Upgrading Windows from 1709 to 1809 Fails with DLP Agent installed

book

Article ID: 184753

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Trying to upgrade to windows from 1709 to 1809 with DLP agent installed the upgrade fails

You see errors in the install log such as

Cannot write security information for registry key HKLM\SYSTEM\CurrentControlSet\services\EDPA (error 0x00000005)[gle=0x000003f0]
Error      [0x080782] MIG    CRegistryDataStore::Create: Failed to set reflection key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
Error      [0x080789] MIG    CRegistryDataStore::Create: Failed to set LUA key flags for HKLM\SYSTEM\CurrentControlSet\services\EDPA[gle=0x00000005]
 Error                 SP     Error WRITE, 0x00000005 while gathering/applying object: Registry, HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Will return 0
Error                 MIG    Error 5 while applying object HKLM\SYSTEM\CurrentControlSet\services\EDPA []. Shell application requested abort
Error      [0x08097b] MIG    Abandoning apply due to error for object: HKLM\SYSTEM\CurrentControlSet\services\EDPA []
Error                        Apply failed. Last error: 0x00000000

Cause

Windows installer cannot update registry keys that are in use and locked by the EDPA agent.

Permissions issue the service must have Local Admin privileges. 

If using SCCM be aware that service level, may or may not have the appropriate permissions.

Resolution

There are several possible resolutions.

  1. Lower AgentTamperProtection.ENABLE_AGENT_TAMPER_PROTECTION.int from 7 to 3 during the OS migration process, then return the value to 7. 
  2. Perform the upgrade in safe mode.
  3. Use service_shutdown.exe which is located in the Agent Installer package that is downloaded from Symantec.
  4. Shutdown the agent from the Enforce console, reboot the endpoint to ensure the change is pushed.
  5. Uninstall the Agent, perform the upgrade, and then reinstall the agent.

Microsoft is aware of the issue, but as of the time of this article does not know why the permission settings are not being set correctly.