2541 Considerations When Performing Major Windows Version Updates on Encrypted devices


Considerations for Upgrading Windows Version on Encrypted devices

(Note: this article applies only to major Windows version upgrades (e.g. from W10 1709 to 1903), not to regular Windows updates.)

When planning to upgrade a device that is already encrypted with SecureDoc, first go to http://www.winmagic.com/support/technical-specifications#securedocforwindows and verify that the version of SecureDoc installed on the endpoint is compatible with the version of Windows you are upgrading to. If it is not, you will need to upgrade your SES and then the client to the latest version before proceeding.

As part of our encryption process, SecureDoc installs Boot Logon as the first item in the device's boot order and pushes the Windows Boot Manager to Priority 2. During a Windows Feature update, the Windows installer re-writes the boot order, placing Windows Boot Manager back in its original location (P1). When the PC reboots, the OS upgrade fails: the files needed to complete the upgrade cannot be located, because the encrypted disk cannot be unlocked without Boot Logon.

The workaround is to perform the upgrade using the command line switch /ReflectDrivers and specify the path of our encryption drivers, so the Windows installer does not re-write the boot order. To do this, copy the file “reflect drivers command.bat” from the zip file attached to this KB to the same folder as the upgrade executable (Setup.exe) and run the batch file instead of the upgrade executable. If you are upgrading using a third-party management tool, see below for further instructions.
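
A PowerShell wrapper for the workaround above, as an added example; it is not the “reflect drivers command.bat” from the KB's zip attachment. `-ReflectDriversPath` is a placeholder for the SecureDoc driver folder on your endpoints, the log folder is hypothetical, and `/Auto Upgrade` is a standard Windows Setup switch assumed here. The script checks the driver folder and records the firmware boot order before launching Setup.exe, so the order can be compared after the upgrade.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight checks, then Setup.exe with /ReflectDrivers.
param(
    # Folder containing the upgrade media's Setup.exe (defaults to this script's folder).
    [string]$SetupDir = $PSScriptRoot,
    # PLACEHOLDER: folder holding the SecureDoc encryption drivers on this endpoint.
    [Parameter(Mandatory)][string]$ReflectDriversPath,
    # Hypothetical location for the pre-upgrade records.
    [string]$LogDir = (Join-Path $env:ProgramData 'UpgradePrecheck')
)
$ErrorActionPreference = 'Stop'

$setupExe = Join-Path $SetupDir 'Setup.exe'
if (-not (Test-Path -LiteralPath $setupExe -PathType Leaf)) {
    throw "Setup.exe not found in $SetupDir"
}

# Refuse to start when the driver folder is missing or empty: launching the
# upgrade without the encryption drivers reproduces the failure described above.
if (-not (Test-Path -LiteralPath $ReflectDriversPath -PathType Container)) {
    throw "ReflectDrivers folder not found: $ReflectDriversPath"
}
$drivers = Get-ChildItem -LiteralPath $ReflectDriversPath -Recurse -File |
    Where-Object { $_.Extension -in '.sys', '.inf' }
if (-not $drivers) {
    throw "No .sys or .inf files under $ReflectDriversPath"
}

# Record the firmware boot order (UEFI systems only) for comparison after the
# upgrade; Boot Logon is expected to remain the first entry.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$before = Join-Path $LogDir 'firmware-boot-order-before.txt'
bcdedit /enum firmware | Set-Content -LiteralPath $before

# Quote the path so folders containing spaces reach Setup.exe as one argument.
$setupArgs = @('/Auto', 'Upgrade', '/ReflectDrivers', "`"$ReflectDriversPath`"")
Write-Host "Launching: $setupExe $($setupArgs -join ' ')"
$proc = Start-Process -FilePath $setupExe -ArgumentList $setupArgs -Wait -PassThru

# Keep the exit code next to the boot-order record for later triage.
"Setup.exe exit code: $($proc.ExitCode)" |
    Set-Content -LiteralPath (Join-Path $LogDir 'setup-exit-code.txt')
exit $proc.ExitCode
```

After the upgrade completes, run `bcdedit /enum firmware` again from an elevated prompt and compare it with the saved file to confirm the boot order was left unchanged.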

Upgrade via SCCM
Review our KB article #1222, and at step 7 point to the batch file instead of the upgrade executable.

Upgrade via Ivanti
Review the setup instructions on the Ivanti website (https://forums.ivanti.com/s/article/How-To-Upgrade-Windows-10-Versions-Using-Ivanti-Patch-Manager) and copy the setupconfig.ini from the zip file attached to this KB to the appropriate location on the client, depending on the architecture of the client machine (either “C:\Program Files (x86)\LANDesk\LDClient\W10Config” or “C:\Program Files\LANDesk\LDClient\W10Config”).