Important Note: Symantec Encryption Products no longer require using upgrade scripts and and is now fully automatic. All Windows Automatic updates can be installed automatically via Windows Updates that are pulled down.
If you are deploying Windows updates with a deployment solution, such as Altiris/IT Management Suite, these two articles will provide you the proper command to deploy Windows 10 updates on encrypted systems:
How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11
https://knowledge.broadcom.com/external/article/179265
How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2
https://knowledge.broadcom.com/external/article/179262
Important Note: Symantec Encryption Products no longer require using upgrade scripts and and is now fully automatic. All Windows Automatic updates can be installed automatically via Windows Updates that are pulled down.
If you are deploying Windows updates with a deployment solution, such as Altiris/IT Management Suite, these two articles will provide you the proper command to deploy Windows 10 updates on encrypted systems:
How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11
https://knowledge.broadcom.com/external/article/179265
How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2
https://knowledge.broadcom.com/external/article/179262
#################Historical Content Below#################
Update history
Update |
Version |
Date |
Added compatibility with the following operating systems:
|
Symantec Encryption Desktop 10.4.2 MP4 | December 2019 |
Added compatibility with the following operating systems:
|
Symantec Encryption Desktop 10.4.2 MP3 | July 2019 |
Added compatibility with the following operating systems:
|
Symantec Encryption Desktop 10.4.2 MP1 | November 2018 |
Added compatibility with the following operating system:
|
Symantec Encryption Desktop 10.4.2 |
May |
Added compatibility with the following operating system:
|
Symantec Encryption Desktop 10.4.1 MP2 HF2 or later |
February 2018 |
Added compatibility with the following operating system:
|
Symantec Encryption Desktop 10.4.1 MP1 or later |
May |
Added compatibility with the following operating system:
|
Symantec Encryption Desktop 10.4.0 MP1 or later |
September 2016 |
Overview
This article is intended for administrators who are responsible for upgrading Symantec Encryption Desktop 10.4.x Windows client computers.
This article provides guidelines on manual and automated-with-scripts (which can be remotely deployed) in-place upgrade process for upgrading Symantec Encryption Desktop 10.4.x client computers without decrypting and re-encrypting the drives to the following Microsoft Windows 10 releases:
You can upgrade to the above mentioned Windows 10 release from the following Windows operating systems:
This article also includes upgrade scripts that you may use to quickly upgrade your Windows client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives.
If you want to automatically update (feature update) your Windows 10 (1607) or later client computers encrypted with Symantec Encryption Desktop to a supported Windows 10 release without decrypting and re-encrypting the drives, see the Symantec Support article at https://support.symantec.com/us/en/article.tech255563.html.
Evaluating Symantec Encryption Desktop compatibility before upgrading to Windows 10
Ensure that you know the compatibility of your existing Symantec Encryption Desktop version with the Windows 10 release that you want to upgrade. Also, verify that your client computer meets the hardware and software requirements. The following table list the compatibility and the minimum memory requirement for an in-place upgrade.
Windows 10 Version |
Compatible Windows Operating Systems |
Compatible Symantec Encryption Desktop version |
Minimum Disk Space Required |
November 2019 Update (1909) (19H2) | Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, Fall Creators Update, April 2018 Update, October 2018 Update, and May 2019 Update | 10.4.2 MP4 | |
May 2019 Update (v1903) (19H1) | Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, Fall Creators Update, April 2018 Update, and October 2018 Update | 10.4.2 MP3 |
|
October 2018 Update (v1809) (RS5) | Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, Fall Creators Update, and April 2018 Update | 10.4.2 MP1 | |
April 2018 Update (v1803) (RS4) |
Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, Creators Update, and Fall Creators Update |
10.4.2 or later |
|
Fall Creators Update (v1709) (RS3) |
Windows 7, 8, 8.1, 10, November 2015 update, Anniversary Update, and Creators Update |
10.4.1 MP2 HF2 or later |
|
Creators Update (v1703) (RS2) |
Windows 7, 8, 8.1, 10, November 2015 update, and Anniversary Update |
10.4.1 MP1 or later |
|
Anniversary Update (v1607) (RS1) |
Windows 7, 8, 8.1, 10, and November 2015 update |
10.4.0 MP1 or later |
Understanding the in-place upgrade process
Important: This article includes a limited number of upgrade scenarios. Administrators must consider customizing the procedures documented in this article to meet their organizations' requirements. This article also includes upgrade scripts that administrators may use to upgrade client computers to a Windows 10 release without decrypting and re-encrypting the drives. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the deployment or upgrade. This ensures that the customized upgrade script meets the needs of that business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected. Administrators must use the process described in this article as a reference point for the in-place upgrade process.
