Systems fail to boot after installing Endpoint Encryption Removable Media Encryption (RME) with Virtualization-Based Security enabled (Device Guard\HVCI)

Article ID: 194755

Products

  • Endpoint Encryption
  • Desktop Email Encryption
  • Drive Encryption
  • Encryption Management Server
  • File Share Encryption
  • Gateway Email Encryption
  • PGP Command Line
  • PGP Key Management Server
  • PGP Key Mgmt Client Access and CLI API
  • PGP SDK

Issue/Introduction

After installing Symantec Endpoint Encryption Removable Media Encryption (SEE RME) 11.3.0 on systems with Virtualization-Based Security enabled, the system may not boot properly.

When looking at System Information (Start, Run, msinfo32), under System Summary, scroll to the bottom and look for something similar to the following:

Environment

Symantec Endpoint Encryption client 11.3.0 and 11.3.0 MP1 with Removable Media Encryption (RME) enabled.

These are some of the systems known to have observed the issue, but it is not specific to model or vendor:

  • HP ProDesk 600 G4 DM(TAA)
  • HP EliteBook 840 G5
  • HP EliteBook 840 G6
  • HP Elitebook x360 1030 G3
  • HP EliteBook x360 1040 G5
  • Dell Latitude 7490
  • Microsoft Surface Laptop 4

Important Note: On HP systems, Virtualization-Based Security is enabled by default. 


Other systems, such as Dell, may not have Virtualization-Based Security enabled by default and would not run into this issue, but could later if you enable this feature.

Cause

Systems may be unable to boot because the SEE RME 11.3.0 filter driver (eerfsfd) is blocked by Kernel Control Flow Guard (CFG): the driver header is misaligned.

Kernel Control Flow Guard is part of Virtualization-Based Security for Windows. SEE 11.2.0 did not support this CFG feature, so the issue does not apply to that version.

If you are installing Symantec Endpoint Encryption 11.3 with Drive Encryption only (and not SEE RME), this issue does not occur.

If you are using Symantec Endpoint Encryption with RME only, this issue can occur.

After SEE RME is installed, the system attempts to boot (after successful preboot authentication). After three failed attempts it goes to the Windows recovery screen, which does not indicate what is wrong.

Another symptom of this issue appears in the installation log (located in %tmp%), which will contain the following warning. If this is seen, the system may not boot:

runDosCommand:  Warning: failed to ShellExecuteEx cmd.exe /c fltmc.exe load eerfsfd

The following is an example in the installation log that indicates the computer successfully loaded the Removable Media Encryption filter driver and that the system should therefore boot successfully:

runDosCommand:  'cmd.exe /c fltmc.exe load eerfsfd' return: 0
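
The check described above can be scripted before a freshly installed machine is rebooted. The following is an added example, not Symantec or HP code. It assumes the installer log is one of the *.log files in %tmp% (the article does not name the file) and reads Virtualization-Based Security state from the Windows Win32_DeviceGuard WMI class. The function name Get-RmeDriverLoadResult is hypothetical.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
# Assumption: the installer log is one of the *.log files in %tmp%
# (the article does not name the file).

function Get-RmeDriverLoadResult {
    param([string[]]$LogLines)
    # Both patterns come from the log lines quoted in the article.
    $failPattern = 'Warning: failed to ShellExecuteEx cmd\.exe /c fltmc\.exe load eerfsfd'
    $okPattern   = "'cmd\.exe /c fltmc\.exe load eerfsfd' return: 0"
    # A failure anywhere in the log wins, so a mixed log is reported as failed.
    if ($LogLines -match $failPattern) { return 'LoadFailed' }
    if ($LogLines -match $okPattern)   { return 'Loaded' }
    return 'NotFound'
}

# 1. Is VBS (and HVCI) actually running? Status 2 = running; service 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$vbsRunning  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)
$hvciRunning = [bool]($dg -and $dg.SecurityServicesRunning -contains 2)

# 2. What did the installer log about loading the RME filter driver?
$logResults = @(Get-ChildItem -Path $env:TEMP -Filter '*.log' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Log    = $_.FullName
            Result = Get-RmeDriverLoadResult -LogLines $lines
        }
    } | Where-Object { $_.Result -ne 'NotFound' })

# 3. Is the filter driver loaded right now? (fltmc requires elevation.)
$filterLoaded = [bool](fltmc.exe filters 2>$null | Select-String -SimpleMatch 'eerfsfd')

# BootRisk is true when VBS is running and the installer could not load eerfsfd,
# which is the combination the article says may leave the system unable to boot.
[pscustomobject]@{
    VbsRunning       = $vbsRunning
    HvciRunning      = $hvciRunning
    FilterLoadedNow  = $filterLoaded
    InstallerResults = ($logResults | ForEach-Object { "$($_.Result): $($_.Log)" }) -join '; '
    BootRisk         = $vbsRunning -and ($logResults.Result -contains 'LoadFailed')
} | Format-List
```

Run it as the account that performed the installation, since %tmp% is per-user.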

Resolution

To resolve this issue, upgrade to Symantec Endpoint Encryption 11.3.1 or above.

If you cannot upgrade, the following options are available to get systems booting, listed in order of preference:

  • Disable Virtualization-Based Security temporarily using the Device Guard Readiness Tool. Note that this may not work for all systems.
  • Disable Secure Boot in the BIOS. This issue does not occur after disabling Secure Boot and rebooting the system. After a successful reboot, re-enabling Secure Boot does not cause the issue to reappear because Virtualization-Based Security may not get re-enabled by default. To re-enable Virtualization-Based Security, refer to the Device Guard Readiness Tool.

If you are encountering this issue on other hardware platforms, or for additional workarounds, please contact Symantec Enterprise Division Support and reference this article.

This issue has also been reviewed by HP and is documented on their Support Site:

https://support.hp.com/us-en/document/c06712907

Additional Information