Symantec Endpoint Encryption provides robust Drive Encryption that protects the systems at the sector and boot level. As a result, performing encryption has some protections in place to help with system stability during the install. SEE uses a "Pending Reboot" check and if there are pending reboots that haven't been cleared, this logic will prevent the install from happening with an MSI error code 1603.
Pending Reboot Detection
It is recommended that systems be rebooted if other installations of either third-party applications or Windows updates have been applied and a pending reboot status is detected. Starting with Symantec Endpoint Encryption 11.2.1, this reboot check is handled automatically. If a pending reboot is present, the SEE client install will halt, and the MSIEXEC error code will list the following reason:
"1602 - The user cancels installation"
A pending reboot check will halt the install for the following three reasons:
*Reboot pending after Windows updates.
*Reboot pending due to SEE Installs
*Reboot pending due to other third-party installs
In order to force installing the SEE client even though there could be pending reboots, an optional MSIEXEC parameter can be used. This feature works only on SEE 11.2.1 and above and is not recommended by Symantec unless the system has been rebooted, but still fails (sometimes 3rd party applications produce a pending reboot scenario, but can't be cleared, and these are typically less critical. Windows OS updates require a reboot, and are critical so we do not recommend turning this off post Windows updates):
If you would like to install and bypass this "Pending Reboot" check, run the following installation option:
msiexec /i SEEClientInstaller.msi /l*vx c:\path-of-log-file\SEEInstall-PR-Bypassed-log.txt PRE_INSTALL_REBOOT_CHECK=NO
The above will also create a log file called "SEEInstall-PR-Bypassed-log.txt" which can be reviewed for installation details.
If you have failed installs, the error code for failed installs will use the generic "1603". In order to differentiate between general install failures, and install failures due to a pending reboot scenario, we have a script that can be used. See the following article for more information on this topic:
Historical Reference Notes:
Symantec Endpoint Encryption 11.2.0 are considered EOL\EOS and should no longer be used. Upgrade to Symantec Endpoint Encryption 11.3.0 and above. As of this writing, version 11.3.1 is the latest. The information below is provided for historical reference. Using the newer versions is the best solution for this.
Symantec Endpoint Encryption 11.2.0 included an optional MSIEXEC parameter, which can be added to the install string, which will halt the install if a system is pending a reboot. To add this check, add the following to the MSIEXEC command:
Adding the above will halt the install if a system must first be rebooted due to a previous installation such as a Windows update, or other third-party install that requires a reboot. It is always best to reboot a system to clear out this pending state for best success during an upgrade.
For more information on Best Practices and Debugging Symantec Endpoint Encryption, see the following articles: