Symantec Endpoint Encryption version 11.x Drive Encryption Client should automatically register users and initiate encryption upon installation. There are times when encryption may not automatically start.
Upon inspection of the eedservice00.log located in the Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs\ directory, entries with DE error -12368 are found.
The eedservice log file may contain the following errors.
[Error when registering user: DE Error : -12368]
[HandleClientAdminPolicy: RegisterUser failed for admin user 'xxxxx' with error: -12368]
[Invalid input user or disk group. DE Error = -11984]
[Could not find the disk object. DE Error = -11984]
DE Error -12368 indicates that Symantec Endpoint Encryption has detected that the drive is already encrypted with BitLocker Drive Encryption.
Some Windows systems, including the Microsoft Surface Pro 3 & Surface Pro 4, can come with BitLocker pre-provisioned. A drive that has been pre-provisioned with BitLocker is already encrypted, but to a "Clear Protector" key, which does not require authentication. Since the drive is encrypted, Symantec Endpoint Encryption will not be able to encrypt the drive.
In order to decrypt the system with BitLocker, click the Start menu and type "Manage BitLocker". If the only option for BitLocker is to "Turn on BitLocker", there are two methods to decrypt the system:
Method 1:
Use the following steps to manually remove BitLocker if the above steps do not work:
manage-bde -status
Bitlocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
If the "Percentage Encrypted" field shows anything between 1 and 100%, the drive will need to be decrypted before Symantec Endpoint Encryption can encrypt the drive.
manage-bde -off X:
Check the status until "Percentage Encrypted" shows 0.0%, and once it does, reboot the system to ensure the system will boot properly:
manage-bde -status
Method 2:
In order to remove the pre-provisioning, BitLocker must be activated, and then the drive may be decrypted. After the drive is no longer encrypted with BitLocker, Symantec Endpoint Encryption may be used to encrypt the drive.
Steps to remove BitLocker Pre-Provisioning:
Important Note: If the system is not encrypted with BitLocker, then make sure the Symantec Drive Encryption and Management Agent services are started.
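The log check and the Method 1 status check described above can be combined into one triage step. The following PowerShell is an added example, not Symantec's own tooling: the function names are hypothetical, the sample inputs are constructed, and it assumes English manage-bde output.

```powershell
# Added example; function names are hypothetical, sample inputs are constructed.
function Get-DeErrorCount {
    param([string[]]$LogLines)
    $counts = @{}
    foreach ($line in $LogLines) {
        # Covers "DE Error : -12368", "error: -12368" and "DE Error = -11984".
        if ($line -match 'error\s*[:=]\s*(-\d+)') {
            $counts[$Matches[1]] = 1 + [int]$counts[$Matches[1]]
        }
    }
    $counts
}

function Get-PercentEncrypted {
    param([string]$StatusText)
    # Assumes English manage-bde output, e.g. "Percentage Encrypted: 100.0%".
    if ($StatusText -match 'Percentage Encrypted:\s*([\d.,]+)\s*%') {
        return [double]($Matches[1] -replace ',', '.')
    }
    return $null
}

function Get-EncryptionTriage {
    param([string[]]$LogLines, [string]$StatusText)
    $errors  = Get-DeErrorCount -LogLines $LogLines
    $percent = Get-PercentEncrypted -StatusText $StatusText
    $action = if ($null -eq $percent) {
        'Percentage Encrypted not found; check manage-bde -status by hand'
    } elseif ($percent -gt 0) {
        'BitLocker still holds the drive; run manage-bde -off, wait for 0.0%, reboot'
    } else {
        'Not BitLocker-encrypted; confirm Drive Encryption and Management Agent services are started'
    }
    [pscustomobject]@{
        Error12368Count  = [int]$errors['-12368']  # per the article: already BitLocker-encrypted
        Error11984Count  = [int]$errors['-11984']
        PercentEncrypted = $percent
        Action           = $action
    }
}

# Constructed sample input: log lines as quoted in the article, status output trimmed.
$sampleLog = @(
    "[Error when registering user: DE Error : -12368]",
    "[HandleClientAdminPolicy: RegisterUser failed for admin user 'xxxxx' with error: -12368]",
    "[Could not find the disk object. DE Error = -11984]"
)
$sampleStatus = "Volume C: [Windows]`n[OS Volume]`n    Percentage Encrypted: 100.0%"
Get-EncryptionTriage -LogLines $sampleLog -StatusText $sampleStatus
```

On a live client, pass the contents of eedservice00.log (Get-Content) as -LogLines and the output of manage-bde -status piped through Out-String as -StatusText, from an elevated prompt.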