Symantec Endpoint Encryption Device Control Policy is not applied in Windows Safe Mode with networking


Article ID: 157145


Updated On:


Symantec Products


The SEE Device Control policy does not apply to the machine or users if Windows is booted in Safe Mode (with networking).



Safe Mode allows you basic access to the system because it doesn't load any third-party software and drivers. In consequence, the SEE Device Control subsystem is not loaded nor enforced.

This is by design of the operating system. To go around this, you may want to disable Safe Mode.

Warning: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. For more information on backing up the registry see the following article on the Microsoft support site:

How to back up and restore the registry

Open the Registry and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot.

Rename the keys "minimal" and "network" to "minimal.bak" and "network.bak".

Your Safe Mode options won't work anymore. Be sure to disallow users to modify this on their own.
If needed, you can restore the values by renaming the keys to the original name again.


Applies To

Windows 7, Windows XP in safe mode with networking, SEE-DC 8.2.2.