Windows PE Recovery Tools for PGP Drive Encryption 10.5 (Symantec Encryption Desktop)
search cancel

Windows PE Recovery Tools for PGP Drive Encryption 10.5 (Symantec Encryption Desktop)


Article ID: 247508


Updated On:


Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


This article contains information on using WinPE files with Symantec Drive Encryption 10.5 (PGP Desktop) in a Windows Preinstallation Environment.

For information on Symantec Endpoint Encryption and WinPE, see the following article:

161041 - Windows PE Recovery Tools for Symantec Endpoint Encryption




Best Practices for creating Microsoft Windows Preinstallation Environment ISO for recovery

When an encrypted system fails to boot to the Windows operating system, recovery of data becomes the primary goal. Creating a customized Windows Preinstallation Environment (Windows PE) CD or UFD (USB flash drive) provides a bootable recovery tool that can be used for recovery purposes.

IMPORTANT TIP: Before attempting to fix the system, first attempt to authenticate the disk, and copy any needed data off.  Attempting to modify the disk could cause irreversible damage to the filesystem so proceed with caution.  If the data on the encrypted disk is important, we recommend first making a sector-by-sector, or 1:1 clone of the disk and work off of the copy.  Attempt to copy the data off of the disk, rather than decrypt the drive as the first step.  When in doubt, contact Symantec Encryption Support for further guidance.

You can use a customized Windows PE CD or UFD (USB drives) in the following ways:

  • To authenticate the disk and copy data off of encrypted drives to another drive to aid in recovery efforts.
  • To recover the pre-OS screen of the client computer when a user fails to authenticate at pre-OS or the pre-OS screen is unavailable.
  • To decrypt an encrypted disk using the client administrator authentication, use "Help Desk Recovery" (for connected clients), or "Advanced Help Desk Recovery" (for never-connected clients).

Best Practices

As a best practice, you must create the customized Windows PE for recovery immediately after installing the client software. A customized Windows PE CD or UFD is the only way to recover your data when you cannot start your operating system. The best practice is to create a Windows PE CD or UFD immediately after the recovery tools have been created. A Windows PE CD or UFD stores the recovery tools away from your system and proves to be an important resource for disaster recovery.




Section 1 of 4: General Information for WinPE with Symantec Encryption Desktop 10.5

Introduction to the Preinstallation Environment for WinPE

The Microsoft Windows Preinstallation Environment (PE) is widely used by IT professionals in Windows environments for installation tasks, deployment, maintenance, troubleshooting, diagnosis, recovery, and so on. For example, use Windows PE to:

  • Integrate Symantec Drive Encryption recovery with your existing IT recovery tools 
  • Create secure PE-based backup and recovery

A standard Windows PE disk without the PGP tools integrated will not work in situations where the Symantec Drive Encryption is installed on a system and the entire disk is encrypted. For Windows PE to work on a system where Symantec Drive Encryption is installed, the Symantec Drive Encryption driver (also called PGP WDE driver in earlier versions) must be pre-installed and the administrator must have authorized access to the hard disk.

You must have PGP Desktop 10.5.1 and above to use these steps for WinPE Creation.

Note: This document focuses on the instructions for creating a 64-bit Windows Pre-installation Environment, however it it also includes information to do a 32-bit version if needed.


You can add the Symantec Drive Encryption drivers in two ways so you can authenticate and perform recovery tasks on computers with Symantec Drive Encryption-encrypted disks: 

  • To the system image, to be able to select the PE option at boot.
  • To the CD/DVD/USB bootable recovery tool, to boot a system encrypted with PGP Desktop.


There are a few activities we will cover in this article:

  1. Creating a base WinPE image to be used for customization with the PGP tools.
  2. Pre-install the PGP Drive Encryption driver into a Windows PE disk.
  3. Authenticate the passphrase through the command line or use the PGP Disk Recovery Utility and provide access to the encrypted disk.

Note: To authenticate users using Windows PE, you must use passphrase users. Token or TPM users are not supported. 


Supported Versions of Windows PE

  • Windows 10
  • Windows Server 2022 (With 10.5.1)

To customize Windows PE, the tools or API for Windows Image Format is required. These can be found in Windows Automated Installation Kit (AIK).


