How to upgrade computers encrypted with Symantec Endpoint Encryption to a Windows 10 release

Article Id: 179017

Status: Published

Updated On: 28-07-2020 13:03

Legacy Id: HOWTO125875

Products:

Endpoint Encryption , Endpoint Encryption

Issue/Introduction:

This article will describe the various methods for upgrading Windows 10 on systems encrypted with Symantec Endpoint Encryption.

Resolution:

TIP: For step-by-step instructions on how to upgrade Windows 10 using the new method in Symantec Endpoint Encryption, see article 179265.

You can use the Symantec-provided upgrade scripts to upgrade your 32-bit and 64-bit client computers to the Microsoft Windows 10 Anniversary Update or later without decrypting and re-encrypting your drives.

The scripts support upgrades from the following Microsoft Windows operating systems:

Windows 7
Windows 8
Windows 8.1
Windows 10 (Earlier versions)

The scripts upgrade Windows to the Windows 10 Anniversary Update or later. The Windows 10 Anniversary Update or any later version of Windows 10.x, is a full OS upgrade and not a patch release, so an in-place OS upgrade is performed.

This article also includes upgrade scripts that you may use to automatically upgrade your Windows client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives.

Note: As of Symantec Endpoint Encryption 11.2.1 MP1, Windows 10 feature update on Symantec Endpoint Encryption encrypted systems is supported through Windows updates. The Windows feature update can run automatically and administrators do not require to manually run the feature update. For details refer to the “Support for Windows 10 feature update through Windows updates” section in the Symantec Endpoint Encryption 11.2.1 MP1 Release Notes.

However, if you do not want to initiate the Windows in-place upgrades through Windows 10 feature, refer to the instructions in this article for performing the updates later.

Note: Beginning with the Symantec Endpoint Encryption 11.3.0 MP1 release, when you install the Symantec Endpoint Encryption client, the WINSETUPAUTOMATION option is now enabled by default. In previous releases it was disabled by default. However, if you upgrade the system to Symantec Endpoint Encryption 11.3.0 MP1, then the existing value of WINSETUPAUTOMATION is retained.
Later, if the user uninstalls the Symantec Endpoint Encryption client, or edits the registry to set WINSETUPAUTOMATION=0 and restarts the system; then the contents (reflectdriver and PostOobe keys) of the SetupConfig.ini file are automatically deleted.
For details, see the help topic: Upgrading the client with support for Windows 10 feature update through Windows updates

Update history

Update	SEE Version	Date
Added compatibility with the following operating system: Microsoft Windows 10 Enterprise May 2019 Update (version 1903), 32-bit and 64-bit	11.3.0	May 10, 2019
Added compatibility with the following operating systems: Microsoft Windows 10 Enterprise October 2018 Update (version 1809), 32-bit and 64-bit Microsoft Windows 10 Pro October 2018 Update (version 1809), 32-bit and 64-bit	11.2.1	December 3, 2018
Added compatibility with the following operating systems: Microsoft Windows 10 Enterprise April 2018 Update (version 1803), 32-bit and 64-bit Microsoft Windows 10 Pro April 2018 Update (version 1803), 32-bit and 64-bit	11.1.3 MP1	May 15, 2018
Added compatibility with the following operating systems: Microsoft Windows 10 Enterprise Fall Creators Update (version 1709), 32-bit and 64-bit Microsoft Windows 10 Pro Fall Creators Update (version 1709), 32-bit and 64-bit	11.1.3 MP1	December 22, 2017
Added information related to Windows 10 Anniversary Update and Windows 10 Fall Creators Update (version 1709) to consolidate this article for all the upgrade scenarios related to Windows 10 Anniversary Update, Creators Update, and Fall Creators Update.	11.1.3 MP1	December 22, 2017

Evaluating Symantec Endpoint Encryption compatibility before upgrading to Windows 10

Ensure that you know the compatibility of your existing Symantec Endpoint Encryption version with the Windows 10 release that you want to upgrade. Also, verify that your client computer meets the hardware and software requirements. The following table list the compatibility and the minimum memory requirement for an in-place upgrade.

