After installing Endpoint Encryption Removable Media Encryption (SEE RME) 11.3.0 on systems with Virtualization-Based Security enabled, the system may not boot properly.
When looking at System Information (Start, Run, msinfo32), under System Summary, scroll to the bottom and look for something similar to the following:
Systems may be unable to boot due to the SEE RME 11.3.0 filter driver (eerfsfd) being blocked by Kernel Control Flow Guard (CFG) as the driver header is misaligned.
Kernel Control Flow Guard is part of the Virtualization-Based Security for Windows and SEE 11.2.0 did not support this CFG feature so the issue does not apply to this version.
If you are installing Symantec Endpoint Encryption 11.3 with Drive Encryption only (and not SEE RME), this issue does not occur.
If you are using Symantec Endpoint Encryption with RME only, this issue can occur.
After SEE RME is installed, a system will attempt to boot (post successful preboot authentication) and after three failed attempts will go to the Windows recovery screen, but will not indicate what is wrong.
Another symptom of this issue can be seen in the installation log (located in %tmp%) which will contain the following warning. If this is seen, the system may not boot:
runDosCommand: Warning: failed to ShellExecuteEx cmd.exe /c fltmc.exe load eerfsfd
The following is an example in the installation log that indicates the computer successfully loaded the Removable Media Encryption filter driver and that the system should boot up just fine:
runDosCommand: 'cmd.exe /c fltmc.exe load eerfsfd' return: 0
We would expect systems to boot properly when this driver is loaded.
Symantec Endpoint Encryption client 11.3.0 and 11.3.0 MP1 with Removable Media Encryption (RME) enabled.
These are some of the systems known to have observed the issue, but is not specific to model vendor:
Important Note: On HP systems, Virtualization-Based Security is enabled by default, and this is where you could run into this issue.
Other systems, such as Dell, may not have Virtualization-Based Security enabled by default and would not run into this issue, but could later if you enable this feature.
Symantec Enterprise Division has resolved this issue and will be included in the next major release of the Symantec Endpoint Encryption 11.3.1 software.
Until the next major version is released, in order to boot systems, the following options are available listed in order of preference recommended:
If you are encountering this issue on other hardware platforms, or for additional workarounds, please contact Symantec Enterprise Division Support and reference this article.
This issue has also been reviewed by HP and is documented on their Support Site: