Upgradation of Win 7/Win 10 systems within PGP

encryption systems

(Applicable for end users workstation (Laptop/Desktop))

Disclaimer
The content of this document is intended for COMPANY internal use only. None of this information shall be
divulged to persons other than COMPANY employees, or individuals or organizations authorized by
COMPANY in accordance with existing policy regarding release of any company information.

Page | 1
Document Information:

Document Name: Window Desktop system upgradation with PGP r

Classification: Internal

Current Version: v1.0

Function: IT Security

Document Owner: IT Security Team

First Document Release Date: 19th Sep 2017

Modification History:

Date of
Version No. Description of Change Author Approved By
Change

Page | 2
Table of Contents
1. Purpose .................................................................................................................................................................... 4

2. Scope......................................................................................................................................................................... 4

3. Responsibility ....................................................................................................................................................... 4

4. Requirement .......................................................................................................................................................... 4

5. Solution .................................................................................................................................................................... 4

6. Upgradation process – Win 7 or Win 10 ................................................................................................. 6

8. Description for Domain administrator restart bypass .......................................................................... 7

9. Upgrading your client computers manually ......................................................................................... 8

10. Upgrading Opal/hardware-encrypted client computers manually ....................................... 9

11. Upgrading your client computers using the upgrade script files ........................................ 9

12. Upgrade scripts details for Symantec Encryption..................................................................... 12

13. Troubleshooting information ................................................................................................................ 15

Windows 10 RS1, RS2, RS3, and RS4 ....................................................................................................... 15

14. COMPANY Support Information: ......................................................................................................... 16

Let us know what you think ..................................................................................................................................... 16

Page | 3
1. Purpose

To purpose of this document is to upgrade windows systems on different OS platform. So that we

will be able to migrate end user system to new version of operating system .

2. Scope

All workstations located at any geo locations.

3. Responsibility

At first level all systems team IT are held responsible for performing the script based migration
activities followed by and support required for technical aspect shall supported by Global Security
team. These activities shall be performed on high priority.
4. Requirement

This article details how to upgrade various flavor of Windows OS to next level at Win 10. This will
create complete control of endpoint security for data security and to sustain compliance.
5. Solution

Upgradation of Windows systems is not a difficult process although there are a few crucial steps
which must be completed successfully. The overall process consists of the following steps
described from point 6 and below:

Important Note :

✓ Before upgradation using below steps it is recommended to backup all your critical data.
✓ Before initiating upgradation, it is mandatory requirement to move end user system
from Daksh.local to Company.com domain and user should login-in to system using
his/her office 365 ID.
✓ System should be connected to COMPANY network before initiating migration
✓ It is strongly recommended that a data backup prior to performing migration activities.
✓ You will find and MS licensing error, Please contact Local IT support requirement.
✓ All migration and installation activities shall be performed using manage IT or end user
login only.
✓ User shall re-enroll encrypted system with single ID to avoid delicacy and conflict in token key
management.

Page | 4
Page | 5
6. Upgradation process – Win 7 or Win 10

Window operating system upgradation process under PGP encrypted system

Automatic upgrade

Automated upgrade using your custom script

• Automate the tasks mentioned in the Before you begin to upgrade section and
the Upgrading your client computers manually section, and any other tasks per
your organization’s requirement, and then deploy and upgrade using any remote
deployment software, such as Ghost Solution Suite.

Automated upgrade using the upgrade script files (attached to COMPANY

one drive)
• Perform all the pre-upgrade tasks as mentioned in the Before you begin to
upgrade section. Then using the appropriate upgrade script that is attached to
this article, perform the instructions as mentioned in the Upgrading your client
computers using the upgrade scripts section.

Before you begin to upgrade

To plan your deployment or upgrade, you must first complete the preparatory tasks
mentioned in this section before you begin the actual upgrade process.

1. Backup all your data to an external drive.

2. Extract the Windows 10 installation media (ISO) to a network shared folder.
Ensure that the folder name does not contain any spaces. For example, copy the
ISO file to \\filerserver\windows10media. To create a Windows 10 installation
media (ISO), refer to the Microsoft documentation.
3. On the Windows computer that you want to upgrade, map the shared folder to a
local drive using the command prompt with administrator privileges. For example,
to map the shared folder \\filerserver\windows10media to the drive Z, use the
following command:
net use z: \\fileserver\windows10media
4. Close Symantec Encryption Desktop. Ensure to exit PGPTray and any other
PGP service.
5. Unmount any virtual media or mounted drivers.
6. Set the computer sleep timer to one hour or more.

Page | 6
 7. Enable preboot bypass on the computer that you want to upgrade. For
information on preboot bypass and how to enable it, see

Reference details for point 7 as mentioned below

8. Description for Domain administrator restart bypass

The Domain administrator restart bypass feature enables administrators to perform remote or
local software installations requiring a restart of the target computer without the need for the user
to input their passphrase at PGP BootGuard.

Windows System and Administrator account(s) may now engage a mode to bypass WDE
authentication on the next restart by utilizing the privileges of the administration account to act
as the authenticated user.
Use of this feature is logged to the Encryption Management Server\PGP Universal server.
Bypass events are displayed in the Client log of the server.

To add a Domain Administrator restart bypass use the following steps:

1. On a domain controller, open the Active Directory Users and Computers console.
(Start>All Programs>Administrative Tools>Active Directory Users and Computers)

2. Create a new Global Security Group with the name WDE-ADMIN.

3. Add the desired domain user account(s) to the WDE-ADMIN group.

4. On the client system, login with the user account added to the WDE-ADMIN group.

5. Click Start > Run, type cmd in the text field and click OK. The Windows command
prompt screen appears.

6. Switch to the following directory: C:\Program Files\PGP Corporation\PGP Desktop

7. At the command prompt, type pgpwde --add-bypass --admin-authorization --disk 0 and

press Enter.

A message displays that the bypass has been successfully completed. You can also verify the
bypass user by typing the following at the command prompt:

pgpwde --check-bypass

Page | 7
 9. Upgrading your client computers
manually
Before you perform the following steps, ensure that you have performed all the steps
mentioned in the Before you begin to upgrade section.

1. Create a local folder on the Windows computer that you want to upgrade. For
example, C:\PGPTemp.
2. Copy the following files from the client computer to the local folder (for example,
C:\PGPTemp) that you created in step 1:

• Encryption driver files: PGPwded.sys, PGPwded.inf, PGPSdk.sys, PGPSdk.inf

Note: The encryption drive files are available on the client computer at
%systemroot%\System32\drivers.
Caution: If the encryption driver files are not copied from the same client
computer, the client computer may not boot after upgrade because of missing
files or driver version mismatch.

• Symantec registry: RegisterPGPDESoftware.reg

• Batch file: setupcomplete.cmd

Note: The Symantec registry file and the batch file are present in the
compressed folder that is attached to this article. Download the compressed
folder from the Download files section on this page. To download the
appropriate compressed folder, see the table Upgrade scripts for Symantec
Encryption Desktop 10.4.x client computers to upgrade to a Windows 10
update in this article.

3. Run the following commands:

Z:\setup.exe /reflectdrivers C:\PGPTemp /postoobe

C:\PGPTemp\setupcomplete.cmd

Page | 8
 Note: During the in-place upgrade process, Windows 10 copies new files
temporarily to a staging area. As the disk is already encrypted, the files in the
staging area get encrypted. If the Windows operating system does not have
access to the encryption drivers and the encryption passphrase, the in-place
upgrade fails. Therefore, ensure to use the /reflectdrivers option of the Windows
10 setup.exe command during the in-place upgrade. The /reflectdrivers option
provides access to the encryption drivers during the in-place upgrade process.

4. The Windows 10 setup wizard is displayed. Follow the instructions on the wizard
to finish the upgrade.

10. Upgrading Opal/hardware-

encrypted client computers
manually
Caution: If your client computer is Opal/hardware-encrypted, do not use the attached
upgrade scripts to upgrade. Instead, follow these steps:

1. Decrypt the Opal drive.

2. Uninstall Symantec Encryption Desktop.
3. Use the appropriate installation media of a Windows 10 release that you want
to upgrade, and then perform the upgrade.
4. Install all the required Windows updates.
5. Re-install Symantec Encryption Desktop.

11. Upgrading your client computers

using the upgrade script files
About the upgrade script files

Page | 9
The upgrade script files are compressed and attached to this article for download. You
may use the upgrade script files to upgrade your 32-bit and 64-bit Symantec Encryption
Desktop client computers automatically to one of the supported Microsoft Windows 10
releases without decrypting and re-encrypting the drives. You can download the
compressed archive of your choice, depending on the currently installed version of
Windows and Symantec Encryption Desktop, and the version of Windows 10 to which
you want to upgrade.

To download the upgrade script files

1. Refer to the table Upgrade scripts for Symantec Encryption Desktop 10.4.x client
computers to upgrade to a Windows 10 update in this article and identify the
upgrade script that you want to download.

2. To download the identified upgrade script file, either click Download Files on the
right side of the page or click the appropriate link under the Download
Files section available at the bottom of the page.

3. To access the upgrade script file, extract the contents of the compressed folder.

To upgrade your client computers using the upgrade script files

Important Note : The following in-place upgrade steps are provided for reference only.
Administrators should use this procedure as a guideline and customize the steps and the
script to suit their organization’s environment and requirements. Symantec strongly
recommends administrators to review and test the upgrade scripts and make necessary
changes prior to the upgrade. This ensures that the customized upgrade script meets the
needs of the business environment, including any installed third-party applications.
Testing the script also confirms that all the customizations and configuration changes
work as expected.

Page | 10
Scenario: As an administrator, you want to perform an in-place upgrade on Windows
client computers that are encrypted with Symantec Encryption Desktop. You want to
automate the in-place upgrade process without user intervention and run the upgrade
process in the background using the /auto upgrade and /quiet switches.

Before you perform the following steps, ensure that you have performed all the steps
mentioned in the Before you begin to upgrade section. If you choose to upgrade using
the scripts, the steps in the Upgrading your client computers manually section are
automatically performed by the upgrade script.

1. Extract the Windows 10 ISO to a file server and create a network share folder.
For example, \\fileserver\windows10media. Make sure that the user has read
access to the folder.

2. Download the appropriate upgrade script and extract it to a network share folder.
For example, \\fileserver\In-place-upgrade-script.

3. From the extracted files, edit the WinRS<x>-upgrade-SED<v>.cmd file (for

example: WinRS2-upgrade-SED1041.cmd) and update the following command
to add /auto upgrade /quiet switches, and then save the file.

call %1\setup.exe /reflectdrivers %PGPTempPath% /auto

upgrade /quiet /postoobe %PGPTempPath%\setupcomplete.cmd

Note: Perform the following steps on the client computer from the command prompt
with administrator privileges. These steps can be combined to create a batch file and
can be remotely deployed using any remote deployment software.

4. Enable preboot bypass as follows:

“c:\Program Files (x86)\PGP Corporation\PGP Desktop"\pgpwde
--add-bypass --count 3 –p Password

Page | 11
 5. Map the network drive as follows:
“net use z:\\fileserver\windows10media”

6. Copy the upgrade scripts to a local folder as follows:

“xcopy \\fileserver\In-place-upgrade-script c:\Symc-scripts /i /a /s /y

7. Make the local folder as the working directory as follows:

cd c:\Symc-scripts

8. To initialize the in-place upgrade script, run the following command:

WinRS<x>-upgrade-SED<v>.cmd [Folder path to the Setup.exe file in the
Windows 10 Installation Media]\

For example:
WinRS2-upgrade-SED1041.cmd Z:\

12. Upgrade scripts details for Symantec Encryption

Desktop 10.4.x client computers to upgrade to a Windows 10 update

Compatible
Symantec
Windows 10
Encryption Script Name Description
Version
Desktop
version
Contains the
scripts for
upgrading from
Windows 7 to
SED_Win7_Upgrade_SED_10.4.1_MP2HF2.zip
the Windows 10
April 2018 April 2018
Update
10.4.2 Update (version
(v1803) 1803).
(RS4)
Contains the
scripts for
SED_Win8_10_Upgrade_SED_10.4.1_MP2HF2.zip upgrading from
Windows 8, 8.1,
or an earlier

