Opal/hardware-encrypted client computers manually

Caution: If your client computer is Opal/hardware-encrypted, do not use the attached upgrade scripts to upgrade. Instead, follow these steps:

1. Decrypt the Opal drive.
2. Uninstall Symantec Endpoint Encryption.
3. Use the appropriate installation media of a Windows 10 release that you want to upgrade, and then perform the upgrade.
4. Install all the required Windows updates.
5. Re-install Symantec Endpoint Encryption.

About upgrading your client computers using the upgrade script files

About the upgrade script files

The upgrade script files are compressed and attached to this article for download. You may use the upgrade script files to upgrade your 32-bit and 64-bit Symantec Endpoint Encryption client computers automatically to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives. You can download the compressed archive of your choice, depending on the currently installed version of Windows and Symantec Endpoint Encryption, and the version of Windows 10 to which you want to upgrade.

To download the upgrade script files

1. Refer to the table Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers in this article and identify the upgrade script that you want to download.
2. To download the identified upgrade script file, either click Download Files on the right side of the page or click the appropriate link under the Download Files section available at the bottom of the page.
3. To access the upgrade script file, extract the contents of the compressed folder.

To upgrade your client computers using the upgrade script files

Important: The following in-place upgrade steps are provided for reference only. Administrators should use this procedure as a guideline and customize the steps and the script to suit their organization's environment and requirements. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the upgrade. This ensures that the customized upgrade script meets the needs of the business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected.

Scenario: As an administrator, you want to perform an in-place upgrade on Windows client computers that are encrypted with Symantec Endpoint Encryption. You want to automate the in-place upgrade process without user intervention and run the upgrade process in the background using the /auto upgrade and /quiet switches.

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section. If you choose to upgrade using the scripts, the steps in the Upgrading your client computers manually section are automatically performed by the upgrade script.

1. Extract the Windows 10 ISO to a file server and create a network share folder. For example, \\fileserver\windows10media. Make sure that the user has read access to the folder.
2. Download the appropriate upgrade script and extract it to a network share folder. For example, \\fileserver\In-place-upgrade-script.
   In the folder containing the extracted files, edit the WinRS-upgrade-SEE11.cmd file, where  is the RS version number (for example, WinRS2-upgrade-SEE11.cmd) and update the following command to add the /auto upgrade switch and the /quiet switch, and then save the file.
   call %1\setup.exe /reflectdrivers %SEETempPath% /auto upgrade /quiet /postoobe %SEETempPath%\setupcomplete.cmd
   Note: Perform Steps 4 through 7 on the client computer that you want to update. Ensure that you run the commands from the command prompt with administrator privileges. You can also compile these steps into a batch (.bat) file which you can deploy remotely using a third-party software deployment software.
4. To bypass preboot authentication by enabling the Autologon feature run the following command:
   eedAdminCli --enable-Autologon --count 3 --au AdminUserName -ap AdminPassword 
5. To map a network drive, run the following command:
   net use Z:\\fileserver\windows10media
6. To copy the upgrade scripts to a local folder, run the following command:
   xcopy \\fileserver\In-place-upgrade-script C:\Symc-scripts /i /a /s /y
7. To navigate to the local folder that contains the upgrade scripts, run the following command:
   cd  C:\Symc-scripts
8. To initialize the in-place upgrade script, run the following command:
   WinRS-upgrade-SEE11.cmd [Folder path to the Setup.exe file in the Windows 10 Installation Media]\
   For example:
   WinRS2-upgrade-SEE11.cmd Z:\

Table: Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers

Troubleshooting

Troubleshooting for Windows 10  Anniversary Update (version 1607) or later:

Symantec provides an additional script that you can run after completing the upgrade to Windows 10 Anniversary Update or later, only if you face any of the issue that are described below.

The post-upgrade script automatically applies a workaround for the following issues:

• The hibernation feature in Windows no longer works on systems that were upgraded from Windows 7. Affected systems shut down completely instead of entering hibernation mode.
• The Symantec Endpoint Encryption client no longer registers new users.
• When users change their Windows password, they are unable to use the new password to authenticate at preboot.

To run the post-upgrade script:

1. Open an administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
2. Run the Post-WinRS-upgrade-SEE11-register.bat file to apply the workaround.
3. Restart the computer.

Additional troubleshooting for Windows 10 Fall Creators Update (version 1709) or later:

Symantec provides an additional script that you can run after completing the upgrade to the Windows 10 RS3, only if you face any of the issue that are described below.

The post-upgrade script automatically applies a workaround for the following issues:

• Windows 10 Fall Creators Update (version 1709) or later workgroup computers are unable to authenticate at preboot.
• For the Windows 10 Fall Creators Update (version 1709) or later workgroup computers, single sign-on may not work even when the single sign-on policy is enabled.
• While viewing the "Provider Order" under "Network Connections", an error message appears and the network provider list is not displayed.

To run the post-upgrade script:

1. Open an administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
2. Run the Post-WinRS3-upgrade-SEE11-register.bat file to apply the workaround.
3. Restart the computer.

Note: When you run the post-upgrade script, the "Windows Settings->Accounts->Sign-in options->Privacy->Use my sign in info to automatically finish setting up my device after an update or restart" setting is automatically disabled. For details to disable this setting, refer to the Microsoft article: Winlogon Automatic Restart Sign-On (ARSO).

To view the known issues specific to Windows 10 Fall Creators Update and Symantec Endpoint Encryption 11.1.3 MP1 or later, see the Symantec Support Center article, Known Issues with Windows 10 Fall Creators Update (version 1709) or later and Symantec Endpoint Encryption 11.1.3 MP1 or later.