This is apparently a known issue, but i cannot find the knowledge article whcih confirms this.
Basically, machines which install DLP either through SCCM or via the EPO, install the application successfully, error = 0, log shows successful, but following one or more reboots the policy is still not applied and the machine shows in the EPO as not being protected.
Can someone advise?
Possibly releated to this issue and the fact that for some reason DLP has trouble refreshing and applying policies.
From my findings the issue is with versions of the policy that DLP is storing/caching/enforcing. It's not correctly recognising policies from ePO and not applying the changes.
Create a duplicate of your main DLP agent configuration policy. Select your rogue system and 'modify policy on single system', override the default policy and apply the new policy and send a wake up, wait a bit and restore the original policy and DLP should appear in the 'managed features' menu.
Basically DLP is able to recognize the new policy and this is enough to kick DLP out of it's stuck phase and into a policy refresh
Thanks for taking the time to respond Tristan, however i dont think your workaround is suitable for us.
We are deploynig DLP for the first time, we have about 12,000 machines and have installed on 1000 - 50% are not protected due to these policy problems.
Additionally, we have only ever had one policy, its not like we have numerous ones and made lots of changes.
So if a completely new installation of DLP cannot download and process its INITIAL policy, there is something seriously amiss with this SECURITY software. Its certainly not secure.
One could argue that the installation package should at least contain some kind of initial policy, which would eliminate any 'in between' time where the client is active/functional but requires a policy to 'do' anything - which would effectively make this problem less serious.
It that case duplicate your main policy and assign it to the top of your System tree 'My Organization' and apply it to all machines.
It's a new policy that triggers it not the contents of the policy so you don't need to change any settings. It shouldn't be to much of an issue to re-apply the new policy to all machines working or not.