Endpoint Encryption

I recently downloaded the trial of Endpoint Encryption Management Server to determine if it was suitable for our somewhat closed environment; I created a Windows installation client and deployed it to 5 workstations to see if it will meet the requirements.  Software worked great on the first five deployments, started having issues with the installer therefore I created a new Windows installation client. Deployed the new client to 10 more workstations and monitored all workstations for performance; to determine if we should procure the product. 

I currently have a workstation that will launch the Symantec Endpoint Encryption authentication page and after successful login; machine will Blue Screen with the error PAGE_FAULT_IN_NONPAGED_AREA.  I have attempted to perform a recovery of the startup which has worked on another installation that had an similar issue.  I have booted into the advanced options for Windows 10 repair ISO and at the command prompt I was able to see all of the volumes after mounting the drive and listing the volumes.  I see that the C drive is showing as being formatted as RAW instead of NTFS. 

I created the Windows PE recovery disk that I've seen in forums, has resolved this error; but the bootable ISO will not start.  I created the disk and after authenticating through the encryption I choose to boot to disk, press any key to boot to disk; then the disk just spins and never loads.  

I am in need of a resolution to this issue!!  The procurement request for the license we need has been put on hold and because the trail deployment has had 3 out of 15 problems during the monitoring phase; further deployment has been halted until resolution has been reached.  I am going to image this drive and try to recover the MBR using other methods on the image.  There is alot of data on the drive therefore your support will be much appreciated!!

I have the same exact issue with Windows 10 1709 Enterprise 64 bit.  I am running SEE 11.1.3 MP1, which is supposed to be supported.  But we have consistently had BSOD with our laptops (Dell Latitude 7280).  These things are like time bombs.  We have had some work for a few days before BSOD and we have had some for a few hours.

@ Gary Feenster

What AV product are you using?  We are using Cylance Protect Version 2.0.1420.14  I'm curious because in our troubleshooting we think it might be related to compatability with an AV product and SEEM. 

Will anyone from Symantec care to chime in?  This is a pretty big deal and there is no data on what is being done to address this. 

any new updates ? We are having the same issue with Lenova yoga y370 randomly BSOD after encryption and we are also running SEE 11.1.3.

Still an issue.  I have a support case open with Symantec.  They claim they don't support installing SEE using third party tools like SCCM.  However, it appears even doing a manual install this issue occurs.  Now, I can't get a tech on the phone since I have discoverd that.  Interesting.....  I surely hope they figure this out.

We are seeing the same exact issue with SEE 11.1.3 MP1 on 1709.  Symantec is finally acknowledging this as an issue and are saying that there may be a trend with this issue on M.2 drives.  What drive types are you seeing the BSODs on?

We are having the same issue with different type of equipment! SEE 11.1.3 MP1 on 1709.

I just had 3 Windows 10 Dell Laptops blue screen on me in the last week.  Lucky, they are the only windows 10 laptops I have with SEE.  Seems all of them blue screened after windows update KB4074588.  2018-2 Cumulative Update for Windows 10 version 1709 for x64-based systems.  All running 11.1.3 MP1.  I had to boot with a WinPE USB stick, decrypt the drive, then run system restore to a restore point before the update.  Then after a succesfull boot, re-install the windows update, then re-encrypt the drive.  WHAT A PAIN.  There is no reason why SEE shouldn't work with a non major revision update.  They all use standard 2.5" SSD drives.  All Dell Inspirons.  If SEE continues to have issues with windows 10, I;m going to need to look somewhere else.  I have over 30 devices still on Windows 7, but will be going to windows 10 soon.  But not with SEE if they can't figure out the problem.

The latest from Symantec is that this could be caused by 'Fast Startup' and/or Hibernation.  I've disable both for testing and will report back the results after a few days of running this way since my machine doesn't crash all the time.  If anyone else is making the change, please report back your results as well.  If either is determined to be the cause, this is just a temporary fix until they can code around the issue in a future release.  

