Client always shows the System State as Inactive (when duplicate users exist in ePolicy Orchestrator)

Technical Articles ID: KB85677
Last Modified: 2023-04-12 09:05:13 Etc/GMT

Environment

Drive Encryption (DE) 7.1.x

For details of DE 7.1.x supported environments, see KB79422 - Supported platforms for Drive Encryption 7.x.

Problem 1

Some systems fail to activate after installing DE.

Client side:
The user sees the following in the Encryption System Status window, even though the encryption policy is activated in ePolicy Orchestrator (ePO):

System State	Inactive
Volume Status	No volume information
Progress	Progress bar shows no encryption activity

ePO Console:
The administrator sees the Client System Details showing for DE:

State

In-Active

Selecting More, Disks shows the following message:

No details available, as Drive Encryption is not Active

Problem 2

MfeEpe.log on the client records the following errors:

ERROR	MfeEpeStatusService	Failed to add Endpoint Encryption users
WARNING	MfeEpeGenEncryptionProviderPlugin	..\..\..\Src\EpeGenActivationHandler.cpp: EPE_gen_activation_handler::send_activate_exception: 719: [0xEE050006] Following exceptions were raised when processing user list class EPE_user_exists_exception: [0xEE050001] The user User1 already exists: Code :3993305089
ERROR	EpoPlugin	UserHandler: failed to process batched user data response: [0xEE050006] [0xEE050006] Following exceptions were raised when processing user list class EPE_user_exists_exception: [0xEE050001] The user User1 already exists: Code :3993305089
ERROR	MfeEpeStatusService	Failed to process a batch of user data receive

Cause

Duplicate users can be created if multiple entry points exist to the same Active Directory (AD) forest or if ePO is able to query the same user objects from two different ePO-Registered LDAP Servers. This duplication often occurs when two Registered LDAP servers are pointed to the same domain, but it can also occur if multiple Registered LDAP Servers are pointed to child domains and the Global Catalog or Chase Referrals options is enabled. DE allows duplicate users if the same domain is registered twice with different Registered LDAP Servers.

Solution

Remove all duplicate user entries to allow the systems to activate.

IMPORTANT: A new query (Drive Encryption – Duplicate Users) is included in DE 7.1 Update 3 (7.1.3) to locate and remove duplicate users. Duplicate users can be created when AD Servers have been misconfigured or when you have used LDAP chase referrals. ePO also allows you to register the same AD Server multiple times, which leads to duplicate users being created.

For deatils, see KB84531 - How to identify and remove Drive Encryption duplicate users and groups.

Related Information

KB76111 - Duplicate Drive Encryption users shown after running the query 'DE: Users' or 'EE: Users'

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Client always shows the System State as Inactive (when duplicate users exist in ePolicy Orchestrator)

Environment

Problem 1

Problem 2

Cause

Solution

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

Client always shows the System State as Inactive (when duplicate users exist in ePolicy Orchestrator)

Environment

Problem 1

Problem 2

Cause

Solution

Related Information

Affected Products

Languages:

Choose your region

Title

Title