System is locked because it has been too long since the last policy update

I have several 7.2.6 EEPC encrypted laptops which have been giving the following message:

"This system is locked because it has been too long since the last policy update. Administrator Recovery is now required."

After searching everywhere, I'm at a loss to account for this message. In the policy settings of Drive Encryption, the policy for "Disable pre-boot authentication when not synchronized" is unchecked. So I have no idea why our systems are starting to "lock out" all of a sudden. I have gotten reports of a system working fine one day, then the next day it's locked out. We do the recovery and confirm the policy sync completed, reboot and everything is working normally again. But then, a week or a few days later it happens again, even though the system has been online on the network the whole time.

To back up a little, we recently (about 4 months ago) created a new ePO server and performed the system transfer task to migrate all our systems over from the old ePO to the new ePO. The policy for "Disable pre-boot authentication when not synchronized" was enabled on the old ePO, but we turned it off on the new one.

Using Administrator Recovery sometimes is not an option as we have come to find out that the machine key is missing from ePO. I do not know if the missing machine key has anything to do with the policy lock out, but it seems that the systems with the lock out issue are all missing the machine key in ePO. How the machine key went missing is another mystery to me. My only thought is that something happened during the system transfer to the new ePO which caused it to lose the encryption, or never upload it to the new ePO.

I'd like to know if having the "Disable pre-boot authentication when not synchronized" unchecked still has some sort of default policy enforced, or if our issue is all related to the missing machine keys. The number of systems is starting to grow and we are noticing some repeat incidents on systems we already thought we fixed.

We have opened an SR but did not get an answer to root cause. Only a regedit workaround to force the systems to change their machineID.
