
Troubleshooting Symantec Encryption Desktop with Windows 10 Device Guard - Memory Integrity Features


Article ID: 171115


Updated On:


Drive Encryption


This article provides information on known issues and their available workarounds when using Symantec Encryption Desktop on Windows 10 or 11 with Device Guard or Memory Integrity.


The following section lists some known issues that may occur when you install, upgrade, or use Symantec Encryption Desktop on Windows 10 RS3 or later systems that use the Device Guard\Memory Integrity features.


Known issue 1 - PGP Virtual Disk may not load on certain Windows 10 systems after Symantec Encryption Desktop is installed

On certain systems running Windows 10 RS5 or later with Device Guard\Hypervisor-Enforced Code Integrity (HVCI)\Memory Integrity enabled, PGP Virtual Disk may not work. This is because the Windows security feature is blocking the PGP binaries. Once these features are disabled, the issue will go away.


To work around this issue, disable the Core isolation Memory integrity Device security feature as follows: 

1. Open Windows Security and click the Device security icon.
2. Click the Core isolation details link.
3. Toggle Off Memory integrity.
4. Restart the computer.
5. Ensure that the PGP Disk driver is loaded successfully.

Alternatively, you can perform the following steps:
1. Disable HVCI by updating the following registry setting to 0 (zero) as follows:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
2. Restart the computer.
3. Ensure that the PGP Disk driver is loaded successfully.

Known issue 2 - Symantec Encryption Desktop does not work as expected when the Controlled Folder Access feature of Windows 10 RS3 or later is enabled

On Windows 10 RS3 and later running Symantec Encryption Desktop 10.4.1 MP2 HF2 or later, when the Controlled Folder Access feature is enabled, Symantec Encryption Desktop does not work as expected.


Disable the Controlled Folder Access feature of Windows 10 RS3, RS4, or RS5 to use Symantec Encryption Desktop. Alternatively, you can add pgpdesk.exe and pgptray.exe to the list of safe or allowed applications through Controlled folder access. For more information, see the Microsoft documentation.
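To confirm which of known issues 1 and 2 applies before changing anything, the following read-only report shows the state of the features named above. It is an added example, not part of the original article or a Symantec tool; it assumes an elevated PowerShell session with the built-in Defender cmdlets available, and it does not check the PGP Disk driver because the article does not name it.

```powershell
# Added example: read-only report of the Windows features this article names.
# Nothing is changed on the system.

# HVCI / Memory integrity as configured: the registry value used in the workaround above.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvciConfigured = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

# HVCI as actually running: SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = $dg -and ($dg.SecurityServicesRunning -contains 2)

# Controlled Folder Access: 0 = disabled, 1 = enabled, 2 = audit mode.
$mp      = Get-MpPreference -ErrorAction SilentlyContinue
$cfaMode = $mp.EnableControlledFolderAccess
$allowed = @($mp.ControlledFolderAccessAllowedApplications)

# The two executables the article says to allow; compare by file name only,
# because the install path is not given in the article.
$pgpApps = 'pgpdesk.exe', 'pgptray.exe'
$missing = $pgpApps | Where-Object {
    $name = $_
    -not ($allowed | Where-Object { $_ -and ((Split-Path $_ -Leaf) -ieq $name) })
}

[pscustomobject]@{
    HvciRegistryEnabled   = if ($null -eq $hvciConfigured) { 'not set' } else { $hvciConfigured }
    HvciRunning           = [bool]$hvciRunning
    ControlledFolderMode  = $cfaMode
    PgpAppsNotAllowListed = ($missing -join ', ')
} | Format-List
```

HvciRunning reflects the state at the last boot, so after changing the registry value it only updates once the computer has been restarted.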


Known issue 3 - Windows Automatic Restart Sign-On (ARSO) causing preboot difficulties

Pre-boot authentication fails: Users of Windows 10 RS3 or later may not be able to authenticate at the BootGuard screen of Symantec Encryption Desktop. This issue is rare, and authentication typically works.

Authenticating with a recovery key or Client Admin will still work.

Windows ARSO is not typically used on domain-joined systems and is typically only used for Standalone Windows client versions. ARSO allows Microsoft to perform upgrades more easily for end users, but machines joined to a domain will not typically use this feature.

In some very rare cases on Windows 10 RS3 or later, Symantec Encryption Desktop Single Sign-On (SSO) may not work.


Workaround 1: Disable the "Use my sign in info to automatically finish setting up my device after an update or restart" option. To see this option, navigate to Windows Settings > Accounts > Sign-in options > Privacy. For more information, refer to the Microsoft knowledgebase article, Winlogon Automatic Restart Sign-On (ARSO).

Workaround 2: Create the following registry:

Note: If you did not perform either of the workarounds before encrypting your client computer, then manually disable the "Use my sign in info to automatically finish setting up my device after an update or restart" option, and restart the client computer twice.

Symantec Encryption Engineering is currently working on improvements to each of the items listed above. For further guidance, to be added to these improvements, and to be informed of progress, reach out to Symantec Encryption Support.


Additional Information

234559 - Windows Device Guard and Symantec Encryption Desktop or PGP Desktop