Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)


Article ID: 194755


Products

Endpoint Encryption

Issue/Introduction

After installing Endpoint Encryption Removable Media Encryption (SEE RME) 11.3.0 on systems with Virtualization-Based Security enabled, the system may not boot properly.

 

When looking at System Information (Start, Run, msinfo32), under System Summary, scroll to the bottom and look for something similar to the following:

Cause

Systems may be unable to boot due to the SEE RME 11.3.0 filter driver (eerfsfd) being blocked by Kernel Control Flow Guard (CFG) as the driver header is misaligned. 

Kernel Control Flow Guard is part of Virtualization-Based Security for Windows. SEE 11.2.0 did not support this CFG feature, so the issue does not apply to that version.

If you are installing Symantec Endpoint Encryption 11.3 with Drive Encryption only (and not SEE RME), this issue does not occur.

If you are using Symantec Endpoint Encryption with RME only, this issue can occur.

 

After SEE RME is installed, a system will attempt to boot (post successful preboot authentication) and after three failed attempts will go to the Windows recovery screen, but will not indicate what is wrong.

 

Another symptom of this issue can be seen in the installation log (located in %tmp%) which will contain the following warning.  If this is seen, the system may not boot:

runDosCommand:  Warning: failed to ShellExecuteEx cmd.exe /c fltmc.exe load eerfsfd

 

The following is an example in the installation log that indicates the computer successfully loaded the Removable Media Encryption filter driver and that the system should boot up just fine:

runDosCommand:  'cmd.exe /c fltmc.exe load eerfsfd' return: 0

We would expect systems to boot properly when this driver is loaded.
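
The log check described above can be scripted and run after installation, before the first reboot. The following PowerShell is an added example, not Symantec's code: the `-LogPath` parameter and the function names are hypothetical (the article gives only the log's location, %tmp%, not its file name), and treating a nonzero return value as a failed load is an assumption.

```powershell
# Added example: pre-reboot check for the eerfsfd load failure described in this article.
# Assumption: the operator passes the installation log via -LogPath. Without it, the
# script runs against the two log lines quoted in the article as sample input.
param([string] $LogPath)

function Get-EerfsfdLoadState {
    param([string[]] $Lines)
    # Patterns are built from the two log lines quoted in the article.
    $failed = 'runDosCommand:\s+Warning: failed to ShellExecuteEx cmd\.exe /c fltmc\.exe load eerfsfd'
    $result = "runDosCommand:\s+'cmd\.exe /c fltmc\.exe load eerfsfd' return:\s*(\S+)"
    $state = 'NotFound'
    foreach ($line in $Lines) {
        if ($line -match $failed) {
            $state = 'Failed'
        } elseif ($line -match $result) {
            # Assumption: any return value other than 0 means the load did not succeed.
            $state = if ($Matches[1] -eq '0') { 'Loaded' } else { 'Failed' }
        }
    }
    $state   # the last matching entry wins, so a repeated install attempt is respected
}

function Get-VbsState {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 0 = off, 1 = enabled, 2 = running.
    # SecurityServicesRunning contains 2 when HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus   = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null }
        HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
    }
}

$lines = if ($LogPath) {
    Get-Content -LiteralPath $LogPath
} else {
    "runDosCommand:  Warning: failed to ShellExecuteEx cmd.exe /c fltmc.exe load eerfsfd",
    "runDosCommand:  'cmd.exe /c fltmc.exe load eerfsfd' return: 0"
}

$load = Get-EerfsfdLoadState -Lines $lines
$vbs  = Get-VbsState
[pscustomobject]@{
    FilterDriverLoad = $load              # Loaded, Failed or NotFound
    VbsStatus        = $vbs.VbsStatus
    HvciRunning      = $vbs.HvciRunning
    BootRisk         = ($load -eq 'Failed')   # per the article, the system may not boot
}
```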

Environment

Symantec Endpoint Encryption client 11.3.0 and 11.3.0 MP1 with Removable Media Encryption (RME) enabled.

Important Note: On HP systems, Virtualization-Based Security is enabled by default, and this is where you could run into this issue.
Other systems, such as Dell, may not have Virtualization-Based Security enabled by default and would not run into this issue, but could later if you enable this feature.

The following are some of the systems on which the issue has been observed, but the issue is not specific to a model or vendor:

  • HP ProDesk 600 G4 DM(TAA)
  • HP EliteBook 840 G5
  • HP EliteBook 840 G6
  • HP Elitebook x360 1030 G3
  • HP EliteBook x360 1040 G5
  • Dell Latitude 7490

Resolution

Upgrade to Symantec Endpoint Encryption 11.3.1 or above. 

If you cannot upgrade, the following options are available to get systems to boot, listed in order of preference:

  • Disable Virtualization-Based Security temporarily using the Device Guard Readiness Tool

  • Disable Secure Boot in the BIOS. This issue does not occur after disabling Secure Boot and rebooting the system. After a successful reboot, re-enabling Secure Boot does not cause the issue to appear because Virtualization-Based Security may not get re-enabled by default. To re-enable Virtualization-Based Security, refer to the Device Guard Readiness Tool.

If you are encountering this issue on other hardware platforms, or for additional workarounds, please contact Symantec Enterprise Division Support and reference this article.

This issue has also been reviewed by HP and is documented on their Support Site:

https://support.hp.com/us-en/document/c06712907

Additional Information

Jira: EPG-19982
