WFBS-SVC requires the following to use Full Disk Encryption.
Item | Requirement |
---|---|
Operating system | |
System partition format | |
System partition size | The system partition on the following platforms must have at least 100 MB of free space: The system partition on the other supported platforms must have at least 250 MB of free space. |
For more information on BitLocker system requirements, see the Microsoft article BitLocker overview.
The following table describes the possible encryption statuses shown in the console and what each one means.
Encryption Status | Description |
---|---|
- | The endpoint runs an operating system that does not support encryption. |
Decrypted (user) | At least one disk was encrypted by WFBS-SVC and then decrypted by the user. Send the encryption command again to manage the endpoint. |
Decrypting... | BitLocker is decrypting the endpoint. |
Decrypting... (paused) | The decryption process has been paused by the user. Resume decryption from the endpoint. |
Decrypting... (user) | At least one disk was encrypted by WFBS-SVC and then decrypted by the user. Send the encryption command again to manage the endpoint. |
Encrypted | The endpoint is encrypted. |
Encrypted (user) | At least one disk was encrypted by the user and is not managed by WFBS-SVC. Send the encryption command to manage the endpoint. |
Encrypting... | BitLocker is encrypting the endpoint. |
Encrypting... (paused) | The encryption process has been paused by the user. Resume encryption from the endpoint. |
Locked | The endpoint cannot be encrypted or decrypted because BitLocker has locked it. Unlock the endpoint first. |
Not encrypted | Possible scenarios include: |
Partially encrypted | New disks were added to the endpoint. Send the encryption command again to encrypt the new disks. |
Pending | The domain that the endpoint belongs to has changed. WFBS-SVC automatically sends the encryption command again the next time the Security Agent reports to the server. |
Suspended | BitLocker protection has been suspended by the user. Resume protection on the endpoint before encrypting or decrypting it. |
Unable to encrypt | WFBS-SVC cannot encrypt the endpoint. For more information, refer to Resolving Encryption Issues. |
Unknown | WFBS-SVC cannot obtain the encryption status. The endpoint might be running a version of the Security Agent that does not support encryption. Try sending the encryption command to update the status. |
Unsuccessful | Encryption or decryption was unsuccessful. Look up the reported error code in the Microsoft article COM Error Codes (TPM, PLA, FVE) to troubleshoot the issue. |
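When the console shows one of these statuses, the quickest way to confirm what the endpoint itself reports is to query BitLocker locally. The following PowerShell is an added example for this page, not WFBS-SVC code: it reads each volume with Get-BitLockerVolume (BitLocker module, Windows 8 / Server 2012 and later, elevated session) and maps the local VolumeStatus, ProtectionStatus and LockStatus onto the status names in the table above. The mapping is my reading of the table's descriptions, not the product's own logic; statuses that depend on console-side knowledge ("(user)", "Pending", "Unable to encrypt") cannot be derived locally and are not produced.

```powershell
#Requires -RunAsAdministrator
# Map the local BitLocker state of each volume to the console status names in the table.
# Added example; the mapping is an assumption drawn from the table, not WFBS-SVC's algorithm.

function Get-LocalEncryptionStatus {
    foreach ($v in Get-BitLockerVolume) {
        $console = if ($v.LockStatus -eq 'Locked') {
                'Locked'
            } elseif ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off') {
                # Suspend-BitLocker leaves the data encrypted but adds a clear key,
                # so ProtectionStatus drops to Off while VolumeStatus stays FullyEncrypted.
                'Suspended'
            } else {
                switch ([string]$v.VolumeStatus) {
                    'FullyEncrypted'       { 'Encrypted' }
                    'FullyDecrypted'       { 'Not encrypted' }
                    'EncryptionInProgress' { 'Encrypting...' }
                    'EncryptionPaused'     { 'Encrypting... (paused)' }
                    'DecryptionInProgress' { 'Decrypting...' }
                    'DecryptionPaused'     { 'Decrypting... (paused)' }
                    default                { 'Unknown' }
                }
            }
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            LockStatus       = $v.LockStatus
            ConsoleStatus    = $console
        }
    }
}

# Roll the per-volume results up to an endpoint-level status the way the table describes it:
# an encrypted volume next to an unencrypted one is "Partially encrypted" (for example a newly added disk).
function Get-EndpointEncryptionSummary {
    $vols   = @(Get-LocalEncryptionStatus)
    $states = @($vols.ConsoleStatus | Sort-Object -Unique)
    if ($states.Count -eq 0)                { return 'Unknown' }
    if ($states -contains 'Locked')         { return 'Locked' }
    if ($states.Count -eq 1)                { return $states[0] }
    if ($states -contains 'Encrypted' -and $states -contains 'Not encrypted') { return 'Partially encrypted' }
    return ($states -join ' / ')
}

# Usage: per-volume detail, then the endpoint-level summary.
Get-LocalEncryptionStatus | Format-Table -AutoSize
Get-EndpointEncryptionSummary
```

A FullyEncrypted volume with ProtectionStatus Off also looks like "Suspended" when it was encrypted with only a clear key and never had protectors added; check the KeyProtector list on the volume if the distinction matters.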
The following table describes the possible scenarios that can prevent WFBS-SVC from encrypting an endpoint.
Issue | Description |
---|---|
BitLocker is not installed | BitLocker is not installed on the endpoint. On Windows Server it is an optional feature; refer to the Microsoft article BitLocker: How to deploy on Windows Server 2012 for installation instructions. |
Operating system is not supported | The endpoint runs a version of Windows that does not support encryption. For more information, refer to the KB article: Full Disk Encryption System Requirements. |
System partition does not exist | The system partition does not exist on the endpoint. Reinstall Windows and make sure that the system partition is created. |
System partition format is not supported | The startup disk and system partition must use a supported format. Reinstall Windows and format the startup disk and system partition to a supported format. For more information, refer to the KB article: Full Disk Encryption System Requirements. |
System partition is not active | The system partition on the endpoint is not marked active. Use the Windows Disk Management tool to mark it active; for more information, refer to the section To mark a partition as active in the Microsoft Product Documentation. This applies to MBR-partitioned disks on BIOS firmware; GPT disks on UEFI systems boot from the EFI System Partition and have no active flag. |
System partition is too small | The system partition does not have enough free space. For more information, refer to the KB article: Full Disk Encryption System Requirements. Possible solutions: |
Trusted Platform Module (TPM) compatibility issue | The Trusted Platform Module (TPM) is not compatible with Windows. Initialize the TPM to resolve the issue. For more information, refer to the Microsoft article: Initialize the TPM. |
Trusted Platform Module (TPM) is disabled in BIOS | The TPM must be enabled in the BIOS/UEFI firmware. For more information, refer to the Microsoft article: Initialize the TPM. |
Trusted Platform Module (TPM) owner password not set | A TPM owner password must be created. For more information, refer to the Microsoft article: Initialize the TPM. |
Trusted Platform Module (TPM) is not initialized | The TPM must be initialized on the endpoint. For more information, refer to the Microsoft article: Initialize the TPM. |
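Most of the conditions in the two tables above (BitLocker feature, TPM state, system partition presence, free space and active flag, OS volume file system) can be checked on the endpoint before sending the encryption command. The following PowerShell preflight script is an added example for this page and not part of WFBS-SVC. It assumes an elevated session on Windows 8 / Server 2012 or later (for the Storage and BitLocker cmdlets) and, because the page's platform list for the 100 MB figure is not reproduced here, it uses the stricter 250 MB free-space requirement unless you pass -MinSystemPartitionFreeMB. The OS version threshold of 6.2 only marks where the BitLocker cmdlets exist; compare the reported Caption against the supported-platform list in the KB article.

```powershell
#Requires -RunAsAdministrator
# Preflight check for the BitLocker prerequisites in the requirements and issues tables.
# Added example, not WFBS-SVC code. Run in an elevated PowerShell session on the endpoint.

function New-Check {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-FdeReadiness {
    # Assumption: 250 MB (the stricter figure on the page) unless the caller knows the 100 MB platform applies.
    param([int]$MinSystemPartitionFreeMB = 250)

    # Operating system: the BitLocker PowerShell module ships with Windows 8 / Server 2012 (NT 6.2) and later.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    New-Check 'Operating system' ([version]$os.Version -ge [version]'6.2') "$($os.Caption) ($($os.Version))"

    # BitLocker installed: on Windows Server it is an optional feature (Install-WindowsFeature BitLocker).
    $bl = Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue
    New-Check 'BitLocker installed' ([bool]$bl) $(if ($bl) { 'BitLocker module present' } else { 'Get-BitLockerVolume not found' })

    # TPM: Win32_Tpm exposes the three states behind the TPM rows of the issues table
    # (disabled in BIOS -> IsEnabled, not initialized -> IsActivated, owner not set -> IsOwned).
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $enabled   = (Invoke-CimMethod -InputObject $tpm -MethodName IsEnabled).IsEnabled
        $activated = (Invoke-CimMethod -InputObject $tpm -MethodName IsActivated).IsActivated
        $owned     = (Invoke-CimMethod -InputObject $tpm -MethodName IsOwned).IsOwned
        New-Check 'TPM enabled in BIOS' $enabled   "IsEnabled=$enabled"
        New-Check 'TPM initialized'     $activated "IsActivated=$activated"
        New-Check 'TPM owned'           $owned     "IsOwned=$owned"
    } else {
        New-Check 'TPM present' $false 'No Win32_Tpm instance: TPM absent, disabled in firmware, or driver missing'
    }

    # System partition: must exist, have enough free space, and (on MBR disks) be marked active.
    $sysPart = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    if (-not $sysPart) {
        New-Check 'System partition exists' $false 'No partition flagged IsSystem'
        return
    }
    New-Check 'System partition exists' $true ("Disk {0} partition {1}, {2:N0} MB" -f $sysPart.DiskNumber, $sysPart.PartitionNumber, ($sysPart.Size / 1MB))

    $sysVol = $sysPart | Get-Volume -ErrorAction SilentlyContinue
    $freeMB = if ($sysVol) { [math]::Round($sysVol.SizeRemaining / 1MB) } else { -1 }
    New-Check 'System partition free space' ($freeMB -ge $MinSystemPartitionFreeMB) ("{0} MB free ({1}), {2} MB required" -f $freeMB, $sysVol.FileSystem, $MinSystemPartitionFreeMB)

    # The "active" flag is an MBR concept. GPT disks on UEFI firmware boot from the EFI System Partition
    # and have no active flag, so the "System partition is not active" issue cannot apply to them.
    $style = (Get-Disk -Number $sysPart.DiskNumber).PartitionStyle
    if ($style -eq 'MBR') {
        New-Check 'System partition active' ([bool]$sysPart.IsActive) "IsActive=$($sysPart.IsActive)"
    } else {
        New-Check 'System partition active' $true "$style disk (firmware: $env:firmware_type); active flag not applicable"
    }

    # BitLocker requires the operating system volume itself to be NTFS.
    $osVol = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    New-Check 'OS volume file system' ($osVol.FileSystem -eq 'NTFS') "$env:SystemDrive is $($osVol.FileSystem)"
}

# Usage: list every check, then only the failures that need fixing before sending the encryption command.
Test-FdeReadiness | Format-Table -AutoSize
Test-FdeReadiness | Where-Object { -not $_.Pass }
```

A TPM that reports IsEnabled but not IsActivated or IsOwned is the "not initialized" / "owner password not set" case from the table; run the Microsoft Initialize the TPM procedure (or Initialize-Tpm on current builds) rather than reinstalling anything.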
If an endpoint is locked, use its BitLocker recovery key to unlock it.
- Navigate to Security Agents.
- Find the locked endpoint by using the Search box or by locating it manually in the Agent tree.
- Click the link in the Encryption Status column. The Encryption Status screen appears.
- Click Get recovery key.
- Optional step: Provide the password that protects the recovery key and click Get Key.
- To add password protection to the recovery key, click Set up a password to protect the key.
Note which recovery keys exist on the endpoint:
- If the user enabled BitLocker manually, BitLocker generated a local recovery key.
- If the encryption command was sent from the WFBS-SVC console, a new recovery key is generated.
- BitLocker stores every generated recovery key as a separate key protector, and any stored key can unlock the volume. The local key therefore remains valid and is not overwritten by the newly generated key. If a locally generated key that is not held in the console must not remain a valid unlock path, remove its key protector on the endpoint.
Use a password to protect the BitLocker recovery keys. If you forget the password or need to reset it, contact Trend Micro.
For more information, refer to the KB article: Frequently Asked Questions (FAQs) on Worry-Free Business Security Services (WFBS-SVC) Full Disk Encryption
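The following PowerShell shows, on the endpoint itself, what the notes above about coexisting recovery keys mean in practice: listing the recovery password protectors on a volume, adding a new one and confirming the old one survives, removing every recovery password protector except a chosen one, and unlocking a volume that the console reports as Locked. This is an added example for this page and not WFBS-SVC code; it assumes the BitLocker module (Windows 8 / Server 2012 and later) and an elevated session (the RecoveryPassword field is only populated when elevated). Mount points and the protector ID in the usage lines are placeholders.

```powershell
#Requires -RunAsAdministrator
# Inspect and manage BitLocker recovery password protectors on an endpoint.
# Added example, not WFBS-SVC code. Mount points and IDs below are placeholders.

# Return every recovery password protector on a volume (protector ID plus the 48-digit password).
function Get-RecoveryPasswordProtector {
    param([string]$MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Add a fresh recovery password and report what changed. Existing protectors are left in place,
# which is the behaviour described above: each still unlocks the volume until it is explicitly removed.
function Add-RecoveryPasswordProtector {
    param([string]$MountPoint = $env:SystemDrive)
    $before = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    $null   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $after  = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    $new    = $after | Where-Object { $_.KeyProtectorId -notin $before.KeyProtectorId }
    [pscustomobject]@{
        ProtectorsBefore    = $before.Count
        ProtectorsAfter     = $after.Count
        NewProtectorId      = $new.KeyProtectorId
        NewRecoveryPassword = $new.RecoveryPassword
    }
}

# Remove every recovery password protector except the one you keep (for example the one held in the
# management console), so a stale locally generated key stops being a valid unlock path.
function Remove-StaleRecoveryPasswordProtector {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$KeepKeyProtectorId,
        [string]$MountPoint = $env:SystemDrive
    )
    $all = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    if ($all.KeyProtectorId -notcontains $KeepKeyProtectorId) {
        throw "Protector $KeepKeyProtectorId not found on $MountPoint; refusing to remove anything."
    }
    foreach ($p in $all | Where-Object { $_.KeyProtectorId -ne $KeepKeyProtectorId }) {
        $null = Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
        Write-Verbose "Removed recovery password protector $($p.KeyProtectorId) from $MountPoint"
    }
}

# Unlock a volume that BitLocker has locked (console status "Locked") with a recovery password
# obtained from Get recovery key in the console. Returns the volume's state afterwards.
function Unlock-LockedVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RecoveryPassword   # 48 digits, dashes optional
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') { return $vol }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}

# Usage (placeholders; run interactively on the endpoint):
Get-RecoveryPasswordProtector -MountPoint 'C:' | Format-Table -AutoSize
$added = Add-RecoveryPasswordProtector -MountPoint 'C:'
$added
# Keep only the newly added protector once its password is stored where the organization can retrieve it:
# Remove-StaleRecoveryPasswordProtector -MountPoint 'C:' -KeepKeyProtectorId $added.NewProtectorId -Verbose
# Unlock-LockedVolume -MountPoint 'D:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
```

The same protector list is visible with `manage-bde -protectors -get C:`, and a recovery password can be escrowed to Active Directory with Backup-BitLockerKeyProtector when domain policy allows it. BitLocker refuses to remove the last key protector on a volume, so the remove function is only dangerous in the sense intended: after it runs, the kept protector (and any TPM protector) are the only ways to unlock the volume.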