Symantec Endpoint Encryption has the ability to manage Bitlocker Recovery Keys when using the SEE Bitlocker client. As part of this functionality SEE Bitlocker has the ability to modify local GPO in order to enforce encryption policies making it extremely easy to deploy. There is no need to configure any actual MSFT GPOs for Bitlocker as SEE Bitlocker will do all of this for you. In order to do this, the SEE Bitlocker client must be able to modify the local GPO. There may be some times when the local GPO is corrupted, and when this happens, it is not possible for neither Windows nor SEE Bitlocker to update these policies.
SEE Bitlocker 11.3.1 MP1 and above will no longer crash so Symantec Enterprise Division recommends you upgrade to that build to avoid this issue. We also recommend to correct the issue that is causing the local GPO to be corrupted. In these cases, consider the following scenarios:
Scenario 1: SEE Bitlocker has already been deployed, and has encrypted the systems. In this scenario, recovery keys would have already have been sent to the server. Once 11.3.1 MP1 has been deployed, even if the local GPO is corrupted, the client will continue to send recovery keys to the SEE Management Server.
Scenario 2: SEE Bitlocker has not yet been installed on the system. If the local GPO has been corrupted and SEE Bitlocker is then installed, it will not be able to invoke Bitlocker encryption because it can't modify the local GPO. In these cases, you should then see that encryption did not happen and take corrective action. Once you get the local GPO to be fixed and corruption is no longer a concern, SEE Bitlocker will then be able to encrypt the system and send up the recovery keys to the SEE Management Server.
Although the cause of a corrupted Active Directory GPO could have many reasons, Microsoft recommends deleting the local GPO file and re-synchronizing the domain controller policy with the system. This will re-create the local GPO file and should pull down a clean copy and will avoid the issue altogether.
In order to re-synchronize, ensure you have a connection to the Domain Controller to fix this issue.
If you are working from home, you will need to VPN to your internal network to reach the domain controller to perform a gpupdate.
There are a few ways you can check if the local GPO file may be corrupted:
Method 1: Check the Event Viewer
Symantec Endpoint Encryption 11.3.1 MP1 and above will create the following event in the Windows event logs if it detects a potentially corrupted local GPO file:
"Event ID 2216 : Failed to access the local machine GPO on this computer."
Method 2: Launch gpedit.msc which should display an error when you do on one of these affected systems.
Method 3: Try to open the registry.pol file with the Registry.pol Viewer Utility, which will display an error.
Step 1: Run the following command to ensure you are able to get a gpupdate:
The command prompt should return "Updating policy..." as it is refreshing the GPO on the machine. This may take several minutes.
Note: If unsuccessful in running the gpupdate, make sure you're on VPN or can reach the domain controller and try again until successful.
Step 2: Navigate to the following location:
Step 3: Rename the Registry.pol file to "registry.pol-date-here". This is useful for the future reference in case you run into this issue again.
Step 4: Reboot the machine and run the following command again:
Notice the "registry.pol" file should have been recreated and the following message should appear when successful:
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Step 5: Reboot the system again once you have done this and confirm that the SEE BL client no longer crashes.
Please check back with this article for future updates and if you are running into this issue, contact Symantec Support for more assistance.