Troubleshooting PGP Encryption Suite with Windows 10 and Windows 11 Device Guard

Article ID: 171115


Products

  • Drive Encryption
  • File Share Encryption
  • Desktop Email Encryption
  • PGP Encryption Suite

Issue/Introduction

Device Guard is a security feature in Windows that protects against malware and other cybersecurity threats. It is part of Windows Defender Application Control (WDAC), which can help mitigate many security threats by restricting the applications that users are allowed to run and the code that runs in the system core (kernel).

This article provides information about Device Guard, Core Isolation, or Memory Integrity with PGP Encryption Suite (Symantec Encryption Desktop) on Windows 10 or 11.

After installing PGP Encryption Suite, you get one of the following errors:

"PGPdisk can't run on Windows: This app isn't compatible with Windows memory integrity."

"A driver cannot load on this device: A security setting is preventing the driver from loading."

"A driver cannot load on this device: PGPdisk.sys"

Environment

  • PGP Encryption Suite 11.0.1 and above.
  • Desktop Email Encryption 10.5.1 and above.
  • Drive Encryption 10.5.1 and above.
  • File Share Encryption 10.5.1 and above.
  • Windows 10.
  • Windows 11.

 

Cause

Microsoft Device Guard does not allow loading of these types of drivers.

Resolution

The error above means that Windows will not load the driver. In order to load the driver, Windows would need to be configured to allow drivers of this level. Please reach out to Microsoft if you need these drivers to be loaded.

PGP Disk allows users to create encrypted files and mount them as virtual disk drives. If you do not need PGP Virtual Disk in your environment, you can install using msiexec with the PGP_INSTALL_VDISK=0 switch to disable Virtual Disk:

msiexec /i PGPDesktop64_en-US.msi PGP_INSTALL_VDISK=0

The above command will install PGP Encryption Suite with all other components enabled and PGP Virtual Disk disabled. For a complete list of the msiexec switches that can disable or enable components, please refer to article 171110.

 

Changes to installation behavior in PGP Encryption Suite 11.0.1 and above

Scenario 1: Fresh installation by double-clicking
If you install by double-clicking on the *.msi file, the PGP Virtual Disk component will now be disabled by default. In previous releases, it was enabled by default.

Scenario 2: Fresh installation using msiexec
If you are installing via the command line using msiexec and you do not include the switch PGP_INSTALL_VDISK=0, then PGP Virtual Disk will be enabled. This behavior is the same as in previous releases.

Scenario 3: Upgrading from previous releases
In previous releases, PGP Virtual Disk was enabled by default, so unless you are certain that it was disabled previously, it is safest to assume that it was enabled. If you upgrade either by double-clicking on the *.msi file or by using msiexec without the PGP_INSTALL_VDISK switch, then the previous setting for Virtual Disk will be kept. Therefore, to ensure that you disable PGP Virtual Disk, upgrade using msiexec with the switch PGP_INSTALL_VDISK=0.
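
The three scenarios above can be handled by one deployment wrapper that checks whether Memory Integrity is running and always passes PGP_INSTALL_VDISK=0 when it is. This is an added example, not code from Symantec or from this article. Assumptions: it runs from an elevated PowerShell prompt, the -WantVirtualDisk parameter and the log path are hypothetical, and /qn, /norestart and /l*v are standard Windows Installer options rather than switches named in this article.

```powershell
# Added example: deployment wrapper, not vendor-supplied code.
param(
    [string]$MsiPath = '.\PGPDesktop64_en-US.msi',   # installer name used in this article
    [string]$LogPath = "$env:TEMP\pgp-install.log",  # assumed log location
    [switch]$WantVirtualDisk                          # hypothetical: request PGP Virtual Disk
)

function Test-MemoryIntegrityRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when
    # hypervisor-enforced code integrity (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    return [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

function Get-InstallArguments {
    param([string]$Msi, [string]$Log, [bool]$MemoryIntegrity, [bool]$VDiskRequested)
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart', '/l*v', "`"$Log`"")
    if ($MemoryIntegrity -or -not $VDiskRequested) {
        # Explicit switch covers all three scenarios: msiexec would otherwise
        # enable Virtual Disk on a fresh install and keep the old setting on upgrade.
        $msiArgs += 'PGP_INSTALL_VDISK=0'
    }
    # Otherwise the switch is omitted and the installer's own behaviour applies.
    return $msiArgs
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Installer not found: $MsiPath"
    exit 2
}

$hvci = Test-MemoryIntegrityRunning
if ($hvci -and $WantVirtualDisk) {
    Write-Warning 'Memory Integrity is running; PGPdisk.sys would be blocked, so PGP Virtual Disk is not installed.'
}

$installArgs = Get-InstallArguments -Msi $MsiPath -Log $LogPath `
                   -MemoryIntegrity $hvci -VDiskRequested $WantVirtualDisk.IsPresent
Write-Host "msiexec.exe $($installArgs -join ' ')"

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $installArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Installation succeeded.' }
    3010    { Write-Host 'Installation succeeded; a reboot is required.' }
    default { Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
              exit $proc.ExitCode }
}
```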

 

If you are having issues with PGP Encryption Suite with Core Isolation/Device Guard/Memory Integrity features of Windows, and you would like more information on this topic, reach out to Symantec Encryption Support for further guidance.

 

 

Additional Information

EPG-26268\ISFR-2102
EPG-21701
EPG-19982  
EPG-17099