How to upgrade standalone Windows 10 systems encrypted with Symantec Endpoint Encryption 11

book

Article ID: 179265

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

 

Resolution

Symantec Endpoint Encryption is not typically configured as a "standalone" client, however in the context of this article will act as a guide to upgrade a single system with SEE 11, or a small group.  This article is intended as a guide using step-by-step instructions on "standalone" machines, but can be re purposed using the setup.exe command using deployment software to many systems remotely. 

 

Update Dec 4, 2018: Microsoft has recently released Windows 10 1809.  This version of Windows now officially certified by Symantec Endpoint Encryption 11.2.1.
Update June 28, 2019: Microsoft has released Windows 10 1903.  This version of Windows is now officially certified with Symantec Endpoint Encryption 11.3 and beyond.

Refer to the System Requirements page for official certification information:
Symantec Endpoint Encryption Client, version 11.3.x - System Requirements

Symantec Endpoint Encryption Client, version 11.2.x - System Requirements

 


Windows 10 has two types of updates

  • cumulative updates, which do not change the core version of Windows
  • major updates, which change the core version of Windows

Examples of these major updates are as follows:
Windows 10 Anniversary Update (version 1607 - RS1)
Windows 10 Creators Update (version 1703 - RS2)
Windows 10 Fall Creators Update (version 1709 - RS3)
Windows 10 April 2018 Update (version 1803 - RS4)
Windows 10 October 2018 Update (version 1809 - RS5)
Windows 10 May 2019 Update (version 1903 - RS6)

The Windows 10 auto-update feature can perform the major updates. When the major update is performed on systems encrypted with Symantec Endpoint Encryption, the upgrade fails as well as cause potential boot issues with the system itself. 

 

Steps with SEE 11.2.1 MP1 and beyond:
Symantec Endpoint Encryption 11.2.1 MP1 now supports Windows 10 automatic updates without the requirement of using upgrade scripts.  This new functionality supports Windows 10 upgrades starting with Windows 10 1607 and beyond.  In order to enable this functionality, run the following installation command: 

msiexec /i "SEE Client_x64.msi" WINSETUPAUTOMATION=1

Once this is done, using the Windows 10 automatic update feature can be done without running any special steps or utilities, only authenticating each reboot.

TIP: It is always good practice to backup your systems before performing upgrades or other significant changes to the system.

If Automatic Updates are *not* being used, and you would like to manually deploy Windows 10 major updates *without* using upgrade scripts by using the Windows setup files directly, use the same install string above, and use the following command to install the Windows 10 upgrade build:

setup.exe /Auto Upgrade /DynamicUpdate disable /reflectdrivers  "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files" /Postoobe "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\setupcomplete.cmd

Using the above command in conjunction with the WINSETUPAUTOMATION=1 install option will install Windows keeping current files, and will not attempt to download any updates during the upgrade.  Using other Windows install options is fully supported as long as Microsoft supports the options for install, such as the "/Auto Upgrade", or "/DynamicUpdate disable" options mentioned.  This is command provided simply for convenience.

If Symantec Endpoint Encryption 11.2.1 MP1 was already installed, but the WINSETUPAUTOMATION=1 option was not set during install, this can be set manually in the registry at any time by modifying the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk
WINSETUPAUTOMATION=dword:1

Important Tip: Symantec Endpoint Encryption 11.3.0 MP1 sets the WINSETUPAUTOMATION value to "1" by default.

Once this has been added, restart the machine for this to take effect.  The Windows 10 updates can now be applied manually requiring only authentication at preboot.

 

 

 

Steps with SEE 11.2.1 GA or older:
If SEE 11.2.1 MP1 is not being used, the methods below can be used to update Windows.

When attempting to update from one of these major versions of Windows to another, you need to consider special requirements. Windows 10 systems encrypted with Symantec Endpoint Encryption 11.2 can be upgraded in either of the following methods:

Method 1:  Use the upgrade sample scripts provided by Symantec to perform a manual upgrade without decrypting the system.

Method 2:  Fully decrypt these systems, perform the Windows update. Encrypt the drive again once the upgrade is complete.

This article describes Method 1 to perform a manual update of the core version of Windows without decrypting the system.

 

This article is targeted for standalone systems or smaller environments, rather than mass deployments for large enterprises. These steps are to guide an end-user through the process of upgrading a Windows 10 system encrypted with Symantec Endpoint Encryption 11.2. To view the sample upgrade scenarios and scripts for enterprise environments, see the Symantec Support Center article, Upgrading Encrypted Computers to the Windows 10 Anniversary Update or Later from Earlier Versions of Windows with Symantec Endpoint Encryption.

Prerequisites before you start the upgrade:

  • Back up your system
    Note: Take a backup of your system before you perform any major change to the system, such as a major Windows update.
  • Symantec Endpoint Encryption 11.1.3 MP1 or above is installed on Windows 10 system.
    Note: If Symantec Endpoint Encryption 11.2 is not currently installed, then the Symantec Endpoint Encryption 11.2 server suite can be downloaded from FileConnect. The Symantec Endpoint Encryption administrator can create a new 11.2 client, and install it over the current Symantec Endpoint Encryption 11 product.
  • A clean USB drive with no data on it. The data on this USB drive will be overwritten, so make sure it is not one of your backup drives.  A 16 GB USB drive is sufficient.
  • The upgrade scripts are attached to this article in the "Download Files" section, or the bottom of this article. These upgrade scripts are copied to the system that you will be upgrading.
  • At least 10 GB of free hard drive space.


Disable Windows Sign-On ARSO feature:
In order for authentication to work properly at preboot, you need to disable the Windows ARSO feature by performing the following steps:

  1. On the Windows Start menu, type "Settings".  A cogwheel icon appears, press Enter.
  2. Click on the "Accounts" icon.
  3. On the left side, select "Sign-in options".
  4. Scroll down to the "Use my sign-in info to automatically finish setting up my device after an update or restart" option, and disable this option.

Note: If Settings does not appear on the Start menu and the system is joined to a domain, proceed to the next steps.

Step-by-step instructions to upgrade the Windows 10 system:

Step 1: Go to the system you want to upgrade and open the C: drive. Create the "SEE-Upgrade-scripts" folder to copy the Symantec Encryption Upgrade scripts in this folder.

Step 2: Download the upgrade script from this article "Win8_10_Upgrade_SEE11.2.zip"

In this example, you will be using the "Win8_10_Upgrade_SEE11.2.zip" file.  Extract this zip file to the system you will be upgrading, and copy all the upgrade files and paste them in the "SEE-Upgrade-scripts" folder.  You should see the following files:

DisableARSO.reg
eedPasswordFilter.reg
Post-WinRS4-upgrade-SEE11.2-register.bat
Readme.txt
RegisterDESoftware.reg
setupcomplete.cmd
WinRS4-upgrade-SEE11.2.cmd

These are the upgrade scripts that are used in the back ground. However, you will use only "WinRS4-upgrade-SEE11.2.cmd" for running the commands. 

Step 3: Go to the Microsoft site to download Windows 10 at
https://www.microsoft.com/en-us/software-download/windows10

Note: This download provides all the needed Windows 10 files to update. These files can be used to perform a full or clean Windows upgrade. However, for these steps, you will use them to simply update Windows 10 to the newer version of Windows 10.

Step 4: Get your clean USB drive and ensure you have plenty of space on it (16 GB)

Step 5: On the Microsoft page, click the "Download tool now" option:

This downloads the Windows 10 installation media.  As of this writing, the Windows 10 April 2018 Update (version 1803) is currently available, so the tool is called "MediaCreationTool1803.exe".

Double-click the "MediaCreationTool1803.exe" file, which displays a Microsoft window.

Step 6: To proceed, accept all the prompts for the license agreement.

Step 7: Choose the option to create the installation media on the USB drive:



Note: During the creation wizard, choose "Both" for Architecture.

Click Next to start the creation of the USB drive for the upgrade. This process could take a while depending on download speed, USB speed, and so on. Wait till it is complete.

Step 8: Once the USB drive has been created, take it to your Windows 10 system you want to upgrade.  In this case, you will be updating to Windows 10 April 2018 Update (version 1803).

Step 9: Now open the C: drive on your system and create a folder called "Win10-1803-upgrade-setup-files".

Step 10: Copy all of the Windows setup files from the USB drive created from Step 7 to the "Win10-1803-upgrade-setup-files" folder.

On the USB drive, you should see the following files\folders:
setup.exe, bootmgr, boot, efi, sources, support, x64, x86

These files and folders should now be in the c:\Win10-1803-upgrade-setup-files folder you just created.

Step 11: Now you should have two folders created on the C: drive

  • Win10-1803-upgrade-setup-files, which contains all the Windows upgrade files from step 10
  • SEE-Upgrade-scripts, which contains all the Symantec upgrade files from step 2

Step 12: Now you have all the needed files to perform the upgrade, open a command prompt with administrative permissions:

Click the Start menu, type "cmd", and once it appears in the list, "right-click" on it, and select "Run as administrator" to ensure the commands work properly.

Step 13: On the command prompt, type the following to be at the root of C drive:
cd\ 

Step 14: Type the following to access SEE-Upgrade-Scripts:
cd SEE-Upgrade-Scripts  

Step 15: If Symantec Encryption Desktop is also installed, close the application. Be sure to exit PGPTray.exe and any other PGP service.

Step 16: Type the following, and press Enter:
WinRS4-upgrade-SEE11.2.cmd c:\win10-1803-upgrade-setup-files

TIP: If you type the first part of the file, and hit tab, it should autocomplete.


 

The above screenshot should reflect the command.  Once you run this command, the Windows 10 upgrade screens are displayed.  During the process, there will be three reboots.  Authenticate the preboot screen each time to allow the full Windows 10 upgrade process to complete.  The reboots happen automatically, so pay attention to the process and when you need to upgrade. The process takes less than 30 minutes to complete, ensure that the process completes successfully, and that the system is not shut down. This completes the Windows 10 upgrade.

If you get stuck while performing these steps, it is best to backtrack to see if any steps may have been missed. For further assistance, contact Symantec Support.

For information on how to upgrade Symantec Encryption Desktop 10 Standalone systems, see article HOWTO128505
 

Keywords:
Windows 10 upgrade SEE
Windows 10 upgrade SEE
Upgrade Encrypted Drives
Upgrade SEE Encrypted Drives
Upgrade SEE-Encrypted Drives
 

Attachments

Win8_10_Upgrade_SEE11.2.zip get_app