Drive Encryption does not start automatically
search cancel

Drive Encryption does not start automatically

book

Article ID: 162094

calendar_today

Updated On:

Products

Control Compliance Suite Assessment Manager Endpoint Encryption Data Loss Prevention Endpoint Prevent

Issue/Introduction

Symantec Endpoint Encryption version 11.x Drive Encryption Client should automatically register users and initiate encryption upon installation. There are times when encryption may not automatically start.

Upon inspection of the eedservice00.log located in the Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs\ directory, entries with DE error -12368 are found.

The eedservice log file may contain the following errors.

[Error when registering user: DE Error : -12368]

[HandleClientAdminPolicy: RegisterUser failed for admin user 'xxxxx' with error: -12368]

[Invalid input user or disk group. DE Error = -11984]

[Could not find the disk object. DE Error = -11984]

[*** Free space in EFI System Partition is 7MB which is less than the required 20MB.]

Cause

DE Error -12368 indicates that Symantec Endpoint Encryption has detected that the drive is already encrypted with BitLocker Drive Encryption

Some Windows systems including the Microsoft Surface Pro 3 & Surface Pro 4 can come with BitLocker pre-provisioned. A drive that has been pre-provisioned with BitLocker is already encrypted, but to a "Clear Protector" key, which does not require authentication. Since the drive is encrypted Symantec Endpoint Encryption will not be able to encrypt the drive.

Alternatively, the EFI system partition has a default size of 100mb when reimaged or installed with a standard installation of Windows 10/11. This size has proven to be too small for certain models of laptops including but not limited to HP and Dell.

Resolution

In order to decrypt the system with Bitlocker, Click the Start menu, and type "Manage Bitlocker".  If the only option for Bitlocker is to "Turn on Bitlocker" there are two methods to decrypt the system:

Method 1:
Use the following steps to manually remove BitLocker if the above steps do not work:

  1. Open the Command Prompt as an Administrator
     
  2. Type the following command:
    manage-bde -status
     
  3. Bitlocker will report the following:

    Bitlocker Drive Encryption:
    Volume C: [Windows]
    [OS Volume]


    If the "Percentage Encrypted" field shows anything between 1 and 100%, the drive will need to be decrypted before Symantec Endpoint Encryption can encrypt the drive.
     
  4. Type in the following command:
    manage-bde -off X:

    Note: In the example above, the C: drive was encrypted, so the command would be "manage-bde -off c:"
     
  5. You should see a message that indicates the decryption process has started.
     
  6. Run the status command until the "Percentage Encrypted" shows 0.0%, and once it does, reboot the system to ensure the system will boot properly:
    manage-bde -status
     
  7. Symantec Endpoint Encryption should typically then start Encryption within 10 minutes after logging in.

 

Important Note: To disable the automatic bitlocker encryption of a machine

1. Click on the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

2. Once you have clicked on the Bitlocker key/folder, on the right pane, check if "PreventDeviceEncryption" is listed and set to "1".

If this is set to 1, this should prevent bitlocker from automatically encrypting systems.

3. If the "PreventDeviceEncryption" value is not created, you can create the value manually. To do so, right-click in the right pane, then select "DWORD Value 32-bit":

Once the parameter above has been set, a reboot may be needed.

This can be deployed remotely to all the systems enterprise wide, so that the SEE Client can perform the automatic encryption.

 

 

 


Method 2:

In order to remove the pre-provisioning, BitLocker must be activated, and then the drive may be decrypted. After the drive is no longer encrypted with BitLocker, Symantec Endpoint Encryption may be used to encrypt the drive.

Steps to remove BitLocker Pre-Provisioning:

  1. If any Symantec Endpoint Encryption Client packages are installed on the system, uninstall them. Reboot once all packages are removed.
  2. In Control Panel > System and Security > BitLocker Drive Encryption - "BitLocker waiting for Activation" should be seen. Click "Turn on BitLocker" to finish activating BitLocker and assign an unlock method.
  3. Reboot the system and authenticate with the BitLocker pre-boot with the above unlock method.
  4. In Control Panel > System and Security > BitLocker Drive Encryption, click "Turn off BitLocker" to decrypt the drive.
  5. After decryption has finished, reboot the system to verify that the BitLocker pre-boot is no longer in place.
  6. Install the Symantec Endpoint Encryption Management Agent Client and the Drive Encryption Client, reboot the system.
  7. After reboot, users should be registered and automatic encryption should start.

 

Important Note: If the system is not encrypted with Bitlocker, then make sure the Symantec Drive Encryption and Management Agent services are started.

 

EFI partition not large enough:

For the EFI partition too small issue, the solution requires a resizing of the EFI partition (which comes with risks of corrupting the installed OS), or a reinstall or recapture of an installation of Windows 10/11 where the EFI partition was sized manually before installation. It is recommended to size it to at least 500mb. For HP Elitebook models, the size used in their OEM installations is 1GB.