Windows 10 *UPGRADE 1703 fails to install on Windows 10. When you boot first time after shutting down and updating, Windows 10 fails to boot and shuts down. Boot again and it reverts itself to the last version. Then it will download the update and install all over again. This is why I stopped using Windows before - too much hassle and FDE is flawed (this is an example how). Anyways.
This describes the problem:
https://sourceforge.net/p/veracrypt/discussion/technical/thread/ff1a23ca/
Further explanation:
https://veracrypt.codeplex.com/workitem/290
So from what I have gathered, Windows is messed up and requires you to decrypt the system first and then update. Then you're supposed to re-encrypt? This is crazy. What's the point of encryption if, after every major update, you just write unencrypted data to the disk?
Does anyone know of a solution to this that does not involve writing unencrypted data to the disk?
If anyone finds themselves in this situation, create backups before proceeding!
Last edit: Rehaan Raja 2017-07-28
Would "optimising"/ executing the TRIM command after re-encrypting clean up unencrypted data or is there something that I'm missing? Reason I have doubt is that when VC encrypts, it tries to overwrite the data but fails (I am using an SSD - wear levelling). It also does not "delete" the data - so it fails in both overwriting the data and also doesn't mark the data for deletion.
So with this in mind, would optimising the drive after encrypting it again, clean up/delete the unencrypted data?
Good news is I'm not hiding any classified information so unencrypting won't get me shot. But for those who do happen to be using VeraCrypt to encrypt sensitive information, this kind of vulnerability doesn't help.
If I had a spare HDD, I could clone the version of Windows there, perform the update, re-encrypt and transfer back to the SSD. Then securely erase the HDD. But I don't have a spare HDD and this would waste time.
Can this please get fixed? Speaking of which, this should probably get moved to the "feature requests" section forum.
I'm still interested in a solution, this will happen again in future.
Last edit: Rehaan Raja 2017-07-28
Solution:
https://github.com/th-wilde/veracrypt-w10-patcher
I'll post back my results with the above on an MBR drive.
It appears to have successfully upgraded Windows, without issue (though it created 'defaultuser0' - Windows did that). So the script does work like a charm on MBR drives.
1) Download the script.
2) Download an ISO.
3) Mount the ISO by double-clicking it.
4) Copy the ISO files into any directory on the drive - preferably the boot drive.
5) Copy the "veracrypt-w10-patcher.cmd" file into the same directory where you have copied the ISO files.
6) Run the script with Admin privileges - if it gets blocked by Windows Defender SmartScreen, disable SmartScreen, run again with Admin privileges and follow the instructions.
7) Once it has finished executing, it will say something to that effect in the command line window.
8) Run setup.exe - do not check the install recommended/security updates box on the first screen - go for the second box and click Next. This process is demonstrated in the YouTube video - link in the GitHub link.
Thanks to the guy who went through the effort of making it. It looks as if it will work on all future upgrades of Windows as well - unless the script stops working because Microsoft choose to change something critical.
A note to take into account: Sometimes the DISM program fails to dismount when the script runs. I have found that closing explorer.exe resolves this failure. I recommend that you ALWAYS, before running the script, close all programs and kill the explorer.exe process. That way it worked here without problems.
My note is about running veracrypt-w10-patcher!
I made a video walk through of all the steps for veracrypt-w10-patcher https://www.youtube.com/watch?v=B55XVjXbFLA
I do not recommend the use of VeraCrypt aware Windows upgrades. Fully decrypting before performing the upgrade is far less risky. It makes the process longer, and admittedly leaves you with an unencrypted drive for a day or two, but a couple days with an unencrypted drive should not be too much of a risk for anyone if it is well planned out. The process has the added benefit of refreshing your master key with a brand new one.
Kurt, there is no risk in trying the faster method as long as you have a full image backup like I recommended. Worst case scenario, the script completely breaks everything, you restore the image backup, decrypt, run updates, then recrypt.
Last edit: rchase 2018-01-30
I don't like to decrypt the whole system, since I am using an SSD hard drive. I don't want to write any more unencrypted data to it than necessary.
I used this script and successfully upgraded Windows to version 1709. But now VeraCrypt doesn't mount the system favorites automatically at start, although I selected the option. Does anyone have an idea how to deal with this problem?
Regards
DJ Bonez
Ensure that fast startup is still disabled after the upgrade. Then reboot PC.
https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html
Thank you! Everything is running fine now. :-)
I would like to use the above script, but I'm facing the following issue:
When I run the Windows 10 setup.exe, I get asked to enter a product key. The problem is that I didn't get a product key when I made the free upgrade from Windows 7 to Windows 10 and the old Windows 7 key got lost. I have reinstalled Windows 10 multiple times by booting from a USB stick install medium and the activation always worked fine without entering a key. Unfortunately, it seems like I can't skip the step when I use the setup.exe instead of booting from a boot medium. Reading out the product key with third party software didn't help, either. It just shows a generic code because I upgraded from Windows 7 and never had an actual Win 10 product key. Another generic code isn't working as well.
Any help would be really appreciated!
Last edit: Benedikt H 2018-03-21
What should we do when Windows won't update? A lot of people ask this question and want to know the answer to it. The solution to this problem is very simple. 1) You can run the Windows Update Troubleshooter. Open Control Panel > Icons > Troubleshooting > View all > click on Windows Update. 2) Make sure that all services related to Windows Update are running.
Competition figured it out, so can VeraCrypt
https://www.jetico.com/upgrade-windows-10-creators-update-rs2-system-encrypted-bestcrypt-volume-encryption
Automatically via setupconfig.ini
Manually via /ReflectDrivers
Thank you Taciturne for sharing this method.
By looking at Microsoft documentation, I see that it was introduced in Windows 10 version 1607 and for some reason I failed to notice its addition (https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options#23).
I will work on adapting VeraCrypt installer in order to be compatible with this approach so that future upgrades will work out of the box.
Can you give an estimate when this feature will be included? The update cycle is quite annoying.
I am not an IT person. We had VeraCrypt downloaded and, due to the issue with Microsoft, we uninstalled VeraCrypt and did the updates.
My question is: is this going to happen every time Microsoft has a new update, or was this just a one-time thing? I am trying to figure out if we should find another encryption program because I do not have the time to unencrypt and encrypt 7 computers every time Microsoft does an update.
Any help would be greatly appreciated! :) Thank you! Jodi
As posted above, the problem should be fixed once Mounir IDRASSI has modified the software successfully.
I have implemented compatibility with Windows 10 upgrades through the SetupConfig.ini and ReflectDrivers mechanisms and I have uploaded an installer for version 1.23-BETA0 that contains this to https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/
Now automatic upgrades will work out of the box when system encryption is on and manual upgrades can be performed by typing:
I have done tests using upgrades from 1703 to 1709. The only issue I encountered is if the system is partially encrypted in UEFI case but this is a marginal case and it should never happen in practice.
I am looking for users who are willing to test this version in order to confirm its reliability before rolling it out. Thank you.
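A pre-upgrade check for the SetupConfig.ini / ReflectDrivers mechanism discussed above, as an added example that is not part of any post in this thread and is not VeraCrypt's own code. It assumes the SetupConfig.ini location that Microsoft documents and that the reflected folder should hold the encryption driver's .inf and .sys files; the function names and the sample folder are hypothetical.

```powershell
# Added example (not VeraCrypt's code): confirm Windows Setup is configured to
# reflect a disk-encryption driver before a feature upgrade is attempted.

function Get-SetupConfigValue {
    # Return the value of $Key from the [SetupConfig] section, or $null if absent.
    param([string[]] $Lines, [string] $Key)
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'SetupConfig')
            continue
        }
        if (-not $inSection) { continue }
        # Entries are Key=Value; bare switches such as NoReboot have no "=".
        $name, $value = $line -split '=', 2
        if ($name.Trim() -ieq $Key) {
            if ($null -eq $value) { return '' }
            return $value.Trim().Trim('"')
        }
    }
    return $null
}

function Test-ReflectDriversConfig {
    # Default is the SetupConfig.ini location documented by Microsoft.
    param([string] $IniPath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini")

    if (-not (Test-Path -LiteralPath $IniPath -PathType Leaf)) {
        return [pscustomobject]@{ Ok = $false; Reason = "No SetupConfig.ini at $IniPath" }
    }
    $folder = Get-SetupConfigValue -Lines @(Get-Content -LiteralPath $IniPath) -Key 'ReflectDrivers'
    if ([string]::IsNullOrEmpty($folder)) {
        return [pscustomobject]@{ Ok = $false; Reason = 'No ReflectDrivers entry in [SetupConfig]' }
    }
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        return [pscustomobject]@{ Ok = $false; Reason = "ReflectDrivers folder missing: $folder" }
    }
    # Assumption: the folder must contain the driver's INF and SYS files.
    $inf = @(Get-ChildItem -LiteralPath $folder -Filter '*.inf' -File)
    $sys = @(Get-ChildItem -LiteralPath $folder -Filter '*.sys' -File)
    if ($inf.Count -eq 0 -or $sys.Count -eq 0) {
        return [pscustomobject]@{ Ok = $false; Reason = "No .inf/.sys pair in $folder" }
    }
    return [pscustomobject]@{ Ok = $true; Reason = "Setup will reflect drivers from $folder" }
}

# Constructed sample (not from the page); the folder is a placeholder.
$sample = @'
[SetupConfig]
NoReboot
ReflectDrivers="C:\Path\To\EncryptionDriverFolder"
'@ -split "`r?`n"
Get-SetupConfigValue -Lines $sample -Key 'ReflectDrivers'

# On a real system, run from an elevated prompt before starting the upgrade:
Test-ReflectDriversConfig | Format-List
```

If `Ok` is false, fix the configuration before starting the upgrade rather than falling back to decrypting the system drive.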
This worked perfectly. I only tested the manual one though and from 1703 to 1709 as well.
When 1803 comes out I'll test the automatic upgrade as well (on about 10 systems) and I'll let you know.
Does using the Windows 10 Update Assistant tool count as automatic? As that would make it a lot easier to predict when these upgrades drop.
Just a heads up, the Windows upgrade location is at:
C:\$GetCurrent\media
The 1.23 beta didn't fix the upgrade issue for me (my drive uses EFI) so I had to manually execute the command you provided. Hopefully this saves someone having to look up where the upgrade files are stored.
Last edit: Terrobility 2018-04-27
Just want to thank you, I successfully upgraded 3 encrypted Windows 10 installations to 1803 with VC 1.23-BETA0 without the need to decrypt! That is really a great improvement. In my case
Additionally used "/ResizeRecoveryPartition Disable" to avoid the creation of an additional partition.