
The following methods can identify whether a Full Disk Encryption client is fully encrypted:

  • From the local machine, double-click the Full Disk Encryption shield in the system tray.
  • Using the PolicyServer, do any of the following:
    • In the PolicyServer logs, search for "MessageID 400008" to list all the machines that are fully encrypted.
    • Run the following SQL statement on the Endpoint Encryption database to list the machines whose encryption has completed. For each device returned, the PolicyServer log entry reads "Device encryption complete."

      SELECT DISTINCT DeviceName, Other
      FROM LOG
      WHERE MessageID = '400008'
      ORDER BY DeviceName

    • Run the following SQL statement on the Endpoint Encryption database to show the encryption status of each machine. The MABackfile GUI shows "True," "False," or "In Progress."

      SELECT dbo.Device.DeviceName, dbo.Device.DeviceID, dbo.DeviceAttributes.AttributeValue
      FROM dbo.Device INNER JOIN dbo.DeviceAttributes ON dbo.Device.DeviceIndex = dbo.DeviceAttributes.DeviceIndex
      GROUP BY dbo.Device.DeviceName, dbo.Device.DeviceID, dbo.DeviceAttributes.AttributeValue
      ORDER BY dbo.Device.DeviceName
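The two queries above list the machines that have reported completion; the check an administrator usually needs is the inverse, the devices that have never logged MessageID 400008 and may therefore still hold unencrypted data. The following PowerShell script is an added example, not Trend Micro code. It assumes the LOG table lives in the dbo schema of the same database as dbo.Device, that LOG.DeviceName matches dbo.Device.DeviceName, and that the server name, database name and the use of Windows authentication are placeholders to replace with your own (a read-only SQL login is sufficient).

```powershell
# Added example (not Trend Micro code): report every device in dbo.Device and
# whether it has ever logged MessageID 400008 ("Device encryption complete").
# Placeholders: -SqlServer and -Database. Assumption: dbo.LOG.DeviceName
# matches dbo.Device.DeviceName (verify against your schema).
param(
    [string]$SqlServer = 'POLICYSERVER\SQLEXPRESS',   # placeholder
    [string]$Database  = 'EndpointEncryptionDB'       # placeholder
)

# One row per device; Status is derived from the presence of a 400008 log entry.
$query = @"
SELECT d.DeviceName,
       CASE WHEN EXISTS (SELECT 1
                         FROM dbo.LOG AS l
                         WHERE l.DeviceName = d.DeviceName
                           AND l.MessageID = '400008')
            THEN 'COMPLETE' ELSE 'NOT COMPLETE' END AS Status
FROM dbo.Device AS d
ORDER BY Status, d.DeviceName;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $query
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    $table   = New-Object System.Data.DataTable
    [void]$adapter.Fill($table)
}
finally {
    $conn.Close()
}

$table | Format-Table -AutoSize
# Devices with no completion event are the ones to chase: they are either still
# encrypting, stalled (for example on a bad sector), or never started.
$notDone = @($table | Where-Object { $_.Status -eq 'NOT COMPLETE' })
Write-Host "$($notDone.Count) device(s) have not reported 'Device encryption complete'."
```

A device that appears as NOT COMPLETE should be cross-checked on the machine itself (the shield icon in the system tray) before it is treated as unencrypted, since a device that was re-imaged and re-registered can lose its earlier log history.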

Enabling the Always On option in Power Management keeps the machine and its disk from entering a low-power or sleep state, which can reduce the amount of time required to encrypt the drive.

To enable the Always On option:

For Windows 7, 8, and Server 2012, go to Control Panel\System and Security\Power Options. These versions do not offer a scheme named Always On; the equivalent is to select the High performance plan and set the sleep and hibernate timeouts to Never.

For earlier versions of Windows (for example Windows XP):
  1. Right-click the desktop and select Properties.
  2. Click the Screen Saver tab and select Power.
  3. On the Power Schemes options, select Always On.
  4. Click OK to exit.
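The steps above are the interactive route. On Windows 7, 8, and Server 2012 the same result can be scripted with powercfg, which is useful when the FDE client is deployed to many machines. The following PowerShell script is an added example, not Trend Micro code; it assumes an elevated prompt, uses the built-in GUID of the High performance plan, and stores the previously active plan in a file path chosen for this example so that the plan can be restored once the client reports "Device encryption complete."

```powershell
# Added example (not Trend Micro code): script the "Always On" equivalent on
# Windows 7/8/Server 2012 with powercfg, and restore the original plan later.
# Requires an elevated (administrator) PowerShell session.
$HighPerformance = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'  # built-in GUID of the High performance plan
$StateFile = Join-Path $env:ProgramData 'fde-previous-power-plan.txt'  # path chosen for this example

function Enable-AlwaysOn {
    # Remember the currently active plan so it can be put back after encryption.
    $line   = (powercfg /getactivescheme) | Select-Object -First 1
    $active = $line -replace '.*GUID:\s*([0-9a-fA-F-]{36}).*', '$1'
    Set-Content -Path $StateFile -Value $active

    powercfg /setactive $HighPerformance

    # 0 means "Never". Set both the AC (-ac) and battery (-dc) values so a laptop
    # running on battery does not suspend half-way through encryption either.
    foreach ($setting in 'monitor-timeout', 'disk-timeout', 'standby-timeout', 'hibernate-timeout') {
        powercfg /change "$setting-ac" 0
        powercfg /change "$setting-dc" 0
    }
}

function Restore-PowerPlan {
    # Call this after the PolicyServer logs MessageID 400008 for the device.
    if (Test-Path $StateFile) {
        powercfg /setactive (Get-Content $StateFile | Select-Object -First 1)
        Remove-Item $StateFile
    }
}

Enable-AlwaysOn
powercfg /getactivescheme   # verify: the output should name "High performance"
```

Leaving the machine on High performance with sleep disabled is a temporary measure for the encryption window; restore the original plan afterwards so that screen lock and sleep policies apply again.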
This can be caused by a corrupted installation. To resolve the issue, re-image the machine, or uninstall and reinstall the FDE client.
The FDE client can handle a shutdown, restart, sleep, hibernation, power loss, or hard power off, as long as these events do not cause any problems in Windows. The encryption or decryption process resumes from where it stopped.

A bad sector causes the FDE client to stop encrypting at a certain point, because the FDE encryption driver can neither read from nor write to the bad sector of the drive. The issue usually occurs on machines that have had an active life, that is, machines that are old or have been frequently imaged.

Hard disk drives with bad sectors should be replaced to avoid security risk from unencrypted data that may reside on it. Disk Defragmenter displays the bad sector as a white box with a red line. This indicates that the cluster cannot be used to store data.

Windows CHKDSK and Scandisk do not always catch all bad sectors of a hard disk drive. If your disk tool is unable to detect the bad sectors on your hard disk, or if you do not run a disk tool on a regular basis, unusable sectors that are unmarked as bad may exist on the disk. Therefore, it is possible for bad sectors to appear while you are using the drive. If bad sectors begin to appear on a regular basis, repair or replace your hard disk.

As a workaround for bad sectors, do the following:

  • Run CHKDSK /R as part of the script before installing FDE. This is not a fool-proof method, but it locates bad sectors and marks them as unusable so that the encryption driver does not attempt to use them.
  • It is recommended to replace the hard disk drive.
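The following PowerShell script is an added example of the pre-install step described above, not Trend Micro code. It reads the disk's reliability counters and refuses to proceed when uncorrected read or write errors are present (the disk should then be replaced rather than encrypted), and otherwise schedules CHKDSK /R on the system volume for the next reboot. It assumes Windows 8 / Server 2012 or later for Get-StorageReliabilityCounter, an elevated session, and the zero-error threshold is a policy chosen for this example.

```powershell
# Added example (not Trend Micro code): pre-install disk check before deploying
# the FDE client. Assumes an elevated session and Windows 8 / Server 2012 or
# later (Get-PhysicalDisk and Get-StorageReliabilityCounter come from the
# Storage module). The error threshold is an assumption for this example.

function Test-DiskHealth {
    param([int]$MaxUncorrectedErrors = 0)   # assumed policy: any uncorrected error fails the disk
    $unhealthy = @()
    foreach ($disk in Get-PhysicalDisk) {
        $counters = $disk | Get-StorageReliabilityCounter
        # Uncorrected read/write errors are the sectors the FDE driver will
        # not be able to process; $null compares as "not greater", so disks
        # that do not report counters are not flagged here.
        if ($counters.ReadErrorsUncorrected  -gt $MaxUncorrectedErrors -or
            $counters.WriteErrorsUncorrected -gt $MaxUncorrectedErrors) {
            $unhealthy += [pscustomobject]@{
                Disk                   = $disk.FriendlyName
                ReadErrorsUncorrected  = $counters.ReadErrorsUncorrected
                WriteErrorsUncorrected = $counters.WriteErrorsUncorrected
            }
        }
    }
    return $unhealthy
}

function Request-ChkdskRepair {
    param([string]$Volume = $env:SystemDrive)
    # The system volume is in use, so CHKDSK asks whether to schedule the scan
    # at the next restart; answer Y non-interactively. /R locates bad sectors,
    # recovers readable data and marks the sectors so they are not reused.
    cmd /c "echo y | chkdsk $Volume /R"
    chkntfs $Volume   # reports whether a check is now scheduled for this volume
}

$bad = Test-DiskHealth
if ($bad.Count -gt 0) {
    $bad | Format-Table -AutoSize
    Write-Warning 'Replace this disk before encrypting: unreadable sectors can leave data unencrypted.'
    exit 1
}

Request-ChkdskRepair
Write-Host 'CHKDSK /R is scheduled. Reboot, let it finish, then install the FDE client.'
```

Because CHKDSK does not always catch every bad sector, a clean result here does not guarantee that none appear later; if the PolicyServer never logs "Device encryption complete" for the machine, re-run the check and replace the drive if errors have started to accumulate.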