
Symantec Endpoint Encryption for BitLocker conflicts with Active Directory BitLocker GPO, causing excessive CPU utilization on the domain controller


Article ID: 200413


Updated On:


Endpoint Encryption


Symantec Endpoint Encryption for BitLocker (SEE BL) manages all BitLocker recovery keys and enforces BitLocker policy automatically. This means that no BitLocker policy needs to be configured on the Active Directory domain controller for the domain or GPO.

In fact, because SEE BL manages all BitLocker recovery and policy, any Active Directory BitLocker GPOs configured on the domain controller will compete with it. The conflicting policies cause the endpoint to make constant connections to the domain controller, which can cause high CPU utilization on the domain controller that the Windows client is communicating with.


The policies compete because the Windows client has policy that is enforced at the domain controller level, while the SEE BL client enforces policy at the application level. Both are trying to do the same thing and run into conflicts.


In order to avoid this behavior, ensure that machines that have SEE BL installed are not in the scope of a GPO that has Active Directory BitLocker policies enabled. If they are, disable those GPOs.
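One way to find the GPOs in question, shown as an added example (not Symantec's code): the script lists every GPO in the domain that configures BitLocker settings and the containers it is linked to, so the result can be compared with the OUs that hold SEE BL machines. It assumes the GroupPolicy PowerShell module (RSAT) is available and that BitLocker settings are delivered through the standard administrative template, which writes to `HKLM\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example: list GPOs that carry BitLocker (FVE) policy settings and where they are linked.
# Assumes the GroupPolicy module (RSAT) and read access to the domain's GPOs.
Import-Module GroupPolicy

# Registry key used by the BitLocker administrative-template settings.
$fveKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

$bitLockerGpos = foreach ($gpo in Get-GPO -All) {
    # Get-GPRegistryValue raises an error when the GPO does not configure this key;
    # treat that as "no BitLocker policy in this GPO" and move on.
    try {
        $settings = @(Get-GPRegistryValue -Guid $gpo.Id -Key $fveKey -ErrorAction Stop)
    } catch {
        continue
    }
    if ($settings.Count -eq 0) { continue }

    # The XML report lists the sites, domains and OUs the GPO is linked to.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $enabledLinks = @($report.GPO.LinksTo |
        Where-Object { $_.Enabled -eq 'true' } |
        ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        GpoName      = $gpo.DisplayName
        GpoStatus    = $gpo.GpoStatus              # e.g. AllSettingsEnabled, ComputerSettingsDisabled
        FveValues    = ($settings | ForEach-Object { $_.ValueName }) -join ', '
        EnabledLinks = $enabledLinks -join '; '
    }
}

if ($bitLockerGpos) {
    # Any container listed under EnabledLinks that holds SEE BL machines is a conflict candidate.
    $bitLockerGpos | Sort-Object GpoName | Format-List
} else {
    Write-Output 'No GPO in this domain configures BitLocker (FVE) policy settings.'
}
```

On an endpoint, values present under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` indicate that BitLocker Group Policy settings have been applied to that machine.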

Symantec Encryption Development is aware of this issue and is currently reviewing the behavior. To obtain more information on this, please contact Symantec Support.

Additional Information

Etrack: 4203970, 4219975


Keywords: SEE BL high CPU utilization