
The endpoint must have a supported operating system installed.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_OperatingSystem | Select-Object Version,ProductType

  2. Make sure you have the supported operating system installed:

    Version = MajorVersion.MinorVersion.Build

    • A MajorVersion less than 6 is not supported.
    • A MajorVersion greater than or equal to 6 AND a MinorVersion less than 1 is not supported.
    • A ProductType not equal to 1 is not supported.

For more information, refer to this Microsoft Article: OSVERSIONINFOEX structure.

Microsoft .NET Framework 2.0 is required.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Directory | Where-Object {$_.Name -like "C:\Windows\Microsoft.Net\Framework\v*"} | ForEach-Object {Split-Path $_.name -Leaf} | Where-Object {$_ -like "v*"} | ForEach-Object {[System.Version]($_ -replace "^v")}

    Version=Major.Minor

  2. Make sure that at least the following Microsoft .NET Framework versions are installed.

    • For Windows 7/8/10:

      • Microsoft .NET Framework 3.5 or later
    • For Windows XP:

      • Microsoft .NET Framework 2.0 SP1 or later

    For more information, refer to the Microsoft KB Article: How to determine which versions and service pack levels of the Microsoft .NET Framework are installed.

Encryption Management for Microsoft BitLocker must not be installed on this endpoint. Uninstall Encryption Management for Microsoft BitLocker to install Full Disk Encryption or use Encryption Management for Microsoft BitLocker instead.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Bitlocker*"} | Select-Object Name,Version

  • Make sure that Encryption Management for Microsoft BitLocker is not installed.

The physical disk must be fixed and not removable.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Where-Object {$_.MediaType -like "*Fixed*" -and $_.DeviceID -like "*PHYSICALDRIVE*"} | Select-Object DeviceID,MediaType

  • Make sure that the drive is not a removable drive.

The drive must have at least 256 MB of free disk space.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DeviceID -like "C:"} | Select-Object Deviceid,FreeSpace,Size

  • Workaround:

    Free space until it reaches the minimum requirement of 256 MB (256000000 bytes).

The endpoint must have at least 512MB of RAM.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory

  • Make sure that the system has at least 512MB of total physical memory.

The drive must not have more than 25 partitions.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,Partitions

  • Make sure that there are 25 partitions or less.

The drive must be bootable.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskPartition | Select-Object Name,BootPartition,Bootable

  • Make sure that the drive is bootable.

SCSI drives are not supported.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,InterfaceType

  • Workaround:

    Switch to an IDE/SATA disk.

The installer checks that the hard disk has SED hardware compatibility.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Manufacturer,Model

  • Workaround:

    Refer to the manufacturer for the SED details of the particular model number if they are not given. We only support the following SED drives:

    • Seagate DriveTrust drives
    • Seagate OPAL and OPAL 2 drives
    • SanDisk self-encrypting solid-state drives

Microsoft BitLocker must not be enabled. Two full disk encryption solutions cannot run on the same drive.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> manage-bde -status

  • Workaround:

    Make sure that you have decrypted the drive and removed BitLocker protection. To turn off BitLocker Drive Encryption:

    1. Go to Start > Control Panel > System and Security > BitLocker Drive Encryption.
    2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
    3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue.

Drives using Intel Rapid Storage Technology with mSATA caches are not supported.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Rapid Storage*"} | Select-Object Name,Version,InstallState

    InstallState values:

    Value   Meaning
    -6      Bad Configuration
    -2      Invalid Argument
    -1      Unknown Package
    1       Advertised
    2       Absent
    5       Installed

  • Workaround:

    Switch to ATA in the BIOS. This may make the device not bootable. RAID is not supported.

The drive must have a standard Windows MBR. Drives with alternative preboot software, such as other encryption programs, are not supported.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Where-Object {$_.Signature -eq $null} | Select-Object Name,Signature

    Value of Signature should not be null. GPT does not have a Signature value as it is a GUID (which does not fit in WMI).

  2. Check the disk properties in the Disk Management UI.

The Full Disk Encryption Preboot supports the current keyboard layout.

How to check:

The Full Disk Encryption Preboot supports the system Network Interface Controller (NIC) and WiFi hardware.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_NetworkAdapter | Where-Object {$_.PNPDeviceID -like "PCI*" -or $_.PNPDeviceID -like "USB*"} | Select-Object Name,PNPDeviceID

  • PCI ID = VendorID:DeviceID
  • Under PNPDeviceID:

    PCI\VEN_<four digit VendorID>&DEV_<four digit DeviceID>

Sample values:

PCI\VEN_8086&DEV_15A2&… PCI ID is 8086:15A2 = Intel Corporation Ethernet Connection (3) I218-LM
PCI\VEN_8086&DEV_095B&… PCI ID is 8086:095B = Intel Corporation Wireless 7265

For more information on supported network cards, refer to this KB article: Supported Network Card list in Endpoint Encryption 5.0.
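
The PNPDeviceID-to-PCI-ID mapping above can be applied to every adapter at once. This is an added example, not code from the original article; the function name `Get-PciIdReport`, the `-Supported` list and the sample rows are constructed for illustration, and the real list of IDs must come from the supported network card KB article.

```powershell
# Added example (PowerShell 3.0 or later). Get-PciIdReport is a hypothetical helper.
function Get-PciIdReport {
    param(
        [Parameter(Mandatory = $true)][object[]]$Adapter,
        # Caller-supplied "VendorID:DeviceID" strings taken from the supported card list.
        [string[]]$Supported = @()
    )
    foreach ($a in $Adapter) {
        # PCI\VEN_<four digit VendorID>&DEV_<four digit DeviceID> (hexadecimal digits)
        if ($a.PNPDeviceID -match '^PCI\\VEN_([0-9A-Fa-f]{4})&DEV_([0-9A-Fa-f]{4})') {
            $id = ('{0}:{1}' -f $Matches[1], $Matches[2]).ToUpper()
            [pscustomobject]@{
                Name   = $a.Name
                PciId  = $id
                OnList = ($Supported -contains $id)
            }
        }
        else {
            # USB adapters carry no PCI ID in this form; list them for manual review.
            [pscustomobject]@{ Name = $a.Name; PciId = $null; OnList = $false }
        }
    }
}

# Constructed rows shaped like the Win32_NetworkAdapter output (not real devices).
$sample = @(
    [pscustomobject]@{ Name = 'Constructed Ethernet adapter'; PNPDeviceID = 'PCI\VEN_8086&DEV_15A2&SUBSYS_00000000&REV_00\0' }
    [pscustomobject]@{ Name = 'Constructed wireless adapter'; PNPDeviceID = 'PCI\VEN_8086&DEV_095B&SUBSYS_00000000&REV_00\0' }
    [pscustomobject]@{ Name = 'Constructed USB adapter';      PNPDeviceID = 'USB\VID_0000&PID_0000\0' }
)

# The -Supported value here is a constructed placeholder, not the real supported list.
Get-PciIdReport -Adapter $sample -Supported @('8086:15A2')

# On a live endpoint, feed it the query from this section:
# Get-PciIdReport -Adapter (Get-WmiObject Win32_NetworkAdapter |
#     Where-Object { $_.PNPDeviceID -like "PCI*" -or $_.PNPDeviceID -like "USB*" })
```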

Disks on this device must have unique hardware properties: SerialNumber and Model.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Diskdrive | ft model,serialnumber

  • Make sure that there are no duplicate hard disk drive models or serial numbers.

There are one or more disks which are not initialized. Open Disk Management to initialize.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | where partitions -eq 0 | ft

  • If the partition number of a disk is 0, it means the disk is not initialized.

Check the first usable LBA and partition size

How to check:

Open sector 1 of the system disk. To do this, refer to the KB article Exporting sectors from a disk using the HxD tool in Endpoint Encryption.


Sector 0 has the protective MBR. Following this is sector 1 which contains the GPT Header.

In this example, here are the values:

[Image: Sample values]

The following conditions must be met:

  • The GPT Header must have the EFI Signature string: "45 46 49 20 50 41 52 54" which is equal to ASCII: "EFI PART"
  • If Number of Partitions = 128,
    StartingLBA + (Number of Partitions/4) = FirstUsableLBA
    In the example, 2+(128/4)=34

  • If Number of Partitions < 128,
    StartingLBA + (Number of Partitions/4) + 2 = FirstUsableLBA
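
The conditions above can be checked directly against the bytes of sector 1. This is an added example, not code from the original article; the function name `Test-GptHeader` and the file path are hypothetical, and it assumes the article's "StartingLBA" is the partition entry array's starting LBA stored at header offset 72.

```powershell
# Added example (PowerShell 3.0 or later). Offsets follow the UEFI GPT header layout.
function Test-GptHeader {
    param([Parameter(Mandatory = $true)][byte[]]$Sector)

    if ($Sector.Length -lt 92) { throw 'A GPT header needs at least 92 bytes.' }

    # Bytes 0-7 must be 45 46 49 20 50 41 52 54, which is ASCII "EFI PART".
    $signature = [System.Text.Encoding]::ASCII.GetString($Sector, 0, 8)

    # Little-endian header fields.
    $firstUsable = [System.BitConverter]::ToUInt64($Sector, 40)  # FirstUsableLBA
    $startingLba = [System.BitConverter]::ToUInt64($Sector, 72)  # assumption: the article's "StartingLBA"
    $count       = [System.BitConverter]::ToUInt32($Sector, 80)  # Number of Partitions

    # Apply the article's formulas literally; more than 128 entries is not covered there.
    $expected = $null
    if ($count -eq 128)     { $expected = [double]$startingLba + ($count / 4) }
    elseif ($count -lt 128) { $expected = [double]$startingLba + ($count / 4) + 2 }

    [pscustomobject]@{
        SignatureOk      = ($signature -ceq 'EFI PART')
        PartitionCount   = $count
        StartingLBA      = $startingLba
        FirstUsableLBA   = $firstUsable
        ExpectedFirstLBA = $expected
        FirstUsableOk    = ($null -ne $expected -and $expected -eq [double]$firstUsable)
    }
}

# Constructed 512-byte header matching the article's example: 2 + (128 / 4) = 34.
$sector = New-Object byte[] 512
[System.Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($sector, 0)
[System.BitConverter]::GetBytes([uint64]34).CopyTo($sector, 40)
[System.BitConverter]::GetBytes([uint64]2).CopyTo($sector, 72)
[System.BitConverter]::GetBytes([uint32]128).CopyTo($sector, 80)
Test-GptHeader -Sector $sector

# For a sector exported to a file (hypothetical path):
# Test-GptHeader -Sector ([System.IO.File]::ReadAllBytes('C:\Temp\sector1.bin'))
```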

The endpoint must not have incompatible software installed. We currently check HP Drive Encryption and Dell Backup Recovery.

How to check:

Run the following in Windows PowerShell:

PS C:\> get-itemproperty "hklm:\SOFTWARE\WinMagic\HPSecureDoc\ProductCode"
PS C:\> get-itemproperty "hklm:\Software\WOW6432Node\WinMagic\HPSecureDoc\ProductCode"
PS C:\> get-itemproperty "hklm:\Software\Microsoft\Windows\CurrentVersion\Uninstall\{HP Product Code}\InstallLocation"
PS C:\> get-itemproperty "hklm:\Software\DellBackupandRecovery\InstallPath"
PS C:\> get-itemproperty "hklm:\Software\WOW6432Node\DellBackupandRecovery\InstallPath"

Each command should report that the path does not exist. If a path exists, uninstall the corresponding software.