Windows 10: In-place upgrade w/ PGP Desktop Encryption
May 24, 2018
Quisitive
Tutorial on how to upgrade to Windows 10 with PGP Desktop Encryption in place, with a few options.

Recently, I’ve had a few customers who use full disk encryption from Symantec (Symantec PGP, Symantec Endpoint Encryption, or Symantec Desktop Encryption) on client computers instead of Microsoft BitLocker. “Why?”… well… it’s most likely that they have a really good Symantec sales rep. Either that or they implemented prior to BitLocker being ready for prime time and never bothered to change the solution. And yes, I prefer the Microsoft solution for its ease of management and integration points.

The most recent customer was running Windows 7 with Symantec Desktop Encryption (complete with the server component for management) for full disk encryption. Their goal was to upgrade all Windows 7 clients to Windows 10 (Current Branch) without decrypting the volume, if possible. They also use SCCM for endpoint management, software deployment and OSD. Our solution needs to leverage SCCM and an In-Place Upgrade Task Sequence.

To achieve the goal, we have some options available to us (there may be more than I’ve listed here, but you get it):

  A. Nuke and Pave (treat it like a bare-metal or replacement scenario)
    • Capture user files and data to a network location (USMT)
    • Delete all partitions on the physical disk
    • Install/apply the operating system
    • Install applications
    • Install drivers
    • Restore user files and data from the network location (USMT)
  B. Include the encryption drivers by modifying the setup command-line
    • Leverage the “/ReflectDrivers” command-line option
  C. Suspend disk encryption
    • Suspend BitLocker (if used)
  D. Decrypt the drive
  E. Use vendor-supplied upgrade scripts
  F. Use a combination of the above options

Ultimately, we chose option F (a combination of options B and E). This was because of the following:

  • “Nuke and Pave” might take additional dev time to get the USMT definition of “What is user data?” right.
  • Symantec Encryption Server didn’t have an option to suspend encryption.
  • Decryption takes waaayyyy too long, and isn’t a valid option given the customer’s requirements.

Requirements

Based upon the customer requirements and the options chosen, we will need the following items to build our solution:

  • A healthy and functional Configuration Manager Hierarchy
  • In-Place Upgrade Task Sequence
  • Vendor supplied upgrade scripts from Symantec
    • A Google search for the correct scripts for your version of PGP is needed. Simply find the version(s) you need and download the appropriate zip file(s).
    • SUGGESTED GOOGLE SEARCH TEXT: “Win10 In-Place upgrade PGP (VERSIONNUM)”
      • (VERSIONNUM) = the version of PGP you are using.
      • Ours was 10.4.1 located here
      • The specific zip file for version 10.4.1 is here
  • A few guinea pigs (Windows 7 machines with encrypted disks). Three (3) or four (4) should do it.

Preparation

Review the Upgrade Script(s) from Symantec

  1. Unzip the files in the package, then open the “Readme.txt” file.
  2. Look for the “Usage:” line in the readme file. It should have something like “WinRS3-upgrade-SED1041.cmd ”
    • “WinRS3-upgrade-SED1041.cmd” would be the name of the upgrade script to examine (CMD file).
  3. Open the CMD file in Notepad.
  4. Note the actions being performed; these are the actions we will perform using PowerShell.
    • For PGP 10.4.1 (our version), the CMD file does the following:
      1. Creates a temp folder at “C:\PGPTemp”
      2. Stops running PGP processes
      3. Copies the PGP drivers from “C:\Windows\System32\Drivers” to “C:\PGPTemp”, if present
      4. Copies the support files from the script folder to “C:\PGPTemp”
      5. Sets the upgrade command-line options “/ReflectDrivers” and “/PostOOBE”
      6. Initiates the upgrade to Windows 10

Mimic the script actions with PowerShell

Now that we know the steps (from Symantec) to perform our upgrade on an encrypted system, we can create our PowerShell script. Please note that these steps are not in the exact same order as the CMD file from Symantec; the end result is the same though.

  • We’ll start our script with a line that records the location (path) of the currently running script; this will help us later on when we add it to the Task Sequence.
# Folder the script is running from (the SCCM package source at run time)
$ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
  • Then, we’ll stop any running PGP-related processes with this bit of code.
# Stop PGP processes before the upgrade (matched on the executable path)
$Procs = Get-Process
Foreach ($Proc in $Procs) {
    If ($Proc.Path -like "*PGP*") {
        Stop-Process -Id $Proc.Id -Force
    }
}
  • We need to create the “C:\PGPTemp” folder and copy the encryption drivers next, but only if the drivers exist in the first place. Here’s how we do that.
# Copy the encryption drivers if they exist
$PGPSrc  = "$($env:windir)\System32\drivers"
$PGPDest = "$($env:SystemDrive)\PGPTemp"
$Drivers = Get-ChildItem -Path $PGPSrc

Foreach ($Driver in $Drivers) {
    If ($Driver.Name -like "PGP*") {
        # If the PGPTemp folder doesn't exist, create it
        If (-not (Test-Path $PGPDest)) {
            New-Item -Path $PGPDest -ItemType Directory | Out-Null
        }
        Copy-Item $Driver.FullName -Destination $PGPDest -Force
    }
}
  • Now we need to copy the support files from the script folder. We’ll add some code to our script to perform that action.
# Copy the PGP support files shipped alongside the script into the staging folder
$CMDFiles = Get-ChildItem -Path $ScriptPath
Foreach ($CMDFile in $CMDFiles) {
    Copy-Item $CMDFile.FullName -Destination $PGPDest -Force
}
  • Since SCCM uses “SetupCompleteTemplate.cmd” (located in ‘C:\Windows\CCM’) as the template from which it creates “%WINDIR%\Setup\Scripts\SetupComplete.cmd”, we will need to add the content of the PGP version of “SetupComplete.cmd” to that template. Yup… more PowerShell…
If (Test-Path -Path $PGPDest) {
    $PGPFile     = Get-Content -Path "$($PGPDest)\SetupComplete.cmd"
    $CCMTemplate = "$($env:windir)\CCM\SetupCompleteTemplate.cmd"
    # Keep a backup of the original template, then append the PGP commands to it
    Copy-Item -Path $CCMTemplate -Destination "$($env:windir)\CCM\SetupCompleteTemplate.bak" -Force
    Add-Content -Path $CCMTemplate -Value $PGPFile
}
  • Since our SCCM upgrade task sequence sets the “/PostOOBE” setup option for us, we only need to set the “/ReflectDrivers” option as the last step of the script, like this.
# Hand the extra setup.exe option to the task sequence's Upgrade Operating System step
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value("OSDSetupAdditionalUpgradeOptions") = "/ReflectDrivers $($PGPDest)"

Here is the whole thing cleaned up as a single PowerShell script. Copy the code below and save it as “Set-PGPUpgradeDrivers.ps1”.

# Folder the script is running from (the SCCM package source at run time)
$ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition

$PGPSrc  = "$($env:windir)\System32\drivers"
$PGPDest = "$($env:SystemDrive)\PGPTemp"

# Copy the encryption drivers if they exist
$Drivers = Get-ChildItem -Path $PGPSrc -Filter "PGP*"

If ($Drivers) {

    # Create the staging folder if it does not already exist
    If (-not (Test-Path $PGPDest)) {
        New-Item -Path $PGPDest -ItemType Directory | Out-Null
    }

    # Stop PGP processes before the upgrade
    Get-Process | Where-Object { $_.Path -like "*PGP*" } | Stop-Process -Force

    Foreach ($Driver in $Drivers) {
        Copy-Item $Driver.FullName -Destination $PGPDest -Force
    }

    # Copy PGP script files (the support files in the "Win7" folder next to this script)
    $CMDFiles = Get-ChildItem -Path "$($ScriptPath)\Win7"
    Foreach ($CMDFile in $CMDFiles) {
        Copy-Item $CMDFile.FullName -Destination $PGPDest -Force
    }

    # Set the OSDSetupAdditionalUpgradeOptions task sequence variable
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value("OSDSetupAdditionalUpgradeOptions") = "/ReflectDrivers $($PGPDest)"
}

# Append the PGP SetupComplete.cmd to the SCCM template, keeping a backup of the original
If (Test-Path -Path $PGPDest) {
    $PGPFile     = Get-Content -Path "$($PGPDest)\SetupComplete.cmd"
    $CCMTemplate = "$($env:windir)\CCM\SetupCompleteTemplate.cmd"
    Copy-Item -Path $CCMTemplate -Destination "$($env:windir)\CCM\SetupCompleteTemplate.bak" -Force
    Add-Content -Path $CCMTemplate -Value $PGPFile
}
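As an added example (not from the original post or from Symantec’s scripts), here is the same staging step written so that it can be re-run safely and checked afterwards from its log: the staging folder is restricted to SYSTEM and Administrators, the template is only appended once, and the script still works on a guinea pig outside a task sequence. It assumes the layout used above: PGP* drivers in System32\drivers, Symantec’s support files (including SetupComplete.cmd) in a “Win7” folder beside the script, and SCCM’s SetupCompleteTemplate.cmd in %windir%\CCM.

```powershell
# Added example, not the post's or Symantec's code. Assumes PGP* drivers in System32\drivers,
# Symantec's support files in a "Win7" folder beside this script, and the SCCM template in %windir%\CCM.
$ScriptPath = Split-Path -Parent $MyInvocation.MyCommand.Definition
$PGPDest    = Join-Path $env:SystemDrive 'PGPTemp'
$Template   = Join-Path $env:windir 'CCM\SetupCompleteTemplate.cmd'
$Log        = Join-Path $env:windir 'Temp\Set-PGPUpgradeDrivers.log'

function Write-Log ($Message) { "$(Get-Date -Format s) $Message" | Add-Content -Path $Log }

$Drivers = Get-ChildItem -Path (Join-Path $env:windir 'System32\drivers') -Filter 'PGP*'
if (-not $Drivers) {
    Write-Log 'No PGP drivers found; nothing to stage.'
    exit 0   # not a failure: the step is a no-op on a machine without PGP
}

# Setup installs whatever drivers it finds under /ReflectDrivers, so stage them in a folder
# that only SYSTEM and Administrators can write to, instead of inheriting the drive root's ACL.
New-Item -Path $PGPDest -ItemType Directory -Force | Out-Null
$Acl = Get-Acl -Path $PGPDest
$Acl.SetAccessRuleProtection($true, $false)   # drop inherited rules
foreach ($Id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $PGPDest -AclObject $Acl

Get-Process | Where-Object { $_.Path -like '*PGP*' } | Stop-Process -Force -ErrorAction SilentlyContinue
$Drivers | Copy-Item -Destination $PGPDest -Force
Get-ChildItem -Path (Join-Path $ScriptPath 'Win7') | Copy-Item -Destination $PGPDest -Force
Write-Log "Staged $(@($Drivers).Count) driver(s) and the support files to $PGPDest"

# Append Symantec's SetupComplete.cmd to the SCCM template only once, behind a marker line,
# so a re-run of the task sequence step does not duplicate the commands.
$Marker = 'REM PGP-UPGRADE-BLOCK'
if (-not (Select-String -Path $Template -Pattern $Marker -SimpleMatch -Quiet)) {
    Copy-Item -Path $Template -Destination "$Template.bak" -Force
    Add-Content -Path $Template -Value (@($Marker) + (Get-Content -Path (Join-Path $PGPDest 'SetupComplete.cmd')))
    Write-Log "Appended SetupComplete.cmd to $Template"
}

# Microsoft.SMS.TSEnvironment only exists inside a running task sequence; outside one
# (e.g. when testing on a guinea pig) the script logs and continues instead of failing.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('OSDSetupAdditionalUpgradeOptions') = "/ReflectDrivers $PGPDest"
    Write-Log "OSDSetupAdditionalUpgradeOptions = $($tsenv.Value('OSDSetupAdditionalUpgradeOptions'))"
} catch { Write-Log "Not running in a task sequence; OSDSetupAdditionalUpgradeOptions not set ($_)" }
```

After a test run on one of the guinea pigs, the log in %windir%\Temp shows what was staged and the exact /ReflectDrivers value handed to setup, which is the first thing to check if the upgrade later fails to boot into the encrypted volume.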

Implementation

  • Set up bypass of Symantec BootGuard
    • Enable bypass for up to 4 reboots.
  • Create a package in SCCM called “OSD-SetPGPUpgradeDrivers”
  • Add the step to your task sequence