A BSOD occurs if ELAM is enabled on Windows 10


Article ID: 175658


Products

Endpoint Protection

Issue/Introduction

When Symantec Endpoint Protection (SEP) is installed with Early Launch Anti-Malware (ELAM) enabled, the computer encounters a blue screen upon reboot. This persists across multiple reboots.

Known BSODs:

Bugcheck 50
Bugcheck D1

Environment

Computers joined to a domain with GPO enforcement of DriverLoadPolicy set to "8"

Cause

Windows' ELAM policy has been configured for "Good Only" and a critical driver on the system does not meet that criterion.

Resolution

If the driver in question is symefasi64.sys, this issue is fixed in Symantec Endpoint Protection 14.3.3384.1000 (RU1) and newer. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download Symantec Enterprise Security software, tools, and patches (broadcom.com).

Workaround:

Adjust the policy setting in the GPO from "8" (Known good drivers only) to "1" (Good and unknown drivers) or locate and correct the offending driver.

After the first BSOD, if the computer blue-screens again on reboot, the next reboot should start it in recovery mode. From there, open a command prompt, start regedit, load the SYSTEM hive from C:, and edit the DriverLoadPolicy value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch. Change the value to 1, then exit, committing the change. On the next reboot the system should boot normally.

Note: Once the system boots normally, it will apply the GPO again and revert the DriverLoadPolicy value. You will need to adjust the policy, temporarily disable ELAM, or resolve the driver issue so that subsequent reboots do not result in a BSOD.
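
The recovery-mode registry edit described above can also be done with reg.exe instead of regedit. The script below is an added example, not part of the original article or vendor tooling. It assumes the Windows volume is C: (as in the article) and uses a hypothetical mount name, OFFLINE, for the loaded hive.

```batch
@echo off
rem Added example, not vendor code. Run from the recovery-mode command prompt.
rem Assumptions: Windows volume is C:, OFFLINE is a hypothetical mount name.
setlocal
set HIVE=C:\Windows\System32\config\SYSTEM
set MOUNT=HKLM\OFFLINE

reg load %MOUNT% "%HIVE%" || (echo Could not load %HIVE% & exit /b 1)

rem A hive loaded offline has no CurrentControlSet link.
rem Select\Current names the control set the installed system boots with.
set CUR=
for /f "tokens=1,3" %%A in ('reg query %MOUNT%\Select /v Current') do (
    if /i "%%A"=="Current" set CUR=%%B
)
if not defined CUR (echo Select\Current not found & reg unload %MOUNT% & exit /b 1)

rem reg prints the DWORD as hex (for example 0x1); build ControlSet001 from it.
set /a NUM=%CUR%
set PAD=00%NUM%
set KEY=%MOUNT%\ControlSet%PAD:~-3%\Policies\EarlyLaunch

echo Value before the change:
reg query "%KEY%" /v DriverLoadPolicy

rem 1 = Good and unknown drivers (the workaround value from the article).
reg add "%KEY%" /v DriverLoadPolicy /t REG_DWORD /d 1 /f
set RC=%ERRORLEVEL%

rem Unloading the hive writes the change back to disk.
reg unload %MOUNT%
exit /b %RC%
```

The change holds only until the GPO is reapplied on the next normal boot, as the note above explains.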