Windows 10 version	Compatible Windows Operating systems	Compatible SEE version	Minimum disk space required
May 2019 Update (v1903)	Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, Fall Creators Update, and April 2018 Update	11.3.0 or later	For 32-bit systems, 16 GB For 64-bit systems, 20 GB
October 2018 Update (v1809) (RS5)	Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, Fall Creators Update, and April 2018 Update	11.2.1 or later
April 2018 Update (v1803) (RS4)	Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, and Fall Creators Update	11.1.3 MP1 or later
Fall Creators Update (v1709) (RS3)	Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, and Creators Update	11.1.3 MP1 or later
Creators Update (v1703) (RS2)	Windows 7, 8, 8.1, 10, November 2015 update, and Anniversary Update	11.1.2 or later
Anniversary Update (v1607) (RS1)	Windows 7, 8, 8.1, 10, and November 2015 update	11.1.1 MP1 or later

Understanding the in-place upgrade process

This article includes a limited number of upgrade scenarios. Administrators should consider customizing the procedures documented in this article to meet their organizations' requirements. This article also includes upgrade scripts that administrators may use to automatically upgrade client computers to a Windows 10 release without decrypting and re-encrypting the drives.

Symantec strongly recommends that administrators review and test the upgrade scripts and make necessary changes prior to deployment or upgrade. This ensures that the customized upgrade script meets the needs of that business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected. Administrators must use the process described in this article as a reference point for the in-place upgrade process.

You can upgrade your Windows client computers encrypted with Symantec Endpoint Encryption to a Windows 10 release without decrypting and re-encrypting the drives. To upgrade your client computers using in-place upgrade, you may choose one of the following methods:

Manual upgrade

Perform all the pre-upgrade tasks that are mentioned in the Before you begin to upgrade section, and then perform the instructions that are mentioned in the Upgrading your client computers manually section. Both these sections are available in this article.

Automatic upgrade

Automated upgrade using your custom script
Automate the tasks mentioned in the Before you begin to upgrade section and the Upgrading your client computers manually section, and any other tasks per your organization's requirement, and then deploy and upgrade using any remote deployment software, such as Ghost Solution Suite.
Automated upgrade using the upgrade script files (attached to this article)
Perform all the pre-upgrade tasks as mentioned in the Before you begin to upgrade section. Then using the appropriate upgrade script that is attached to this article, perform the instructions as mentioned in the Upgrading your client computers using the upgrade scripts section.

Before you begin to upgrade Windows 10

To plan your deployment or upgrade, you must first complete the preparatory tasks mentioned in this section before you begin the actual upgrade process.

Backup all your data to an external drive.
Extract the Windows 10 installation media (ISO) to a network shared folder. Ensure that the folder name does not contain any spaces. For example, copy the ISO file to \\filerserver\windows10media. To create a Windows 10 installation media (ISO), refer to the Microsoft documentation.
On the Windows computer that you want to upgrade, map the shared folder to a local drive using the command prompt with administrator privileges. For example, to map the shared folder \\filerserver\windows10media to the drive Z, use the following command:
net use Z:\\fileserver\windows10media
If Symantec Encryption Desktop is also installed, close the application. Be sure to exit PGPTray.exe and any other PGP service.
Unmount any virtual media or mounted drivers.
Set the computer sleep timer to one hour or more.
Enable the Autologon feature on the computer that you want to upgrade. For information about Autologon and how to enable it, refer to the Symantec Endpoint Encryption Management Server Policy Administrator Guide

Upgrading your client computers manually

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section.

Create a local folder on the Windows computer that you want to upgrade. For example, C:\SEETemp.
Copy the following files from the client computer to the local folder (for example, C:\SEETemp) that you created in step 1:

Encryption driver files: eedDiskEncryptionDriver.sys, eedProtectionDriver.sys, eedCrashDumpFilter.sys, PGPce.sys, PGPce.sys.sig, eedDiskEncryptionDriver.inf, eedProtectionDriver.inf, eedCrashDumpFilter.inf, PGPce.inf
Note: The encryption drive files are available on the client computer at %systemroot%\System32\drivers.
Caution: If the encryption driver files are not copied from the same client computer, the client computer may not boot after upgrade because of missing files or driver version mismatch.
Symantec registry: RegisterDESoftware.re
Batch file: setupcomplete.cmd
Note: The Symantec registry file and the batch file are present in the compressed folder that is attached to this article. Download the compressed folder from the Download files section on this page. To download the appropriate compressed folder, see the table Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers in this article.