You can upgrade your Windows client computers encrypted with Symantec Encryption Desktop to a Windows 10 release without decrypting and re-encrypting the drives. To upgrade your client computers using in-place upgrade, you may choose one of the following methods:
Manual upgrade
Upgrade with scripts
Automated upgrade using your custom script
Automated upgrade using the upgrade script files (attached to this article)
Before you begin to upgrade
To plan your deployment or upgrade, you must first complete the preparatory tasks mentioned in this section before you begin the actual upgrade process.
Upgrading your client computers manually
Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section.
Note: The encryption drive files are available on the client computer at %systemroot%\System32\drivers.
Caution: If the encryption driver files are not copied from the same client computer, the client computer may not boot after upgrade because of missing files or driver version mismatch.
Note: The Symantec registry file and the batch file are present in the compressed folder that is attached to this article. Download the compressed folder from the Download files section on this page. To download the appropriate compressed folder, see the table Upgrade scripts for Symantec Encryption Desktop 10.4.x client computers to upgrade to a Windows 10 update in this article.
Z:\setup.exe /reflectdrivers C:\PGPTemp /postoobe C:\PGPTemp\setupcomplete.cmd
Note: During the in-place upgrade process, Windows 10 copies new files temporarily to a staging area. As the disk is already encrypted, the files in the staging area get encrypted. If the Windows operating system does not have access to the encryption drivers and the encryption passphrase, the in-place upgrade fails. Therefore, ensure to use the /reflectdrivers option of the Windows 10 setup.exe command during the in-place upgrade. The /reflectdrivers option provides access to the encryption drivers during the in-place upgrade process.
Upgrading Opal/hardware-encrypted client computers manually
Caution: If your client computer is Opal/hardware-encrypted, do not use the attached upgrade scripts to upgrade. Instead, follow these steps:
Upgrading your client computers using the upgrade script files
About the upgrade script files
The upgrade script files are compressed and attached to this article for download. You may use the upgrade script files to upgrade your 32-bit and 64-bit Symantec Encryption Desktop client computers to one of the supported Microsoft Windows 10 releases without decrypting and re-encrypting the drives. You can download the compressed archive of your choice, depending on the currently installed version of Windows and Symantec Encryption Desktop, and the version of Windows 10 to which you want to upgrade.
To download the upgrade script files
To upgrade your client computers using the upgrade script files
Important: The following in-place upgrade steps are provided for reference only. Administrators should use this procedure as a guideline and customize the steps and the script to suit their organization’s environment and requirements. Symantec strongly recommends administrators to review and test the upgrade scripts and make necessary changes prior to the upgrade. This ensures that the customized upgrade script meets the needs of the business environment, including any installed third-party applications. Testing the script also confirms that all the customizations and configuration changes work as expected.
Scenario: As an administrator, you want to perform an in-place upgrade on Windows client computers that are encrypted with Symantec Encryption Desktop. You want to automate the in-place upgrade process without user intervention and run the upgrade process in the background using the /auto upgrade and /quiet switches.
