How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11


Article ID: 179265


Updated On:


Endpoint Encryption


Symantec Endpoint Encryption uses best-of-class encryption for the highest security possible.  Once systems are encrypted, there is a preboot screen that is used to protect systems such that users must enter a passphrase before the system will even boot.

When performing a Windows 10 upgrade using the "Live Updates" which will automatically update the operating system to the latest release, no special steps are required on systems encrypted with Symantec Endpoint Encryption. The system can be automatically updated and when prompted to reboot, all you need to do is enter your passphrase at the preboot screen.


If you are deploying Windows 10 updates centrally, there are some simple steps you can follow in order to successfully upgrade.  This article will discuss the general steps to upgrade a Windows 10 to a newer version of Windows 10 on systems encrypted with Symantec Endpoint Encryption.  These "Major" updates include upgrading from 1809 to Windows 10 20H2, for example.


For instructions on upgrading Windows 10 systems encrypted with Symantec Encryption using SCCM, see article 213890 - Deploy or Upgrade Windows 10 using SCCM on systems encrypted with Symantec Endpoint Encryption.


Symantec Endpoint Encryption is not typically configured as a "standalone" client, however in the context of this article will act as a guide to upgrade a single system with SEE 11, or a small group.  This article is intended as a guide using step-by-step instructions on "standalone" machines, but can be re purposed using the setup.exe command using deployment software to many systems remotely. 

TIP: For information on how to upgrade Symantec Encryption Desktop 10 systems see article 179262.

Update Dec 4, 2018: Microsoft has recently released Windows 10 1809.  This version of Windows now officially certified by Symantec Endpoint Encryption 11.2.1.
Update June 28, 2019: Microsoft has released Windows 10 1903.  This version of Windows is now officially certified with Symantec Endpoint Encryption 11.3 and beyond.

Refer to the System Requirements page for official certification information:
Symantec Endpoint Encryption Client, version 11.3.x - System Requirements

Symantec Endpoint Encryption Client, version 11.2.x - System Requirements


Windows 10 has two types of updates

  • cumulative updates, which do not change the core version of Windows
  • major updates, which change the core version of Windows

Examples of these major updates are as follows:
Windows 10 Anniversary Update (version 1607 - RS1)
Windows 10 Creators Update (version 1703 - RS2)
Windows 10 Fall Creators Update (version 1709 - RS3)
Windows 10 April 2018 Update (version 1803 - RS4)
Windows 10 October 2018 Update (version 1809 - RS5)
Windows 10 May 2019 Update (version 1903 - RS6)

The Windows 10 auto-update feature can perform the major updates. When the major update is performed on systems encrypted with Symantec Endpoint Encryption, the upgrade fails as well as cause potential boot issues with the system itself. 


Section 1 of 3: Steps with SEE 11.3.0 and above:
Symantec Endpoint Encryption 11.3.0 have seamless Windows 10 upgrade functionality already set by default. 

If systems are upgraded from older versions, see sections 2 or 3 below, but otherwise, Windows 10 can be automatically updated using the "Live Updates" or automatic updates feature with versions 11.3.0 seamlessly.  This means that if Symantec Encryption has encrypted the system, the automatic Windows 10 updates (both cumulative and major updates) and there is never a need to decrypt a system prior to Windows 10 updates.

If deployment tools are being used to deploy Windows 10 updates, see the information in this section below, but automatic Windows 10 updates can be provided without having to do anything to the system and can be done automatically!

TIP: It is always good practice to backup your systems before performing upgrades or other significant changes to the system.


If Deployment tools such as Symantec IT Management Suite (AKA Altiris) or SCCM are being used, and you would like to manually deploy Windows 10 major updates by using the Windows setup files directly, use the string below to install the Windows 10 upgrade builds:

setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers  "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files" /Postoobe "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\setupcomplete.cmd

Using the above command will install Windows keeping current files, and will not attempt to download any updates during the upgrade.  Using other Windows install options is fully supported as long as Microsoft supports the options for install, such as the "/Auto Upgrade", or "/DynamicUpdate disable" options mentioned.  This is command provided simply for convenience, but any upgrade command supported by Microsoft is also supported by Symantec Endpoint Encryption.



