Windows Feature Update with Full Disk Encryption

When deploying a Windows feature update on a computer with full disk encryption enabled, Patch Management passes the SetupConfig.ini location to Windows. Windows then uses the ReflectDrivers information in the SetupConfig.ini file to access the encryption drivers and retrieve the required drive details to perform the upgrade.

Most third-party vendors use Microsoft’s default SetupConfig.ini folder, but some products apply a custom location.

The use of custom locations can lead to potential feature update installation failures where Windows is not passed the custom SetupConfig.ini location.

Where Windows is unable to access the encryption drivers and install the feature update, it writes the following error message to the SetupDiag logs: %WinDir%\Logs\SetupDiag\SetupDiagResults.xml.

0xC1900101 - 0x20017 - The installation failed in the SAFE_OS phase with an error during BOOT operation

Configure Custom SetupConfig.ini Location

To support those products that use a custom SetupConfig.ini folder, we have included the option to insert the SetupConfig.ini location in the FeatureUpdateConfigFilePath node of the Patch Management PmeConfig.xml configuration file.

Patch Management will only use the FeatureUpdateConfigFilePath node where populated, otherwise, it will query Microsoft’s default SetupConfig.ini location: %systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini.

To configure the custom SetupConfig.ini location:

  1. Log in to the target computer.

  2. Navigate to the PmeConfig.xml location: %programdata%\MspPlatform\PME\config\PmeConfig.xml.

  3. Open PmeConfig.xml in a text editor.

  4. Insert the custom location of the SetupConfig.ini file in the FeatureUpdateConfigFilePath node. For example:

  5. <FeatureUpdateConfigFilePath>C:\Progam Files\Product\Data\SetupConfig.ini</FeatureUpdateConfigFilePath>

  6. Save the file.

Third-party vendors are responsible for managing and maintaining their SetupConfig.ini files. We recommend reviewing the vendor's full-disk encryption documentation and SetupConfig.ini file location before making changes to PmeConfig.xml.

Please validate the custom location of the SetupConfig.ini file on the computer before adding it in PmeConfig.xml. If the entered location is incorrect, Patch Management will be unable to pass the SetupConfig.ini information to Windows.