Symantec Endpoint Encryption provides robust Drive Encryption that protects the systems at the sector and boot level. As a result, performing encryption has some protections in place to help with system stability during the install. SEE uses a "Pending Reboot" check and if there are pending reboots that haven't been cleared, this logic will prevent the install from happening with an MSI error code 1603.
If a system has entered a "Pending Reboot" state, this means the system should be restarted.
With SEE 11.4.0 MP1HF1 and older versions, Pending Reboots will occur for the following reasons:
1. Microsoft Windows updates invoking pending reboots.
2. SEE Client Installation invoking pending reboots.
3. Third-party pending reboots.
Note: Starting in SEE 11.4 MP2, pending reboots will happen for only items 1 and 2 above.
Version : 11.4.1
To resolve a "Pending Restart" message during installation, restart the computer, which typically clears the information in the "PendingFileRenameOperations" registry key.
Registry Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Name: PendingFileRenameOperations
If this value exists, and you double-click on it, you can see which items it is pending a reboot. Make note of these values and after a reboot they should clear.
Various Windows drivers from Windows or third-party could be included here.
To prevent this error from occurring in the future, immediately restart the computer after you install an application or driver.
If the error persists after you restart the computer, follow these steps:
Open the Windows Registry using regedit.exe.
Search for the entry "PendingFileRenameOperations" in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\KeysNotToRestore
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
If you find the entry, first back up each key, and then delete the entry in each key.
Search for the RebootRequired key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
If you find the key, first back up the key, and then remove the key.
Then reboot your machine.
Pending Reboot Detection
It is recommended that systems be rebooted if other installations of either third-party applications or Windows updates have been applied and a pending reboot status is detected. Starting with Symantec Endpoint Encryption 11.2.1, this reboot check is handled automatically. If a pending reboot is present, the SEE client install will halt, and the MSIEXEC error code will list the following reason:
"1602 - The user cancels installation"
A pending reboot check will halt the install for the following three reasons:
1. Reboot pending after Windows updates.
2. Reboot pending due to SEE Installs
3. Reboot pending due to other third-party installs
In order to force installing the SEE client even though there could be pending reboots, an optional MSIEXEC parameter can be used. This feature works only on SEE 11.2.1 and above and is not recommended by Symantec unless the system has been rebooted, but still fails (sometimes 3rd party applications produce a pending reboot scenario, but can't be cleared, and these are typically less critical. Windows OS updates require a reboot, and are critical so we do not recommend turning this off post Windows updates):
PRE_INSTALL_REBOOT_CHECK=NO
If you would like to install and bypass this "Pending Reboot" check, run the following installation option:
msiexec /i SEEClientInstaller.msi /l*vx c:\path-of-log-file\SEEInstall-PR-Bypassed-log.txt PRE_INSTALL_REBOOT_CHECK=NO
An Example of the command:
The above will also create a log file called "SEEInstall-PR-Bypassed-log.txt" which can be reviewed for installation details.
Important Note: If you have failed installs, the error code for failed installs will use the generic "1603". In order to differentiate between general install failures, and install failures due to a pending reboot scenario, we have a
Symantec Development has created an additional script that can be used to detect if the failed install was due to a pending reboot.
In order to obtain information on this, please contact support.
Historical Reference Notes:
Symantec Endpoint Encryption 11.2.0 are considered EOL\EOS and should no longer be used. Upgrade to Symantec Endpoint Encryption 11.3.1 and above. As of this writing, version 11.4.1 MP1 is the latest. The information below is provided for historical reference. Using the newer versions is the best solution for this.
Symantec Endpoint Encryption 11.2.0 included an optional MSIEXEC parameter, which can be added to the install string, which will halt the install if a system is pending a reboot. To add this check, add the following to the MSIEXEC command:
PRE_INSTALL_REBOOT_CHECK=YES
Adding the above will halt the install if a system must first be rebooted due to a previous installation such as a Windows update, or other third-party install that requires a reboot. It is always best to reboot a system to clear out this pending state for best success during an upgrade.
For more information on Best Practices and Debugging Symantec Endpoint Encryption, see the following articles:
161042 - Enabling Logging and Debug Logging in Endpoint Encryption 11
153530 - Best Practices: Symantec Endpoint Encryption and Symantec Drive Encryption
ISFR-2630 - A Feature Request has been logged to prompt end users to reboot to continue the install instead of block.
If you would like to be added to this feature request, reach out to Symantec Encryption Support and mention this KB and ISFR ID and we can provide further details.
ISFR-2303
ISFR-1736
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\BackupRestore\KeysNotToRestore