Symantec PGP Encryption

  • 1.  Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Mar 22, 2018 09:26 PM

    Greetings,

    Is there a solution for doing zero touch OSD upgrades from Windows 7 to Windows 10 on SEE encrypted drives? Is there a solution for servicing the OS for encrypted drives?

    Decryption is not an option unfortunately, and most of my automation attempts for a zero touch upgrade have been thwarted by the fact that I can't write the boot wim to the drive for WinPE.

    Right now the only thing that works is a diskpart, cleaning the drive, repartitioning and starting the task sequence from boot media. If there is no option, is it documented somewhere so that I can share this with my team?



  • 2.  RE: Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Mar 26, 2018 05:55 AM

    On the whole, the easiest method I've found of migrating OSes on encrypted machines is to PXE boot, completely wipe, reinstall, and push encryption afterwards (obviously, I'm accepting that any existing information is lost, and warn the users beforehand).

    As you've found, anything that requires creating bootable media on an already encrypted disk (like SCCM) encounters problems.



  • 3.  RE: Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Mar 28, 2018 10:14 AM

    Anyone else pull off the Windows 10 upgrades with the scripts yet? I have yet to get it to work.



  • 4.  RE: Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Sep 19, 2018 07:05 PM

    I haven't tried with the reflectdrivers option, since we're using LTSB that isn't an option from Windows 7. I think if I flipped to a current branch version I'd be rocking.

    My security guy opened a call with Symantec and their only answer was "in place upgrade" or "Decrypt". I don't think our security manager or director would be too keen on that idea. I haven't given up, but I'm not exactly on the grid at this point.

    I played a bit with a PE boot image with the recovery stuff added to it. I can boot into PE, and it lets me do the auth and navigate around the contents of the encrypted drive. I think the part that is wrecking my day is the fact that I can't do the "Reboot into PE" step. My presumption is that the task sequence pulls down the boot.wim and does the equivalent of a bcdedit to direct it to there. Are there any ways to manipulate those settings on an encrypted drive, or is it locked in and sealed upon encryption?

    I suspect this is the wall that breaks everything.



  • 5.  RE: Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Sep 20, 2018 07:53 AM

    It sounds like you're after the same thing as the below thread, and my recommendation remains the same, I'm afraid:

    https://www.symantec.com/connect/forums/bypass-preexisting-pgp-installations-during-sccm-windows-10-place-upgrade

    It sounds like your task sequence tries to set up a new PE partition inside the encrypted disk, and so you're essentially trying to tell SEE to boot to WinPE instead of Windows after PBA, which seems to fail all round.

    As mentioned above, I've found it far easier to just ignore everything on the disk and install Win10 as if the encrypted disk was blank, then install SEE again afterwards and encrypt.



  • 6.  RE: Windows 10 Servicing - OSD upgrades and OS servicing

    Posted Feb 28, 2019 02:44 PM

    Hello,

    Any updates on this? I’m stuck on how to integrate the upgrade script into the SCCM OSD upgrade task sequence.

    The script wants you to run this cmd: WinRS2-upgrade-SEE11.cmd Z:\ ……(Folder path to the Setup.exe file in the Windows 10 Installation Media)

    While it’s tentatively possible to link the script to the C:\_SMSTaskSequence\Packages folder, how would that work within SCCM? Do you need to change the install cmd for SCCM to install Windows 10? In the upgrade task sequence, there is no option for the Windows 10 OS setup.exe cmd line.

    Thanks in advance,

    Brian