This article explains what to check when deployment of the Full Disk Encryption (FDE) client agent through the Endpoint Encryption Deployment Tool plugin of Apex One is unsuccessful.
- The Apex One client is 'Online' and has a working connection to the Apex One server. For more information, see Verifying server-client communication.
- Endpoints meet the minimum system requirements. For more information, see Full Disk Encryption System Requirements.
- For FDE deployment, the Windows Pre-install checklist for FDE is satisfied. For more information, see Windows Pre-install Checklist.
If the installation error is still unclear and is not one of the common error codes mentioned above, check the following:
The timeout period for agent deployment is 30 minutes. In some cases, AddonClientToolBox.loc does not exist in the folder: [C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Download\Product\enu].
This results in the following entries in the agent update log (Tmudump.txt) on the Apex One endpoint:
Inf 20200623 15:41:06 7888 9764 Downloading local sig [http://:8080/officescan/download/product/enu/AddonClientToolBox.loc] to [C:\Program Files (x86)\Trend Micro\OfficeScan Client\AU_Data\AU_Temp\7888_9764\AU_Down\product\enu\AddonClientToolBox.loc]...
Err 20200623 15:41:06 7888 9764 HttpConnection: Client Error: HTTP 404 Not Found
To resolve this issue:
- Set the registry key:
- Restart the Apex One Master Service.
- Check if the AddonClientToolBox.loc has been generated:
[C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Download\Product\enu\AddonClientToolBox.loc]
- Retry the deployment.
The error may occur if the partition type is GUID Partition Table (GPT), which is not supported by FDE.
From Preinstall Check Report.txt:
Name: Partition Type
Description: The drive has an incompatible partition type.
Status: Fail
To check if the disk uses GPT, open the command prompt as an administrator and type the following commands:
You will see a (*) symbol below GPT.
To resolve the issue, see Converting GUID Partition Table (GPT) Disk to Master Boot Record (MBR) disk in Endpoint Encryption.
This error may show if the disk is a Self-Encrypting Drive (SED). SEDs provide "hardware-based encryption", as opposed to the type of encryption that Full Disk Encryption provides, which is referred to as "software-based encryption".
If this line exists in tmfdeinstall.log, the machine is properly encrypted:
[Server]:[Engineering]:detail detectDiskTable: ErrorCode=0, DiskName=sda, DiskIndex=0, Caption=SanDisk SD7TN3Q-256G-1006, DiskID=cd8b11e1-71c3-5905-8d0b-16444815d2e1, SerialNumber=161388406092, Model=, Role=System, Type=SED, Encryption=Hardware, ScratchSpace=Full
We only support the following SED drives:
- Seagate DriveTrust drives
- Seagate OPAL and OPAL 2 drives
- SanDisk self-encrypting solid-state drives
If you want to use software encryption using FDE, proceed with manual deployment by adding the FORCESOFTWARE parameter during installation. For more information, see Full Disk Encryption Manual Deployment.
The issue happens because the "File system" requirements (two partitions: a boot partition and a system partition) are not met:
Error code -17
Installation is unable to continue. Encryption Management for Microsoft BitLocker requires two partitions: a boot partition and a system partition. Endpoint Encryption will encrypt the boot partition. The system partition will remain unencrypted to allow Windows to start. For more information, refer to the documentation of your Windows operating system.
"BitLocker requires two partitions that meet the following requirements:" https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies
"File system" requirement mentioned in https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-basic-deployment
To resolve the issue, create the partition manually. Refer to How to prepare a single partition drive for BitLocker (MBAM) or other Microsoft documents.
For Error code -19 (TPM is not initialized in Windows, or any disk on the device has been encrypted), see Initializing Trusted Platform Module (TPM) for Encryption Management for Microsoft BitLocker installation.
The error -35 is Upgrade_UnsupportedVersion. Check if you are installing on a server platform. TMEE agents do not support server platforms. Please review the System Requirements.
[TB_CMDHO2][TmeeDepService.exe]CClientSync::ClientDataWithOSCallBack2 - Sever platform
To view the deployment status, open the log files at:
C:\PreInstall Check Report.txt
C:\TMFDEUpgradeLog.txt or TMFDEInstall.log
C:\Program Files\Trend Micro\Full Disk Encryption\log\fdedebug.log
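The log signatures described in this article (the HTTP 404 for AddonClientToolBox.loc in Tmudump.txt, the failed Partition Type check, and the detectDiskTable line for an SED) can be checked in one pass over collected logs. The following Python script is an added example, not Trend Micro code: the function names are hypothetical, the sample lines are shortened from the excerpts above, and it assumes the log layouts match those excerpts.

```python
import re

# Tmudump.txt layout as shown in this article: level, date, time, PID, TID, message.
TMU = re.compile(r"^(Inf|Err)\s+\d{8}\s+[\d:]{8}\s+(\d+)\s+(\d+)\s+(.*)$")
# Pre-install report record; \s* also spans a record split across lines (assumed).
CHECK = re.compile(r"Name:\s*(.+?)\s*Description:\s*(.+?)\s*Status:\s*(\w+)", re.S)
# key=value pairs of a detectDiskTable line; values may hold spaces or be empty.
PAIR = re.compile(r"(\w+)=(.*?)(?=,\s*\w+=|$)")

def missing_loc_404(tmudump):
    """True if a 404 follows an AddonClientToolBox.loc download on the same PID/TID."""
    last_is_loc = {}  # (PID, TID) -> was the latest download AddonClientToolBox.loc?
    for line in tmudump.splitlines():
        m = TMU.match(line.strip())
        if not m:
            continue
        level, pid, tid, msg = m.groups()
        if level == "Inf" and "Downloading" in msg:
            last_is_loc[pid, tid] = "AddonClientToolBox.loc" in msg
        elif level == "Err" and "HTTP 404" in msg and last_is_loc.get((pid, tid)):
            return True
    return False

def failed_checks(report):
    """Names of pre-install checks whose Status is Fail."""
    return [name for name, _desc, status in CHECK.findall(report) if status == "Fail"]

def disks(install_log):
    """One dict per detectDiskTable line of tmfdeinstall.log."""
    return [dict(PAIR.findall(line.split("detectDiskTable:", 1)[1].strip()))
            for line in install_log.splitlines() if "detectDiskTable:" in line]

def triage(tmudump="", report="", install_log=""):
    findings = []
    if missing_loc_404(tmudump):
        findings.append("AddonClientToolBox.loc missing on server (HTTP 404)")
    if "Partition Type" in failed_checks(report):
        findings.append("incompatible partition type, check for GPT")
    findings += [f"{d.get('DiskName')}: self-encrypting drive (hardware encryption)"
                 for d in disks(install_log) if d.get("Type") == "SED"]
    return findings

# Sample input: shortened from the excerpts in this article; "..." abbreviates paths.
SAMPLE_TMU = ("Inf 20200623 15:41:06 7888 9764 Downloading local sig [.../AddonClientToolBox.loc]\n"
              "Err 20200623 15:41:06 7888 9764 HttpConnection: Client Error: HTTP 404 Not Found")
SAMPLE_REPORT = "Name: Partition Type Description: The drive has an incompatible partition type. Status: Fail"
SAMPLE_INSTALL = ("[Server]:[Engineering]:detail detectDiskTable: ErrorCode=0, DiskName=sda, "
                  "Caption=SanDisk SD7TN3Q-256G-1006, Model=, Role=System, Type=SED, Encryption=Hardware")
print(triage(SAMPLE_TMU, SAMPLE_REPORT, SAMPLE_INSTALL))
```

The 404 is only reported when it occurs on the same process and thread ID as the AddonClientToolBox.loc download, so unrelated update failures in Tmudump.txt are not misattributed.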
If the issue persists, submit the logs mentioned above (if they exist) to Trend Micro Technical Support.