How to Obtain Windows PE

To use Windows PE, you must obtain and install the Windows Assessment and Development Kit Windows ADK for the appropriate version you wish to use.

The following URL is a good source to download from for windows 10:

Additional information can be found here:




Section 2 of 4: Creating a Windows PE image


Before you create the Windows PE image, you must install Windows Assessment and Deployment Kit (ADK) for your Windows operating system.
Symantec recommends Windows ADK for Windows 10 or later.

For more information on installing the Windows ADK, see the topic, “Installing the Windows ADK” available on

Note: You must use the deployment tools command prompt as an administrator when creating the Windows PE image.


Create the Windows PE image

Once the Windows ADK software has been installed, we are ready to begin the process.

Step 1 - Option 1: A preferred method to navigate directly to the command line (run the command line as admin), and then run the following command if the above path is not working:

cd c:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment

You can also open the deployment tools from the command line for your specific version and below are additional options if the first option did not work:

Step 1 - Option 2:
To open the deployment tools command prompt with the correct path variables, select Start > Windows Kits > Windows ADK.

There is a shortcut to the general command line directory via the Start Menu, and looking for the "Windows Kits" from the list, then Deployment and Imaging Tools Environment:

Right click on the Deployment and Imaging tools, and run as Administrator. 

Most of the commands through this process will run as the Administrator to ensure proper permissions are available.  There are some commands that do not and will specify if so.

You will then need to navigate to the proper directory (shown in option 1) that contains the copype.cmd tools.


If you then do a directory listing, you can see the "copype.cmd" is listed here, which is one of the tools we will use going through this build:

The directory above is where we will run many of the commands to create the image.


Step 2: Once you are in the correct directory with copype.cmd available, you will run the following command to create a 64-bit WinPE image directory where all applicable files that will be used will be copied to:

copype.cmd amd64 C:\winpe


This command creates the 64-bit Windows PE image at C:\winpe

Note: Do not attempt to create the "winpe" directory on the C: drive, the command above will create it for you and will fail if it is already there.

This is the basis for the entire WinPE process and will be used to include the PGP tools inside of this image.

This should not typically be needed, but if you need to create a WinPE disk for 32-bit systems, you can do so with the command below.

Just keep in mind this document is geared to 64-bit and where "winpe" is used in the steps, substitute in "winpe_x86" instead so you don't get the two architectures mixed up:

copype.cmd x86 C:\winpe_x86

This will create all the applicable files for a 32-bit WinPE disk in the c:\winpe_x86 directory.

Step 3: Now that we have created the directory with all the applicable files, you will notice a base image file "boot.wim" was created in the c:\winpe\media\sources directory.

We will copy this "boot.wim" file to our c:\winpe directory with a new name with the following command which will will then be used for customization with the PGP tools (Our new custom winpe location in bold):

xcopy /y c:\winpe\media\sources\boot.wim c:\winpe\winpe.wim


If you get a message "Does c:\winpe\winpe.wim specify a file name or directory name on the target?"

Just type "f" for file as this is just a file and not a directory.

The above command has now copied the appropriate image file "winpe.wim" that we will then use to insert all the PGP tools/binaries.
This will be the image file that we will use going forward that will be used to create the WinPE disk to access drives encrypted with PGP.




Section 3 of 4: Customizing the Windows PE image

There are several PGP drivers/binary files that you need to copy to a new directory.

Step 1: Navigate to the C: Drive and then create a folder called "wde" and place all the below files inside.  This c:\wde directory will then be used in a future command to aid in the customization of our winpe.wim file.

Step 2: Go to a system where PGP Desktop 10.5.1 is installed and copy all of these contents into the c:\wde directory from the following list (copy bolded files):

*C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpbootb.bin
*C:\Program Files (x86)\PGP Corporation\PGP Desktop\pgpbootg.bin
*C:\Program Files (x86)\PGP Corporation\PGP Desktop\Stage1

Step 3: Next, copy all of the rest of the files into the c:\wde folder from the following directory:
C:\Program Files\PGP Corporation\PGP Desktop\WinPE

Copy all of these files into the c:\wde folder, which include the following files:


Prepare the custom image file with the PGP sdk files (This section PGP Desktop 10.5.0 only)

Note: If you are already on PGP Desktop version 10.5.1 or above, skip this section "Prepare the custom image file with the PGP sdk files" and move on to the section "Customize the image with the PGP Tools Previously copied to c:\wde".

