After upgrading the Endpoint Protection (SEP) client to one of the SEP 14.2 versions listed in the Environment section below and rebooting to complete the upgrade, a Windows client may hang on a blank screen and not complete the boot cycle.

Windows 10

• 14.2
• 14.2 MP1
• 14.2 RU1
• 14.2 RU1 MP1
• 14.2 RU2
• 14.2 RU2 MP1

Due to a race condition, a scenario can occur where Application Control starts without loading the Application Control content on migration or upgrade and services are timing out.

This issue is fixed in Symantec Endpoint Protection (SEP) 14.3 RU1. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec software here.

Workaround options:

1. Increase the service timeout to provide additional time for critical system services to start. This will prevent AuditBlockNonMicrosoftBinaries from creating impact to the rest of the system while it is auditing Sysfer.dll. Recommendation is to set ServicesPipeTimeout to 5 minutes (Decimal: 300000).
   
   Additional Detail: https://support.microsoft.com/en-us/help/922918/a-service-does-not-start-and-events-7000-and-7011-are-logged-in-window
   
   This can be a temporary solution until the longer-term solution is available in the product to prevent the race condition.
    
2. Uninstall the Application and Device Control feature and reboot prior to upgrading.
3. Disable sysplant as outlined in TECH252893, if the machine is already in the hung state then this can be completed in Safe Mode.
4. Uninstall SEP and reboot to complete the uninstall. Install the new version.

After using workaround 2 or 3, Application and Device Control (sysplant) can be re-enabled after completing the upgrade and ensuring that LiveUpdate has been successfully run.

ESCRT-3060

ESCRT-4552