
Drive Encryption does not start automatically: DE Error -12368


Article ID: 162094


Products

Control Compliance Suite Assessment Manager, Endpoint Encryption, Data Loss Prevention Endpoint Prevent

Issue/Introduction

The Symantec Endpoint Encryption version 11.x Drive Encryption Client should automatically register users and initiate encryption upon installation. There are times, however, when encryption does not start automatically.

Upon inspection of the eedservice00.log file located in the Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs\ directory, entries with DE error -12368 are found.

The eedservice log file may contain the following errors:

[Error when registering user: DE Error : -12368]

[HandleClientAdminPolicy: RegisterUser failed for admin user 'xxxxx' with error: -12368]

[Invalid input user or disk group. DE Error = -11984]

[Could not find the disk object. DE Error = -11984]

Cause

DE Error -12368 indicates that Symantec Endpoint Encryption has detected that the drive is already encrypted with BitLocker Drive Encryption.

Some Windows systems, including the Microsoft Surface Pro 3 and Surface Pro 4, can come with BitLocker pre-provisioned. A drive that has been pre-provisioned with BitLocker is already encrypted, but with a "Clear Protector" key, which does not require authentication. Because the drive is already encrypted, Symantec Endpoint Encryption cannot encrypt it.

Resolution

To decrypt the system with BitLocker, click the Start menu and type "Manage BitLocker". If the only option offered for BitLocker is "Turn on BitLocker", there are two methods to decrypt the system:

Method 1:
Use the following steps to remove BitLocker manually if the steps above do not work:

  1. Open the Command Prompt as an Administrator.

  2. Type the following command:
     manage-bde -status

  3. BitLocker will report the following:

     BitLocker Drive Encryption:
     Volume C: [Windows]
     [OS Volume]

     If the "Percentage Encrypted" field shows anything between 1 and 100%, the drive will need to be decrypted before Symantec Endpoint Encryption can encrypt it.

  4. Type the following command, replacing X: with the encrypted drive letter:
     manage-bde -off X:

     Note: In the example above, the C: drive was encrypted, so the command would be "manage-bde -off c:".

  5. You should see a message indicating that the decryption process has started.

  6. Run the status command until "Percentage Encrypted" shows 0.0%, and once it does, reboot the system to ensure that it boots properly:
     manage-bde -status

  7. Symantec Endpoint Encryption should typically start encryption within 10 minutes after logging in.

Method 2:

To remove the pre-provisioning, BitLocker must first be activated, after which the drive can be decrypted. Once the drive is no longer encrypted with BitLocker, Symantec Endpoint Encryption can be used to encrypt it.

Steps to remove BitLocker Pre-Provisioning:

  1. If any Symantec Endpoint Encryption Client packages are installed on the system, uninstall them. Reboot once all packages are removed.
  2. In Control Panel > System and Security > BitLocker Drive Encryption, "BitLocker waiting for Activation" should be shown. Click "Turn on BitLocker" to finish activating BitLocker and assign an unlock method.
  3. Reboot the system and authenticate at the BitLocker pre-boot prompt using the unlock method assigned above.
  4. In Control Panel > System and Security > BitLocker Drive Encryption, click "Turn off BitLocker" to decrypt the drive.
  5. After decryption has finished, reboot the system to verify that the BitLocker pre-boot prompt is no longer in place.
  6. Install the Symantec Endpoint Encryption Management Agent Client and the Drive Encryption Client, then reboot the system.
  7. After the reboot, users should be registered and automatic encryption should start.

Important Note: If the system is not encrypted with BitLocker, make sure the Symantec Drive Encryption and Management Agent services are started.
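The following PowerShell script is an added example and is not part of this article or of the Symantec product. It ties the three checks above together on a single endpoint: it scans the Management Agent TechLogs for the DE error codes quoted in the Issue section, reports the BitLocker state of the OS volume so a pre-provisioned (clear-key) drive is recognised before Method 1 or Method 2 is applied, and lists the state of the Symantec Endpoint Encryption services mentioned in the Important Note. It is read-only and never runs "manage-bde -off" itself. The Get-BitLockerVolume cmdlet is part of the BitLocker PowerShell module shipped with Windows; the service display-name wildcard and the assumption that a clear-key volume reports no key protectors are the author's assumptions, not values taken from the article.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-flight check for "Drive Encryption does not start" (DE Error -12368).
# Path from the article; $env:ProgramFiles resolves to "C:\Program Files" on most systems.
$logDir = Join-Path $env:ProgramFiles 'Symantec\Endpoint Encryption Clients\Management Agent\TechLogs'

function Get-DeErrorHits {
    # Scan eedservice*.log for "DE Error : -12368" / "DE Error = -11984" style entries.
    param([string]$Path, [int[]]$Codes = @(-12368, -11984))
    $pattern = 'DE Error\s*[:=]\s*(-\d+)'
    Get-ChildItem -Path $Path -Filter 'eedservice*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            $code = [int]$_.Matches[0].Groups[1].Value
            if ($Codes -contains $code) {
                [pscustomobject]@{
                    File = $_.Filename
                    Line = $_.LineNumber
                    Code = $code
                    Text = $_.Line.Trim()
                }
            }
        }
}

function Get-OsVolumeBitLockerState {
    # Same information as "manage-bde -status", read through the BitLocker module.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $os.MountPoint
        VolumeStatus     = $os.VolumeStatus        # FullyDecrypted / FullyEncrypted / *InProgress
        PercentEncrypted = $os.EncryptionPercentage
        ProtectionStatus = $os.ProtectionStatus    # Off on a pre-provisioned drive
        # Assumption: a drive encrypted only to the clear key lists no key protectors.
        KeyProtectors    = @($os.KeyProtector).Count
        # Anything other than FullyDecrypted blocks SEE Drive Encryption.
        BlocksSee        = ($os.VolumeStatus -ne 'FullyDecrypted')
    }
}

function Get-SeeServiceState {
    # Assumption: SEE service display names contain these words; adjust for your build.
    Get-Service | Where-Object {
        $_.DisplayName -like '*Symantec*Encryption*' -or $_.DisplayName -like '*Endpoint Encryption*'
    } | Select-Object Name, DisplayName, Status, StartType
}

$hits = @(Get-DeErrorHits -Path $logDir)
$bl   = Get-OsVolumeBitLockerState
$svc  = Get-SeeServiceState

"== DE error entries found in eedservice logs: $($hits.Count)"
$hits | Select-Object -First 5 | Format-Table -AutoSize

"== BitLocker state of $($bl.MountPoint)"
$bl | Format-List

if ($bl.BlocksSee) {
    "Drive is still BitLocker-encrypted ($($bl.PercentEncrypted)%). Decrypt it first " +
    "(Method 1: manage-bde -off $($bl.MountPoint), or Method 2 via Control Panel), then re-run this check."
} elseif ($hits.Count -gt 0) {
    "Drive is fully decrypted but DE errors are logged; verify the SEE services listed next are running."
} else {
    "No BitLocker encryption and no DE errors found."
}

"== Symantec Endpoint Encryption services"
$svc | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after decryption: a PercentEncrypted of 0 with VolumeStatus FullyDecrypted corresponds to the "Percentage Encrypted: 0.0%" condition in step 6 of Method 1, and a non-empty list of DE error hits on a fully decrypted drive points at the service check in the Important Note rather than at BitLocker.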