Symantec Drive Encryption Incompatible with Systems that have a Windows 7 System Reserved Partition on a Secondary Drive

book

Article ID: 157816

calendar_today

Updated On:

Products

Drive Encryption

Issue/Introduction

If more than one HDD or SSD drive is present in a computer when Windows 7 is installed, a System Reserved partition may be installed on a different drive other than the Windows boot files.  For example, Windows Disk Management shows a System Reserved partition on Disk 0 with the attributes System and Active.  It shows a C drive partition on Disk 1 with the Boot attribute.
 

The system boots correctly when Symantec Drive Encryption is not installed. 

 

After encrypting the C drive partition, BootGuard fails to load and Windows fails to start with the error:

"The boot selection failed because a required device is inaccessible."
 

 

Cause

Symantec Drive Encryption is not designed to work with systems that have a Windows 7 System Reserved partition on a secondary drive.

Resolution

Use one of the following

  1. Decrypt the C drive by slaving to another computer with PGP Desktop or Symantec Encryption Desktop installed and then using WinPE disk or a PGP recovery disk. 
     
  2. After backing up the system, reinstall Windows 7 with the secondary disk disconnected.  This will force Windows 7 to place the System Reserved partition on the same disk as the Windows boot files.
     
  3. Encrypt the C drive partition using Symantec Drive Encryption.  BootGuard will load successfully and the system will boot as expected.
     

The following workaround avoids reinstalling Windows 7 on a system with 2 drives with the System Reserved partition on a different disk to the C partition.  However, it will make the System Reserved partition redundant:

  1. Run the following command as a local administrator to copy critical boot files to the C drive.  The C drive will later become the system partition:

    C:\Windows\system32>bcdboot c:\windows /s c:

    Boot files successfully created.
     
  2. Shutdown the computer and enter the BIOS.  Change the Boot settings in the BIOS so that the C drive (Disk 1) is first in the boot order.
     
  3. Reboot and check in Disk Management that the C partition now has the System attribute in addition to the Active attribute.  Note that the System Reserved
    partition will be assigned a drive letter and will no longer have the System attribute.
     
  4. Encrypt the C drive.
     
  5. Then reboot the computer. BootGuard appears as normal and the system boots correctly.

Applies To

Windows 7

Symantec Drive Encryption or PGP Whole Disk Encryption