Run the following command:
Z:\setup.exe /reflectdrivers C:\SEETemp /postoobe C:\SEETemp\setupcomplete.cmd
Note: During the in-place upgrade process, Windows 10 copies new files temporarily to a staging area. As the disk is already encrypted, the files in the staging area get encrypted. If the Windows operating system does not have access to the encryption drivers and the encryption passphrase, the in-place upgrade fails. Therefore, ensure to use the /reflectdrivers option of the Windows 10 setup.exe command during the in-place upgrade. The /reflectdrivers option provides access to the encryption drivers during the in-place upgrade process.
The Windows 10 setup wizard is displayed. Follow the instructions on the wizard to finish the upgrade.

Upgrading Opal/hardware-encrypted client computers manually

Caution: If your client computer is Opal/hardware-encrypted, do not use the attached upgrade scripts to upgrade. Instead, follow these steps:

Decrypt the Opal drive.
Uninstall Symantec Endpoint Encryption.
Use the appropriate installation media of a Windows 10 release that you want to upgrade, and then perform the upgrade.
Install all the required Windows updates.
Re-install Symantec Endpoint Encryption.

About upgrading your client computers using the upgrade script files

About the upgrade script files

The upgrade script files are compressed and attached to this article for download. You may use the upgrade script files to upgrade your 32-bit and 64-bit Symantec Endpoint Encryption client computers automatically to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives. You can download the compressed archive of your choice, depending on the currently installed version of Windows and Symantec Endpoint Encryption, and the version of Windows 10 to which you want to upgrade.

To download the upgrade script files

Refer to the table Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers in this article and identify the upgrade script that you want to download.
To download the identified upgrade script file, either click Download Files on the right side of the page or click the appropriate link under the Download Files section available at the bottom of the page.
To access the upgrade script file, extract the contents of the compressed folder.

To upgrade your client computers using the upgrade script files

Important: The following in-place upgrade steps are provided for reference only. Administrators should use this procedure as a guideline and customize the steps and the script to suit their organization's environment and requirements. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the upgrade. This ensures that the customized upgrade script meets the needs of the business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected.

Scenario: As an administrator, you want to perform an in-place upgrade on Windows client computers that are encrypted with Symantec Endpoint Encryption. You want to automate the in-place upgrade process without user intervention and run the upgrade process in the background using the /auto upgrade and /quiet switches.

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section. If you choose to upgrade using the scripts, the steps in the Upgrading your client computers manually section are automatically performed by the upgrade script.

Extract the Windows 10 ISO to a file server and create a network share folder. For example, \\fileserver\windows10media. Make sure that the user has read access to the folder.
Download the appropriate upgrade script and extract it to a network share folder. For example, \\fileserver\In-place-upgrade-script.
In the folder containing the extracted files, edit the WinRS-upgrade-SEE11.cmd file, where is the RS version number (for example, WinRS2-upgrade-SEE11.cmd) and update the following command to add the /auto upgrade switch and the /quiet switch, and then save the file.
call %1\setup.exe /reflectdrivers %SEETempPath% /auto upgrade /quiet /postoobe %SEETempPath%\setupcomplete.cmd
Note: Perform Steps 4 through 7 on the client computer that you want to update. Ensure that you run the commands from the command prompt with administrator privileges. You can also compile these steps into a batch (.bat) file which you can deploy remotely using a third-party software deployment software.
To bypass preboot authentication by enabling the Autologon feature run the following command:
eedAdminCli --enable-Autologon --count 3 --au AdminUserName -ap AdminPassword
To map a network drive, run the following command:
net use Z:\\fileserver\windows10media
To copy the upgrade scripts to a local folder, run the following command:
xcopy \\fileserver\In-place-upgrade-script C:\Symc-scripts /i /a /s /y
To navigate to the local folder that contains the upgrade scripts, run the following command:
cd C:\Symc-scripts
To initialize the in-place upgrade script, run the following command:
WinRS-upgrade-SEE11.cmd [Folder path to the Setup.exe file in the Windows 10 Installation Media]\
For example:
WinRS2-upgrade-SEE11.cmd Z:\