Before you perform the following steps, ensure that you have performed all the steps mentioned in the Before you begin to upgrade section. If you choose to upgrade using the scripts, the steps in the Upgrading your client computers manually section are automatically performed by the upgrade script.
call %1\setup.exe /reflectdrivers %PGPTempPath% /auto upgrade /quiet /postoobe %PGPTempPath%\setupcomplete.cmd
Note: Perform the following steps on the client computer from the command prompt with administrator privileges. These steps can be combined to create a batch file and can be remotely deployed using any remote deployment software.
For example:
WinRS2-upgrade-SED1041.cmd Z:\
Table: Upgrade scripts for Symantec Encryption Desktop 10.4.x client computers to upgrade to a Windows 10 update
Windows 10 Version |
Compatible Symantec Encryption Desktop version |
Upgrade Script Name |
Description |
November 2019 Update version 1909 (19H2) | 10.4.2 MP4 | SED_Win7_Upgrade_SED_10.4.2_MP3_RS6.zip | Contains the scripts for upgrading from Windows 7 to the Windows 10 November 2019 Update (version 1909) |
SED_Win8_10_Upgrade_SED_10.4.2_MP3_RS6.zip | Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 November 2019 Update (version 1909) | ||
May 2019 Update (v1903) (19H1) | 10.4.2 MP3 | SED_Win7_Upgrade_SED_10.4.2_MP3_RS6.zip | Contains the scripts for upgrading from Windows 7 to the Windows 10 May 2019 Update (version 1903) |
SED_Win8_10_Upgrade_SED_10.4.2_MP3_RS6.zip | Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 May 2019 Update (version 1903) | ||
October 2018 Update (v1809) (RS5) | 10.4.2 MP1 |
SED_Win7_Upgrade_SED_10.4.2_MP1_RS5.zip |
Contains the scripts for upgrading from Windows 7 to the Windows 10 October 2018 Update (version 1809) |
SED_Win8_10_Upgrade_SED_10.4.2_MP1_RS5.zip
|
Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 October 2018 Update (version 1809) | ||
April 2018 Update (v1803) (RS4) | 10.4.2 MP1 | SED_Win7_Upgrade_SED_10.4.2_MP1.zip | Contains the scripts for upgrading from Windows 7 to the Windows 10 April 2018 Update (version 1803) with a fix for an issue related to email communication that uses IMAP/POP3 profiles. |
SED_Win8_10_Upgrade_SED_10.4.2_MP1.zip | Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 April 2018 Update (version 1803) with a fix for an issue related to email communication that uses IMAP/POP3 profiles. | ||
April 2018 Update (v1803) (RS4) |
10.4.2 Note: Symantec recommends you to use 10.4.2 MP1 with Windows v1803. The version 10.4.2 MP1 includes additional improvements and bug fixes. |
SED_Win7_Upgrade_SED_10.4.1_MP2HF2.zip |
Contains the scripts for upgrading from Windows 7 to the Windows 10 April 2018 Update (version 1803). |
SED_Win8_10_Upgrade_SED_10.4.1_MP2HF2.zip |
Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 April 2018 Update (version 1803). |
||
Fall Creators Update (v1709) (RS3) |
10.4.1 MP2 HF2 or later |
SED_Win7_Upgrade_SED_10.4.1_MP2HF2.zip |
Contains the scripts for upgrading from Windows 7 to the Windows 10 Fall Creators Update (version 1709). |
SED_Win8_10_Upgrade_SED_10.4.1_MP2HF2.zip |
Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Fall Creators Update (version 1709). |
||
Creators Update (v1703) (RS2) |
10.4.1 MP1 or later |
SED_Win7_Upgrade_SED_10.4.1_MP1.zip |
Contains the scripts for upgrading from Windows 7 to the Windows 10 Creators Update or Anniversary Update. Note: This script also works while upgrading to Windows 10 RS1 or RS2. |
SED_Win8_10_Upgrade_SED_10.4.1_MP1.zip |
Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Creators Update or Anniversary Update. Note: This script also works while upgrading to Windows 10 RS1 or RS2. |
||
Anniversary Update (v1607) (RS1) |
10.4.0 MP1 or later |
SED_Win7_Upgrade_SED_10.4.1_MP1.zip |
Contains the scripts for upgrading from Windows 7 to the Windows 10 Anniversary Update or Creators Update. Note: This script also works while upgrading to Windows 10 RS1 or RS2. |
SED_Win8_10_Upgrade_SED_10.4.1_MP1.zip |
