Client always shows the System State as Inactive (when Users contain certificates)

Technical Articles ID: KB69651
Last Modified: 2022-06-07 05:39:16 Etc/GMT

Environment

Drive Encryption (DE) 7.x

Microsoft Windows Active Directory (AD)

For details of DE 7.1.x supported environments, see KB79422 - Supported platforms for Drive Encryption 7.x.

Problem 1

Some systems fail to activate after installing DE.

Client side:
The user sees the following in the Encryption System Status window, even though the encryption policy is activated in ePolicy Orchestrator (ePO):

System State	Inactive
Volume Status	No volume information
Progress	Progress bar shows no encryption activity

ePO console:
The administrator sees the Client System Details showing for DE:

State

In-Active

Clicking More, Disks shows the following message:

No details available, as Drive Encryption is not Active

Problem 2

MfeEpe.log on the client records the following during the process of adding users to the client:

EpoPlugin [0xEE000005] Failed to deserialize type

This problem is seen after configuring a policy to add users via the Add Local Domain User or adding the users via ePO.

A check at the ePO console to verify what users are assigned to the client shows that there are no associated users. To perform this check, click Menu, Data Protection, Encryption Users, select the client, then click Actions, Endpoint Encryption, View Users.

Cause

User records that contain certificates prevent the activation from being successful.

Solution 1

As a best practice, we recommend that the LDAP synchronization task parameter User Certificates be left blank.

This configuration might not be possible in specific cases when a hardware token that stores certificates in the AD is used at preboot authentication.

From the DE 7.x Best Practices Guide (PD24868):

User Certificate
The User Certificate attribute is used by the ePO Server to determine which certificate should be sent from ePO to the client, for example, smartcard tokens. It's better to clear this attribute when you use the Password only token. Setting this attribute can accumulate a large amount of certificate data in the ePO database and impact LDAP performance; therefore, you can remove the certificate query from DE LdapSync: Sync across users from the LDAP task while using the Password only token.

To overcome this issue, implement the workaround below.

Solution 2

If Solution 1 doesn't resolve this issue, search the Knowledge Base using the following string, including the double quotes, to locate other content covering inactive issues:

"Client always shows the System State as Inactive":*/title

Workaround

Remove the certificate and verify that users are assigned to the client.

Remove the usercertificate parameter.
1. In the ePO console, select Menu, Automation, Server Tasks.
2. Locate the task used to import the LDAP structure from AD, and then click Edit.
3. Click Next or the Actions tab.
4. In the User Certificate field, delete the usercertificate parameter, and then click Save.
5. Run the LDAP import server task again.
Make sure that users are assigned to the client.
1. Click Menu, Data Protection, Encryption Users.
2. Select the client, and then click Actions, Endpoint Encryption, View Users.
  The user should now be assigned to the client.
Client checks
1. Verify that the following error isn't shown in the MfeEpe.log: error EpoPlugin [0xEE000005] Failed to deserialize type
2. Verify that users are assigned correctly. The client status should be Active on the client and the ePO server.

Related Information

See also related articles that cover the AD usercertificate attribute.

KB77576 - Failed: (E-SU) - CN=Backup oper,CN=Users,DC=sr,DC=nws,DC=xxxx,DC=gov - null

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Client always shows the System State as Inactive (when Users contain certificates)

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Client always shows the System State as Inactive (when Users contain certificates)

Environment

Problem 1

Problem 2

Cause

Solution 1

Solution 2

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title