Table: Windows 10 upgrade scripts for Symantec Endpoint Encryption 11.x client computers

Windows 10 version	Compatible Symantec Endpoint Encryption version	Script	Description
Windows 10 Anniversary Update (RS1)	11.1.1 MP1 or later	Win7_Upgrade_SEE11.1.2.zip	Contains the scripts for upgrading from Windows 7 to the Windows 10 Anniversary Update. Note: This script also works while upgrading to Windows 10 RS1 or RS2.
		Win8_10_Upgrade_SEE11.1.2.zip	Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Anniversary Update. Note: This script also works while upgrading to Windows 10 RS1 or RS2.
Windows 10 Creators Update (RS2)	11.1.2 or later	Win7_Upgrade_SEE11.1.2.zip	Contains the scripts for upgrading from Windows 7 to the Windows 10 Anniversary Update or Creators Update.
		Win8_10_Upgrade_SEE11.1.2.zip	Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Anniversary Update or Creators Update.
Windows 10 Fall Creators Update (version 1709) (RS3)	11.1.3 MP1 or later	Win7_Upgrade_SEE11.1.3MP1.zip	Contains the scripts for upgrading from Windows 7 to the Windows 10 Fall Creators Update (version 1709).
		Win8_10_Upgrade_SEE11.1.3MP1.zip	Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Fall Creators Update (version 1709).
Windows 10 April 2018 Update (version 1803) (RS4)	11.1.3 MP1 or later	Win7_Upgrade_SEE11.1.3MP1.zip	Contains the scripts for upgrading from Windows 7 to the Windows 10 April 2018 Update (version 1803).
		Win8_10_Upgrade_SEE11.1.3MP1.zip	Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 April 2018 Update (version 1803).
Windows 10 October 2018 Update (v1809) (RS5) or Windows 10 May 2019 Update (v1903)	11.2.1 or later	Win7_Upgrade_SEE11.2.1.zip	Contains the scripts for upgrading from Windows 7 to the Windows 10 October 2018 Update (v1809) and the Windows 10 May 2019 Update (v1903).
		Win8_10_Upgrade_SEE11.2.1.zip	Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 October 2018 Update (v1809) and the Windows 10 May 2019 Update (v1903).

Troubleshooting

Troubleshooting for Windows 10 Anniversary Update (version 1607) or later:

Symantec provides an additional script that you can run after completing the upgrade to Windows 10 Anniversary Update or later, only if you face any of the issue that are described below.

The post-upgrade script automatically applies a workaround for the following issues:

The hibernation feature in Windows no longer works on systems that were upgraded from Windows 7. Affected systems shut down completely instead of entering hibernation mode.
The Symantec Endpoint Encryption client no longer registers new users.
When users change their Windows password, they are unable to use the new password to authenticate at preboot.

To run the post-upgrade script:

Open an administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
Run the Post-WinRS-upgrade-SEE11-register.bat file to apply the workaround.
Restart the computer.

Additional troubleshooting for Windows 10 Fall Creators Update (version 1709) or later:

Symantec provides an additional script that you can run after completing the upgrade to the Windows 10 RS3, only if you face any of the issue that are described below.

The post-upgrade script automatically applies a workaround for the following issues:

Windows 10 Fall Creators Update (version 1709) or later workgroup computers are unable to authenticate at preboot.
For the Windows 10 Fall Creators Update (version 1709) or later workgroup computers, single sign-on may not work even when the single sign-on policy is enabled.
While viewing the "Provider Order" under "Network Connections", an error message appears and the network provider list is not displayed.

To run the post-upgrade script:

Open an administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
Run the Post-WinRS3-upgrade-SEE11-register.bat file to apply the workaround.
Restart the computer.

Note: When you run the post-upgrade script, the "Windows Settings->Accounts->Sign-in options->Privacy->Use my sign in info to automatically finish setting up my device after an update or restart" setting is automatically disabled. For details to disable this setting, refer to the Microsoft article: Winlogon Automatic Restart Sign-On (ARSO).

To view the known issues specific to Windows 10 Fall Creators Update and Symantec Endpoint Encryption 11.1.3 MP1 or later, see the Symantec Support Center article, Known Issues with Windows 10 Fall Creators Update (version 1709) or later and Symantec Endpoint Encryption 11.1.3 MP1 or later.