A BSOD occurs if ELAM is enabled on Windows 10

Article ID: 175658

Products

Endpoint Protection

Issue/Introduction

When Symantec Endpoint Protection (SEP) is installed with Early Launch Anti-Malware (ELAM) enabled, the computer encounters a blue screen upon reboot. This persists across multiple reboots.

Known BSODs:

Bugcheck 50
Bugcheck D1

Environment

Computers joined to a domain with GPO enforcement of DriverLoadPolicy set to "8"

Cause

The Windows ELAM policy has been configured for "Good Only" and a critical driver on the system does not meet that criterion.

Resolution

This issue is fixed in Symantec Endpoint Protection 14.3.3384.1000 (RU1). For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

Workaround:

Adjust the policy from "8" (known Good drivers only) to "1" (Good and unknown drivers), or locate and correct the offending driver.

After a BSOD, if the computer blue-screens again on the next reboot, the reboot after that should start it in recovery mode. From there, open a command prompt, start regedit, load the SYSTEM hive from C:, and edit the DriverLoadPolicy value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch. Change the value to 1 and exit, committing the change. On the next reboot the system should boot normally.

Note: Once the system boots normally, it will apply the GPO again and revert DriverLoadPolicy. To keep subsequent reboots from resulting in a BSOD, you will need to adjust the policy, temporarily disable ELAM, or resolve the driver issue.
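
The recovery-mode registry edit from the workaround can also be done with reg.exe from the same command prompt. The batch file below is an added example, not part of the original article or a vendor script. It assumes the Windows volume is mounted as C: and uses a hypothetical mount name, OfflineSystem. In a hive loaded offline the key appears under ControlSetNNN, as named by Select\Current, because the CurrentControlSet link exists only on a running system.

```bat
@echo off
rem Added example: set DriverLoadPolicy to 1 in the offline SYSTEM hive.
rem Assumption: the Windows volume is C: (confirm with "dir C:\Windows";
rem recovery mode may assign a different drive letter).
setlocal
set HIVE=C:\Windows\System32\config\SYSTEM
set MOUNT=HKLM\OfflineSystem

rem Load the installed system's hive under a temporary name.
reg load %MOUNT% "%HIVE%" || goto :eof

rem Select\Current holds the number of the control set used at boot.
set CUR=
for /f "skip=2 tokens=3" %%A in ('reg query %MOUNT%\Select /v Current') do set /a CUR=%%A
if not defined CUR (
    echo Could not read Select\Current; no changes made.
    reg unload %MOUNT%
    goto :eof
)

rem Build the key name, zero-padded to three digits (for example ControlSet001).
set PAD=00%CUR%
set KEY=%MOUNT%\ControlSet%PAD:~-3%\Policies\EarlyLaunch

echo Current setting under %KEY%:
reg query "%KEY%" /v DriverLoadPolicy

rem 1 = Good and unknown drivers (the workaround value from the article).
reg add "%KEY%" /v DriverLoadPolicy /t REG_DWORD /d 1 /f

echo New setting:
reg query "%KEY%" /v DriverLoadPolicy

rem Unloading the hive writes the change back to disk.
reg unload %MOUNT%
endlocal
```

The first `reg query` output records the value the GPO had enforced, which is useful when adjusting the policy afterwards.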