SEP 12.1 RU1 rollback due to Base filtering engine (BFE) key missing


Article ID: 156518


Products

Endpoint Protection

Issue/Introduction

Unable to install Symantec Endpoint Protection (SEP) 12.1 RU1 despite the use of CleanWipe. The installation rolls back.

Error: BFE is missing while attempting to install SEP 12.1 RU1
Another symptom: Windows Firewall cannot be restarted.

Cause

As of SEP 12.1 RU1, the install process includes a check that prohibits installation if the Base Filtering Engine service is stopped or its registry keys are missing or corrupt.

The Base Filtering Engine (BFE) is a Microsoft service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications. Symantec Endpoint Protection is designed to manage the Windows Firewall service and utilize the Base Filtering Engine service. Manually disabling these services is not necessary or recommended.

Intrusion Prevention in Symantec Endpoint Protection requires the Base Filtering Engine to be running. If the Base Filtering Engine is stopped, IPS cannot make detections.

Environment

This issue is known to affect both Windows Vista and Windows 7, 32-bit and 64-bit OSes.
It may also affect Windows 2008, Windows 8 and Windows Server 2012.

Resolution

The issue can be fixed by exporting the BFE registry key from a known good Windows 7 system (32 / 64 bits):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Import the registry key on the affected workstation and reboot the computer.
The installation will then succeed.
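
The check and the export/import steps above can be scripted as follows. This is an added example, not part of the original article or any Symantec tooling. The script's `-Mode` parameter, the function name `Test-BfeHealth` and the file paths under `C:\Temp` are hypothetical, and checking the `ImagePath`, `Start` and `Type` values is an assumed sanity test based on the standard layout of a Windows service key. Run it from an elevated PowerShell prompt.

```powershell
# Added example: verify BFE, then export (known good PC) or import (affected PC).
param([ValidateSet('Check','Export','Import')][string]$Mode = 'Check')

$bfeKeyPs   = 'HKLM:\SYSTEM\CurrentControlSet\services\BFE'
$bfeKeyReg  = 'HKLM\SYSTEM\CurrentControlSet\services\BFE'
$exportFile = 'C:\Temp\BFE-known-good.reg'      # hypothetical path
$backupFile = 'C:\Temp\BFE-before-import.reg'   # hypothetical path

function Test-BfeHealth {
    # Returns a list of problems; an empty list means the key and service look sane.
    $problems = @()
    if (-not (Test-Path $bfeKeyPs)) {
        $problems += "Registry key missing: $bfeKeyPs"
    } else {
        $props = Get-ItemProperty -Path $bfeKeyPs
        foreach ($name in 'ImagePath', 'Start', 'Type') {   # standard service values (assumption)
            if ($null -eq $props.$name) { $problems += "Value missing under BFE key: $name" }
        }
    }
    $svc = Get-Service -Name BFE -ErrorAction SilentlyContinue
    if ($null -eq $svc) { $problems += 'BFE service is not registered' }
    elseif ($svc.Status -ne 'Running') { $problems += "BFE service status: $($svc.Status)" }
    $problems
}

switch ($Mode) {
    'Check' {
        $found = @(Test-BfeHealth)
        if ($found.Count -eq 0) { 'BFE key present and service running.' } else { $found }
    }
    'Export' {
        # Only export from a machine that passes the check itself.
        if (@(Test-BfeHealth).Count -ne 0) { throw 'This system is not a known good source.' }
        reg.exe export $bfeKeyReg $exportFile /y
        if ($LASTEXITCODE -ne 0) { throw 'reg export failed.' }
    }
    'Import' {
        if (-not (Test-Path $exportFile)) { throw "Export file not found: $exportFile" }
        # Keep a copy of whatever is currently there before overwriting it.
        if (Test-Path $bfeKeyPs) { reg.exe export $bfeKeyReg $backupFile /y | Out-Null }
        reg.exe import $exportFile
        if ($LASTEXITCODE -ne 0) { throw 'reg import failed.' }
        'Import complete. Reboot, then re-run with -Mode Check before installing SEP.'
    }
}
```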