Symantec Endpoint Encryption uses best-of-class encryption for the highest security possible. Once a system is encrypted, a preboot screen protects it: users must enter a passphrase before the system will even boot. With Single Sign-On, end users can enter their Windows credentials to boot the system.
SCCM can deploy Windows 10 major updates centrally. This process differs from a "Live Update", where Windows updates the system automatically.
When unattended Windows 10 upgrades are required, the systems will most likely have no user present, and the Windows upgrade must complete successfully while the disk remains encrypted. Doing so on systems with Symantec Endpoint Encryption is both easy and convenient when using SCCM. This article guides you through the basic procedure for deploying "major" Windows 10 updates, such as going from Windows 10 1809 to Windows 10 20H2, to systems encrypted with Symantec Endpoint Encryption.
Important Reference Information: For help deploying Windows 10 upgrades using SCCM on systems encrypted with Symantec Encryption Desktop (PGP-heritage products), see the following article:
213895 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Encryption Desktop.
The SCCM UI in this screenshot illustrates that SCCM can stage many different updates centrally:
Any of the updates above can be deployed to each endpoint in the environment. When one of these Windows updates is deployed, two files are delivered to the machine: an ESD file, which contains the actual Windows setup files, and "windowsupdatebox.exe", which kicks off the Windows update process.
When windowsupdatebox.exe kicks off the Windows update process, it extracts the contents of the ESD file and the Windows upgrade begins. These two files are deployed to the directory shown in the following screenshot:
Important note: The "ccmcache" location could be different than what is listed above. Be sure to test this and determine what location will apply for you.
Symantec Endpoint Encryption automatically creates a file used by Windows Setup to ensure the upgrade goes through successfully. This file is called "SetupConfig.ini" and has the following contents:
ReflectDrivers="C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files"
PostOobe="C:\Program Files\Symantec\Endpoint Encryption Clients\Drive Encryption\OS Upgrade Files\SetupComplete.cmd"
Troubleshooting tip 1: Symantec Endpoint Encryption 11.3.0 and above will automatically place this file and configure it accordingly. If the file is not already present, look in the Windows registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Encryption Anywhere\Hard Disk\WinSetupAutomation and make sure it is set to 1. If it is not, set it to 1 and reboot; the file will then be created automatically for you.
Troubleshooting tip 2: In the screenshot of the SetupConfig.ini file above, Priority is set to "High". SEE does not add this parameter; the upgrade works without it and it will likely not be needed. If you find any update failures, try adding "Priority=High".
The "ReflectDrivers" option lists the location of the Symantec Endpoint Encryption drivers in order for the upgrade to complete.
The "PostOobe" option will reference the location of a custom script that Symantec Endpoint Encryption can use once the upgrade has completed.
The location of this file should be in the following directory:
When SCCM deploys the Windows update, Windows Setup reads this "SetupConfig.ini" file and uses the "ReflectDrivers" location, which points to our encryption drivers, so that the upgrade succeeds.
As mentioned, when the Windows upgrade completes, Windows Setup also runs the script referenced by "PostOobe", which carries out any additional steps needed at the end of the process. It is important to keep these options in the file in case Symantec includes any post-upgrade operations that may be needed.
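A pre-flight check to run on an endpoint before the feature update is deployed, as an added example that is not Symantec's code: it parses SetupConfig.ini, confirms the ReflectDrivers directory actually holds driver .inf files and the PostOobe script exists, and checks the WinSetupAutomation registry value described in troubleshooting tip 1. The default `-IniPath` assumes the standard Windows Setup location for SetupConfig.ini; adjust it to the directory shown in the article's screenshot if yours differs.

```powershell
# Added pre-flight check (not Symantec's code). Verifies SetupConfig.ini, the
# driver/script paths it references, and the WinSetupAutomation registry value
# before SCCM kicks off a Windows 10 upgrade on an SEE-encrypted endpoint.
# Assumption: the INI lives at the Windows Setup default path below.
param(
    [string]$IniPath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini",
    [string]$RegKey  = 'HKLM:\SOFTWARE\Encryption Anywhere\Hard Disk'
)

function Read-SetupConfig {
    param([string]$Path)
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        # Skip blanks, comments, the optional [SetupConfig] section header and malformed lines
        if (-not $line -or $line.StartsWith(';') -or $line.StartsWith('[') -or $line -notmatch '=') { continue }
        $name, $value = $line -split '=', 2
        $settings[$name.Trim()] = $value.Trim().Trim('"')   # values are quoted in the file
    }
    return $settings
}

$script:ok = $true
function Fail([string]$msg) { Write-Warning $msg; $script:ok = $false }

if (-not (Test-Path -LiteralPath $IniPath)) {
    Fail "SetupConfig.ini not found at $IniPath (check WinSetupAutomation, then reboot)"
} else {
    $cfg = Read-SetupConfig -Path $IniPath
    # ReflectDrivers must name a directory that really contains the SEE driver .inf files
    if (-not $cfg.ContainsKey('ReflectDrivers')) { Fail 'ReflectDrivers is missing from SetupConfig.ini' }
    elseif (-not (Test-Path -LiteralPath $cfg['ReflectDrivers'] -PathType Container)) { Fail "ReflectDrivers directory missing: $($cfg['ReflectDrivers'])" }
    elseif (-not (Get-ChildItem -LiteralPath $cfg['ReflectDrivers'] -Filter *.inf -Recurse)) { Fail "No .inf files under $($cfg['ReflectDrivers'])" }
    # PostOobe must name an existing script, otherwise post-upgrade steps silently never run
    if (-not $cfg.ContainsKey('PostOobe')) { Fail 'PostOobe is missing from SetupConfig.ini' }
    elseif (-not (Test-Path -LiteralPath $cfg['PostOobe'] -PathType Leaf)) { Fail "PostOobe script missing: $($cfg['PostOobe'])" }
}

# Per the article, SEE 11.3.0+ creates the INI automatically only when WinSetupAutomation is 1
$auto = (Get-ItemProperty -Path $RegKey -Name WinSetupAutomation -ErrorAction SilentlyContinue).WinSetupAutomation
if ($auto -ne 1) { Fail "WinSetupAutomation is '$auto' (expected 1); set it to 1 and reboot" }

if ($script:ok) { Write-Output 'Pre-flight OK: safe to deploy the Windows 10 upgrade'; exit 0 } else { exit 1 }
```

Run it under SYSTEM (for example as an SCCM pre-step) and gate the upgrade deployment on a zero exit code.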
Tip: Symantec recommends deploying Windows 10 version upgrades on their own. If further updates are needed, such as third-party updates, apply them either before or after the systems have been successfully upgraded to the new version of Windows 10. Symantec and Microsoft recommend rebooting the system after Windows 10 updates have been applied for best results.
Because SCCM is being used, this process is going to be "unattended" where end users will not be present to authenticate the preboot screen. These major Windows updates typically require three reboots. There may be more or less depending on your deployment operations.
Because multiple reboots will take place, you can make use of the "Autologon" functionality built into the Symantec Endpoint Encryption Client. Just prior to starting the Windows update, enable Autologon and then start the Windows upgrade process; this allows the systems to skip the preboot screen automatically each time Windows reboots during the upgrade.
Once the systems have completed the Windows upgrade, you can then disable the Autologon functionality so that the next time the system is rebooted, the users will then be presented with the preboot authentication screen.
Autologon can be enabled via policy and through the command line. For these Windows upgrades, Symantec recommends using the Advanced options (the "Client Admin Privilege AD User Group" and "Allow Autologon Management for SYSTEM user") discussed in article 213085. With these in place, it is very easy to enable Autologon at the start of the Windows 10 deployment and disable it at the end.
For more information about how to use Autologon and other topics related to autologon, see the Additional Information section below and if you run into any snags, contact Symantec Encryption Support for additional assistance.
Additional Information:
How to use the Autologon Utility for Symantec Endpoint Encryption version 11.x
Symantec Endpoint Encryption Autologon disables at preboot after upgrade
Enabling or disabling Autologon for Symantec Endpoint Encryption using Advanced Settings
Symantec Endpoint Encryption Autologon client included by default in version 11.3.1 and above
Uninstalling the legacy Autologon client for Symantec Endpoint Encryption after upgrading to 11.3.1 and above
194755 - Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)
162486 - Systems unable to boot properly after Encrypting disk with Symantec Drive Encryption when BIOS set to RAID On
179265 - How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11
179262 - How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2.x and 10.5.x