Trying to upgrade Windows with the DLP agent installed and the upgrade fails.

You may see errors similar to these below:

Cannot write security information for registry key HKLM\SYSTEM\CurrentControlSet\services\EDPA (error 0x00000005)[gle=0x000003f0]
Error      [0x080782] MIG    CRegistryDataStore::Create: Failed to set reflection key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
Error      [0x080789] MIG    CRegistryDataStore::Create: Failed to set LUA key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
 Error                 SP     Error WRITE, 0x00000005 while gathering/applying object: Registry, HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Will return 0
Error                 MIG    Error 5 while applying object HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Shell application requested abort
Error      [0x08097b] MIG    Abandoning apply due to error for object: HKLM\SYSTEM\CurrentControlSet\services\EDPA []
Error                        Apply failed. Last error: 0x00000000

Issue observed while upgrading from Windows 1709 to Windows 1809 and to Windows 21H2.

Windows installer cannot update registry keys that are in use and locked by the EDPA agent.

Permissions issue the service must have Local Admin privileges. 

If using SCCM be aware that service level, may or may not have the appropriate permissions.

There are several possible resolutions.

1. Lower AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int from 7 to 3 during the OS migration process, then return the value to 7.
2. Perform the upgrade in safe mode.
3. Use service_shutdown.exe which is located in the Agent Installer package that is downloaded from Symantec.
4. Shutdown the agent from the Enforce console, and reboot the endpoint to ensure the change is pushed.
5. Uninstall the Agent, perform the upgrade, and then reinstall the agent.

Microsoft is aware of the issue, but as of the time of this article does not know why the permission settings are not being set correctly.