How to do Windows 10 OS In-place upgrade with Symantec Encryption Desktop installed using ConfigMgr (My Experience)

Ever since Windows 10 was released as a service ie. WaaS (Windows as a Service), it changed the way Windows versions were going to be upgraded in the future. The release cadence may have changed a couple of times from the time first Windows 10 build came out, but the basic principle remains the same. That is to keep the builds up to date in order to ensure OS remains supported for monthly security and quality updates. Something that enterprises have to take very seriously in order to safeguard their environment and data from security attacks.

Recently I worked on a project that involved upgrading Windows 10 OS version to 20H2 on devices encrypted by Symantec Encryption Desktop. Now, Microsoft security solutions like Defender, Bitlocker are natively compatible with newer Windows 10 OS versions and support In-place upgrades out of the box. However, with 3rd party security solutions, one will need to check for compatibility. This is where things get interesting. It took me some man hours to identify that SED needed to be upgraded because Windows 10 20H2 setup did not flag SED as a blocker during comaptibility scans or even during the upgrade. The resultant behavior was that the OS would just rollback after the first reboot. After analysing the setupact, setuperr, diagerr.xml logs I could see some references to WRITE action being blocked against certain sections of the DISK. This got me looking into SED and that is when I learnt that SED needed to be upgraded to version 10.4.2 and later to allow automated In-place upgrade of Windows 10 OS to take place. Since SED 10.4.2 had reached EOS, I needed to have the SED encryption server to be upgraded to 10.5. Details on EOS can be found here.

Once the SED server was upgraded, the next step was to upgrade the SED clients on endpoints. This is particularly important because not only the newer client supports Windows 10 20H2, it also copies necessary files that are needed for automatic OS upgrade.

Now that we got the requirements sorted, we will now see how to set this up in ConfigMgr. Since there are Pre-OS actions required here, I am using In-place Upgrade (IPU) to upgrade the OS. For the purpose of this blog, I will only focus on the custom actions needed for the OS upgrade.

Configure SED Application

The security team provided me with the client installation file from the SED server containing the necessary encryption server specific configuration and will enable the endpoints to communicate with the SED server easily. I used this msi to create the application.



Creating Custom package to copy Setupcomplete.cmd

SED uses its own setupcomplete.cmd file for /poostoobe. Here are the contents of the file.



As compared to the default setupcomplete.cmd file that ConfigMgr uses.


As you can see that it is nothing like the default setupcomplete.cmd file that ConfigMgr uses and it obviously interfers with the POSTOOBE process after the OS is installed. In my case, after upgrading the SED agent to 10.5 manually on few devices manually, the OS was found to be upgrading and finishing all the way as part of the OS setup.exe process. However, the ConfigMgr client was getting stuck in Provisioning mode and was leaving SMS Agent Host service Disabled, which resulted in TS never finishing the remaining steps and thus the devices never reported a successful status back to ConfigMgr against the deployment.

To get around this, I had to replace the file placed by SED 10.5 with the default version used by ConfigMgr and add a step in IPU Task sequence to take care of the action called out in the setupcomplete.cmd placed by SED 10.5.

(Special shoutout to Mike Terrill for pointing me in the right direction.)

You can pick the content of the file from the template for default setupcomplete.cmd located under %Program Files%\Microsoft Configuration Manager\OSD\bin\x64 which can then be renamed to setupcomplete.cmd later.


Or you can also copy it from C:\Windows\SMSTSPostUpgrade when the TS is running.


Next step is to create a package containing this file. No program is needed.


Creating the IPU TS

Step - Set Dynamic Variable

/noreboot /reflectdrivers "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Postoobe "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files\setupcomplete.cmd" /ShowOOBE none



Step - SED 10.5 (Installation)
Step - Reboot



Step - Copy SetupComplete.cmd

xcopy ".\*.*" "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Y




Step - PGP DisableAutomaticRestartSignOn (Copied from setupcomplete.cmd placed by SED 10.5)

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableAutomaticRestartSignOn /t REG_DWORD /d 1 /f /reg:64



Step - Upgrade Operating System en-US

Condition (WMI)- SELECT OsLanguage FROM Win32_OperatingSystem WHERE OsLanguage='1033'



That's about it. There can be other ways to get around the requirement of setupcomplete.cmd, like appending the content from the template file and such, but I found the above method more to my liking.

Until next time..

Comments




  1. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up
    symantec-endpoint-protection-crack

    ReplyDelete



  2. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up
    symantec-endpoint-protection-crack

    ReplyDelete
  3. Thanks for another informative and well written article.
    https://up4tech.org/symantec-endpoint-protection/

    ReplyDelete


  4. I thought this was a pretty interesting read when it comes to this topic. Thank you
    symantec-endpoint-protection-crack

    ReplyDelete


  5. I thought this was a pretty interesting read when it comes to this topic. Thank you
    symantec-endpoint-protection-crack

    ReplyDelete
  6. Hello, Your Site is very nice, and it's very helping us this post is unique and interesting, thank you for sharing this awesome information. and visit our blog site also.. Keep it up

    kaspersky-rescue-disk

    ams-software-photoworks-crack

    ReplyDelete

  7. Nice post! This is a very nice blog that I will definitively come beck to moretimes this year! thanks for the informative post Download.
    VCE Exam Simulator Pro

    Daemon Tools Pro
    F-Secure Freedome VPN
    PRTG Network Monitor

    ReplyDelete
  8. Nice article and explanation Keep continuing to write an article like this you may also check my website topcrackingsite.com.
    UnHackMe crack

    ReplyDelete
  9. Your blogs make a simple jacket into a million-dollar dress. Your styling ideas are so keen and accurate. Winter Sale Jackets

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

Intune: Configure Printers for Non-Administrative Users

Intune: UAC Elevation Prompt Behavior for Standard Users