Turning off Fast Startup:

https://in.answers.acer.com/app/answers/detail/a_id/37059/~/windows-10%3A-enable-or-disable-fast-startup

I spoke to soon... I thought it was the windows update... but it is not.... Also I doubt it has anything to do with 'fast startup' or hibernation.  Story line... I was working on one of the laptops that bluescreened.  I booted up with WinPE, decrypted it... did a system restore from the previous day, and booted up good.  I re-installed all windows updates.  Then I uninstalled Symantec, then re-installed.  Then encrypted the hard drive.  I did a couple of reboots to be safe.  Then I shut down the laptop systematically.  (I.e. start --> Power off).  Then I drove the laptop to the client, turned it on, then boooom blue screen.. UGGGGGGG..... SEE is being uninstalled from all Windows 10 machines until they can fix it.  If they can't, time to find a new product.

LENOVO hardware and Fall Creator/SEE issues....

1. Fresh off the shelf M710, secure boot ON. Used factory loaded OS. December Patch level of Fall Creator. NO AV. NOT ON DOMAIN

Loaded SEE 11.1.3 MP1. Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. Blue Screen.

2. Fresh image with AND without hardware drivers on multiple hardware, Secure Boot ON. With and without the Autologon (bootguard bypass) (M900, M700, M710)

Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. Blue Screen.

3. M710, Secure Boot ON fresh image Fall Creator, NO AV, SEE 11.1.3 (NOT MP1)

Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. Blue Screen.

4. M710, Secure Boot OFF, fresh image Fall Creator, SEP AV, SEE 11.1.3 MP1

Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. Blue Screen.

5. T470s, Secure Boot ON fresh image Fall Creator, SEP AV, SEE 11.1.3 MP1  

Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. DOES NOT CRASH works even with multiple room changes, Dock or no dock.

6. M710, Secure Boot ON fresh image Creator (NOT FALL CREATOR), SEP AV, SEE 11.1.3 MP1  

Encrypted fully. Performed several shutdowns and restarts. No problems.

Moved PC to another room. DOES NOT CRASH works even with multiple room changes

We are testing more laptops as it appears the problem is confined maybe to the desktop models running Fall Creator. 

So far my device and another with frequent BSOD issues have been stable after disabling Fast Startup (see my previous post).  The theory is that the SEE driver/s are not given enough time to load with FS enabled and will result in an unstable Windows session if you even get that far.  If anyone else wants to disable Fast Startup and see if it helps, it may go a long way in solving this issue.  Symantec is having trouble reprducing this issue on their end (supposedly), so perhaps we can help them along. 

All,

 It appears this has been handed over to a Senior Engineer. I expect a hotfix or new release is coming asap.

Hi 

I have similar case with HP Elitebook 820 G4. but my problem aside from the Bluscreen, the OS is already now currpted then when I try to Decrcypt using WinPE an multiple error Appears, I try also to decrypt the files by slaving the hard Disk to Another unti but still my Proble did not resolve.

Hi all,

Try this. This seems to have resolved the issue until a new encryption client is released. We sent this out to target boxes and so far no issues. Bear in mind that once MS does an OS upgrade the setting may revert back. This has been our experience in testing when upgrading from Creator to Fall Creator. OS Upgrades were perfomed with the Symantec Scripts. We reran the script below to disable hibernation and fastboot.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
powercfg /h off

.

.

edited to fix spelling errors and update our findings with upgrading OS.

 Have you decrypted and tried fixing the MBR? What errors exactly are you seeing?

I thought I had resolved this issue on my Dell Latitude 7280 models.  The BSOD still occured for me without Symantec installed.  My main issue was that the BSOD was not producing a MEMORY.DMP file so I could see what the crash was related to.  I was finally able to get one generated and found that the page fault BSOD error was related to the intel 8265 wireless adapter.  So I updated that per Intel's instructions.  Everything worked fine on 13 test machines with SEE installed.  I thought it was fixed.  I was wrong.  Boom today rebuilt 2 machines and BSOD, no MEMORY.DMP file again and I'm back to square 1.  

I'm going to rebuild a machine and see if disabling fastboot and hybernate is a thing.  But jeez this sucks.  I wish SEE would be fixed.  I'm testing Bitlocker now as a backup if we need to move away from this POS. 

Try my script posted above. We are seeing the BSOD issue primarily with desktops, and can easily reproduce it. 

we are having the same issue.  we opened a ticket with symantec support and they said they know of the issue but dont have any workarounds or scheduled fix.  they said this post is not officially supported.

VERY FRUSTRATING!!!

 Interesting because the senior engineer working with my case recommended turning off Fast Boot. You must be getting those responses from first level support.

To quote Symantec Senior Level support ". In a number of other customer cases, we have seen the fast boot disablement be effective in avoiding these bluescreens."

