When Symantec Endpoint Protection (SEP) is installed with Early Launch Anti-Malware (ELAM) enabled, the computer encounters a blue screen upon reboot. This persists across multiple reboots.
Computers joined to a domain with GPO enforcement of DriverLoadPolicy set to "8"
Windows' ELAM policy has been configured for "Good Only" and a critical driver on the system is not meeting that criteria.
This issue is fixed in Symantec Endpoint Protection 14.3.3384.1000 (RU1). For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.
Adjust the policy from "8" (known Good drivers only) to "1" (Good and unknown drivers), or locate and correct the offending driver.
Once you have the BSOD, if you reboot and BSOD again, the next reboot should start the computer in recovery mode. From there, open a command prompt, start regedit, load the SYSTEM hive from C:, and edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch - DriverLoadPolicy. Change the value to 1, and exit, committing the change. On the next reboot the system should boot normally.
Note: Once the system boots normally, it will apply the GPO again and revert the DriverLoadPolicy. You will need to adjust the policy, temporarily disable ELAM, or resolve the driver issue to allow subsequent reboots to not result in a BSOD.