
Deploying an OS to an encrypted machine using MS System Center Config Manager

Created: 24 Jul 2013 | 8 comments

This might have the simple answer of "can't be done" due to the encryption, but our Project guys are looking at migrating to Windows 7 from XP and have the following concerns:

How can we deploy an operating system task sequence via MS System Center 2012 Config Manager onto an XP machine encrypted with PGP WDE?

What methods have other customers used?

We would be looking to use USMT (User State Migration Tool).

I have little knowledge of USMT or MS System Center, so I don't actually know how they work; hence asking here. Any thoughts? Has anyone had a similar issue?

Thanks in advance



Tom Mc:

For a WDE encrypted boot disk, the disk needs to be decrypted before updating that operating system.


Alex_CST:

Can you not use pgpwde to bypass the Bootguard, then proceed as normal?


James Hawk:

That has crossed my mind, but I didn't know how USMT etc works to know if that is possible.

If using the bypass option, run prior to any reboots of course, isn't that just a one-off bypass?

Alex_CST:

If it's encrypted to a disk administrator passphrase, you can do it as many times as you want.


Mike Ankeny:

Please don't do it.  It will not end well.  It will break.  How have other customers done it?  They have decrypted beforehand.  If they haven't, they call tech support, and find out that what they were attempting is unsupported.  We will give it our best effort, but there is only so much we can do.  I strongly recommend that you decrypt before upgrading your operating system.  And just in case you were looking for one, here is a document that says so:

James Hawk:

I was thinking as much; it's going to be the safest option, especially when they don't intend to keep PGP WDE afterwards anyway (good ol' budget cuts), so it would have to be formatted and/or decrypted anyway even if an upgrade to an encrypted disk succeeded...

Flash824:

All information I've read and understand states that you must decrypt the drive first. You can use System Center bootable media or PXE boot to boot and bypass the decryption process; however, this is primarily used for formatting the drive and then installing the OS. With the drive still encrypted, I haven't tested, so I'm not certain whether USMT would work in this scenario.

I, too, am looking for alternative options. I'd be happy to entertain any other ideas.    

James Hawk:

It looks like we're going down the route of decrypting each laptop as they come in to be migrated. Unencrypted desktops can be migrated over the network, but due to the encryption it looks like users will have to bring them in to us to process.

We've got a script to start the decryption and regularly check the status so we know when it's completed, so as to automate the whole process; hopefully this will make things a little easier.

At the end of the day they've decided to ditch PGP/Symantec WDE anyway, so a decryption was going to be required regardless. Fun fun...
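The "start the decryption, then poll the status until it's done" automation that the last comment mentions, written out as an added example. This is my illustrative code, not the thread's script and not anything from Symantec. It assumes that pgpwde.exe sits at the path shown, that `pgpwde --status --disk N` reports "instrumented by bootguard" while WDE is still present on the disk and "not instrumented" once decryption has fully completed, that the boot disk is disk 0, and that the passphrase belongs to a user enrolled on that disk; adjust any of those for your environment.

```powershell
# Added example (not the thread's own script): kick off PGP WDE decryption on an
# XP client and poll pgpwde until Bootguard is gone, so the ConfigMgr task
# sequence can be queued only once the disk is plain.
# Assumed (unverified against a live install): the pgpwde.exe path below, the
# wording of the --status output, and that the boot disk is disk 0.

$Pgpwde      = 'C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe'  # assumed path
$DiskNumber  = 0
$PollSeconds = 300   # how often to re-check progress
$MaxHours    = 12    # give up (and alert a tech) if decryption runs longer than this

function Invoke-Pgpwde {
    param([string[]]$Arguments)
    # Merge stderr into stdout and return text plus exit code: pgpwde explains
    # most failures in its text, not only in its return value.
    $text = (& $Pgpwde @Arguments 2>&1 | Out-String)
    New-Object PSObject -Property @{ ExitCode = $LASTEXITCODE; Output = $text }
}

function Get-WdeStatus {
    param([int]$Disk)
    $r = Invoke-Pgpwde -Arguments @('--status', '--disk', "$Disk")
    # Check "not instrumented" first: "not instrumented by bootguard" would also
    # match the positive pattern below.
    if     ($r.Output -match 'not instrumented')           { $inst = $false }  # WDE fully removed
    elseif ($r.Output -match 'instrumented by bootguard')  { $inst = $true  }  # still encrypted or decrypting
    else   { throw "Unrecognised pgpwde --status output for disk ${Disk}:`n$($r.Output)" }
    New-Object PSObject -Property @{ Instrumented = $inst; Raw = $r.Output.Trim() }
}

function Start-WdeDecryption {
    param([int]$Disk, [string]$Passphrase)
    # The passphrase is visible to anyone who can list this process's command
    # line for the moment pgpwde runs; on a shared box prompt for it rather than
    # hard-coding it in the script.
    $r = Invoke-Pgpwde -Arguments @('--decrypt', '--disk', "$Disk", '--passphrase', $Passphrase)
    if ($r.ExitCode -ne 0) {
        throw "pgpwde --decrypt failed with exit code $($r.ExitCode):`n$($r.Output)"
    }
    Write-Host "Decryption started on disk $Disk at $(Get-Date)"
}

function Wait-WdeDecryption {
    param([int]$Disk, [int]$IntervalSeconds, [int]$TimeoutHours)
    $deadline = (Get-Date).AddHours($TimeoutHours)
    $s = Get-WdeStatus -Disk $Disk
    while ($s.Instrumented) {
        if ((Get-Date) -gt $deadline) {
            throw "Disk $Disk still instrumented after $TimeoutHours h; inspect the machine by hand."
        }
        # Log the raw status each pass so a tech can watch the progress line move.
        Write-Host "$(Get-Date -Format 'HH:mm:ss') still decrypting:`n$($s.Raw)"
        Start-Sleep -Seconds $IntervalSeconds
        $s = Get-WdeStatus -Disk $Disk
    }
    Write-Host "Disk $Disk is no longer instrumented by Bootguard; safe to hand to ConfigMgr."
}

# --- main ---
if (-not (Test-Path $Pgpwde)) { throw "pgpwde.exe not found at $Pgpwde" }

if ((Get-WdeStatus -Disk $DiskNumber).Instrumented) {
    $secure = Read-Host -Prompt "WDE passphrase for disk $DiskNumber" -AsSecureString
    $plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                  [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
    Start-WdeDecryption -Disk $DiskNumber -Passphrase $plain
} else {
    Write-Host "Disk $DiskNumber is already unencrypted; nothing to start."
}
Wait-WdeDecryption -Disk $DiskNumber -IntervalSeconds $PollSeconds -TimeoutHours $MaxHours
```

Two practical notes: if the laptop gets rebooted while decryption is in progress and the script is re-run, call only Wait-WdeDecryption (a second `--decrypt` against a disk already being decrypted will just fail), and treat a non-zero exit from `--decrypt` as a stop condition rather than something to retry, since a wrong passphrase is the most common cause and polling for twelve hours would only hide it.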