How to automatically upgrade Windows 10/11 systems encrypted with Symantec Encryption Desktop 10 (PGP Desktop)
search cancel

How to automatically upgrade Windows 10/11 systems encrypted with Symantec Encryption Desktop 10 (PGP Desktop)


Article ID: 179262


Updated On:


Drive Encryption Desktop Email Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


For instructions on upgrading Windows 10 systems encrypted with Symantec Encryption Desktop using SCCM, see the following article:
213895 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Encryption Desktop


This article will go over the general usage of Windows 10 Upgrades with Symantec Encryption Desktop, which can be performed all without using any special upgrade scripts.  For assistance on this, please feel free to reach out to Symantec Encryption Support.


TIP: For information on how to upgrade Symantec Endpoint Encryption 11 standalone clients, see the following article:

179265 - How to automatically upgrade Windows 10/11 systems encrypted with Symantec Endpoint Encryption 11 (SEE)


System Requirements: It's always a good idea to check with the System Requirements page to ensure the version of Windows you are updating to is supported. 

Encryption Desktop 10.5.0 for Windows System Requirements

Encryption Desktop 10.4.2 for Windows System Requirements

Update Dec 4, 2018: Microsoft has recently released Windows 10 1809.  This version of Windows is now officially certified with Symantec Encryption Desktop 10.4.2 MP1. 
Update July 31, 2019: Microsoft has released Windows 10 1903.  This version of Windows is now officially certified with Symantec Encryption Desktop 10.4.2 MP3.

This article is targeted for standalone systems or smaller environments, rather than mass deployments for large enterprises. These steps are to guide an end user through the process of upgrading a Windows 10 system encrypted with Symantec Encryption Desktop 10.4.2 or higher.

Windows 10 has two types of updates:

  • Cumulative updates, which do not change the core version of Windows
  • Major updates, which change the core version of Windows

The Windows 10 auto-update feature can perform these major updates. When the major update is performed on systems encrypted by Symantec Encryption Desktop, the upgrade fails as well as cause potential boot issues with the system itself. 

Examples of these major updates are as follows:

  • It is fully supported to use this same process to upgrade from Windows 10 to Windows 11.

Windows 11 2022 Update (version 22H2 - Added Oct 19, 2022 for PGP Desktop 10.5.1)
Windows 11 October 2021 Update (version 21H2)
Windows 10 May 2021 Update (version 21H1)
Windows 10 October 2020 Update (version 20H2)
Windows 10 May 2020 Update (version 2004 - 20H1)
Windows 10 November 2019 Update (version 1909 - 19H2)
Windows 10 May 2019 Update (version 1903 - 19H1)
Windows 10 October 2018 Update (version 1809 - RS5)
Windows 10 April 2018 Update (version 1803 - RS4)
Windows 10 Fall Creators Update (version 1709 - RS3)
Windows 10 Creators Update (version 1703 - RS2)
Windows 10 Anniversary Update (version 1607 - RS1)

When attempting to update from one of these major versions of Windows to another, you need to consider special requirements. Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2 can be upgraded in either of the following methods:

Prerequisites before you start the upgrade:

  • Back up your system.
    Note: Take a backup of your system before you perform any major change to the system, such as a major Windows update.
  • Symantec Encryption Desktop 10.4.2 is installed on Windows 10.
    Note: If Symantec Encryption Desktop 10.4.2 is not currently installed, it can be downloaded from your Broadcom Support portal, and installed over the top of Symantec Encryption Desktop 10.3.x/10.4.x.
  • A clean USB drive with no data on it.
    The data on this USB drive will be overwritten so make sure it is not one of your backup drives. A 16 GB USB drive is sufficient.
  • The upgrade scripts are attached to this article in the "Download Files" section, or the bottom of this article.  These upgrade scripts will be copied to the system that you will be upgrading.
  • At least 10 GB of free hard drive space is required.

Disable Windows Sign-On ARSO feature:
In order for authentication to work properly at preboot, you need to disable the Windows ARSO feature by performing the following steps:

  1. On the Windows Start menu, type "Settings".  A cogwheel icon appears, press Enter.
  2. Click on the "Accounts" icon.
  3. On the left side, select "Sign-in options".
  4. Scroll down to the "Use my sign-in info to automatically finish setting up my device after an update or restart" option, and disable this option.


Note: If Settings does not appear and the system is joined to a domain, proceed to the next steps.



Methods covered for upgrading in this article: 

Method 1: Automatic steps which require no upgrade scripts (Available with SED 10.4.2 MP3 and above)
Method 2: Using Upgrade scripts (Required if using SED 10.4.2 MP2 or older)

Method 1 is the recommended option so if you can, upgrade your SED client to 10.4.2 MP3 and then follow the steps below:


Method 1: Steps with SED 10.4.2 MP3: Symantec Encryption Desktop 10.4.2 MP3 and beyond:
This new functionality supports Windows 10 upgrades starting with Windows 10 1607 and beyond.  This feature is enabled by default and requires no special install options and once 10.4.2 MP3 or above is installed, the Windows 10 automatic update feature can be performed without running any special steps, scripts, or utilities, only authenticating each reboot.  Just make sure the version of Windows 10 you are installing is certified before proceeding.  Check the System Requirements page for more information on this.

TIP: It is always good practice to backup your systems before performing upgrades or other significant changes to the system.

