Symantec Endpoint Encryption uses best-of-class encryption for the highest security possible. Once systems are encrypted, there is a preboot screen that is used to protect systems such that users must enter a passphrase before the system will even boot. Using Single-Sign On capabilities, end users can enter their Windows credentials to be able to boot the system up.
SCCM has the ability to deploy Windows 10/11 Major updates centrally and this process differs from a "Live Update" process where Windows automatically updates the system.
When unattended Windows 10/11 upgrades are required, the systems will most likely not have any users present, and the Windows upgrade process must be able to complete successfully while still encrypted. Doing so on systems with Symantec Endpoint Encryption is both easy and convenient when using SCCM. This article will guide you through the basic procedure for upgrading these Windows 10 systems encrypted with Symantec Endpoint Encryption for "Major" updates, such as going from Windows 10 1809 to Windows 10 20H2.
Important Reference Information: For help deploying Windows 10 upgrades using SCCM for systems encrypted with Symantec Encryption Desktop (PGP-heritage products), see the following article:
213895 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Encryption Desktop.
There are many methods to deploy Windows updates with SCCM on encrypted drives. This article will describe two methods:
Method 1: With this method, SCCM deploys the Windows updates through its WSUS (software update) functionality.
When this is done, the setup.exe binary is deployed and run, and the /reflectdrivers option is invoked as part of this deployment.
The UI within SCCM is seen in this screenshot to illustrate that SCCM can include many different updates centrally:
Any of the updates above can be deployed to each of the endpoints in the environment. When one of these Windows updates is deployed, two files are delivered to the machine: an ESD file, which contains the actual Windows setup files, and a "windowsupdatebox.exe" file, which kicks off the Windows update process.
When the windowsupdatebox.exe file kicks off the Windows update process, it will then extract the contents of the ESD file and the Windows upgrade will then begin. These two files are deployed to the following directory as seen in the following screenshot:
C:\Windows\ccmcache
Important note: The "ccmcache" location could be different than what is listed above. Be sure to test this and determine what location will apply for you.
Symantec Endpoint Encryption automatically creates a file used by Windows Setup so that the upgrade completes successfully. This file is called "SetupConfig.ini" and has the following contents:
#####
[SetupConfig]
Priority=High
ReflectDrivers="C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files"
PostOobe="C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\SetupComplete.cmd"
#####
Troubleshooting tip 1: Symantec Endpoint Encryption 11.3.0 and above will automatically place this file and configure accordingly. If this file is not already here, look in the Windows registry for Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk\WinSetupAutomation and make sure it is set to 1. If it is not, set to 1, and reboot, and this file will be created automatically for you.
Troubleshooting tip 2: In the above SetupConfig.ini file, you'll see Priority is set to "High". SEE does not add this parameter; the upgrade works without it and it is usually not needed. If you see update failures, try adding "Priority=High".
The "ReflectDrivers" option lists the location of the Symantec Endpoint Encryption drivers in order for the upgrade to complete.
The "PostOobe" option will reference the location of a custom script that Symantec Endpoint Encryption can use once the upgrade has completed.
The location of this file should be in the following directory:
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\
When SCCM deploys the Windows update it will refer to this "SetupConfig.ini" file and it will use the "ReflectDrivers" option and location, which will point to our encryption drivers for a successful upgrade.
As mentioned, when the Windows upgrade completes, Windows Setup runs the script referenced by "PostOobe", which in turn runs any additional scripts needed at the end of the process. Keep these options in the file in case Symantec includes post-upgrade operations that must run.
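The following PowerShell pre-flight check is an added example, not Symantec's or Microsoft's code. It verifies the pieces the SetupConfig.ini section above depends on before an unattended upgrade is pushed: the WinSetupAutomation registry flag, the presence of SetupConfig.ini at the documented location, that the ReflectDrivers folder exists and contains driver .inf files, and that the PostOobe script exists. It assumes WinSetupAutomation is a DWORD value under the "HKLM:\SOFTWARE\Encryption Anywhere\Hard Disk" key (the article lists the full path as one string), and the -AddPriorityHigh switch implements troubleshooting tip 2.

```powershell
# Added pre-flight check for the SetupConfig.ini described above.
# Not Symantec's or Microsoft's code. Assumption: WinSetupAutomation is a
# DWORD value under the "Hard Disk" key; adjust if your registry layout differs.
[CmdletBinding()]
param(
    [switch]$AddPriorityHigh   # add Priority=High if missing (troubleshooting tip 2)
)

$iniPath  = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'
$regKey   = 'HKLM:\SOFTWARE\Encryption Anywhere\Hard Disk'
$regValue = 'WinSetupAutomation'
$problems = New-Object System.Collections.ArrayList

# 1. Registry flag that makes SEE 11.3.0+ write SetupConfig.ini after a reboot.
try {
    $flag = (Get-ItemProperty -Path $regKey -Name $regValue -ErrorAction Stop).$regValue
    if ($flag -ne 1) { [void]$problems.Add("$regValue is '$flag', expected 1 (set to 1 and reboot)") }
} catch {
    [void]$problems.Add("Registry value $regKey\$regValue not found")
}

# 2. The INI file itself.
if (-not (Test-Path -LiteralPath $iniPath)) {
    [void]$problems.Add("SetupConfig.ini missing at $iniPath")
} else {
    # Minimal INI parse: only the [SetupConfig] section matters here.
    $ini = @{}
    $section = ''
    foreach ($line in Get-Content -LiteralPath $iniPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'SetupConfig' -and $t -match '^([^=]+)=(.*)$') {
            $ini[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }

    # ReflectDrivers must be an existing folder holding the encryption driver .inf files,
    # because Windows Setup loads the drivers from there during the upgrade.
    $drv = $ini['ReflectDrivers']
    if (-not $drv) {
        [void]$problems.Add('ReflectDrivers entry missing')
    } elseif (-not (Test-Path -LiteralPath $drv -PathType Container)) {
        [void]$problems.Add("ReflectDrivers folder not found: $drv")
    } elseif (-not (Get-ChildItem -LiteralPath $drv -Filter *.inf -Recurse -ErrorAction SilentlyContinue)) {
        [void]$problems.Add("No .inf files under ReflectDrivers folder: $drv")
    }

    # PostOobe should point at an existing script, or the post-upgrade step has nothing to run.
    $post = $ini['PostOobe']
    if ($post -and -not (Test-Path -LiteralPath $post -PathType Leaf)) {
        [void]$problems.Add("PostOobe script not found: $post")
    }

    # Optional: insert Priority=High directly under [SetupConfig] (troubleshooting tip 2).
    if ($AddPriorityHigh -and -not $ini.ContainsKey('Priority')) {
        $out = foreach ($line in Get-Content -LiteralPath $iniPath) {
            $line
            if ($line.Trim() -eq '[SetupConfig]') { 'Priority=High' }
        }
        Set-Content -LiteralPath $iniPath -Value $out -Encoding ASCII
        Write-Host "Added Priority=High to $iniPath"
    }
}

if ($problems.Count -eq 0) { Write-Host 'SetupConfig.ini pre-flight: OK'; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as SYSTEM (for example as an SCCM package or compliance script) on a pilot machine before the upgrade deployment; a non-zero exit code means one of the prerequisites from the troubleshooting tips above is not met and the upgrade should not be started on that endpoint.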
Tip: Symantec recommends deploying Windows 10/11 feature updates on their own. If further updates are needed, such as third-party updates, apply them either before or after the systems have been successfully upgraded to the new version of Windows 10/11. Symantec and Microsoft recommend rebooting the system after Windows 10/11 updates have been applied for best results.
Because SCCM is being used, this process is going to be "unattended" where end users will not be present to authenticate the preboot screen. These major Windows updates typically require three reboots. There may be more or less depending on your deployment operations.
Because multiple reboots will take place, you can make use of the "Autologon" functionality built into the Symantec Endpoint Encryption Client. Just prior to starting the Windows update, enable Autologon and then start the Windows upgrade process. This allows the systems to skip the preboot screen automatically each time Windows reboots during the upgrade.
Once the systems have completed the Windows upgrade, you can then disable the Autologon functionality so that the next time the system is rebooted, the users will then be presented with the preboot authentication screen.
Autologon can be enabled via policy and through the command line. For these Windows upgrades, Symantec recommends using the Advanced options (the "Client Admin Privilege AD User Group" and "Allow Autologon Management for SYSTEM user" settings discussed in article 213085 - Enabling or Disabling Autologon for Symantec Endpoint Encryption using Advanced Settings). When these are used, it is very easy to enable Autologon at the start of the Windows 10 deployment and disable it at the end.
Method 2: With this method, SCCM deploys the Windows update via a task sequence using a script.
The script invokes the /reflectdrivers option through the task sequence variable "OSDSetupAdditionalUpgradeOptions".
Step 1. Open your Task Sequence applicable to deploy your Windows in-place upgrade.
Step 2. Configure all tasks that you need, such as any needed pre-checks, such as if "pending reboots" may be needed, or other tasks.
Step 3. In this task sequence, configure the "OSDSetupAdditionalUpgradeOptions" variable as shown in the screenshot:
Step 4. In the "Value" field, add the /reflectdrivers option and the corresponding upgrade location:
/reflectdrivers "C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files"
This value is passed through the variable so that /reflectdrivers knows where the encryption drivers are located.
Step 5. This task sequence should be run and allow the in-place upgrade to proceed without the need to reboot.
Typically these upgrades require 3 reboots to complete the reboot cycle. It is useful to use the "Autologon" option, invoked by the SYSTEM account, to skip the preboot authentication screen on each of these reboots.
For more information on how to use Autologon, see the following article:
213085 - Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings
Of note, "Allow Autologon Management for SYSTEM User" can be enabled in policy.
Step 6. You can have other tasks run after the upgrade to validate the in-place upgrade was successful and have your own tasks to collect logs.
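The following script is an added example for Method 2 and is not Symantec's or Microsoft's code. It is meant for a "Run PowerShell Script" step placed before the "Upgrade Operating System" step and does what Steps 3 and 4 describe in the console UI: it sets OSDSetupAdditionalUpgradeOptions to the /reflectdrivers option with the driver folder quoted in Step 4. Beyond the steps above, it first verifies that the folder exists and contains driver .inf files, so the task sequence fails before setup.exe starts rather than partway through an upgrade on an encrypted disk, and it preserves any options already in the variable. Microsoft.SMS.TSEnvironment is the standard COM object a task sequence exposes to scripts; the folder path is the one from the article.

```powershell
# Added example for Method 2: set OSDSetupAdditionalUpgradeOptions from a
# "Run PowerShell Script" task sequence step that runs before "Upgrade Operating System".
# Not Symantec's or Microsoft's code. Driver path taken from Step 4 of the article.
$driverDir = 'C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files'

# Fail the step (non-zero exit) if the encryption drivers are not where we expect.
# Starting setup.exe without /reflectdrivers on an encrypted disk is the failure to avoid.
if (-not (Test-Path -LiteralPath $driverDir -PathType Container)) {
    Write-Error "Encryption driver folder not found: $driverDir"
    exit 1
}
if (-not (Get-ChildItem -LiteralPath $driverDir -Filter *.inf -Recurse -ErrorAction SilentlyContinue)) {
    Write-Error "No driver .inf files under $driverDir"
    exit 1
}

# Task sequence environment: the same variable store the console UI edits in Step 3.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Quotes are required because the path contains spaces.
$reflect  = "/reflectdrivers `"$driverDir`""
$existing = $tsenv.Value('OSDSetupAdditionalUpgradeOptions')

# Keep any options another step already placed in the variable; only append ours once.
if ($existing -and $existing -notmatch '/reflectdrivers') {
    $tsenv.Value('OSDSetupAdditionalUpgradeOptions') = "$existing $reflect"
} elseif (-not $existing) {
    $tsenv.Value('OSDSetupAdditionalUpgradeOptions') = $reflect
}

# Echo the final value so it is visible in the step output for troubleshooting.
Write-Output ('OSDSetupAdditionalUpgradeOptions = ' + $tsenv.Value('OSDSetupAdditionalUpgradeOptions'))
exit 0
```

Enable Autologon (per article 213085) in a step before this one and disable it in a step after the upgrade and the validation tasks of Step 6, so that the preboot screen returns on the next user-facing reboot.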
The upgrade should now complete without decrypting the drive and, when combined with the Autologon command, without anyone needing to be present at the preboot screen for the reboots.
Reference articles:
Task sequence steps - Configuration Manager | Microsoft Learn
Task sequence variable reference - Configuration Manager | Microsoft Learn
Windows Setup Command-Line Options | Microsoft Learn
For more information about how to use Autologon and other topics related to autologon, see the Additional Information section below and if you run into any snags, contact Symantec Encryption Support for additional assistance.
Using the Autologon Utility for Symantec Endpoint Encryption version 11.x
Symantec Endpoint Encryption Autologon disables at preboot after upgrade
Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings
Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above