Exploit Prevention is disabled due to a conflict with Microsoft Device Guard

Technical Articles ID: KB92318
Last Modified: 2021-12-08 18:08:34 Etc/GMT

Environment

Endpoint Security (ENS) Threat Prevention 10.7.0, 10.6.1 July Update Repost (and earlier)
Microsoft Windows 10 version 1809 (October 2018 Update)
Microsoft Device Guard

Summary

In Windows 10 version 1709 (Fall Creators Update), Microsoft introduced Device Guard. Device Guard is designed to prevent malicious code from running by making sure that only known good code can run. For more information, see this Microsoft article on Device Guard.

Problem

In a rare scenario, there’s a conflict between Device Guard and Exploit Prevention that prevents the driver mfeepmpk.sys from being loaded on boot.

The main symptom of this issue is that McAfee Agent, View Security Status states: Exploit Prevention is disabled.

From the EndpointSecurityPlatform_Debug.log (McAfee Tray reports that Exploit Prevention is disabled):

McTray(15808.3884) <xxx> McTray.McTrayUPC.Debug: UpdateMcTrayStatus: Issue: Exploit Prevention is disabled.
McTray(15808.17140) <xxx> McTray.McTrayUPC.Debug: CheckTechnologyState: boName: BO, enabledState: 0, desiredState: 1

From the EndpointSecurityPlatform_Errors.log:

mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Error (Gbop.cpp:3843): Failed to activate Exploit Prevention engine: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Error (Gbop.cpp:1451): Load Exploit Prevention engine failed: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1685): Exploit Prevention enabling technology failed.

From the EndpointSecurityPlatform_Debug.log:

McTray(15808.3884) <xxx> McTray.McTrayUPC.Debug: CheckTechnologyState: boName: BO, enabledState: 0, desiredState: 1
McTray(15808.3884) <xxx> McTray.McTrayUPC.Debug: UpdateMcTrayStatus: Issue: Exploit Prevention is disabled.

From the ExploitPrevention_Activity.log:

mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Activity: Failed to activate Exploit Prevention engine: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Activity: Load Exploit Prevention engine failed: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Activity: Exploit Prevention enabling technology failed.

From the ExploitPrevention_Debug.log:

mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::Init Called
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::ApplyConfiguration Called
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::LazyLoadBOEngine Called
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::LoadBOEngine Called
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: HipShield debug value set to 1
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Activity: Failed to activate Exploit Prevention engine: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Error: Failed to activate Exploit Prevention engine: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::UnloadBOEngine Called
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Debug: About to delete all registered Content
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::UnloadBOEngine All registered content were succesfully removed
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::UnLoadBOEngine Call completed
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Activity: Load Exploit Prevention engine failed: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Error: Load Exploit Prevention engine failed: 0x13
mfetp(7956.10664) <SYSTEM> TmpLogger.Gbop.Debug: Gbop::Init Called ended
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Debug: Setting BOP status: 3
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Debug: Set requested setting: 2
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Debug: Setting current state: 3
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Activity: Exploit Prevention enabling technology failed.
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Error: Exploit Prevention enabling technology failed.
mfetp(7956.10664) <SYSTEM> TmpLogger.BoBl.Debug: Failed to enable BOP

Cause

The Exploit Prevention driver mfeepmpk.sys doesn’t correctly pass Microsoft page hash signing.

Solution

This issue is resolved in ENS 10.6.1 December Update and ENS 10.7.0 February 2020 Update.

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround

Disable Device Guard.

NOTE: We don't recommend disabling this system functionality.

Download the Device Guard and Credential Guard hardware readiness tool.
Run PowerShell as an administrator and execute the following command:

DG_Readiness.ps1 -Disable
Reboot the system.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Exploit Prevention is disabled due to a conflict with Microsoft Device Guard

Environment

Summary

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Title

Title

Knowledge Center

Exploit Prevention is disabled due to a conflict with Microsoft Device Guard

Environment

Summary

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Choose your region

Title

Title