INFO: It's always a good idea to check with the System Requirements page to ensure the version of Windows you are updating to is supported. This article has been written for 1903 which is certified with Symantec Encryption Desktop 10.4.2 MP3 and above. Refer to the System Requirements page for official certification information:
Update Dec 4, 2018: Microsoft has recently released Windows 10 1809. This version of Windows is now officially certified with Symantec Encryption Desktop 10.4.2 MP1.
Update July 31, 2019: Microsoft has released Windows 10 1903. This version of Windows is now officially certified with Symantec Encryption Desktop 10.4.2 MP3.
This article is targeted for standalone systems or smaller environments, rather than mass deployments for large enterprises. These steps are to guide an end user through the process of upgrading a Windows 10 system encrypted with Symantec Encryption Desktop 10.4.2. To view the sample upgrade scenarios and scripts for enterprise environments, see the Symantec Support Center article, How to upgrade computers encrypted with Symantec Encryption Desktop to a Windows 10 release.
Windows 10 has two types of updates:
The Windows 10 auto-update feature can perform these major updates. When the major update is performed on systems encrypted by Symantec Encryption Desktop, the upgrade fails as well as cause potential boot issues with the system itself.
Examples of these major updates are as follows:
Windows 10 Anniversary Update (version 1607 - RS1)
Windows 10 Creators Update (version 1703 - RS2)
Windows 10 Fall Creators Update (version 1709 - RS3)
Windows 10 April 2018 Update (version 1803 - RS4)
Windows 10 October 2018 Update (version 1809 - RS5)
Windows 10 May 2019 Update (version 1903 - RS6)
When attempting to update from one of these major versions of Windows to another, you need to consider special requirements. Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2 can be upgraded in either of the following methods:
Prerequisites before you start the upgrade:
Disable Windows Sign-On ARSO feature:
In order for authentication to work properly at preboot, you need to disable the Windows ARSO feature by performing the following steps:
Note: If Settings does not appear and the system is joined to a domain, proceed to the next steps.
TIP: For a list of known issues with Symantec Encryption Desktop 10.4.2 and Windows 10 April 2018 Update (AKA Build 1803 or RS4), see Symantec Support Center article, Troubleshooting incompatibility issues of April 2018 Update and Windows 10 Fall Creators Update with Symantec Encryption Desktop.
Method 1: Automatic steps which require no upgrade scripts (Available with SED 10.4.2 MP3 and above)
Method 2: Using Upgrade scripts (Required if using SED 10.4.2 MP2 or older)
Method 1 is the recommended option so if you can, upgrade your SED client to 10.4.2 MP3 and then follow the steps below:
Method 1: Steps with SED 10.4.2 MP3: Symantec Encryption Desktop 10.4.2 MP3 and beyond:
This new functionality supports Windows 10 upgrades starting with Windows 10 1607 and beyond. This feature is enabled by default and requires no special install options and once 10.4.2 MP3 or above is installed, the Windows 10 automatic update feature can be performed without running any special steps, scripts, or utilities, only authenticating each reboot. Just make sure the version of Windows 10 you are installing is certified before proceeding. Check the System Requirements page for more information on this.
TIP: It is always good practice to backup your systems before performing upgrades or other significant changes to the system.
If Automatic Updates are *not* being used, and you would like to manually deploy Windows 10 major updates *without* using upgrade scripts by using the Windows setup files directly, use the following command to install the Windows 10 upgrade build:
setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Postoobe "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files\setupcomplete.cmd
Using the above command will install Windows keeping current files, and will not attempt to download any updates during the upgrade. Using other Windows install options is fully supported as long as Microsoft supports the options for install, such as the "/Auto Upgrade", or "/DynamicUpdate disable" options mentioned. This is command provided simply for convenience.
The Windows 10 updates can now be applied manually requiring only authentication at preboot.
TIP: SED can use a bypass user to perform the upgrade so that during the upgrade you don't need to enter a passphrase between the required Windows update reboots. To add the bypass, look at steps 13 and 14 below.
For more details on this new Windows 10 Live Update functionality, see article: https://knowledge.broadcom.com/external/article/175484
Step 1: Go to the system you want to upgrade and open the C: drive. Create the "SEE-Upgrade-scripts" folder to copy the Symantec Encryption Upgrade scripts in this folder.
