000039276 - BSOD with NetWitness Endpoint 4.4 agent on Windows 10 build 2004

Document created by RSA Customer Support Employee on Sep 9, 2020
Version 1

Article Content

Article Number: 000039276

Applies To
   RSA Product Set: NetWitness Endpoint (formerly ECAT)
   RSA Product/Service Type: NetWitness Endpoint
   RSA Version/Condition: 4.4.x
   Platform: Windows
Issue
RSA has become aware of an issue with Windows 10 Build 2004 and the NetWitness Endpoint agent that may result in a BSOD when shutting down the endpoint or attempting to uninstall the NWE agent. As a result, RSA recommends that, at this time, customers do not upgrade existing agents installed on build 2004 to 4.4.1.2/4.4.1.3 and do not install the NetWitness Endpoint agent on an endpoint running Windows 10 build 2004.
Pre-4.4.1.2 agents will not cause a BSOD but will encounter a kernel driver error (E0010014) that dramatically reduces the functionality of the agent.

RSA Engineering is working with Microsoft to investigate this issue.  This KB will be updated as more information becomes available.

NOTE: Windows 10 build 2004 is NOT supported in NetWitness Endpoint 11.x 
Cause
It has been observed that the 4.4.1.2 and 4.4.1.3 agents may contribute to a BSOD on an endpoint running Windows 10 Build 2004 when that endpoint is shut down or an uninstall of the agent is attempted. Other conditions may also trigger the BSOD.

Resolution
The endpoint must be booted into safe mode and the agent uninstalled by running the following command: msiexec /x {63AC4523-5F19-42F0-BC43-97C8B5373589}.

Workaround
Currently, there is no known workaround.

RSA recommends the removal of the NetWitness Endpoint agent before updating Windows 10 to build 2004.
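
To find which endpoints fall under each case in this article before a Windows or agent rollout, a read-only check like the following can be run per machine. It is an added example, not RSA code. It assumes the product code from the Resolution section identifies the installed agent MSI, that the MSI's DisplayVersion is a dotted version string, and that the registry ReleaseId value reads 2004 on the affected build; the function names are hypothetical.

```powershell
# Added example, not RSA code. Read-only: queries the registry, changes nothing.
$ProductCode = '{63AC4523-5F19-42F0-BC43-97C8B5373589}'  # from the Resolution section

function Get-NweAgentInfo {
    # Standard MSI uninstall keys (64-bit and 32-bit registry views).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Join-Path $root $ProductCode
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).DisplayVersion
            # Assumption: DisplayVersion is dotted (e.g. 4.4.1.2); $null if not parseable.
            return [pscustomobject]@{ Installed = $true; Version = ($raw -as [version]) }
        }
    }
    return [pscustomobject]@{ Installed = $false; Version = $null }
}

function Get-NweBuild2004Status {
    param([string]$ReleaseId, [bool]$Installed, [version]$AgentVersion)
    $on2004 = ($ReleaseId -eq '2004')
    if (-not $Installed) {
        if ($on2004) { return 'HOLD: do not install the agent on this endpoint' }
        return 'OK: agent not installed'
    }
    if (-not $on2004) { return 'ACTION: remove the agent before updating to build 2004' }
    if ($null -eq $AgentVersion) { return 'REVIEW: agent on build 2004, version unreadable' }
    if ($AgentVersion -eq [version]'4.4.1.2' -or $AgentVersion -eq [version]'4.4.1.3') {
        return 'AT RISK: BSOD possible on shutdown or uninstall; uninstall from safe mode'
    }
    if ($AgentVersion -lt [version]'4.4.1.2') {
        return 'DEGRADED: expect kernel driver error E0010014'
    }
    return 'REVIEW: agent version not covered by this article'
}

# Classify the local endpoint and emit one object suitable for fleet collection.
$os    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$agent = Get-NweAgentInfo
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    ReleaseId = $os.ReleaseId
    Build     = $os.CurrentBuildNumber
    Agent     = $agent.Version
    Status    = Get-NweBuild2004Status $os.ReleaseId $agent.Installed $agent.Version
}
```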
