On Windows 10 (1607), we're required to set the following group policy:
Computer Configuration \ Policies \ Administrative Templates \ System \ Early Launch Antimalware \ Boot-Start Driver Initialization Policy to Enabled (Good Only).
In 12.1.6 RU6 MP5, I've also set "Enable Symantec early launch anti-malware" as ticked, and also "Use the default Windows action for the detection."
When I do this, the machine doesn't boot, and I get an INACCESSIBLE_BOOT_DEVICE blue screen.
I've changed the setting to "Log the detection as unknown so that Windows allows the driver to load", changed group policy to allow All, and verified that machines can then boot.
The question is: where are the detections logged? I want to determine which driver is causing the issue. I've checked this one:
https://www.symantec.com/connect/ideas/early-launch-anti-malware-issue-secure-boot-enabled
... but that file appears to be signed.
Any ideas how to troubleshoot this further?