Important Note: Symantec Encryption Products no longer require using upgrade scripts and and is now fully automatic.  All Windows Automatic updates can be installed automatically via Windows Updates that are pulled down.  

If you are deploying Windows updates with a deployment solution, such as Altiris/IT Management Suite, these two articles will provide you the proper command to deploy Windows 10 updates on encrypted systems:

How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11
https://knowledge.broadcom.com/external/article/179265

How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2
https://knowledge.broadcom.com/external/article/179262

Important Note: Symantec Encryption Products no longer require using upgrade scripts and and is now fully automatic.  All Windows Automatic updates can be installed automatically via Windows Updates that are pulled down.  

If you are deploying Windows updates with a deployment solution, such as Altiris/IT Management Suite, these two articles will provide you the proper command to deploy Windows 10 updates on encrypted systems:

How to automatically upgrade  Windows 10 systems encrypted with Symantec Endpoint Encryption 11
https://knowledge.broadcom.com/external/article/179265

How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2
https://knowledge.broadcom.com/external/article/179262

#################Historical Content Below#################

Update history

Overview

This article is intended for administrators who are responsible for upgrading Symantec Encryption Desktop 10.4.x Windows client computers.

This article provides guidelines on manual and automated-with-scripts (which can be remotely deployed) in-place upgrade process for upgrading Symantec Encryption Desktop 10.4.x client computers without decrypting and re-encrypting the drives to the following Microsoft Windows 10 releases:

• Windows 10 November 2019 Update version 1909 (19H2)
• Windows 10 May 2019 Update version 1903 (19H1)
• Windows 10 October 2018 Update version 1809 (RS5)
• Windows 10 April 2018 Update version 1803 (RS4)
• Windows 10 Fall Creators Update version 1709 (RS3)
• Windows 10 Creators Update version 1703 (RS2)
• Windows 10 Anniversary Update version 1607 (RS1)

You can upgrade to the above mentioned Windows 10 release from the following Windows operating systems:

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10 (Earlier versions)

This article also includes upgrade scripts that you may use to quickly upgrade your Windows client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives.

If you want to automatically update (feature update) your Windows 10 (1607) or later client computers encrypted with Symantec Encryption Desktop to a supported Windows 10 release without decrypting and re-encrypting the drives, see the Symantec Support article at https://support.symantec.com/us/en/article.tech255563.html.

Evaluating Symantec Encryption Desktop compatibility before upgrading to Windows 10

Ensure that you know the compatibility of your existing Symantec Encryption Desktop version with the Windows 10 release that you want to upgrade. Also, verify that your client computer meets the hardware and software requirements. The following table list the compatibility and the minimum memory requirement for an in-place upgrade.

Understanding the in-place upgrade process

Important: This article includes a limited number of upgrade scenarios. Administrators must consider customizing the procedures documented in this article to meet their organizations' requirements. This article also includes upgrade scripts that administrators may use to upgrade client computers to a Windows 10 release without decrypting and re-encrypting the drives. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the deployment or upgrade. This ensures that the customized upgrade script meets the needs of that business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected. Administrators must use the process described in this article as a reference point for the in-place upgrade process.

You can upgrade your Windows client computers encrypted with Symantec Encryption Desktop to a Windows 10 release without decrypting and re-encrypting the drives. To upgrade your client computers using in-place upgrade, you may choose one of the following methods:

Manual upgrade

• Perform all the pre-upgrade tasks that are mentioned in the Before you begin to upgrade section, and then perform the instructions that are mentioned in the Upgrading your client computers manually section. Both these sections are available in this article.

Upgrade with scripts

Automated upgrade using your custom script

• Automate the tasks mentioned in the Before you begin to upgrade section and the Upgrading your client computers manually section, and any other tasks per your organization’s requirement, and then deploy and upgrade using any remote deployment software, such as Ghost Solution Suite.

Automated upgrade using the upgrade script files (attached to this article)

• Perform all the pre-upgrade tasks as mentioned in the Before you begin to upgrade section. Then using the appropriate upgrade script that is attached to this article, perform the instructions as mentioned in the Upgrading your client computers using the upgrade scripts section.

Before you begin to upgrade

To plan your deployment or upgrade, you must first complete the preparatory tasks mentioned in this section before you begin the actual upgrade process.

1. Backup all your data to an external drive.
2. Extract the Windows 10 installation media (ISO) to a network shared folder. Ensure that the folder name does not contain any spaces. For example, copy the ISO file to \\fileserver\windows10media. To create a Windows 10 installation media (ISO), refer to the Microsoft documentation.
3. On the Windows computer that you want to upgrade, map the shared folder to a local drive using the command prompt with administrator privileges. For example, to map the shared folder \\fileserver\windows10media to the drive Z, use the following command:
   net use z: \\fileserver\windows10media
4. Close Symantec Encryption Desktop. Ensure to exit PGPTray and any other PGP service.
5. Unmount any virtual media or mounted drivers.
6. Set the computer sleep timer to one hour or more.
7. Enable preboot bypass on the computer that you want to upgrade. For information on preboot bypass and how to enable it, see https://support.symantec.com/en_US/article.HOWTO42006.html.

Upgrading your client computers manually

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section.

1. Create a local folder on the Windows computer that you want to upgrade. For example, C:\PGPTemp.
2. Copy the following files from the client computer to the local folder (for example, C:\PGPTemp) that you created in step 1:

• Encryption driver files: PGPwded.sys, PGPwded.inf, PGPSdk.sys, PGPSdk.inf

Note: The encryption drive files are available on the client computer at %systemroot%\System32\drivers.
Caution: If the encryption driver files are not copied from the same client computer, the client computer may not boot after upgrade because of missing files or driver version mismatch.

• Symantec registry: RegisterPGPDESoftware.reg
• Batch file: setupcomplete.cmd

Note: The Symantec registry file and the batch file are present in the compressed folder that is attached to this article. Download the compressed folder from the Download files section on this page. To download the appropriate compressed folder, see the table Upgrade scripts for Symantec Encryption Desktop 10.4.x client computers to upgrade to a Windows 10 update in this article.

3. Run the following commands:

 Z:\setup.exe /reflectdrivers C:\PGPTemp /postoobe C:\PGPTemp\setupcomplete.cmd

Note: During the in-place upgrade process, Windows 10 copies new files temporarily to a staging area.  As the disk is already encrypted, the files in the staging area get encrypted. If the Windows operating system does not have access to the encryption drivers and the encryption passphrase, the in-place upgrade fails. Therefore, ensure to use the /reflectdrivers option of the Windows 10 setup.exe command during the in-place upgrade. The /reflectdrivers option provides access to the encryption drivers during the in-place upgrade process.

4. The Windows 10 setup wizard is displayed. Follow the instructions on the wizard to finish the upgrade.

Upgrading Opal/hardware-encrypted client computers manually

Caution: If your client computer is Opal/hardware-encrypted, do not use the attached upgrade scripts to upgrade. Instead, follow these steps:

1. Decrypt the Opal drive.
2. Uninstall Symantec Encryption Desktop.
3. Use the appropriate installation media of a Windows 10 release that you want to upgrade, and then perform the upgrade.
4. Install all the required Windows updates.
5. Re-install Symantec Encryption Desktop.

Upgrading your client computers using the upgrade script files

About the upgrade script files

The upgrade script files are compressed and attached to this article for download. You may use the upgrade script files to upgrade your 32-bit and 64-bit Symantec Encryption Desktop client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives. You can download the compressed archive of your choice, depending on the currently installed version of Windows and Symantec Encryption Desktop, and the version of Windows 10 to which you want to upgrade.

To download the upgrade script files

1. Refer to the table Upgrade scripts for Symantec Encryption Desktop 10.4.x client computers to upgrade to a Windows 10 update in this article and identify the upgrade script that you want to download.
    
2. To download the identified upgrade script file, either click Download Files on the right side of the page or click the appropriate link under the Download Files section available at the bottom of the page.
    
3. To access the upgrade script file, extract the contents of the compressed folder.

To upgrade your client computers using the upgrade script files

Important: The following in-place upgrade steps are provided for reference only. Administrators should use this procedure as a guideline and customize the steps and the script to suit their organization’s environment and requirements. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the upgrade. This ensures that the customized upgrade script meets the needs of the business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected.
 

Scenario: As an administrator, you want to perform an in-place upgrade on Windows client computers that are encrypted with Symantec Encryption Desktop. You want to automate the in-place upgrade process without user intervention and run the upgrade process in the background using the /auto upgrade and /quiet switches.

Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section. If you choose to upgrade using the scripts, the steps in the Upgrading your client computers manually section are automatically performed by the upgrade script.

1. Extract the Windows 10 ISO to a file server and create a network share folder. For example, \\fileserver\windows10media. Make sure that the user has read access to the folder.
    
2. Download the appropriate upgrade script and extract it to a network share folder. For example, \\fileserver\In-place-upgrade-script.
    
3. From the extracted files, edit the WinRS<x>-upgrade-SED<v>.cmd file (for example: WinRS2-upgrade-SED1041.cmd) and update the following command to add /auto upgrade /quiet switches, and then save the file.

call %1\setup.exe /reflectdrivers %PGPTempPath% /auto upgrade /quiet /postoobe %PGPTempPath%\setupcomplete.cmd

Note: Perform the following steps on the client computer from the command prompt with administrator privileges. These steps can be combined to create a batch file and can be remotely deployed using any remote deployment software.

4. Enable preboot bypass as follows:
   “c:\Program Files (x86)\PGP Corporation\PGP Desktop"\pgpwde --add-bypass --count 3 –p Password
    
5. Map the network drive as follows:
   “net use z:\\fileserver\windows10media”
    
6. Copy the upgrade scripts to a local folder as follows:
   “xcopy  \\fileserver\In-place-upgrade-script c:\Symc-scripts /i /a /s /y
    
7. Make the local folder as the working directory as follows:
   cd c:\Symc-scripts
    
8. To initialize the in-place upgrade script, run the following command:
   WinRS<x>-upgrade-SED<v>.cmd [Folder path to the Setup.exe file in the Windows 10 Installation Media]\

For example:
WinRS2-upgrade-SED1041.cmd Z:\

Table: Upgrade scripts for Symantec Encryption Desktop 10.4.x client computers to upgrade to a Windows 10 update

Troubleshooting incompatibility issues between Windows 10 and Symantec Encryption Desktop

The compressed archives include a batch file (post-upgrade script) that you can run after completing the upgrade to Windows 10 Anniversary Update or later, only if you face any of the following issues that are described below. The post-upgrade script automatically applies a workaround for the following issues:

• The Hibernation feature in Windows no longer works on computers that were upgraded from Windows 7. Affected computers shut down instead of entering into the hibernation mode.
• When users change their Windows password, they are unable to use the new password to authenticate at BootGuard.
   

To run the post-upgrade script and troubleshoot issues

1. Open the administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
2. Run the Post-WinRS<x>-upgrade-SED<v>-register.bat file to apply the workaround.
   For example, run the Post-WinRS2-upgrade-SED1041-register.bat file.
3. Restart the computer.

Troubleshooting after upgrading to Windows 10 RS3, RS4, RS5, and 19H1

The compressed archives include a batch file (post-upgrade script) that you can run after completing the upgrade to the Windows 10 RS3, RS4, RS5, and 19H1 only if you face any of the issues that are described below. The post-upgrade script automatically applies a workaround for the following issues:

• Some users of Windows 10 RS3, RS4, RS5, or 19H1 workgroup may not be able to authenticate at BootGuard.
• On Windows 10 RS3, RS4, RS5, or 19H1 workgroup computers, Single Sign-On may not work even when the Single Sign-On policy is enabled.
• While viewing the "Provider Order" under "Network Connections", an error message may appear and the network provider list is not displayed.
   

To run the post-upgrade script and troubleshoot issues

1. Open the administrator command prompt and navigate to the folder in which you extracted the upgrade scripts.
2. Run the Post-WinRS<x>-upgrade-SED<v>-register.bat file to apply the workaround.
   For example, run the Post-WinRS2-upgrade-SED1041-register.bat file.
3. Restart the computer.

Note: When you run the post-upgrade script, the Use my sign in info to automatically finish setting up my device after an update or restart option is automatically disabled. To see this option, navigate to Windows Settings > Accounts > Sign-in options > Privacy. For more information, refer to the Microsoft article Winlogon Automatic Restart Sign-On (ARSO).

For information on the compatibility issues that are specific to Windows 10 October 2018 Update, April 2018 Update, and Fall Creators Update with Symantec Encryption Desktop, see the knowledgebase article, Troubleshooting compatibility issues between Windows 10 and Symantec Encryption Desktop.

Troubleshooting installation of Symantec Encryption Desktop on Windows 10 RS5 and 19H1

Known issue: PGP Virtual Disk does not work on certain Windows 10 RS5 and 19H1 systems after Symantec Encryption Desktop is installed.

On certain systems running the Windows 10 October 2018 Update (RS5)  or the Windows 10 May 2019 Update (19H1) enabled with Hypervisor-Enforced Code Integrity (HVCI), if you install Symantec Encryption Desktop 10.4.2 MP1 or 10.4.2 MP3, the PGP Disk driver is not loaded successfully. Also, the PGP Virtual Disk functionality does not work.

Note: This issue happens only on Windows 10 RS5 and 19H1 systems that meet certain hardware and firmware requirements with VBS enabled by default. For more information on the hardware and firmware requirements, see the Microsoft article available at https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs. This issue is not observed when you upgrade to Windows 10 RS5 or 19H1 using the in-place upgrade scripts. For more information on the in-place upgrade, see the article https://support.symantec.com/en_US/article.HOWTO125876.html.

Workaround

To work around this issue, disable the Core isolation Memory integrity Device security feature as follows: 

1. Open Windows Security and click the Device security icon.
2. Click the Core isolation details link.
3. Toggle Off Memory integrity.
4. Restart the computer.
5. Ensure that the PGP Disk driver is loaded successfully.

Alternatively, you can perform the following steps:
1. Disable HVCI by updating the following registry setting to 0 (zero) as follows:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
2. Restart the computer.
3. Ensure that the PGP Disk driver is loaded successfully.

Troubleshooting email communication issue after upgrading to Windows 10 RS4

Known issue: Email communication fails after upgrading Windows 10 computers encrypted with Symantec Encrypted Desktop to Windows 10 RS4

When Windows 10 computers that use IMAP or POP3 for email communication are upgraded to Windows 10 RS4 using the in-place upgrade scripts, the email encryption does not work. Also, the IMAP or POP3 profiles cannot be created and the email communication fails. The cause of the issue is that the Layered Service Providers (LSP) feature that Symantec Encryption Desktop uses for email encryption is not upgraded in RS4. LSP is deprecated in Windows systems. 

Solution

A fix for this issue is now available in the version 10.4.2 MP1 of Symantec Encryption Desktop for Windows release. To prevent this issue from happening, first, upgrade to Symantec Encryption Desktop 10.4.2 MP1 or later, and then upgrade to Windows 10 using the appropriate in-place upgrade script.