Symantec Endpoint Encryption for Bitlocker may crash when Active Directory domain policy is corrupted


Article ID: 206408


Products

Endpoint Encryption

Issue/Introduction

Symantec Endpoint Encryption for Bitlocker (SEE BL) may crash on some systems if the system has a corrupted Active Directory GPO. The SEE BL client checks the policy to ensure there are no conflicting policies for Bitlocker, and if the local GPO is corrupted, this check could cause the SEE BL client to crash. As part of its functionality, SEE Bitlocker also modifies the Bitlocker GPO to ensure proper policies are in effect; if the local GPO is corrupted, these policy changes will not succeed.

 

Resolution

Symantec Endpoint Encryption Development has fixed this issue, and the fix will be included in the next release of SEE 11.3.1, due in the first quarter of 2021.

Although a corrupted Active Directory GPO could have many causes, Microsoft recommends deleting the local GPO file and re-synchronizing the domain controller policy with the system. This re-creates the local GPO file, should pull down a clean copy, and will avoid the issue altogether.

 

In order to re-synchronize, ensure you have a connection to the Domain Controller to fix this issue. 

If you are working from home, you will need to VPN to your internal network to reach the domain controller to perform a gpupdate.  

 

Troubleshooting:

There are a few ways you can check if the GPO file is corrupted:

1. Launch gpedit.msc. On an affected system, it should display an error on launch.

2. Try to open the registry.pol file with the Registry.pol Viewer Utility, which will display an error.


Workaround:

Step 1: Run the following command to ensure you are able to get a gpupdate:

gpupdate /force

The command prompt should return "Updating policy..." as it is refreshing the GPO on the machine.  This may take several minutes.

Note: If unsuccessful in running the gpupdate, make sure you're on VPN or can reach the domain controller and try again until successful.

Step 2: Navigate to the following location:
C:\Windows\System32\GroupPolicy\Machine 

Step 3: Rename the Registry.pol file to "registry.pol-date-here".  Keeping the renamed file is useful for future reference in case you run into this issue again.

Step 4: Reboot the machine and run the following command again:
gpupdate /force

Notice the "registry.pol" file should have been recreated and the following message should appear when successful:

Computer Policy update has completed successfully.
User Policy update has completed successfully.

 

Step 5: Reboot the system again once you have done this and confirm that the SEE BL client no longer crashes.
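
The following PowerShell is an added example, not part of the original article or vendor tooling. It checks the machine Registry.pol against the layout Microsoft documents for the format (the `PReg` signature, version 1, and bracket-delimited UTF-16LE entries; these details are an assumption not stated in this article) and, if the check fails, performs the rename from Step 3. The function name `Test-RegistryPolHeader` is hypothetical, and a file can pass this check and still be damaged further in.

```powershell
# Added example (not Symantec/Broadcom code). Run from an elevated PowerShell prompt,
# after Step 1 has confirmed that "gpupdate /force" can reach the domain controller.
# Assumption: a valid Registry.pol starts with the ASCII signature "PReg" followed by
# a little-endian DWORD version of 1, and a non-empty body starts with '[' and ends
# with ']' encoded as UTF-16LE.
$polPath = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'

function Test-RegistryPolHeader {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'Missing' }

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8) { return 'Corrupt: shorter than the 8-byte header' }

    $signature = [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4)
    $version   = [System.BitConverter]::ToUInt32($bytes, 4)
    if ($signature -cne 'PReg') { return 'Corrupt: bad signature' }
    if ($version -ne 1)         { return "Corrupt: unexpected version $version" }

    # A header-only file (no policy entries) is valid; otherwise check the brackets.
    if ($bytes.Length -gt 8) {
        $last = $bytes.Length - 2
        if ($bytes[8] -ne 0x5B -or $bytes[9] -ne 0x00) { return 'Corrupt: body does not start with [' }
        if ($bytes[$last] -ne 0x5D -or $bytes[$last + 1] -ne 0x00) { return 'Corrupt: body does not end with ]' }
    }
    return 'OK'
}

$status = Test-RegistryPolHeader -Path $polPath
Write-Output "Registry.pol status: $status"

if ($status -like 'Corrupt*') {
    # Step 3: keep the damaged file under a dated name for later reference.
    $backupName = 'registry.pol-{0:yyyyMMdd-HHmmss}' -f (Get-Date)
    Rename-Item -LiteralPath $polPath -NewName $backupName
    Write-Output "Renamed to $backupName. Reboot, then run: gpupdate /force"
}
```

A status of `Missing` or `OK` leaves the file untouched; continue with the gpedit.msc check from the Troubleshooting section if the SEE BL client still crashes.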

 

Please check back with this article for future updates and if you are running into this issue, contact Symantec Support for more assistance.