Section 2 of 3: Steps with SEE 11.2.1 MP1:
Symantec Endpoint Encryption 11.2.1 MP1 supports Windows 10 automatic updates without the requirement of using upgrade scripts.  This new functionality supports Windows 10 upgrades starting with Windows 10 1607 and beyond.  In order to enable this functionality, run the following installation command: 

msiexec /i "SEE Client_x64.msi" WINSETUPAUTOMATION=1

Once this is done, using the Windows 10 automatic update feature can be done without running any special steps or utilities, only authenticating each reboot.

Important Tip: If Symantec Endpoint Encryption 11.2.1 MP1 or newer was already installed, but the WINSETUPAUTOMATION=1 option was not set during install, this can be set manually in the registry at any time by modifying the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk

 Symantec Endpoint Encryption 11.3.0 MP1 sets the WINSETUPAUTOMATION value to "1" by default.

Once this has been added, restart the machine for this to take effect.  The Windows 10 updates can now be applied manually requiring only authentication at preboot.

As mentioned, WINSETUPAUTOMATION is automatically set to 1 on any new installs of 11.2.1 or above by default.  If WINSETUPAUTOMATION is set to 0, then this was done manually, but there is no reason to have this set because most scenarios will desire to have automatic Windows 10 upgrades.



Section 3 of 3: Steps with SEE 11.2.1 GA or older:
If SEE 11.2.1 MP1 is not being used, the methods below can be used to update Windows.

When attempting to update from one of these major versions of Windows to another, you need to consider special requirements. Windows 10 systems encrypted with Symantec Endpoint Encryption 11.2 can be upgraded in either of the following methods:

Method 1:  Use the upgrade sample scripts provided by Symantec to perform a manual upgrade without decrypting the system.

Method 2:  Fully decrypt these systems, perform the Windows update. Encrypt the drive again once the upgrade is complete.

This article describes Method 1 to perform a manual update of the core version of Windows without decrypting the system.


This article is targeted for standalone systems or smaller environments, rather than mass deployments for large enterprises. These steps are to guide an end-user through the process of upgrading a Windows 10 system encrypted with Symantec Endpoint Encryption 11.2. To view the sample upgrade scenarios and scripts for enterprise environments, see the Symantec Support Center article, Upgrading Encrypted Computers to the Windows 10 Anniversary Update or Later from Earlier Versions of Windows with Symantec Endpoint Encryption.

Prerequisites before you start the upgrade:

  • Back up your system
    Note: Take a backup of your system before you perform any major change to the system, such as a major Windows update.
  • Symantec Endpoint Encryption 11.1.3 MP1 or above is installed on Windows 10 system.
    Note: If Symantec Endpoint Encryption 11.2 is not currently installed, then the Symantec Endpoint Encryption 11.2 server suite can be downloaded from FileConnect. The Symantec Endpoint Encryption administrator can create a new 11.2 client, and install it over the current Symantec Endpoint Encryption 11 product.
  • A clean USB drive with no data on it. The data on this USB drive will be overwritten, so make sure it is not one of your backup drives.  A 16 GB USB drive is sufficient.
  • The upgrade scripts are attached to this article in the "Download Files" section, or the bottom of this article. These upgrade scripts are copied to the system that you will be upgrading.
  • At least 10 GB of free hard drive space.

Disable Windows Sign-On ARSO feature:
In order for authentication to work properly at preboot, you need to disable the Windows ARSO feature by performing the following steps:

  1. On the Windows Start menu, type "Settings".  A cogwheel icon appears, press Enter.
  2. Click on the "Accounts" icon.
  3. On the left side, select "Sign-in options".
  4. Scroll down to the "Use my sign-in info to automatically finish setting up my device after an update or restart" option, and disable this option.

Note: If Settings does not appear on the Start menu and the system is joined to a domain, proceed to the next steps.

Step-by-step instructions to upgrade the Windows 10 system:

Step 1: Go to the system you want to upgrade and open the C: drive. Create the "SEE-Upgrade-scripts" folder to copy the Symantec Encryption Upgrade scripts in this folder.

Step 2: Download the upgrade script from this article ""

In this example, you will be using the "" file.  Extract this zip file to the system you will be upgrading, and copy all the upgrade files and paste them in the "SEE-Upgrade-scripts" folder.  You should see the following files:


These are the upgrade scripts that are used in the back ground. However, you will use only "WinRS4-upgrade-SEE11.2.cmd" for running the commands. 

Step 3: Go to the Microsoft site to download Windows 10 at

Note: This download provides all the needed Windows 10 files to update. These files can be used to perform a full or clean Windows upgrade. However, for these steps, you will use them to simply update Windows 10 to the newer version of Windows 10.

Step 4: Get your clean USB drive and ensure you have plenty of space on it (16 GB)

Step 5: On the Microsoft page, click the "Download tool now" option:

This downloads the Windows 10 installation media.  As of this writing, the Windows 10 April 2018 Update (version 1803) is currently available, so the tool is called "MediaCreationTool1803.exe".

Double-click the "MediaCreationTool1803.exe" file, which displays a Microsoft window.

Step 6: To proceed, accept all the prompts for the license agreement.

Step 7: Choose the option to create the installation media on the USB drive:

Note: During the creation wizard, choose "Both" for Architecture.

Click Next to start the creation of the USB drive for the upgrade. This process could take a while depending on download speed, USB speed, and so on. Wait till it is complete.

Step 8: Once the USB drive has been created, take it to your Windows 10 system you want to upgrade.  In this case, you will be updating to Windows 10 April 2018 Update (version 1803).

Step 9: Now open the C: drive on your system and create a folder called "Win10-1803-upgrade-setup-files".

Step 10: Copy all of the Windows setup files from the USB drive created from Step 7 to the "Win10-1803-upgrade-setup-files" folder.

On the USB drive, you should see the following files\folders:
setup.exe, bootmgr, boot, efi, sources, support, x64, x86

These files and folders should now be in the c:\Win10-1803-upgrade-setup-files folder you just created.

Step 11: Now you should have two folders created on the C: drive

  • Win10-1803-upgrade-setup-files, which contains all the Windows upgrade files from step 10
  • SEE-Upgrade-scripts, which contains all the Symantec upgrade files from step 2

Step 12: Now you have all the needed files to perform the upgrade, open a command prompt with administrative permissions:

Click the Start menu, type "cmd", and once it appears in the list, "right-click" on it, and select "Run as administrator" to ensure the commands work properly.

Step 13: On the command prompt, type the following to be at the root of C drive:

Step 14: Type the following to access SEE-Upgrade-Scripts:
cd SEE-Upgrade-Scripts  

Step 15: If Symantec Encryption Desktop is also installed, close the application. Be sure to exit PGPTray.exe and any other PGP service.

Step 16: Type the following, and press Enter:
WinRS4-upgrade-SEE11.2.cmd c:\win10-1803-upgrade-setup-files

TIP: If you type the first part of the file, and hit tab, it should autocomplete.


The above screenshot should reflect the command.  Once you run this command, the Windows 10 upgrade screens are displayed.  During the process, there will be three reboots.  Authenticate the preboot screen each time to allow the full Windows 10 upgrade process to complete.  The reboots happen automatically, so pay attention to the process and when you need to upgrade. The process takes less than 30 minutes to complete, ensure that the process completes successfully, and that the system is not shut down. This completes the Windows 10 upgrade.

If you get stuck while performing these steps, it is best to backtrack to see if any steps may have been missed. For further assistance, contact Symantec Support.

TIP: For information on how to upgrade Symantec Encryption Desktop 10 systems see article 179262.

Windows 10 upgrade SEE
Windows 10 upgrade SEE
Upgrade Encrypted Drives
Upgrade SEE Encrypted Drives
Upgrade SEE-Encrypted Drives

Attachments get_app