Page | 12
 version of
Windows 10 to
the Windows 10
April 2018
Update (version
1803).
Contains the
scripts for
upgrading from
Windows 7 to
SED_Win7_Upgrade_SED_10.4.1_MP2HF2.zip
the Windows 10
Fall Creators
Update (version
1709).
Fall Creators
Update 10.4.1 MP2 Contains the
(v1709) HF2 or later scripts for
(RS3) upgrading from
Windows 8, 8.1,
or an earlier
SED_Win8_10_Upgrade_SED_10.4.1_MP2HF2.zip version of
Windows 10 to
the Windows 10
Fall Creators
Update (version
1709).
Contains the
scripts for
upgrading from
Windows 7 to
the Windows 10
Creators Update
or Anniversary
SED_Win7_Upgrade_SED_10.4.1_MP1.zip
Creators Update.
Update 10.4.1 MP1
(v1703) or later Note: This script
(RS2) also works while
upgrading to
Windows 10
RS1 or RS2.
Contains the
SED_Win8_10_Upgrade_SED_10.4.1_MP1.zip scripts for
upgrading from
Windows 8, 8.1,

Page | 13
 or an earlier
version of
Windows 10 to
the Windows 10
Creators Update
or Anniversary
Update.

Note: This script

also works while
upgrading to
Windows 10
RS1 or RS2.
Contains the
scripts for
upgrading from
Windows 7 to
the Windows 10
Anniversary
Update or
SED_Win7_Upgrade_SED_10.4.1_MP1.zip Creators
Update.

Note: This script

also works while
upgrading to
Windows 10
Anniversary
RS1 or RS2.
Update 10.4.0 MP1
(v1607) or later Contains the
(RS1) scripts for
upgrading from
Windows 8, 8.1,
or an earlier
version of
Windows 10 to
SED_Win8_10_Upgrade_SED_10.4.1_MP1.zip the Windows 10
Anniversary
Update or
Creators
Update.

Note: This script

also works while
upgrading to

Page | 14
 Windows 10
RS1 or RS2.

13. Troubleshooting information

13.1 Windows 10 RS1, RS2, RS3, and RS4

The compressed archives include a batch file (post-upgrade script) that you can run
after completing the upgrade to Windows 10 Anniversary Update or later, only if you
face any of the following issues that are described below. The post-upgrade script
automatically applies a workaround for the following issues:
• The Hibernation feature in Windows no longer works on computers that were
upgraded from Windows 7. Affected computers shut down instead of entering
into the hibernation mode.
• When users change their Windows password, they are unable to use the new
password to authenticate at BootGuard.

To run the post-upgrade script and troubleshoot issues

1. Open the administrator command prompt and navigate to the folder in which you
extracted the upgrade scripts.
2. Run the Post-WinRS<x>-upgrade-SED<v>-register.bat file to apply the
workaround.
For example, run the Post-WinRS2-upgrade-SED1041-register.bat file.
3. Restart the computer.

Troubleshooting after upgrading to Windows 10 RS3 and RS4

The compressed archives include a batch file (post-upgrade script) that you can run
after completing the upgrade to the Windows 10 RS3 and RS4, only if you face any of
the issues that are described below. The post-upgrade script automatically applies a
workaround for the following issues:
• Some users of Windows 10 RS3 or RS4 workgroup may not be able to
authenticate at BootGuard.
• On Windows 10 RS3 or RS4 workgroup computers, Single Sign-On may not
work even when the Single Sign-On policy is enabled.

Page | 15
 • While viewing the "Provider Order" under "Network Connections", an error
message may appear and the network provider list is not displayed.

To run the post-upgrade script and troubleshoot issues

1. Open the administrator command prompt and navigate to the folder in which you
extracted the upgrade scripts.
2. Run the Post-WinRS3-upgrade-SED1041-register.bat file to apply the
workaround.
3. Restart the computer.

Note: When you run the post-upgrade script, the Use my sign in info to
automatically finish setting up my device after an update or restart option is
automatically disabled. To see this option, navigate to Windows Settings >

14. COMPANY Support Information:

Users should connect with local IT team for any issues or requiring further support
during migration or new implementation.

Let us know what you think

Please give us feedback on this learning guide, so we can provide content that’s truly useful and
helpful. Thanks!

Page | 16