Upgrading Windows fails with DLP Agent installed.

Article ID: 184753

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

An in-place Windows upgrade fails when the DLP Agent is installed.

You may see errors similar to the following:

Cannot write security information for registry key HKLM\SYSTEM\CurrentControlSet\services\EDPA (error 0x00000005)[gle=0x000003f0]
Error      [0x080782] MIG    CRegistryDataStore::Create: Failed to set reflection key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
Error      [0x080789] MIG    CRegistryDataStore::Create: Failed to set LUA key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
 Error                 SP     Error WRITE, 0x00000005 while gathering/applying object: Registry, HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Will return 0
Error                 MIG    Error 5 while applying object HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Shell application requested abort
Error      [0x08097b] MIG    Abandoning apply due to error for object: HKLM\SYSTEM\CurrentControlSet\services\EDPA []
Error                        Apply failed. Last error: 0x00000000
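
To check whether a failed upgrade matches this pattern, the following added example (not part of the original article or of the product) scans setup log lines for access-denied writes to service registry keys. It generalises beyond EDPA to any service key; the function names are hypothetical, and the sample lines are taken from the excerpt above plus one constructed benign line.

```python
import re
from collections import defaultdict

# Service key name under HKLM\SYSTEM\CurrentControlSet\services\<name>
KEY_RE = re.compile(r"HKLM\\SYSTEM\\CurrentControlSet\\services\\([^\s\[\]\\]+)", re.I)
# Access denied (Win32 error 5) in the forms that appear in the article's excerpt
DENIED_RE = re.compile(
    r"gle=0x00000005|error 0x00000005|Error WRITE, 0x00000005|\bError 5\b", re.I)
# Lines showing that setup gave up on the object
ABORT_RE = re.compile(r"Abandoning apply|requested abort", re.I)

def triage(lines):
    """Map each service whose key setup could not write to its denied count and abort flag."""
    hits = defaultdict(lambda: {"denied": 0, "aborted": False})
    for line in lines:
        m = KEY_RE.search(line)
        if not m:
            continue  # line does not reference a service registry key
        svc = m.group(1).upper()
        if DENIED_RE.search(line):
            hits[svc]["denied"] += 1
        if ABORT_RE.search(line):
            hits[svc]["aborted"] = True
    # Report only services with at least one access-denied write
    return {s: dict(v) for s, v in hits.items() if v["denied"]}

def agent_blocked(result, agent_service="EDPA"):
    """True when the DLP Agent service key is among the keys setup was denied access to."""
    return agent_service.upper() in result

SAMPLE = [  # lines 1-7 from the article's excerpt; the last line is constructed
    r"Cannot write security information for registry key HKLM\SYSTEM\CurrentControlSet\services\EDPA (error 0x00000005)[gle=0x000003f0]",
    r"Error      [0x080782] MIG    CRegistryDataStore::Create: Failed to set reflection key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]",
    r"Error      [0x080789] MIG    CRegistryDataStore::Create: Failed to set LUA key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]",
    r"Error                 SP     Error WRITE, 0x00000005 while gathering/applying object: Registry, HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Will return 0",
    r"Error                 MIG    Error 5 while applying object HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Shell application requested abort",
    r"Error      [0x08097b] MIG    Abandoning apply due to error for object: HKLM\SYSTEM\CurrentControlSet\services\EDPA []",
    r"Error                        Apply failed. Last error: 0x00000000",
    r"Info                  MIG    Processing object HKLM\SYSTEM\CurrentControlSet\services\Spooler []",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for svc, info in report.items():
        print(f"{svc}: {info['denied']} access-denied writes, aborted={info['aborted']}")
    print("DLP Agent key blocked:", agent_blocked(report))
```
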

Environment

Issue observed while upgrading from Windows 1709 to Windows 1809 and to Windows 21H2.

Cause

In-place Windows upgrades may fail in one specific scenario: the DLP Agent's tamper protection combines with additional OS hardening or other customizations configured on the endpoint, and these conflict with the DLP Agent's protection of its own Registry entries. Tamper protection is the DLP Agent's mechanism for protecting itself from end-user interference (i.e. attempts to uninstall or disable the DLP Agent). It covers the DLP Agent's services, the local files and libraries in the Agent's installation directory, and the Registry entries used by the DLP Agent.

The issue described in this KB occurs when the Windows installer cannot update registry keys that are in use and locked by the EDPA agent.

For endpoints where in-place Windows upgrades fail because of access issues with DLP Agent components, for example in the Registry, the two solutions described below may help complete the upgrade. Once the Windows upgrade is completed, you can restore the DLP Agent to its full functionality and tamper protection level.

Resolution

There are several possible resolutions.

Method 1: Lower the agent tamper proofing protection

  1. Lower AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int from 7 to 3 during the OS migration process, then return the value to 7.
    • This is done through the agent configuration in the Enforce console:
      • Go to System - Agent - Agent Configuration.
      • Edit the agent configuration for the users being upgraded.
      • Click the Advanced Settings tab.
      • Find the setting "AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int".
      • Change the value from 7 to 3.
      • Save the agent configuration.
      • Click Apply Configuration.
      • Update the configuration to the agent group where it was applied. A red ! mark should appear beside the agent configuration. Once the agent configuration is applied, the red ! mark should disappear.

Method 2: Uninstall the agent first

  1. Uninstall the Agent, perform the upgrade, and then reinstall the agent.