1947 - Performing major Windows OS version upgrades on encrypted devices


Performing major Windows OS version upgrades on Encrypted devices

Overview

This article provides guidance for customers performing major Windows OS version upgrades (e.g., from Windows 10 20H2 to Windows 10 22H2/Windows 11 24H2). It does not apply to regular incremental Windows updates.

There are three supported methods for upgrading Windows OS on an encrypted device:

  • SDWin10Update.exe
  • setup.exe with /ReflectDrivers switch
  • Windows Update

Prerequisites

Before upgrading, ensure the device already has a supported SecureDoc version installed. Refer to the following resources:

Upgrades are required only if one of the following encryption deployments is in use:

  • Systems encrypted with SecureDoc Software Encryption
  • Systems encrypted with Microsoft BitLocker

Notes

  • OPAL/Self-Encrypted Drives (SEDs):
    • System update via Windows Control Panel
    • Running the installation DVD within Windows OS
    • Running setup.exe without /ReflectDrivers switch
  • BitLocker Encryption:
    • Can run setup.exe without /ReflectDrivers switch

Upgrade Methods

Method 1: Using SDWin10Update.exe

  1. Perform a full data backup of encrypted endpoints.
  2. Download Windows 10 22H2/Windows 11 24H2 ISO image.
    • We recommend copying the ISO contents to a secondary drive or locally on the device.
  3. Run SDWin10Update.exe with administrator rights from:
    C:\Program Files\WinMagic\SecureDoc-NT
  4. Follow the prompts:
    • Click Yes → Click OK on the notification → Select the Windows 10/11 Setup.exe file.

Method 2: Using setup.exe with /ReflectDrivers switch

  1. Verify the following WinMagic system files exist:
    • SDDisk2K and SDDToki in C:\Windows\System32\Drivers
    • SDDisk2K and SDDToki in C:\Program Files\WinMagic\SecureDoc-NT\ReflectDrivers
  2. Run the command:
    D:\Win11\setup.exe /ReflectDrivers "C:\Program Files\WinMagic\SecureDoc-NT\ReflectDrivers"

Method 3: Using Windows Update

If the update is delivered via Windows Update, Windows Setup searches for a SetupConfig.ini file in the default location:

%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini

Example SetupConfig.ini:

[SetupConfig]
ResizeRecoveryPartition=Disable
ReflectDrivers="C:\Program Files\WinMagic\SecureDoc-NT\ReflectDrivers"
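
The driver check from Method 2, step 1, and the SetupConfig.ini from Method 3 can be scripted together as a pre-flight step. The script below is an added example, not WinMagic code. It assumes the driver files can be matched by base name (the article lists no file extensions) and that an ASCII-encoded SetupConfig.ini is acceptable.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code): pre-flight for Methods 2 and 3.
$ErrorActionPreference = 'Stop'

$reflectDir  = 'C:\Program Files\WinMagic\SecureDoc-NT\ReflectDrivers'
$driverDirs  = @("$env:SystemRoot\System32\Drivers", $reflectDir)
$driverNames = @('SDDisk2K', 'SDDToki')   # base names as listed in the article

# Assumption: the article gives no extensions, so match "<name>.*".
$missing = foreach ($dir in $driverDirs) {
    foreach ($name in $driverNames) {
        $hit = Get-ChildItem -Path $dir -Filter "$name.*" -File -ErrorAction SilentlyContinue
        if (-not $hit) { "$dir\$name" }
    }
}

if ($missing) {
    $missing | ForEach-Object { Write-Warning "Missing SecureDoc driver file: $_" }
    throw 'SecureDoc driver files not found in both locations; do not start the upgrade.'
}

# Method 3: place SetupConfig.ini where Windows Setup looks for it.
$iniDir  = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS"
$iniPath = Join-Path $iniDir 'SetupConfig.ini'
$iniBody = @(
    '[SetupConfig]'
    'ResizeRecoveryPartition=Disable'
    "ReflectDrivers=`"$reflectDir`""
)

New-Item -ItemType Directory -Path $iniDir -Force | Out-Null
# Assumption: ASCII encoding chosen for the INI file.
Set-Content -Path $iniPath -Value $iniBody -Encoding Ascii

# Read the file back so the operator can confirm what Setup will see.
Write-Output "Wrote ${iniPath}:"
Get-Content -Path $iniPath
```

If the driver check fails, the script stops before writing SetupConfig.ini, so an upgrade delivered by Windows Update is not started with a ReflectDrivers path that lacks the SecureDoc drivers.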

Special Instructions for BitLocker Environments

Step 1: Update Profile Settings

Ensure the following features are disabled in the current profile:

  • Prevent unmanaged decryption
  • Prevent volume protection suspension
  • Disable BitLocker management application

Step 2: Suspend BitLocker Using PowerShell

  1. Open Start, search for PowerShell, right-click the result, and select Run as administrator.
  2. Enter the following command:
    Suspend-BitLocker -MountPoint "C:" -RebootCount 0

Note: Running setup.exe with the /ReflectDrivers switch is not required in BitLocker environments.

After the upgrade, re-push the profile to re-enable BitLocker Tamper Protection settings.

Current Limitations

Be aware of the following limitations when upgrading:

  1. Upgrading to Windows 10 with SFE enabled is not supported unless the device already has SD 9.0 SR1.
  2. Using SD Credential Provider with Windows 10 may occasionally present the SecureDoc logon screen unless the device already has SD 9.0 SR1.
  3. RMCE (Removable Media Container) may fail to unmount under Windows 10.
  4. Windows 10 may fail to resume from Hibernation in BIOS Legacy mode.

Result: Following these methods ensures a successful major Windows OS upgrade on encrypted devices while maintaining SecureDoc compatibility.