Symantec Endpoint Encryption uses Drive Encryption to secure systems for Data at Rest.  If a drive has been encrypted, and the machine is rebooted, in order to boot the system up, the user must supply a username and password/passphrase at the preboot screen.  Once the credentials have been provided, the system should then boot up.

After a Windows Update is performed, either a Feature Update, or a Cumulative Update in some rare situations the system may present the Preboot Screen and once the credentials have been successfully entered, the preboot screen may show up again, indicating some sort of a boot loop scenario. 

Symantec has included some improvements for this Windows Update functionality in 11.3.1 MP1HF1 and above.   

In addition to the above improvements, Symantec Encryption has a script that can help repair these "boot loop" scenarios.

For access to this utility, please reach out to Symantec Encryption Support and request the "PrebootRecovery" script and support can assist further. 

194755 - Systems fail to boot after installing Endpoint Encryption Removable Media Encryption with Virtualization-Based Security enabled (Device Guard\HVCI)

162486 - Systems unable to boot properly after Encrypting disk with Symantec Drive Encryption when BIOS set to RAID On

179265 - How to automatically upgrade Windows 10 systems encrypted with Symantec Endpoint Encryption 11

213890 - Deploy or Upgrade Windows 10 automatically using SCCM on systems encrypted with Symantec Endpoint Encryption

179262 - How to automatically upgrade Windows 10 systems encrypted with Symantec Encryption Desktop 10.4.2.x and 10.5.x

161041 - Windows PE Recovery Tools for Endpoint Encryption