Contains the scripts for upgrading from Windows 8, 8.1, or an earlier version of Windows 10 to the Windows 10 Anniversary Update or Creators Update. |
Troubleshooting incompatibility issues between Windows 10 and Symantec Encryption Desktop
The compressed archives include a batch file (post-upgrade script) that you can run after completing the upgrade to Windows 10 Anniversary Update or later, only if you face any of the following issues that are described below. The post-upgrade script automatically applies a workaround for the following issues:
To run the post-upgrade script and troubleshoot issues
The compressed archives include a batch file (post-upgrade script) that you can run after completing the upgrade to the Windows 10 RS3, RS4, RS5, and 19H1 only if you face any of the issues that are described below. The post-upgrade script automatically applies a workaround for the following issues:
To run the post-upgrade script and troubleshoot issues
Note: When you run the post-upgrade script, the Use my sign in info to automatically finish setting up my device after an update or restart option is automatically disabled. To see this option, navigate to Windows Settings > Accounts > Sign-in options > Privacy. For more information, refer to the Microsoft article Winlogon Automatic Restart Sign-On (ARSO).
For information on the compatibility issues that are specific to Windows 10 October 2018 Update, April 2018 Update, and Fall Creators Update with Symantec Encryption Desktop, see the knowledgebase article, Troubleshooting compatibility issues between Windows 10 and Symantec Encryption Desktop.
Known issue: PGP Virtual Disk does not work on certain Windows 10 RS5 and 19H1 systems after Symantec Encryption Desktop is installed.
On certain systems running the Windows 10 October 2018 Update (RS5) or the Windows 10 May 2019 Update (19H1) enabled with Hypervisor-Enforced Code Integrity (HVCI), if you install Symantec Encryption Desktop 10.4.2 MP1 or 10.4.2 MP3, the PGP Disk driver is not loaded successfully. Also, the PGP Virtual Disk functionality does not work.
Note: This issue happens only on Windows 10 RS5 and 19H1 systems that meet certain hardware and firmware requirements with VBS enabled by default. For more information on the hardware and firmware requirements, see the Microsoft article available at https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs. This issue is not observed when you upgrade to Windows 10 RS5 or 19H1 using the in-place upgrade scripts. For more information on the in-place upgrade, see the article https://support.symantec.com/en_US/article.HOWTO125876.html.
Workaround
To work around this issue, disable the Core isolation Memory integrity Device security feature as follows:
1. Open Windows Security and click the Device security icon.
2. Click the Core isolation details link.
3. Toggle Off Memory integrity.
4. Restart the computer.
5. Ensure that the PGP Disk driver is loaded successfully.
Alternatively, you can perform the following steps:
1. Disable HVCI by updating the following registry setting to 0 (zero) as follows:REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
2. Restart the computer.
3. Ensure that the PGP Disk driver is loaded successfully.
Known issue: Email communication fails after upgrading Windows 10 computers encrypted with Symantec Encrypted Desktop to Windows 10 RS4
When Windows 10 computers that use IMAP or POP3 for email communication are upgraded to Windows 10 RS4 using the in-place upgrade scripts, the email encryption does not work. Also, the IMAP or POP3 profiles cannot be created and the email communication fails. The cause of the issue is that the Layered Service Providers (LSP) feature that Symantec Encryption Desktop uses for email encryption is not upgraded in RS4. LSP is deprecated in Windows systems.
Solution
A fix for this issue is now available in the version 10.4.2 MP1 of Symantec Encryption Desktop for Windows release. To prevent this issue from happening, first, upgrade to Symantec Encryption Desktop 10.4.2 MP1 or later, and then upgrade to Windows 10 using the appropriate in-place upgrade script.