000039276 - BSOD with RSA NetWitness Endpoint 4.4 agent on Windows 10 build 2004

Document created by RSA Customer Support Employee on Sep 9, 2020
Last modified by RSA Customer Support Employee on Jan 12, 2021
Version 2

Article Content

Article Number
000039276

Applies To
RSA Product Set: NetWitness Endpoint formerly ECAT
RSA Product/Service Type: NetWitness Endpoint
RSA Version/Condition: 4.4.x
Platform: Windows

Issue
RSA has become aware of an issue with Windows 10 Build 2004 and the NetWitness Endpoint agent that may result in a BSOD when shutting down the endpoint or attempting to uninstall the NWE agent. As a result, it is recommended that customers not upgrade existing agents that are installed on build 2004 to or install the NetWitness Endpoint agent on an endpoint running Windows 10 build 2004 at this time.
Pre- agents will not cause a BSOD but will encounter a kernel driver error (E0010014) that will result in dramatically reduced functionality of the agent.  

RSA Engineering has released an updated ECAT-Packager bundle that resolves this issue.  Contact support for the updated packager.

NOTE: Windows 10 build 2004 is NOT supported in NetWitness Endpoint 11.x until version

Cause
It has been observed that the and agents may contribute to a BSOD on an endpoint running Windows 10 Build 2004 when that endpoint is shut down or an uninstall of the agent is attempted. There may be other instances that trigger the BSOD.

RSA Engineering has built an updated version of the agent building utility "ECAT-Packager" that includes support for build 2004.  Contact support for the updated packager.

Resolution
Before the updated packager became available, the endpoint needed to be booted into safe mode and the agent uninstalled by running the following command: msiexec /x {63AC4523-5F19-42F0-BC43-97C8B5373589}. This is no longer necessary provided you build and deploy agents using the updated ECAT-Packager.
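
A pre-deployment check for the condition described above, as an added example (not RSA's own tooling): it reports whether an endpoint is on the affected Windows 10 release and whether the agent's MSI product code from the uninstall command is registered. It assumes "build 2004" means Windows 10 version 2004 (OS build 19041) and that the agent registers under the standard Windows Installer Uninstall key.

```powershell
# Added example. Assumptions: OS build 19041 = Windows 10 version 2004;
# the product code is the one quoted in this article's msiexec /x command.
$ProductCode   = '{63AC4523-5F19-42F0-BC43-97C8B5373589}'
$AffectedBuild = 19041

function Get-AgentInstall {
    param([string]$Code)
    # MSI products register under Uninstall\{ProductCode}; check both registry views.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Join-Path $root $Code
        if (Test-Path -LiteralPath $key) {
            return Get-ItemProperty -LiteralPath $key |
                Select-Object DisplayName, DisplayVersion
        }
    }
    return $null
}

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$agent   = Get-AgentInstall -Code $ProductCode
$onBuild = ($build -eq $AffectedBuild)

# Map the two findings to the guidance in this article.
if ($onBuild -and $agent) {
    $action = 'Hold agent upgrade/uninstall; obtain updated ECAT-Packager from RSA support'
} elseif ($onBuild) {
    $action = 'Install only agents built with the updated ECAT-Packager'
} else {
    $action = 'Advisory does not apply to this OS build'
}

$version = $null
if ($agent) { $version = $agent.DisplayVersion }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OsBuild         = $build
    OnAffectedBuild = $onBuild
    AgentInstalled  = [bool]$agent
    AgentVersion    = $version
    Action          = $action
}
```

Run it from an elevated PowerShell session on the endpoint, or through your existing remote management tooling, and collect the output objects to scope which machines need agents rebuilt with the updated packager.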