If Automatic Updates are *not* being used, and you would like to manually deploy Windows 10 major updates *without* using upgrade scripts by using the Windows setup files directly, use the following command to install the Windows 10 upgrade build:

setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers  "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Postoobe "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files\setupcomplete.cmd"

Using the above command will install Windows keeping current files, and will not attempt to download any updates during the upgrade.  Using other Windows install options is fully supported as long as Microsoft supports the options for install, such as the "/Auto Upgrade", or "/DynamicUpdate disable" options mentioned.  This is command provided simply for convenience.

The Windows 10 updates can now be applied manually requiring only authentication at preboot.

TIP: SED can use a bypass user to perform the upgrade so that during the upgrade you don't need to enter a passphrase between the required Windows update reboots.  To add the bypass, look at steps 13 and 14 below.

For more details on this new Windows 10 Live Update functionality, see article:


Method 2: Steps with SED 10.4.2 MP2 and older:  
Use the upgrade sample scripts provided by Symantec (attached to this article) to perform a manual upgrade without decrypting the system.

Step 1: Go to the system you want to upgrade and open the C: drive. Create the "SEE-Upgrade-scripts" folder to copy the Symantec Encryption Upgrade scripts in this folder.

Step 2: Download the upgrade script from this article ""

In this example, you will be using the "" file.  Extract this zip file to the system you will be upgrading, and copy all of the upgrade files and paste them in the "SEE-Upgrade-scripts" folder.  You should see the following files:


These are the upgrade scripts that are used in the back ground. However, you will use only "WinRS4-upgrade-SED1042.cmd" for running the commands. 

Step 3: Go to the Microsoft site to download Windows 10 at

Note: This download provides all the needed Windows 10 files to update. These files can be used to perform a full or clean Windows upgrade. However, for these steps, you will use them to simply update Windows 10 to the newer version of Windows 10.

Step 4: Get your clean USB drive and ensure you have plenty of space on it (16 GB).

Step 5: On the Microsoft page, click "Download tool now"

This downloads the Windows 10 installation media.  As of this writing, the Windows 10 May 2019 Update (version 1903) is currently available, so the tool is called "MediaCreationTool1903.exe".

Double-click the "MediaCreationTool1903.exe" file, which displays a Microsoft window.

Step 6: To proceed, accept all the prompts for the license agreement.

Step 7: Choose the option to create the installation media on the USB drive

Note: During the creation wizard, choose "Both" for Architecture.

Click Next to start the creation of the USB drive for the upgrade. This process could take a while depending on download speed, USB speed, and so on. Wait till it is complete:

Step 8: Once the USB drive has been created, take it to your Windows 10 system you want to upgrade. In this case, you will be updating Windows 10 April 2018 Update (version 1803).

Step 9: Now open the C: drive on your system and create the "Win10-1803-upgrade-setup-files" folder.

Step 10: Copy all of the Windows setup files from the USB drive created from Step 7 to the "Win10-1803-upgrade-setup-files" folder.

On the USB Drive, you should see the following files\folders:
setup.exe, bootmgr, boot, efi, sources, support, x64, x86

These files and folders should now be in the c:\Win10-1803-upgrade-setup-files folder you just created.

Step 11: Now you should have two folders created on the C: drive:

  • Win10-1803-upgrade-setup-files, which contains all the Windows upgrade files from step 10.
  • SEE-Upgrade-scripts, which contains all the Symantec upgrade files from step 2.

Step 12: Now that you have all the needed files to do the upgrade, open a command prompt with administrative permissions:

Click the Start menu, type "cmd", and once it appears in the list, "right-click" on it, and select "Run as administrator" to ensure the commands work properly.

Step 13: Now we will add the bypass user so that you will not need to enter the password each time the Windows upgrade process reboots the system (3 reboots is required to perform this update).

Type the following:

then type:

cd "Program Files (x86)\PGP Corporation\PGP Desktop"

This should place you at the following prompt:
C:\Program Files (x86)\PGP Corporation\PGP Desktop>

Step 14: Run the following command:
pgpwde --add-bypass --disk 0 --count 3 --interactive

Once prompted, enter the Drive Encryption passphrase until the following is returned:

"Request sent to Add bypass was successful"

Proceed to the next step:

Note: If adding the bypass did not work, the update will still work, however, you will need to enter your passphrase for each reboot.

Step 15: Close Symantec Encryption Desktop. Ensure to exit PGPTray and any other PGP service.

Step 16: On the command prompt, type the following to be at the root of C drive:

Step 17: Type the following to access SEE-Upgrade-Scripts
cd SEE-Upgrade-Scripts

Step 18: Type the following and press Enter:
WinRS4-Upgrade-SED1042.cmd c:\win10-1803-upgrade-setup-files

TIP: If you type the first part of the file, and hit tab, it should auto complete.

The above screenshot should reflect the command.  Once you run this command, the Windows 10 upgrade screens are displayed. Wait till this process is complete.

The reboots happen automatically. Once the upgrade is completed, reboot again until you are prompted to enter the passphrase. This completes the Windows 10 upgrade.

If you get stuck while performing these steps, it's best to backtrack to see if any steps may have been missed. For further assistance, contact Symantec Support.

TIP: For information on how to upgrade Symantec Endpoint Encryption 11 standalone clients, see article 179265.

Windows 10 upgrade SED
Windows 10 upgrade PGP
Upgrade Encrypted Drives
Upgrade PGP Encrypted Drives
Upgrade PGP-Encrypted Drives

Additional Information

194755 - Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)

162486 - Systems unable to boot properly after Encrypting disk with Symantec Drive Encryption when BIOS set to RAID On

179265 - How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11

213890 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Endpoint Encryption

161041 - Windows PE Recovery Tools for Endpoint Encryption

Attachments get_app