This could be occurring for the following reasons:
Symantec Endpoint Encryption Device Control policy GPO is not linked with the appropriate OU, which can be determined by running gpresult on the target machine, then verifying that the GPO is applied on the machine or for the user. Verify that the policy is linked with the appropriate OU where either the machine or logged on user reside. Additionally, make sure to replicate all domain controllers in case there are multiple domain controllers.
The target machine does not have sufficient privileges to read the GPO, which is determined by running gpresult on the target machine. This will show if the policy has been filtered out for the machine or the user. Make sure the user or computer on which you would like to apply the policy, has the privileges to read and apply the group policy.
The policy applied is not using the same encryption keys as they installed client. This is evident by receiving a machine policy corrupted message will appear under the protection status field of the client. Make sure to use policies created with the same server that generated the client installation files.
The Symantec Endpoint Encryption Device Control user policy cannot be applied due to a corrupt registry key. Apply the SENS registry file, log off the current user, and log on again. After you log on, make sure the latest client version is being used.
Symantec Endpoint Encryption Device Control policy applied is corrupted. This is evident by double-clicking the client icon and seeing if Policy Corrupted appears under Protection Status. Reapply the user or machine policy. After you've reapplied the policy, make sure no tampering logs have been sent to the server.