Step 1:
First, create a folder in the c:\winpe folder and call it "BootWIM".  This will be used for the next steps.

We've now created the WinPE directory in c:\winpe.
We've now created a WIM file in this directory called "winpe.wim".
We've now created an empty folder called BootWIM under the c:\winpe directory.

Step 2: Based on these files and locations above, we'll run the following command to mount the winpe.wim file so we can add a few more files to it:

DISM /Mount-image /imagefile:C:\winpe\winpe.wim /Index:1 /MountDir:C:\winpe\BootWIM

TIP: Make sure you are not in the c:\winpe\BootWIM directory when running the above command.

You will see the following screenshot if this is successful:


If you get the following error message, this means the BootWIM directory was not created in c:\winpe:

Create the folder and try again.


Step 3: Now if you navigate to this folder, you'll see the following directory structure in c:\winpe:

Step 4: With the winpe.wim image mounted to "BootWIM", you can now copy over some of the needed files for inclusion of the PGP tools.

Copy the "pgpce.dll" and "pgpce.dll.sig" from the  c:\Windows\System32 directory into the C:\winpe\BootWim\Windows\System32 directory.  It will look like this:

You will need to unhide file extensions to see the "pgpce.dll.sig" file.

Step 5: Now we will close out of all the windows directories and then unmount the winpe.wim image with the following command, while writing the values to the image:

DISM /Unmount-Wim /MountDir:C:\winpe\BootWIM /Commit


You will see something similar to the following indicating the image file was saved and unmounted properly:

Note: It is important that the DISM command unmount properly. 

If you run into an error similar to the one below, you may need to cleanly dismount as you previously mounted with DISM:

c:\wde>pgppe /winpe c:\winpe c:\wde
 WIMMountImage failed. Error:0xc1420127 
DISM /Unmount-Wim /MountDir:C:\winpe\BootWIM /Commit

If the above does not work, run:

dism /cleanup-WIM



We are now ready to customize the winpe.wim file with the PGP files we copied above into the c:\wde directory.

Customize the image with the PGP Tools Previously copied to c:\wde
Run the following command to customize the winpe image:

Step 1: Navigate to the c: drive with the following command:

cd \   


Step 2: Once you're in the c: drive, navigate to the c:\directory with the following two commands:

cd c:\wde


Step 3: Run the following command (not as administrator via the command line) to integrate all the PGP binaries into the new winpe image

Pgppe.exe /winpe c:\winpe c:\wde


If you get the following message, open a new command line window, but not as "Administrator" and try again:

Step 4: Run the following command to copy the file you just customized:

xcopy /y c:\winpe\winpe.wim c:\winpe\media\sources\boot.wim

Now you are ready to build your ISO to create a bootable USB drive.

Section 4 of 4: Creating a bootable ISO with all the PGP tools included

Method 1 of 2:
For the next steps, you will simply open the command prompt and run the command, but do not run as administrator.

Step 1: Navigate to the following directory via the CLI by entering the following command:

cd c:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment


Step 2: Once you're in this directory, run the following command:

MakeWinPEMedia.cmd /ISO c:\winpe c:\winpe\winpe-completed.iso


Make sure you run the above command as a non-admin.  Once the command is finished you should have a new ISO file called "winpe-completed.iso"  You can use this to boot off of.




If you run into the following error message, 




Method 2 of 2:
For the next steps, you will need to run the command prompt as administrator.

You can also create a USB drive directly via the command line.

Step 1: Insert a USB Drive and make note of the drive letter.  It is important you are sure you know the drive letter because the next steps will erase the contents and format the drive.

For this example, the USB drive letter will be "D"

Step 2: Run the following command via the directory:

MakeWinPEMedia /UFD C:\winpe D:



This process could take a while to complete. Leave the USB drive plugged in until it returns to the command prompt with Success:

You can use the above two methods to boot systems using your newly-customized PGP WinPE disk.