United Kingdom Endpoint Management User Group


Using Patch Management Solution to deploy Windows 10 Fall Creators Update with Symantec Endpoint Encryption Installed

  • 1.  Using Patch Management Solution to deploy Windows 10 Fall Creators Update with Symantec Endpoint Encryption Installed

    Broadcom Employee
    Posted Feb 14, 2018 06:56 AM

    Symantec have provided DOC9422 on how to use Patch Management to deploy feature updates:

    When Symantec Endpoint Encryption (SEE) is installed there are further complications for a Windows 10 installation, described in HOWTO125875:

    It is straightforward using these two articles to work out how to use the Patch Management Solution to deploy Feature updates to SEE encrypted computers.

    Described are the changes made to upgrade Windows 10 Professional from Creators Update (1703) to Fall Creators Update (1709), with SEE 11.1.3 MP1 already installed (the prerequisite SEE version before upgrading to 1709). Additionally this is straight English US only – language issues are not dealt with, nor are enterprise/education/home editions of Windows, although this would not be too difficult to accomplish.

    Note: Once these changes are made the modified Feature Update policy will not work on devices without SEE installed – a separate policy will be required. (It would be possible to further extend the scripts to do both if that is what was required)

    First follow DOC9422 to download and set up the 1709 installation.

    Then download the Win8_10_Upgrade_SEE11.1.3MP1.zip file from HOWTO125875. Unzip the files and place them with the 1709 installation files in the package location on the Notification Server – the same as for the Windows ISO file from DOC9422.

    Next edit two files on the Notification server in package location. Symantec have used batch scripts for both of these:

    • Windows10x86Professional1703.bat (the ‘batch file’)

    • WinRS3-upgrade-SEE11.cmd (the ‘command file’)

    It helps at this point to have both files open to follow along.

    The batch file provided in Patch Management solution has the following setup.exe command (at line 161):

    "%volume%:\setup.exe" /auto upgrade %languageOption% /quiet /showoobe none /noreboot /telemetry disable /dynamicupdate disable /Postoobe %STscript%setupcomplete.cmd & SET LASTERR=!errorlevel!

    Replace this with a call to the command file that executes the script for install on SEE 11.1.3 MP1 encrypted machines. This is simply this call, passing as parameter the correct drive letter to where the installation files are located - the batch file helpfully sets a variable for this (%volume%):

    call WinRS3-upgrade-SEE11.cmd %volume%:

    Then edit the command file and update the setup.exe call. The original line in the command file is:

    call %1\setup.exe /reflectdrivers %SEETempPath% /postoobe %SEETempPath%\setupcomplete.cmd

    Pick the items from the batch file that you want in the command file setup.exe call. If you wanted the %languageOption% (adding language packs to the installation) then you will need to pass this from the batch file on the call (as %2%). Keep all of the switches that are already in the command file as they relate to SEE, and include the last bit from the ‘&’ as this captures the exitcode needed for Patch Management Solution to identify if the upgrade was a success or not. The resulting update to the command line call will look something like this:

    call %1\setup.exe /auto upgrade /quiet /showoobe none /noreboot /telemetry disable /dynamicupdate disable /reflectdrivers %SEETempPath% /postoobe %SEETempPath%\setupcomplete.cmd & SET LASTERR=!errorlevel!

    To deal with passing the exitcode back to the batch file, as the very last line in the command file add this line:

    EXIT /B %LASTERR%

    And finally in the batch file right after the call to the command file add this line to store the exitcode in the correct batch file variable:

    SET LASTERR=%errorlevel%

    And that’s it. The setup line is replaced in the batch file and the exitcode is correctly returned.
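
A pre-rollout check for the two edits described in the post above, added here as an example; it is not part of the original post or of Symantec's scripts. The function name Test-SeeUpgradeEdits and the embedded fragments are constructed for illustration and contain only the edited lines, not the full vendor files.

```powershell
# Constructed fragments: only the edited lines of each file, not the full vendor scripts.
$sampleBatch = @'
call WinRS3-upgrade-SEE11.cmd %volume%:
SET LASTERR=%errorlevel%
'@
$sampleCommand = @'
call %1\setup.exe /auto upgrade /quiet /showoobe none /noreboot /telemetry disable /dynamicupdate disable /reflectdrivers %SEETempPath% /postoobe %SEETempPath%\setupcomplete.cmd & SET LASTERR=!errorlevel!
EXIT /B %LASTERR%
'@

function Test-SeeUpgradeEdits {   # hypothetical helper name, not Symantec tooling
    param([string]$BatchText, [string]$CommandText)
    # Trimmed, non-empty lines of each script
    $bat = @($BatchText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $cmd = @($CommandText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $problems = @()
    # Batch file: the direct setup.exe line must be gone, replaced by the call
    if (@($bat -match '%volume%:\\setup\.exe').Count -gt 0) {
        $problems += 'batch file still runs "%volume%:\setup.exe" directly'
    }
    $callIdx = -1
    for ($i = 0; $i -lt $bat.Count; $i++) {
        if ($bat[$i] -match '^call\s+WinRS3-upgrade-SEE11\.cmd\s+%volume%:') { $callIdx = $i; break }
    }
    if ($callIdx -lt 0) {
        $problems += 'batch file: call WinRS3-upgrade-SEE11.cmd %volume%: not found'
    } elseif ($callIdx + 1 -ge $bat.Count -or $bat[$callIdx + 1] -notmatch '^SET\s+LASTERR=%errorlevel%$') {
        $problems += 'batch file: SET LASTERR=%errorlevel% must come right after the call'
    }
    # Command file: one setup.exe line that keeps the SEE switches and captures the exit code
    $setup = @($cmd | Where-Object { $_ -match '\\setup\.exe\s' })
    if ($setup.Count -ne 1) {
        $problems += "command file: expected one setup.exe line, found $($setup.Count)"
    } else {
        foreach ($sw in '/reflectdrivers', '/postoobe') {
            if ($setup[0] -notmatch [regex]::Escape($sw)) { $problems += "command file: $sw missing from setup.exe line" }
        }
        if ($setup[0] -notmatch '&\s*SET\s+LASTERR=!errorlevel!$') {
            $problems += 'command file: setup.exe line does not end with & SET LASTERR=!errorlevel!'
        }
    }
    # Command file: the exit code must be handed back on the very last line
    if ($cmd.Count -eq 0 -or $cmd[-1] -notmatch '^EXIT\s+/B\s+%LASTERR%$') {
        $problems += 'command file: last line is not EXIT /B %LASTERR%'
    }
    return $problems
}

$result = @(Test-SeeUpgradeEdits -BatchText $sampleBatch -CommandText $sampleCommand)
if ($result.Count -eq 0) { 'Both edits look complete.' } else { $result }
```

To check the real files, pass the output of `Get-Content -Raw` on each file in the package location as the two parameters.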



  • 2.  RE: Using Patch Management Solution to deploy Windows 10 Fall Creators Update with Symantec Endpoint Encryption Installed

    Posted Feb 14, 2018 03:17 PM

    Make this a blog, not a forum query! It gets higher visibility as a blog.

    Thanks! 



  • 3.  RE: Using Patch Management Solution to deploy Windows 10 Fall Creators Update with Symantec Endpoint Encryption Installed

    Broadcom Employee
    Posted Feb 15, 2018 08:07 AM

    If that was an obvious solution I might have done it. No options to create Blogs in my account that I can see.