3 Replies Latest reply on Feb 24, 2017 11:15 AM by aaron1337

    DE 7.1.3 some issues during activation (activation aborted)

    aaron1337

      Hey guys,

       

      sometimes during activation we got the message in "drive encryption status" window, that the activation was aborted.

       

      We already have the systems, which are getting DE in ePO. To get DE they were moved to the specific group (which has a group user assigned) and run "wake up agants". Then all needed files are copied and the system asks for a restarts -> done

      After successfull boot, another wake up is sent to speed up the process. Then the state of DE is still inactive, until we add the user, which will logon to this machine later.

       

      Now there are two situations:

      1.) the user is added and after sending another wake up agent, all normal things (creating PBFS, sending encryption key to server etc.) are done and the encryption begins -> everything is fine

      2.) the user is added and after sending another wake up agent, all normal things (creating PBFS, sending encryption key to server etc.), but finally is says, that the activation was aborted. Neither sending another wake up agent nor removing and readding the user will help. We also ran the server task "DE: Force update for UBP enforcement users" again (because the group user has UBP enabled), but no change. We figgured out, that only another restart will help.

       

      I have two log files attached to this post. They are from two systems, where I've installed DE today. "Capis" was fine, whereas "Silvo" needed another restart. They are both identical (ThinkPad T460 running Windows 7 x64)

       

      Anyone an idea, what could cause this this behaviour?

       

      Thanks in advance!

        • 1. Re: DE 7.1.3 some issues during activation (activation aborted)
          jhall2

          It appears you are using Policy Assignment Rules with User Based Policies. Here is what I see in the log:

           

          2017-02-17 14:06:23,262 ERROR  EpoPlugin  userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which is preventing activation.

          2017-02-17 14:06:23,262 ERROR  EpoPlugin  userHandler: failing policy enforcement: assigned OptIn user(s) (i.e. non-default UBP users) are missing UBPs/Idents for activation.

           

          I wrote KB84452 to address this issue.

           

          This is the important parts of the log from Silvo:

           

          2017-02-17 15:32:03,593 INFO   AuditServiceService Started successfully

          2017-02-17 15:32:20,719 INFO   LoggingService  ===== Service Started =====

           

          2017-02-17 15:32:35,253 INFO   LoggingService  ===== Service Stopped =====

          2017-02-17 15:32:59,267 INFO   LoggingService  ===========================

          2017-02-17 15:32:59,267 INFO   LoggingService  ===== Service Started =====

           

          2017-02-17 15:33:50,406 INFO   EpoState   == Start of policy enforcement ==
          2017-02-17 15:33:50,422 ERROR  EpoPlugin  userHandler: OptIn user (i.e. non-default UBP user) [1\6776dc310b394051825e3f14417c5f08] has incomplete UBP (missing UBP/Ident) which is preventing activation.
          2017-02-17 15:33:50,422 ERROR  EpoPlugin  userHandler: failing policy enforcement: assigned OptIn user(s) (i.e. non-default UBP users) are missing UBPs/Idents for activation.

           

          2017-02-17 15:35:18,281 INFOEpoState  == Start of policy enforcement ==
          2017-02-17 15:36:04,419 INFOMfeEpeCoreEncryptionPlugin--- Activation Begins ---

          2017-02-17 15:36:05,090 ERROR   StatusService  Für das System wurden keine Benutzer ausgewählt. (No users were selected for the system.)

          2017-02-17 15:36:05,090 ERROR   StatusService  Ein empfangener Stapel von Benutzerdaten konnte nicht verarbeitet werden. (A received batch of user data could not be processed.)

          <message>User list missing from activate command</message>

          2017-02-17 15:36:05,090 INFOEpoState  == End of policy enforcement ==

           

          2017-02-17 15:36:59,017 INFOEpoState                 == Start of policy enforcement ==
          2017-02-17 15:37:55,566 ERROR   MfeEpeCoreEncryptionPlugin[0xEE000004] Failed to receive

           

          2017-02-17 15:43:31,568 INFOMfeEpeServiceLPCServer   Service Stopped Successfully
          2017-02-17 15:44:07,810 INFOLoggingService      ===========================
          2017-02-17 15:44:07,810 INFOLoggingService      ===== Service Started =====
          2017-02-17 15:44:57,800 INFOEpoState              == Start of policy enforcement ==
          2017-02-17 15:46:00,170 INFOMfeEpeCoreEncryptionPlugin --- Activation Begins ---
          2017-02-17 15:46:25,411 INFOMfeEpeCoreEncryptionPlugin --- Activation Success ---
          2017-02-17 15:46:25,411 INFOMfeEpeCoreEncryptionPlugin --- Preboot is now active ---
          2017-02-17 15:47:14,490 INFOEpoState              == End of policy enforcement ==

           

          This issue while also having the above issue as seen in the entries from 15:33 but also has additional errors. What appears to be occurring is ePO is slow to build the policy for the system. This could be because the UPB task was still running or SQL was running slow but basically, Apache generated the policy for the system but didn't contain the user list as seen in the error "No users were selected for the system". This is seen in the entries from 15:35. The next policy enforcement occurred less than a minute after the previous policy enforcement ended at 15:36:59 and because it was using the same policy as the previous activation attempt, it also failed which is to be expected.

           

          A reboot occurred at 15:43 and the subsequent activation was successful as a new policy was pulled down which contained the user list.

           

          From what I can gather two things need to be done: First, ensure that the UPB Server Task discussed in KB84452 is properly configured. Second, wait longer after running the UPB Server task to perform a Collect and Send Props (ASCI / Wakeup Call) for ePO to generate the policy.

          • 2. Re: DE 7.1.3 some issues during activation (activation aborted)
            aaron1337

            Thank you! As fas as I figgured this out, the schedule of mentioned server task have to be set to advanced and then enter a custom cron syntax.

             

            Can you please confirm, if this is the correct syntax to let the task run every 15 minutes? (with or with no spaces?)

            * 15 * * * *

            • 3. Re: DE 7.1.3 some issues during activation (activation aborted)
              aaron1337

              Instead of using cron syntax, I configured this via the reguluar schedule type:

               

              Schedule type: Daily

              Schedule: between 12:00 AM and 11:59 PM every 15 minutes