Troubleshooting
Endpoints offline since August 17, 2023
You may notice that some Windows endpoints appear offline in Control Center since August 17, or since the most recent date on which a product update was attempted. The event that led to this status is the agent update to version 7.9.5.318, released on the Fast ring.
The update was intended to replace the vlflt driver file with a new version and to stop the services associated with the old version. In some corner cases the old driver did not stop properly, causing loss of communication with GravityZone.
The following product versions can be affected when updating to version 7.9.5.318, on Fast ring: 7.8.4.268, 7.8.4.270, 7.9.1.280, 7.9.1.281, 7.9.1.283, 7.9.1.285, 7.9.2.289, 7.9.2.290, 7.9.3.296, 7.9.3.297, 7.9.3.298, 7.9.4.303, 7.9.4.306, and 7.9.4.313.
To check whether your endpoints are offline because of this issue, verify the status of the epsecurityservice and vlflt services on the affected endpoint. If epsecurityservice is stopped and vlflt is stopped or pending, the endpoint is affected.
You can check the service status from an elevated command prompt by running the following commands:
sc query epsecurityservice
sc query vlflt
To fix this issue, you must reboot the endpoint for version 7.9.5.322 to become available. After the update, you can reboot the endpoint again at your earliest convenience.
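The two sc query commands above can be wrapped in a script so the verdict does not depend on reading the output by eye. The following PowerShell script is an added example and is not part of the Bitdefender article: it applies the article's rule (epsecurityservice stopped and vlflt stopped or pending means affected), reads the agent version from the DisplayVersion value under the Uninstall\Endpoint Security key described in the "Finding the product version of BEST in registry editor" section, and reports the action the article prescribes. The function names are mine; the version list and the fix version 7.9.5.322 come from the article. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Bitdefender article: decide whether this endpoint shows the
# "offline since August 17, 2023" condition, using the same checks the article gives
# (sc query epsecurityservice / sc query vlflt) plus the DisplayVersion registry value.
# Run from an elevated PowerShell prompt.

# Versions the article lists as affected when updating to 7.9.5.318 on the Fast ring.
$AffectedVersions = @(
    '7.8.4.268', '7.8.4.270', '7.9.1.280', '7.9.1.281', '7.9.1.283', '7.9.1.285',
    '7.9.2.289', '7.9.2.290', '7.9.3.296', '7.9.3.297', '7.9.3.298',
    '7.9.4.303', '7.9.4.306', '7.9.4.313'
)
$FixVersion = '7.9.5.322'   # version the article says becomes available after a reboot

function Get-ScState {
    # Returns the STATE reported by sc.exe (RUNNING, STOPPED, STOP_PENDING, ...) or NOT_FOUND.
    # sc.exe is used rather than Get-Service because vlflt is a file system filter driver,
    # which Get-Service does not enumerate. (Plain "sc" is a PowerShell alias for Set-Content.)
    param([Parameter(Mandatory)][string]$Name)
    $output = & sc.exe query $Name 2>&1 | Out-String
    if ($output -match 'STATE\s*:\s*\d+\s+([A-Z_]+)') { return $Matches[1] }
    return 'NOT_FOUND'
}

function Get-BestDisplayVersion {
    # Same key the article names for reading the version when the tray icon is hidden.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security'
    $item = Get-ItemProperty -Path $key -Name DisplayVersion -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'unknown' }
    return $item.DisplayVersion
}

function Test-BestOfflineCondition {
    $eps   = Get-ScState -Name 'epsecurityservice'
    $vlflt = Get-ScState -Name 'vlflt'
    $ver   = Get-BestDisplayVersion

    # Article's rule: epsecurityservice stopped AND vlflt stopped or pending => affected.
    $affected = ($eps -eq 'STOPPED') -and
                ($vlflt -in @('STOPPED', 'STOP_PENDING', 'START_PENDING'))

    if ($affected) {
        $action = "Reboot so that $FixVersion can be applied, then reboot again after the update"
    } elseif ($ver -eq $FixVersion) {
        $action = 'Fixed version installed; no action'
    } else {
        $action = 'Not affected by this issue'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DisplayVersion    = $ver
        VersionInArticle  = ($ver -in $AffectedVersions)   # listed as affected before the update
        EpSecurityService = $eps
        Vlflt             = $vlflt
        Affected          = $affected
        RecommendedAction = $action
    }
}

Test-BestOfflineCondition | Format-List
```

The object returned by Test-BestOfflineCondition can be collected from many endpoints through your remote-execution tooling and filtered on the Affected property to build the reboot list.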
Critical error (BSOD) when ELAM is enabled on Windows 10 and Windows 11 endpoints
Issue
When Bitdefender Endpoint Security Tools (BEST) is installed on Windows 10 and Windows 11 endpoints, the security agent checks the Early Launch Anti-Malware (ELAM) policy settings.
If it is set to Good only, only drivers classified as “good” are loaded. Critical drivers that are not classified as such are blocked, causing critical errors (BSOD).
Solution
To avoid this problem, set the ELAM policy to any other option than Good only.
To fix a critical error (BSOD) that occurred while the policy was set to Good only, follow these steps:
Reboot your endpoint into recovery mode.
Press Win + R to open the Run window.
Type regedit and click OK. This opens the Registry Editor window.
Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch registry key.
Change the DriverLoadPolicy value to any option other than Good only.
Click OK.
Reboot your endpoint.
For more information, refer to the official Microsoft ELAM Driver Requirements page.
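The Solution above says to keep the ELAM policy on anything other than Good only; that setting can be audited before BEST is deployed rather than discovered through a BSOD. The following PowerShell script is an added example, not part of the Bitdefender article: it reads DriverLoadPolicy from the registry key named above, decodes it using the value meanings from Microsoft's ELAM documentation (0 = Good only, 1 = Good and unknown, 3 = Good, unknown and bad but critical, 7 = All; 3 is what Windows uses when the value is absent), flags the Good only setting, and provides a helper that moves a running system to one of the other allowed values. The function names are mine. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Bitdefender article: audit the ELAM DriverLoadPolicy on a
# running Windows 10/11 endpoint and optionally move it off "Good only".
# Value meanings follow Microsoft's ELAM documentation; when the value is not set,
# Windows behaves as if it were 3 (Good, unknown and bad but critical).

$ElamKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$PolicyNames = @{
    0 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad but critical (default)'
    7 = 'All'
}

function Get-ElamDriverLoadPolicy {
    $item = Get-ItemProperty -Path $ElamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value  = 3
        $source = 'default (value not set)'
    } else {
        $value  = [int]$item.DriverLoadPolicy
        $source = $ElamKey
    }

    if ($PolicyNames.ContainsKey($value)) { $meaning = $PolicyNames[$value] }
    else                                   { $meaning = 'unrecognized value' }

    [pscustomobject]@{
        Value    = $value
        Meaning  = $meaning
        Source   = $source
        BsodRisk = ($value -eq 0)   # the "Good only" condition the article warns about
    }
}

function Set-ElamDriverLoadPolicy {
    # Only 1, 3 and 7 are accepted: 0 ("Good only") is the setting that causes the BSOD.
    param([ValidateSet(1, 3, 7)][int]$Value = 3)
    if (-not (Test-Path $ElamKey)) { New-Item -Path $ElamKey -Force | Out-Null }
    Set-ItemProperty -Path $ElamKey -Name DriverLoadPolicy -Value $Value -Type DWord
    Get-ElamDriverLoadPolicy
}

$policy = Get-ElamDriverLoadPolicy
$policy | Format-List
if ($policy.BsodRisk) {
    Write-Warning 'DriverLoadPolicy is "Good only"; installing BEST may cause a BSOD. Run Set-ElamDriverLoadPolicy before deploying.'
}
```

Because this value lives under Policies, a setting delivered by Group Policy (Computer Configuration > Administrative Templates > System > Early Launch Antimalware > Boot-Start Driver Initialization Policy) will overwrite a local edit at the next policy refresh; in that case change the GPO rather than calling Set-ElamDriverLoadPolicy on each machine.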
Finding the product version of BEST in registry editor
This method helps you check the product version when BEST runs in silent mode and the application icon is missing from the notification area.
On the target endpoint, follow these steps:
Press Win + R to open the Run window.
Type regedit and click OK to open the Registry Editor. Click Yes if prompted by User Account Control.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Endpoint Security.
Find the DisplayVersion registry value. It holds the product version of the agent installed on the endpoint.
BEST services not running on Windows 7
BEST services might not start on Windows 7 operating systems (32-bit or 64-bit) that are not up to date. Trying to launch the Security Console manually results in a crash report.
When encountering this issue, install Microsoft security update KB2533623 on the endpoint where the error occurs. You can download KB2533623 from Microsoft by selecting the Windows 7 operating system and architecture.
Note
We strongly recommend that you update your operating system on a regular basis with the latest security patches, updates, and drivers.
You can also download KB4457144 from Microsoft; it contains additional fixes, including KB2533623.
Details of KB4457144: September 11, 2018—KB4457144 (Monthly Rollup).
Standalone package: Microsoft Update Catalog - KB4457144.
Note
Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, visit the Microsoft website.
Preparing a Windows system with BEST for duplication without Sysprep Generalize
This article outlines the essential steps for preparing systems protected by BEST for cloning, particularly when using alternative solutions to Sysprep Generalize, such as VMware QuickPrep.
When duplicating a Windows system protected by BEST, the unique ID used by GravityZone for endpoint identification cannot be reset by any cloning solution. If you create a clone without resetting the ID, the machine will have duplicate entries in the GravityZone inventory.
To prevent issues in the GravityZone inventory, follow these steps carefully and as close to the shutdown time as possible:
Prepare Windows for cloning using an alternative to Sysprep /generalize.
Download this patch: Bitdefender Endpoint Security Patch for Sysprep.
Important
Do not confuse Microsoft's Sysprep with our Sysprep patch.
Run the patch. It resets the unique ID generated by Bitdefender Endpoint Security Tools.
Shut down the machine immediately.
You can now clone your Windows image without the problems that BEST protection would otherwise cause.
Preparing for duplication a Sysprep-Generalized Windows image with BEST installed
To prepare a Windows image with BEST installed when using the Sysprep /generalize command, follow these steps:
For environments with Active Directory
Make sure that Windows OS is up to date.
Download this patch: Bitdefender Endpoint Security Patch for Sysprep.
Create a Group Policy Object (GPO):
Open the Group Policy Management Editor.
Go to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
Select Shutdown.
In the Shutdown Properties window, click Add.
Add the patch to be run at every shutdown.
Right-click the Organizational Unit containing the Master Machine and select Link an existing GPO.
Note
The Master Machine is the machine you will use as the image.
Select the previously created GPO.
Click OK.
From an elevated command prompt run the following command:
C:\Windows\System32\Sysprep\sysprep.exe /generalize
The System Preparation Tool window opens.
From the Shutdown Options drop-down, select Shutdown.
Click OK.
For environments without Active Directory
Make sure that Windows OS is up to date.
Download this patch: Bitdefender Endpoint Security Patch for Sysprep.
Modify the local policy:
Open the Local Group Policy Editor.
Go to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
Select Shutdown.
In the Shutdown Properties window, click Add.
Add the patch to be run at every shutdown.
From an elevated command prompt run the following command:
C:\Windows\System32\Sysprep\sysprep.exe /generalize
The System Preparation Tool window opens.
From the Shutdown Options drop-down, select Shutdown.
Click OK.
Remove the added shutdown script from the prepared Windows image.
Note
Bitdefender Endpoint Security Patch for Sysprep is updated regularly. Before cloning the virtual machine, download the patch again to make sure that you have the latest version.
Warning
Running Sysprep /generalize on a Windows image that has BEST installed, without first adding the Bitdefender Endpoint Security Patch for Sysprep to run at every shutdown, may cause Sysprep to fail and render the resulting system unusable.
You can now clone your Windows image without the problems that BEST protection would otherwise cause.
Tamper Protection in Bitdefender Endpoint Security Tools for Windows
This section explains the role of Tamper Protection in Bitdefender Endpoint Security Tools for Windows.
Tamper Protection is a functionality that prevents BEST for Windows from being disabled or deleted by malicious software.
Tamper Protection prevents the following actions:
Changing or deleting the product files.
Editing or deleting the registry keys of BEST.
Stopping BEST processes.
This functionality is activated automatically in BEST.
Additionally, GravityZone administrators can configure an uninstall password via policy to prevent unauthorized removal of BEST by local administrators.