Step 2: Download the upgrade script from this article "SED_Win8_10_Upgrade_SED_10.4.2.zip"
In this example, you will be using the "SED_Win8_10_Upgrade_SED_10.4.2.zip" file. Extract this zip file to the system you will be upgrading, and copy all of the upgrade files and paste them in the "SEE-Upgrade-scripts" folder. You should see the following files:
These are the upgrade scripts that are used in the back ground. However, you will use only "WinRS4-upgrade-SED1042.cmd" for running the commands.
Step 3: Go to the Microsoft site to download Windows 10 at
Note: This download provides all the needed Windows 10 files to update. These files can be used to perform a full or clean Windows upgrade. However, for these steps, you will use them to simply update Windows 10 to the newer version of Windows 10.
Step 4: Get your clean USB drive and ensure you have plenty of space on it (16 GB).
Step 5: On the Microsoft page, click "Download tool now"
This downloads the Windows 10 installation media. As of this writing, the Windows 10 May 2019 Update (version 1903) is currently available, so the tool is called "MediaCreationTool1903.exe".
Double-click the "MediaCreationTool1903.exe" file, which displays a Microsoft window.
Step 6: To proceed, accept all the prompts for the license agreement.
Step 7: Choose the option to create the installation media on the USB drive
Note: During the creation wizard, choose "Both" for Architecture.
Click Next to start the creation of the USB drive for the upgrade. This process could take a while depending on download speed, USB speed, and so on. Wait till it is complete:
Step 8: Once the USB drive has been created, take it to your Windows 10 system you want to upgrade. In this case, you will be updating Windows 10 April 2018 Update (version 1803).
Step 9: Now open the C: drive on your system and create the "Win10-1803-upgrade-setup-files" folder.
Step 10: Copy all of the Windows setup files from the USB drive created from Step 7 to the "Win10-1803-upgrade-setup-files" folder.
On the USB Drive, you should see the following files\folders:
setup.exe, bootmgr, boot, efi, sources, support, x64, x86
These files and folders should now be in the c:\Win10-1803-upgrade-setup-files folder you just created.
Step 11: Now you should have two folders created on the C: drive:
Step 12: Now that you have all the needed files to do the upgrade, open a command prompt with administrative permissions:
Click the Start menu, type "cmd", and once it appears in the list, "right-click" on it, and select "Run as administrator" to ensure the commands work properly.
Step 13: Now we will add the bypass user so that you will not need to enter the password each time the Windows upgrade process reboots the system (3 reboots is required to perform this update).
Type the following:
cd "Program Files (x86)\PGP Corporation\PGP Desktop"
This should place you at the following prompt:
C:\Program Files (x86)\PGP Corporation\PGP Desktop>
Step 14: Run the following command:
pgpwde --add-bypass --disk 0 --count 3 --interactive
Once prompted, enter the Drive Encryption passphrase until the following is returned:
"Request sent to Add bypass was successful"
Proceed to the next step:
Note: If adding the bypass did not work, the update will still work, however, you will need to enter your passphrase for each reboot.
Step 15: Close Symantec Encryption Desktop. Ensure to exit PGPTray and any other PGP service.
Step 16: On the command prompt, type the following to be at the root of C drive:
Step 17: Type the following to access SEE-Upgrade-Scripts
Step 18: Type the following and press Enter:
TIP: If you type the first part of the file, and hit tab, it should auto complete.
The above screenshot should reflect the command. Once you run this command, the Windows 10 upgrade screens are displayed. Wait till this process is complete.
The reboots happen automatically. Once the upgrade is completed, reboot again until you are prompted to enter the passphrase. This completes the Windows 10 upgrade.
If you get stuck while performing these steps, it's best to backtrack to see if any steps may have been missed. For further assistance, contact Symantec Support.
For information on how to upgrade Symantec Endpoint Encryption 11 standalone clients, see article HOWTO128509.
Windows 10 upgrade SED
Windows 10 upgrade PGP
Upgrade Encrypted Drives
Upgrade PGP Encrypted Drives
Upgrade PGP-Encrypted Drives