Symantec Encryption Desktop uses best-of-class encryption for the highest security possible. Once systems are encrypted, there is a preboot screen that is used to protect systems such that users must enter a passphrase before the system will even boot. Using Single-Sign On capabilities, end users can enter their Windows credentials to be able to boot the system up.
SCCM has the ability to deploy Windows 10 Major updates centrally and this process differs from a "Live Update" process where Windows automatically updates the system.
When unattended Windows 10 upgrades are required, the systems will most likely not have any users present, and the Windows upgrade process must be able to complete successfully while still encrypted. Doing so on systems with Symantec Encryption Desktop is both easy and convenient when using SCCM. This article will guide you through the basic procedure for upgrading these Windows 10 systems encrypted with Symantec Encryption Desktop for "Major" updates, such as going from Windows 10 1809 to Windows 10 20H2.
Important Reference Information: For help deploying Windows 10 upgrades using SCCM for systems encrypted with Symantec Endpoint Encryption see the following article:
The UI within SCCM is seen in this screenshot to illustrate that SCCM can include many different updates centrally:
Any of the updates above can be deployed to each of the endpoints in the environment. When these Windows updates are deployed, there are two files that are deployed to the machine. One is an ESD file, which contains all the actual Windows setup files, and a "windowsupdatebox.exe" file, which will kick off the Windows update process.
When the windowsupdatebox.exe file kicks off the Windows update process, it will then extract the contents of the ESD file and the Windows upgrade will then begin. These two files are deployed to the following directory as seen in the following screenshot:
Important note: The "ccmcache" location could be different than what is listed above. Be sure to test this and determine what location will apply for you.
Symantec Encryption Desktop automatically creates a file used for Windows updates to ensure the process goes through successfully--this file is called "SetupConfig.ini" file with the following contents:
ReflectDrivers="C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files"
PostOobe="C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files\SetupComplete.cmd"
Troubleshooting tip 1: Symantec Encryption Desktop 10.4.2 and above will automatically place this file and configure accordingly. If this file is not already here, look in the Windows registry for Computer\HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP\WinSetupAutomation and make sure it is set to 1. If it is not, set to 1, and reboot, and this file will be created automatically for you.
Troubleshooting tip 2: In the above SetupConfig.ini file, you'll see Priority is set to "High". SEE does not add this parameter and will work without this value and will likely not be needed. If you find any update failures, try adding "Priority=High".
The "ReflectDrivers" option lists the location of the Symantec Encryption Desktop drivers in order for the upgrade to complete.
The "PostOobe" option will reference the location of a custom script that Symantec Encryption Desktop can use once the upgrade has completed.
The location of this file should be in the following directory:
Important Note: If the WSUS folder does not exist, create it and place this SetupConfig.ini file inside. If you have the newer versions of Symantec Encryption Desktop, this file should be getting created automatically. If it is not, check the registry for the following value and ensure it is set to 1. If it is not, set to 1 and reboot, and this file should get created: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\PGP Corporation\PGP\WinSetupAutomation
When SCCM deploys the Windows update it will refer to this "SetupConfig.ini" file and it will use the "ReflectDrivers" option and location, which will point to our encryption drivers for a successful upgrade.
As mentioned, when the Windows upgrade completes, the SetupConfig.ini file should also run the script referenced as "PostOobe" and this will run any additional scripts at the end of the process that are needed. It is important to have these options included in the script in case Symantec includes any post-upgrade operations that may be needed.
Tip: Symantec recommends that you upgrade Windows 10 updates by themselves and if any further updates are needed, such as third-party updates, either do those updates before or after the systems have been successfully upgraded to the new version of Windows 10. Symantec and Microsoft recommend rebooting your system after Windows 10 updates have been applied for best results.
Because SCCM is being used, this process is going to be "unattended" where end users will not be present to authenticate the preboot screen. These major Windows updates typically require three reboots. There may be more or less depending on your deployment operations.
Because multiple reboots will take place, you can make use of the "Bypass" functionality part of the Symantec Encryption Desktop client. Just prior to starting the Windows updates, you can enable the Bypass functionality and then start your Windows upgrade process, this will allow the systems to automatically skip the preboot screen when Windows reboots during the upgrade process.
Once the systems have completed the Windows upgrade, you can then disable the Bypass functionality so that the next time the system is rebooted, the users will then be presented with the preboot authentication screen.
The Bypass feature can be enabled via the command line. For these Windows Upgrades, Symantec recommends using the Bypass feature discussed in article 155207, which also includes a script to help with SCCM.
The following articles are provided as reference to the general guidelines for upgrading Windows 10 with Symantec Encryption solutions: