Windows 10: In-place upgrade w/ PGP Desktop Encryption

Overview/ Intro

Recently, I’ve had a few customers who use full disk encryption from Symantec (Symantec PGP, Symantec Endpoint Encryption, or Symantec Desktop Encryption) on client computers instead of Microsoft BitLocker. “Why?”… well… it’s most likely that they have a really good Symantec sales rep. Either that or they implemented prior to BitLocker being ready for prime time and never bothered to change the solution. And yes, I prefer the Microsoft solution for its ease of management and integration points.

The most recent customer was running Windows 7 with Symantec Desktop Encryption (complete with the server component for management) for full disk encryption. Their goal was to upgrade all Windows 7 clients to Windows 10 (Current Branch) without decrypting the volume, if possible. They also use SCCM for endpoint management, software deployment and OSD. Our solution needs to leverage SCCM and an In-Place Upgrade Task Sequence.

To achieve the goal, we have some options available to us (there may be more than I’ve listed here, but you get it):

  1. Nuke and Pave (treat it like bare metal or replacement scenario)
    • Capture user files and data to a network location (USMT)
    • Delete all partitions on the physical disk
    • Install/ Apply Operating System
    • Install applications
    • Install drivers
    • Restore user files and data from network location (USMT)
  2. Include the encryption drivers by modifying the setup command-line
    • Leverage the “/ReflectDrivers” command-line option
  3. Suspend disk encryption
    • Suspend BitLocker (if used)
  4. Decrypt the drive
  5. Use vendor supplied upgrade scripts
  6. Use varying combinations of the above options

Ultimately, we chose option 6 (a combination of options 2 and 5). This was because of the following:

  • “Nuke and Pave” might take additional dev time to determine “What is user data?” for USMT to be right.
  • Symantec Encryption Server didn’t have an option to suspend encryption.
  • Decryption takes waaayyyy too long, and isn’t a valid option with the requirements given by the customer.


Based upon the customer requirements and the options chosen, we will need the following items to build our solution:

  • A healthy and functional Configuration Manager Hierarchy
  • In-Place Upgrade Task Sequence
  • Vendor supplied upgrade scripts from Symantec
    • A Google search for the correct scripts for your version of PGP is needed. Simply find the version(s) you need and download the appropriate zip file(s).
    • SUGGESTED GOOGLE SEARCH TEXT: “Win10 In-Place upgrade PGP <version>”
      • <version> = the version of PGP you are using.
      • Ours was 10.4.1 located here
      • The specific zip file for version 10.4.1 is here
  • A few guinea pigs (Windows 7 machines with disk encrypted). Three (3) or Four (4) should do it.


Review the Upgrade Script(s) from Symantec

  1. Unzip the files in the package, then open the “Readme.txt” file.
  2. Look for the “Usage:” line in the readme file. It should have something like “WinRS3-upgrade-SED1041.cmd”
    • “WinRS3-upgrade-SED1041.cmd” would be the name of the upgrade script to examine (CMD file).
  3. Open the CMD file in notepad.
  4. Note the actions being performed; these will be the actions we perform using PowerShell.
    • For PGP 10.4.1 (our version), the CMD file does the following:
      1. Create a temp folder at “C:\PGPTemp”
      2. Stop running PGP processes
      3. Copy PGP drivers from “C:\Windows\System32\Drivers” to “C:\PGPTemp” if present
      4. Copy support files from the script folder to “C:\PGPTemp”
      5. Set the upgrade command-line options “/ReflectDrivers” and “/PostOOBE”
      6. Initiate the upgrade to Windows 10

Mimic the script actions with PowerShell

Now that we know the steps (from Symantec) to perform our upgrade on an encrypted system, we can create our PowerShell script. Please note that these steps are not in the exact same order as the CMD file from Symantec; the end result is the same though.

  • We’ll start our script with a line that captures the location (path) of the currently running script; this will help us later on when we add it to the Task Sequence.
  • Then, we’ll stop any running PGP related processes with this bit of code…
  • We need to create the “C:\PGPTemp” folder and copy the encryption drivers next, but only if the drivers exist in the first place. Here’s how we do that…
  • Now we need to copy the support files from the script folder. We’ll add some code to our script to perform that action.
  • Since SCCM uses “setupcompletetemplate.cmd” (located in ‘C:\Windows\CCM’) as a template to create the “%WINDIR%\Setup\Scripts\SetupComplete.cmd” file, we will need to add the content from the PGP version of “setupcomplete.cmd” to our template. Yup… more PowerShell…
  • Since our SCCM Upgrade task sequence will set the “/PostOOBE” setup option for us, we only need to set the “/ReflectDrivers” option as the last step of the script… like this.

Here is the whole thing cleaned up as a single PowerShell script. Copy the code below and save it as “Set-PGPUpgradeDrivers.ps1”.
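The following is an added example that reconstructs the six steps described above as one script; it is not the author's original script. It assumes the PGP processes and driver files share a “PGP” name prefix, that the Symantec zip ships a file named “setupcomplete.cmd” alongside the upgrade CMD, and that the Task Sequence exposes the built-in OSDSetupAdditionalUpgradeOptions variable for passing extra setup.exe switches.

```powershell
# Set-PGPUpgradeDrivers.ps1 (added example, reconstructed from the steps in this post)
# Runs as SYSTEM from a "Run PowerShell Script" step placed before the Upgrade Operating System step.
$ErrorActionPreference = 'Stop'

# 1. Location of the running script (the package content folder when run from the Task Sequence)
$ScriptPath = $MyInvocation.MyCommand.Path
$ScriptDir  = Split-Path -Parent $ScriptPath

# 2. Stop running PGP processes (the "PGP*" name prefix is an assumption; verify on a guinea pig)
Get-Process -Name 'PGP*' -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Create C:\PGPTemp and copy the encryption drivers, but only if they are present
$PGPTemp   = 'C:\PGPTemp'
$DriverDir = Join-Path $env:SystemRoot 'System32\Drivers'
New-Item -Path $PGPTemp -ItemType Directory -Force | Out-Null
$Drivers = Get-ChildItem -Path $DriverDir -Filter 'PGP*.sys' -ErrorAction SilentlyContinue  # filter is an assumption
if ($Drivers) {
    # setup.exe will load whatever is reflected from this folder, so only the vendor drivers go here
    $Drivers | Copy-Item -Destination $PGPTemp -Force
} else {
    Write-Warning "No PGP drivers found in $DriverDir; continuing without copying drivers."
}

# 4. Copy the support files shipped next to this script (everything except the script itself)
Get-ChildItem -Path $ScriptDir -File |
    Where-Object { $_.FullName -ne $ScriptPath } |
    Copy-Item -Destination $PGPTemp -Force

# 5. Append the PGP setupcomplete.cmd to the ConfigMgr template so the generated
#    %WINDIR%\Setup\Scripts\SetupComplete.cmd also runs the PGP post-upgrade actions
$Template         = Join-Path $env:SystemRoot 'CCM\setupcompletetemplate.cmd'
$PgpSetupComplete = Join-Path $ScriptDir 'setupcomplete.cmd'   # file name from the Symantec zip (assumption)
if ((Test-Path $Template) -and (Test-Path $PgpSetupComplete)) {
    $Marker = 'REM --- PGP post-upgrade actions (appended by Set-PGPUpgradeDrivers.ps1) ---'
    # Guard with a marker so a re-run of the step does not append the block twice
    if (-not (Select-String -Path $Template -SimpleMatch $Marker -Quiet)) {
        Add-Content -Path $Template -Value (@($Marker) + (Get-Content -Path $PgpSetupComplete))
    }
}

# 6. Hand /ReflectDrivers to the Upgrade Operating System step (/PostOOBE is added by the TS itself)
$TSEnv = New-Object -ComObject 'Microsoft.SMS.TSEnvironment'
$TSEnv.Value('OSDSetupAdditionalUpgradeOptions') = "/ReflectDrivers $PGPTemp"
```

Run it once by hand on one of the guinea pigs and confirm the smsts.log shows setup.exe launched with the /ReflectDrivers switch before rolling the package out.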


  • Set up bypass of Symantec BootGuard
    • Enable bypass for up to 4 reboots. Information on how to do this is located here.
  • Create a package in SCCM called “OSD-SetPGPUpgradeDrivers”
  • Add the step to your task sequence

Later on as time allows, I’ll try to add more information to this post about:

  • Accommodating other PGP versions
  • Adding support for upgrading from other Windows Client Operating Systems
    • Windows 8 and 8.1
    • Windows 10
