ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Symantec Endpoint Encryption for Bitlocker conflicts with Active Directory Bitlocker GPO causing excessive CPU utilization on the domain controller

book

Article ID: 200413

calendar_today

Updated On:

Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption for Bitlocker (SEE BL) manages all Bitlocker recovery keys and will enforce Bitlocker policy automatically.  This means that no Bitlocker policy needs to be configured on the Active Directory Domain Controller for the domain\GPO. 

In fact, because the SEE BL will manage all Bitlocker recovery and policy, if Active Directory Bitlocker GPOs have been configured on the Domain Controller this will cause competing policies to conflict and will cause the endpoint to make constant connections to the domain controller.  This can cause high CPU utilization on the domain controller itself that the Windows client is communicating with.

Cause

The reason for this competing policy is the Windows client has policy that is enforced on a domain controller level, and the SEE BL client enforces policy on the application level.  Both are trying to do the same thing and running into conflicts.

Resolution

I order to avoid this behavior, ensure that all machines that have SEE BL installed are not part of a GPO that have Active Directory GPOs enabled.  If so, disable them.

Symantec Encryption Development is aware of this issue and is currently reviewing the behavior.  To obtain more information on this, please contact Symantec Support.

Additional Information

Etrack: 4203970, 4219975

 

Keywords: SEE BL high CPU utilization