Bottom line... it stops the problem until an update is released.

Try it. You can't hurt anything and you can always revert the settings.

we disabled fast boot and still get the BSOD errors.....

 Did you disable it in Windows or the BIOS? What PC model? Did you try the script I posted?

Try the following:

-Change Boot order to boot to a UBS w/ WinPE.

-Run the following:

eedAdminCli --status --disk 0 

eedAdminCli --decrypt --disk 0 --au <admin> --ap <password>

This will Decrypt the device.

Boot back into WinPE and run: ChkDsk /f /r

Get a Win10 Pro Install USB and use repair option

-Attempt StartUp and Repair if fails try Restore then Rollback.

disabled it in windows and used your script in a GPO

we opened a case with microsoft and they confirmed the BSOD was due to symantec 

​when will the patch be released?

@Joseph Gilchrist,

How were you able to get the MEMORY.DMP file to generate as I have no such luck and this makes it nearly impossible to troubleshoot BSOD?

Thanks,

Angel 

@Angel Gerado

Well, it was a bit tricky.  I actually have the BSOD occuring even SEE was not installed.  because of the intel 8265 wireless driver from dell.  So when I unisntalled SEE I was able to get a dump file then.  My concerns here are that I can't get one when SEE is installed.

Is Symantec still working on this?

I just had a Lenovo T450 bluescreen and I had to re-image it.  I was able to shutdown/reboot several times and it wasn't until I completely removed power and added additional RAM, that it corrupted the disk on the next boot.  Fast boot was enabled, so I'm turning it off in hopes that this will not happen again.

I'm using Symantec Encryption Desktop so this is a problem for SED as well as SEE.

Hi Sir.

we have similar issue here on our HP Laptop, iside from we also encounter new issue. when Our users change thier password, upon rebooting the unit password did not sync with the symantec boot gourd we aleady try to check in several times but still the new password did not Sync, still the old password was recognize by the Symantec boot gourd, and upon typing the old password upon log log a strange Log on screen appeare (PGP SSO) see the attachment upon exploring we try to type into the PGP SSO password the users new Password it accept. the question is why is this happening 

Also having the same error with the trial version of disk encryption (stand alone) on Windows 10. Am following the following document

https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/SOLUTIONS/223000/TECH223783/en_US/symcEE_11.1.0_WinPE_TechNote.pdf?__gda__=1522282695_087546c894f86a159697260c856ba461

So can create the win PE file and get to copy the files from the symantec folders on another PC with Drive Encryption installed. However the symantec folders do not exist just PGP ones. And they don't correlate to the document.

So how do you get to run the eedadmincli commands mentioned at the beginning of this post????

Please help as Symantec won't as it's only the trial version. Version is 10.4.1

Figured how to fix this for the trial software install Symantec Endpoint Encryption Desktop

Followed this article

https://support.symantec.com/en_US/article.HOWTO95227.html

Please note that the location of the PGP files are not as stated. Most are in a winpe folder within the PGP folder structure on program files. Teh rest are in teh PGP folder structure under Program Files (x86)

Then followed this link

https://www.symantec.com/connect/articles/how-decrypt-drive-windows-pe-symantec-encryption-desktop-10x

but basically

pgpwde --enum

pgpwde --disk-status --disk 0

pgpwde --decrypt --disk 0 --interactive

Mine took around 2.5 hours to decrypt keep entering

pgpwde --disk-status --disk 0

until you get a message to say its finished...... Hopefully this will help someone else as all the docs I found related to V10 and were really old docs they took a lot of google searches to find!!

Hi all ,

Please try to disable fast boot option in windows 10 , it solved it for us .

you can only apply it before the BSOD .

https://lifehacker.com/enable-this-setting-to-make-windows-10-boot-up-faster-1743697169

Good luck .

Hi all,

To share what we have tested and work  with symantec support
Lenovo T460 running on SSD with upgraded Windows 10.0.16299 ,  SEP 12.1.6  MP9 . This laptop getting  the BSOD errors and have tried on below steps from the support :

- Disable fast boot option in windows 10
- Sent Minidump to the support
- upgrade to SEE 11.1.3 MP1
- upgrade to latest windows Build 1709 (previously this laptop running on Windows 10.0.14393 and encountered BSOD ,  support advise to upgrade to latest patch and build )
- run driver verifier  and cause the system crash.

