Troubleshooting incompatibility issues between Windows 10 and Symantec Encryption Desktop

Article ID: 171115

Products

Drive Encryption

Issue/Introduction

This article provides information on known issues and their available workarounds when:

  • Using Symantec Encryption Desktop 10.4.2 MP3 on a client computer running Windows 10 May 2019 Update (version 1903) (RS6)
  • Using Symantec Encryption Desktop 10.4.2 MP1 on a client computer running Windows 10 October 2018 Update (version 1809) (RS5)
  • Using Symantec Encryption Desktop 10.4.2 or later on a client computer running Windows 10 April 2018 Update (version 1803) (RS4)
  • Using Symantec Encryption Desktop 10.4.1 MP2 HF2 or later on a client computer running Windows 10 Fall Creators Update (version 1709) (RS3)

Resolution

The following section lists the known issues that may occur when you install, upgrade, or use Symantec Encryption Desktop 10.4.1 MP2 HF2 or later with Windows 10 RS3, Windows 10 RS4, Windows 10 RS5, or Windows 10 RS6. To work around these issues, perform the instructions mentioned in the Workaround section for each issue.

Known issue

PGP Virtual Disk does not work on certain Windows 10 RS5 and RS6 systems after Symantec Encryption Desktop is installed: On certain systems running Windows 10 October 2018 Update (RS5) or Windows 10 May 2019 Update (RS6) enabled with Hypervisor-Enforced Code Integrity (HVCI), if you install Symantec Encryption Desktop 10.4.2 MP1 or 10.4.2 MP3, the PGP Disk driver is not loaded successfully. Also, the PGP Virtual Disk functionality does not work.

Note: This issue happens only on Windows 10 RS5 systems that meet certain hardware and firmware requirements with VBS enabled by default. For more information on the hardware and firmware requirements, see the Microsoft article available at https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs. This issue is not observed when you upgrade to Windows 10 RS5 or RS6 using the in-place upgrade scripts. For more information on the in-place upgrade, see the article https://support.symantec.com/en_US/article.HOWTO125876.html.

Workaround

To work around this issue, disable the Memory integrity feature (found under Core isolation in Device security) as follows:

1. Open Windows Security and click the Device security icon.
2. Click the Core isolation details link.
3. Toggle Off Memory integrity.
4. Restart the computer.
5. Ensure that the PGP Disk driver is loaded successfully.

Alternatively, you can perform the following steps:
1. Disable HVCI by setting the following registry value to 0 (zero):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
2. Restart the computer.
3. Ensure that the PGP Disk driver is loaded successfully.
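
The following PowerShell check is an added example, not part of the original Symantec article. It compares the registry value written by the REG ADD command above with the HVCI state Windows reports as running, and lists loaded drivers whose name or path contains "pgp" (an assumption, because the article does not name the PGP Disk driver).

```powershell
# Added example: report configured vs. running HVCI state and PGP-named drivers.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-HvciStatus {
    # Configured state: the "Enabled" value that the REG ADD command writes.
    $configured = $null
    if (Test-Path -Path $hvciKey) {
        $configured = (Get-ItemProperty -Path $hvciKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    }

    # Running state: Win32_DeviceGuard lists the active services; 2 means HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $running = $false
    if ($dg) { $running = $dg.SecurityServicesRunning -contains 2 }

    [pscustomobject]@{
        RegistryEnabled         = $configured   # $null means the value is not set
        HvciRunning             = $running
        # True when the registry says 0 but HVCI is still active: the restart
        # has not happened yet, or another setting such as Group Policy enforces it.
        DisabledButStillRunning = ($configured -eq 0 -and $running)
    }
}

function Get-PgpNamedDriver {
    # Assumption: the driver's name or image path contains "pgp".
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*pgp*' -or $_.PathName -like '*pgp*' } |
        Select-Object Name, State, StartMode, PathName
}

Get-HvciStatus | Format-List
Get-PgpNamedDriver | Format-Table -AutoSize
```

Run it after the restart: HvciRunning should be False and the matching driver should show State "Running".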

Known issue

Incompatibility with Symantec Encryption Desktop when the Controlled Folder Access feature of Windows 10 RS3, RS4, or RS5 is enabled: On Windows 10 RS3, RS4, or RS5 client computers running Symantec Encryption Desktop 10.4.1 MP2 HF2 or later, when the Controlled Folder Access feature is enabled, Symantec Encryption Desktop does not work as expected.

Workaround

Disable the Controlled Folder Access feature of Windows 10 RS3, RS4, or RS5 to use Symantec Encryption Desktop. Alternatively, you can add pgpdesk.exe and pgptray.exe to the list of safe or allowed applications through Controlled folder access. For more information, see the Microsoft documentation.
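
The allow-list alternative keeps Controlled Folder Access enabled for everything else on the computer. The PowerShell below is an added example, not taken from the Symantec article. It assumes Microsoft Defender Antivirus is the active provider, that the session is elevated, and that the two executables live somewhere under Program Files (the article gives no install path).

```powershell
# Added example: keep Controlled Folder Access on and allow only the two
# executables named in the article. Run from an elevated PowerShell session.
$names = 'pgpdesk.exe', 'pgptray.exe'

# Assumption: the install directory is under Program Files.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -Path $_) }

$pref = Get-MpPreference
# EnableControlledFolderAccess: 0 = disabled, 1 = enabled, 2 = audit mode
"Controlled Folder Access mode: $($pref.EnableControlledFolderAccess)"

$allowed = @($pref.ControlledFolderAccessAllowedApplications)
$found   = @(Get-ChildItem -Path $roots -Include $names -File -Recurse -ErrorAction SilentlyContinue)

foreach ($exe in $found) {
    if ($allowed -contains $exe.FullName) {
        "Already allowed: $($exe.FullName)"
        continue
    }

    # An allow-list entry trusts whatever binary sits at that path, so only
    # add files that carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.Status -ne 'Valid') {
        "Skipped (signature status $($sig.Status)): $($exe.FullName)"
        continue
    }

    "Adding: $($exe.FullName) [signer: $($sig.SignerCertificate.Subject)]"
    Add-MpPreference -ControlledFolderAccessAllowedApplications $exe.FullName
}

if ($found.Count -eq 0) {
    "Neither executable was found under: $($roots -join ', ')"
}
```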

Known issues

Pre-boot authentication fails: Users of Windows 10 RS3, RS4, or RS5 workgroup computers may not be able to authenticate at the BootGuard screen of Symantec Encryption Desktop 10.4.1 MP2 HF2 or later.

Incompatibility of the Windows Automatic Restart Sign-On (ARSO) feature of Windows 10 RS3, RS4, or RS5 with Symantec Encryption Desktop: On Windows 10 RS3, RS4, or RS5 workgroup computers running Symantec Encryption Desktop 10.4.1 MP2 HF2 or later, the Single Sign-On (SSO) feature may not work even when the policy is enabled.

Workarounds

Perform either of the following workarounds prior to installing Symantec Encryption Desktop or before auto-encryption begins on your client computer:

Workaround 1: Disable the Use my sign in info to automatically finish setting up my device after an update or restart option. To see this option, navigate to Windows Settings > Accounts > Sign-in options > Privacy. For more information, refer to the Microsoft knowledgebase article, Winlogon Automatic Restart Sign-On (ARSO).

Workaround 2: Create the following registry value:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableAutomaticRestartSignOn=dword:1

Note: If you did not perform either of the workarounds before encrypting your client computer, then manually disable the Use my sign in info to automatically finish setting up my device after an update or restart option, and restart the client computer twice.

Known issue

Email communication fails after upgrading Windows 10 computers encrypted with Symantec Encryption Desktop to Windows 10 RS4: When Windows 10 computers that use IMAP or POP3 for email communication are upgraded to Windows 10 RS4 using the in-place upgrade scripts, email encryption does not work. Also, IMAP or POP3 profiles cannot be created and email communication fails. The cause of the issue is that the Layered Service Providers (LSP) feature that Symantec Encryption Desktop uses for email encryption is not upgraded in RS4. LSP is deprecated in Windows systems.

Resolution

A fix for this issue is available in Symantec Encryption Desktop for Windows version 10.4.2 MP1. To prevent this issue, first upgrade to Symantec Encryption Desktop 10.4.2 MP1 or later, and then upgrade to Windows 10 using the appropriate in-place upgrade script. The upgrade scripts are attached to the article https://support.symantec.com/en_US/article.HOWTO128174.html.