Install Windows Feature Updates on Devices with Third Party Disk Encryption
This article covers installing Windows feature updates (for example, Windows 10, version 22H2) on devices where the disk is encrypted by third-party vendors such as VeraCrypt, ESET or McAfee. No action is required if the disk is encrypted using Windows BitLocker.
When deploying a Windows feature update on a computer with third-party disk encryption, Patch Management passes the SetupConfig.ini location to Windows. Windows then uses the ReflectDrivers information in the SetupConfig.ini file to access the encryption drivers and retrieve the required drive details to perform the upgrade.
Most third-party vendors use Microsoft’s default SetupConfig.ini folder, but some products apply a custom location.
Custom locations can cause feature update installations to fail when Windows is not passed the custom SetupConfig.ini location.
Where Windows is unable to access the encryption drivers and install the feature update, it writes the following error message to the SetupDiag logs:
0xC1900101 - 0x20017 - The installation failed in the SAFE_OS phase with an error during BOOT operation
Configure Custom SetupConfig.ini Location
To support those products that use a custom SetupConfig.ini folder, we have included the option to insert the SetupConfig.ini location in the FeatureUpdateConfigFilePath node of the Patch Management PmeConfig.xml configuration file.
Patch Management uses the FeatureUpdateConfigFilePath node only where it is populated. Otherwise, it queries Microsoft’s default SetupConfig.ini location: %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini.
To configure the custom SetupConfig.ini location:
1. Log in to the target computer.
2. Navigate to the PmeConfig.xml location: %programdata%\MspPlatform\PME\config\PmeConfig.xml.
3. Open PmeConfig.xml in a text editor.
4. Insert the custom location of the SetupConfig.ini file in the FeatureUpdateConfigFilePath node. For example:
5. Save the file.
Third-party vendors are responsible for managing and maintaining their SetupConfig.ini files. We recommend reviewing the vendor's full-disk encryption documentation and SetupConfig.ini file location before making changes to PmeConfig.xml.
Please validate the custom location of the SetupConfig.ini file on the computer before adding it to PmeConfig.xml. If the entered location is incorrect, Patch Management will be unable to pass the SetupConfig.ini information to Windows.
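One way to carry out the validation described above, as an added example that is not part of the vendor's tooling: a read-only PowerShell check that the candidate SetupConfig.ini exists, that its ReflectDrivers folder is present and not empty, and which location Patch Management currently resolves to. The candidate path is a hypothetical placeholder, and the script assumes the ReflectDrivers entry is a single key=value line and that the FeatureUpdateConfigFilePath node can be found by name anywhere in PmeConfig.xml.

```powershell
# Added example: read-only check of a SetupConfig.ini location before editing PmeConfig.xml.
param(
    # Hypothetical placeholder: replace with the location from the vendor's documentation.
    [string]$CandidateIni = 'C:\ExampleVendor\SetupConfig.ini'
)

# Both locations below are the ones given in this article.
$pmeConfig  = Join-Path $env:ProgramData 'MspPlatform\PME\config\PmeConfig.xml'
$defaultIni = Join-Path $env:SystemDrive 'Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'

function Test-SetupConfigIni {
    param([string]$Role, [string]$Path)
    $r = [ordered]@{ Role = $Role; Path = $Path; IniExists = $false
                     ReflectDrivers = $null; DriverFolderExists = $false; DriverFiles = 0 }
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $r.IniExists = $true
        # Assumes the usual key=value form: ReflectDrivers="<folder>"
        $line = Get-Content -LiteralPath $Path |
            Where-Object { $_ -match '^\s*ReflectDrivers\s*=' } | Select-Object -First 1
        if ($line) {
            $folder = [Environment]::ExpandEnvironmentVariables(($line -split '=', 2)[1].Trim().Trim('"'))
            $r.ReflectDrivers = $folder
            if ($folder -and (Test-Path -LiteralPath $folder -PathType Container)) {
                $r.DriverFolderExists = $true
                $r.DriverFiles = @(Get-ChildItem -LiteralPath $folder -Recurse -File).Count
            }
        }
    }
    [pscustomobject]$r
}

# Read the node without assuming where it sits in the XML tree or which namespace it uses.
$configured = $null
if (Test-Path -LiteralPath $pmeConfig -PathType Leaf) {
    [xml]$xml = Get-Content -LiteralPath $pmeConfig -Raw
    $node = $xml.SelectSingleNode("//*[local-name()='FeatureUpdateConfigFilePath']")
    if ($node) { $configured = $node.InnerText.Trim() }
}

# Per the article: the node is used only where populated, otherwise the default location.
$inUse = if ($configured) { $configured } else { $defaultIni }

@(
    Test-SetupConfigIni -Role 'Candidate (to be entered)' -Path $CandidateIni
    Test-SetupConfigIni -Role 'Currently used by Patch Management' -Path $inUse
) | Format-List
```

A candidate that reports IniExists or DriverFolderExists as False should be checked against the vendor's documentation before it is entered in PmeConfig.xml.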