Anyone has better solution on this ?

What is working for us.

New installs:

PC/Laptop - Windows 10 Fall Creator WITH either the "out of band patch" from March 16299.334 or the newest April revision of 16299.371

Fast Start and Hibernation turned OFF (this is fixed with the above releases but we turned this off anyway)

Then we load SEE 11.1.3 MP1 (we have not tested 11.2 yet)

Upgrades:

We are mostly Lenovo with a few Panasonic and Dell rugged laptops. 2000 clients running Windows 10. 75% of those machines have been upgraded to Fall Creator in the last few weeks. ZERO BSOD.....

For the upgrades we use the Symantec scripts and also turn off Fast Start as part of the post install.

This is a completely separate issue and should have been a new thread.  Failure to Sync with the Bootguard is typically due to changing the password in AD directly or using a tool to do so instead of using ctrl+alt+delete locally to change password.  It can't sync until it is used for a login.  Use the old password at boot, then when the login screen comes up, the new password will work.  After that, next reboot, it should be synced.  If not, then start a new thread, or call support.

Hi 

We also done same on our HP laptop (G4) but one thing I notice when we disable Fasboot both on Bios and windows power option. prior to encryp the unit itakes time to encrypt the unit (10 to 24hrs) compare when we never diasbale the fastboot on Bios and windows.

We do NOT turn off fast BOOT in the BIOS... We turn off Fast START in windows. Encryption time is not affected. Are you using spinning drives? SSD? What size?

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
powercfg /h off

Pretty similar boat as everyone else still having issues.  One thing I'll note is I've seen two different scenarios.

Case 1)  Imaged with Win10 1703, SEE installs then encrypts.  System will randomly blue screen.

Tried all the things listed but the BSOD's persisted.  Started looking to upgrade to SEE 11.2 and Win10 1803 (RS4).

I had to decrypt in order to update to 1803...  A few days later.. crashed.. pointing to the Intel RST driver.  After upgrading to 1803, the Intel RST driver reverted to a 2005 version.  The current version provided by HP is 15.9.0.1015 (Dell's is also older), but Intel's site has a 16.0.2.1086 release:  https://downloadcenter.intel.com/product/55005/Intel-Rapid-Storage-Technology-Intel-RST-

Testing this on devices now but not holding my breath.

Case 2)  Imaged with Win10 1703, SEE installs then encrypts.  System will instantly blue screen after login at the SEE splash screen.

It looks like the drives in this case were being encrypted with both SEE and BitLocker.  Booted to Symantec's WinPE recovery, decrypted, successfully logged into windows.  Ran manage-bde -status in an elevated command prompt which returned BitLocker drive encryption at 100%.  If TPM, EUFI, and secure boot are enabled, the drives will auto-encrypt.  If this was causing a race condition issue at boot I can see why that would make sense.  If you adjust your unattend file to prevent the "feature" you may have better luck moving forward.

Unattend file excerpt:

<settings pass="oobeSystem">
    <component name="microsoft-windows-securestartup-filterdriver-" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
        <PreventDeviceEncryption>true</PreventDeviceEncryption>
    </component>

Auto-encryption was also causing issues when creating the image.  Sysprep would fail because the device had begun encrypting even though BitLocker was turned off.  Sorry if this is already common knowledge to everyone - I only play an IT Professional on TV.

I didn't see it posted to this thread yet, but there's an article to track this bug: https://support.symantec.com/en_US/article.TECH249397.html

It doesn't provide any further info that we have discussed.

Furthermore, If you have chosen to disable "Fast Boot" OR "Hibernation", please be aware, I have also seen this bug with just Hibernation enabled (on Windows 10 v1709).  It occurred when the laptop entered critical battery stage and Hibernated automatically.  My recommendation is to disable both until Symantec releases an update.

Hi all,

To share what we have tested and work  with symantec support
1. Lenovo T440/T450/T460/X1 Carbon running on SSD with Windows 10 Version 1803/1709

2. Installed with SEE 11.2 Build 356 Since early June 2018

So far is 0 BSOD till date

 No one should be seeing this issue any more. This issue was a Microsoft issue that was resolved a few months ago.

This is still an issue, what patch are  you reffering to, I would like to see if we have that patch in our enviornment. we are having intermitant issues with blue screens.