Symantec Endpoint Encryption version 11.x Drive Encryption Client should automatically register users and initiate encryption upon installation. There are times when encryption may not automatically start.
Upon inspection of the eedservice00.log located in the Program Files\Symantec\Endpoint Encryption Clients\Management Agent\TechLogs\ directory, entries with DE error -12368 are found.
The eedservice log file may contain the following errors.
[Error when registering user: DE Error : -12368]
[HandleClientAdminPolicy: RegisterUser failed for admin user 'xxxxx' with error: -12368]
[Invalid input user or disk group. DE Error = -11984]
[Could not find the disk object. DE Error = -11984]
[*** Free space in EFI System Partition is 7MB which is less than the required 20MB.]
DE Error -12368 indicates that Symantec Endpoint Encryption has detected that the drive is already encrypted with BitLocker Drive Encryption
Some Windows systems including the Microsoft Surface Pro 3 & Surface Pro 4 can come with BitLocker pre-provisioned. A drive that has been pre-provisioned with BitLocker is already encrypted, but to a "Clear Protector" key, which does not require authentication. Since the drive is encrypted Symantec Endpoint Encryption will not be able to encrypt the drive.
Alternatively, the EFI system partition has a default size of 100mb when reimaged or installed with a standard installation of Windows 10/11. This size has proven to be too small for certain models of laptops including but not limited to HP and Dell.
In order to decrypt the system with Bitlocker, Click the Start menu, and type "Manage Bitlocker". If the only option for Bitlocker is to "Turn on Bitlocker" there are two methods to decrypt the system:
Use the following steps to manually remove BitLocker if the above steps do not work:
Bitlocker Drive Encryption:
Volume C: [Windows]
Percentage Encrypted" field shows anything between 1 and 100%, the drive will need to be decrypted before Symantec Endpoint Encryption can encrypt the drive.
manage-bde -off X:
Percentage Encrypted" shows 0.0%, and once it does, reboot the system to ensure the system will boot properly:
Important Note: To disable the automatic bitlocker encryption of a machine
1. Click on the following Registry key:
2. Once you have clicked on the Bitlocker key/folder, on the right pane, check if "PreventDeviceEncryption" is listed and set to "1".
If this is set to 1, this should prevent bitlocker from automatically encrypting systems.
3. If the "PreventDeviceEncryption" value is not created, you can create the value manually. To do so, right-click in the right pane, then select "DWORD Value 32-bit":
Once the parameter above has been set, a reboot may be needed.
This can be deployed remotely to all the systems enterprise wide, so that the SEE Client can perform the automatic encryption.
In order to remove the pre-provisioning, BitLocker must be activated, and then the drive may be decrypted. After the drive is no longer encrypted with BitLocker, Symantec Endpoint Encryption may be used to encrypt the drive.
Steps to remove BitLocker Pre-Provisioning:
Important Note: If the system is not encrypted with Bitlocker, then make sure the Symantec Drive Encryption and Management Agent services are started.
EFI partition not large enough:
For the EFI partition too small issue, the solution requires a resizing of the EFI partition (which comes with risks of corrupting the installed OS), or a reinstall or recapture of an installation of Windows 10/11 where the EFI partition was sized manually before installation. It is recommended to size it to at least 500mb. For HP Elitebook models, the size used in their OEM installations is 1GB.