System is locked because it has been too long since the last policy update
I have several 7.2.6 EEPC encrypted laptops which have been giving the following message:
"This system is locked because it has been too long since the last policy update. Administrator Recovery is now required."
After searching everywhere, I'm at a loss to account for this message. In the policy settings of Drive Encryption, the policy for "Disable pre-boot authentication when not synchronized" is unchecked. So I have no idea why our systems are starting to "lock out" all of a sudden. I have gotten reports of a system working fine one day, then the next day it's locked out. We do the recovery and confirm the policy sync completed, reboot and everything is working normally again. But then, a week or a few days later it happens again, even though the system has been online on the network the whole time.
To back up a little, we recently (about 4 months ago) created a new ePO server and performed the system transfer task to migrate all our systems over from the old ePO to the new ePO. The policy for "Disable pre-boot authentication when not synchronized" was enabled on the old ePO, but we turned it off on the new one.
Using Administrator Recovery sometimes is not an option as we have come to find out that the machine key is missing from ePO. I do not know if the missing machine key has anything to do with the policy lock out, but it seems that the systems with the lock out issue are all missing the machine key in ePO. How the machine key went missing is another mystery to me. My only thought is that something happened during the system transfer to the new ePO which caused it to lose the encryption, or never upload it to the new ePO.
I'd like to know if having the "Disable pre-boot authentication when not synchronized" policy unchecked still has some sort of default policy enforced, or if our issue is all related to the missing machine keys. The number of systems is starting to grow and we are noticing some repeat incidents on systems we already thought we fixed.
We have opened an SR but did not get an answer on root cause. Only a regedit workaround to force the systems to change their machine ID.