How to do Windows 10 OS In-place upgrade with Symantec Encryption Desktop installed using ConfigMgr (My Experience)

-
Ever since Windows 10 was released as a service ie. WaaS (Windows as a Service), it changed the way Windows versions were going to be upgraded in the future. The release cadence may have changed a couple of times from the time first Windows 10 build came out, but the basic principle remains the same. That is to keep the builds up to date in order to ensure OS remains supported for monthly security and quality updates. Something that enterprises have to take very seriously in order to safeguard their environment and data from security attacks.

Recently I worked on a project that involved upgrading Windows 10 OS version to 20H2 on devices encrypted by Symantec Encryption Desktop. Now, Microsoft security solutions like Defender, Bitlocker are natively compatible with newer Windows 10 OS versions and support In-place upgrades out of the box. However, with 3rd party security solutions, one will need to check for compatibility. This is where things get interesting. It took me some man hours to identify that SED needed to be upgraded because Windows 10 20H2 setup did not flag SED as a blocker during comaptibility scans or even during the upgrade. The resultant behavior was that the OS would just rollback after the first reboot. After analysing the setupact, setuperr, diagerr.xml logs I could see some references to WRITE action being blocked against certain sections of the DISK. This got me looking into SED and that is when I learnt that SED needed to be upgraded to version 10.4.2 and later to allow automated In-place upgrade of Windows 10 OS to take place. Since SED 10.4.2 had reached EOS, I needed to have the SED encryption server to be upgraded to 10.5. Details on EOS can be found here.

Once the SED server was upgraded, the next step was to upgrade the SED clients on endpoints. This is particularly important because not only the newer client supports Windows 10 20H2, it also copies necessary files that are needed for automatic OS upgrade.

Now that we got the requirements sorted, we will now see how to set this up in ConfigMgr. Since there are Pre-OS actions required here, I am using In-place Upgrade (IPU) to upgrade the OS. For the purpose of this blog, I will only focus on the custom actions needed for the OS upgrade.

Configure SED Application

The security team provided me with the client installation file from the SED server containing the necessary encryption server specific configuration and will enable the endpoints to communicate with the SED server easily. I used this msi to create the application.



Creating Custom package to copy Setupcomplete.cmd

SED uses its own setupcomplete.cmd file for /poostoobe. Here are the contents of the file.



As compared to the default setupcomplete.cmd file that ConfigMgr uses.


As you can see that it is nothing like the default setupcomplete.cmd file that ConfigMgr uses and it obviously interfers with the POSTOOBE process after the OS is installed. In my case, after upgrading the SED agent to 10.5 manually on few devices manually, the OS was found to be upgrading and finishing all the way as part of the OS setup.exe process. However, the ConfigMgr client was getting stuck in Provisioning mode and was leaving SMS Agent Host service Disabled, which resulted in TS never finishing the remaining steps and thus the devices never reported a successful status back to ConfigMgr against the deployment.

To get around this, I had to replace the file placed by SED 10.5 with the default version used by ConfigMgr and add a step in IPU Task sequence to take care of the action called out in the setupcomplete.cmd placed by SED 10.5.

(Special shoutout to Mike Terrill for pointing me in the right direction.)

You can pick the content of the file from the template for default setupcomplete.cmd located under %Program Files%\Microsoft Configuration Manager\OSD\bin\x64 which can then be renamed to setupcomplete.cmd later.


Or you can also copy it from C:\Windows\SMSTSPostUpgrade when the TS is running.


Next step is to create a package containing this file. No program is needed.


Creating the IPU TS

Step - Set Dynamic Variable

/noreboot /reflectdrivers "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Postoobe "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files\setupcomplete.cmd" /ShowOOBE none



Step - SED 10.5 (Installation)
Step - Reboot



Step - Copy SetupComplete.cmd

xcopy ".\*.*" "C:\Program Files\PGP Corporation\PGP Desktop\OS Upgrade Files" /Y




Step - PGP DisableAutomaticRestartSignOn (Copied from setupcomplete.cmd placed by SED 10.5)

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableAutomaticRestartSignOn /t REG_DWORD /d 1 /f /reg:64



Step - Upgrade Operating System en-US

Condition (WMI)- SELECT OsLanguage FROM Win32_OperatingSystem WHERE OsLanguage='1033'



That's about it. There can be other ways to get around the requirement of setupcomplete.cmd, like appending the content from the template file and such, but I found the above method more to my liking.

Until next time..

Comments

  1. pcwinSeptember 29, 2022 at 8:13 AM




    Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up
    symantec-endpoint-protection-crack

    ReplyDelete
  2. pcwinSeptember 29, 2022 at 8:13 AM




    Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it up
    symantec-endpoint-protection-crack

    ReplyDelete
  3. SoftCrackProNovember 14, 2022 at 6:33 PM

    Excellent post, Its really friendly article... good working
    DECSOFT APP BUILDER Crack
    UnHackMe Pro Crack
    Symantec Endpoint Protection Crack
    VCE Exam Simulator Pro Crack
    iMazing Crack

    ReplyDelete
  4. SoftCrackProNovember 14, 2022 at 6:41 PM

    Excellent post, Its really friendly article... good working
    DECSOFT APP BUILDER Crack
    UnHackMe Pro Crack
    Symantec Endpoint Protection Crack
    VCE Exam Simulator Pro Crack
    iMazing Crack

    ReplyDelete
  5. ShumailaNovember 23, 2022 at 4:20 PM

    Thanks for another informative and well written article.
    https://up4tech.org/symantec-endpoint-protection/

    ReplyDelete
  6. pcwinDecember 23, 2022 at 11:14 AM



    I thought this was a pretty interesting read when it comes to this topic. Thank you
    symantec-endpoint-protection-crack

    ReplyDelete
  7. pcwinDecember 23, 2022 at 11:14 AM



    I thought this was a pretty interesting read when it comes to this topic. Thank you
    symantec-endpoint-protection-crack

    ReplyDelete
  8. Rana KanjuJanuary 4, 2023 at 5:46 PM

    Hello, Your Site is very nice, and it's very helping us this post is unique and interesting, thank you for sharing this awesome information. and visit our blog site also.. Keep it up

    kaspersky-rescue-disk

    ams-software-photoworks-crack

    ReplyDelete
  9. All type of Crack Software are available here.January 12, 2023 at 8:09 AM


    Nice post! This is a very nice blog that I will definitively come beck to moretimes this year! thanks for the informative post Download.
    VCE Exam Simulator Pro

    Daemon Tools Pro
    F-Secure Freedome VPN
    PRTG Network Monitor

    ReplyDelete
  10. Jani Jani JaniJanuary 22, 2023 at 7:08 AM

    Great work you done.
    AMS Software PhotoWorks Crack/

    ReplyDelete
  11. topcrackFebruary 23, 2023 at 11:15 AM

    Nice article and explanation Keep continuing to write an article like this you may also check my website topcrackingsite.com.
    UnHackMe crack

    ReplyDelete
  12. noorMarch 10, 2023 at 5:27 PM

    Great work you done.
    Windows 10 Manager Crack/

    ReplyDelete
  13. Winter Sale JacketsNovember 8, 2023 at 5:45 AM

    Your blogs make a simple jacket into a million-dollar dress. Your styling ideas are so keen and accurate. Winter Sale Jackets

    ReplyDelete

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){              ...
Read more

Prevent users from running certain programs or applications on Windows endpoints using Intune

-
Image
  When it comes to blocking or preventing users from running an application on Windows devices, one normally uses App locker policy, Windows Defender Application Control and not so new but pretty useful method called Defender Vulnerability management within Microsoft 365 Defender Portal. A recent question on the Tech Community Microsoft forum prompted me to look for all possible alternatives. I started reminiscing over the legacy GPO policies and that is when I stumbled upon the policy  Don’t run specified Windows applications  located under User Administrative Templates - The policy setting does come with its own caveat - " This policy setting only prevents users from running programs that are started by the File Explorer process. It does not prevent users from running programs, such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt (Cmd.exe), this policy setting does not prevent them from st...
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $P...
Read more