Windows Pre-install checklist for Full Disk Encryption (FDE)

Updated: 3 Aug 2016
Product/Version: Endpoint Encryption 5.0
Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows 8.1 32-bit
    • Windows 8.1 64-bit
    • Windows Vista SP1 32-bit / 64-bit
    • Windows XP SP3 32-bit

Summary

Before installing the FDE agent, the installer verifies that the endpoint meets the minimum system requirements. This article describes how to check each requirement yourself and provides workarounds.

You may also use Encryption Management for Microsoft BitLocker, where available, to avoid any incompatibility. Encryption Management for Microsoft BitLocker manages BitLocker Drive Encryption™ (BDE) for endpoints running compatible versions of Windows 7, Windows 8 and Windows 10.

Details

The endpoint must have a supported operating system installed.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_OperatingSystem | Select-Object Version,ProductType

Supported OS


Make sure you have the supported operating system installed:

Version = MajorVersion.MinorVersion.Build

  • If MajorVersion is less than 4, it is not supported.
  • MajorVersion is greater than or equal to 5 and MinorVersion x is not supported.
  • A ProductType not equal to 1 is not supported.

For more information, refer to this Microsoft Article: OSVERSIONINFOEX structure.

Encryption Management for Microsoft BitLocker must not be installed on this endpoint. Uninstall Encryption Management for Microsoft BitLocker to install Full Disk Encryption or use Encryption Management for Microsoft BitLocker instead.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Bitlocker*"} | Select-Object Name,Version

Encryption Management for MS Bitlocker


Make sure that Encryption Management for Microsoft BitLocker is not installed.

The physical disk must be fixed and not removable.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_DiskDrive | Where-Object {$_.MediaType -like "*Fixed*" -and $_.DeviceID -like "*PHYSICALDRIVE*"} | Select-Object DeviceID,MediaType

Fixed Media


Make sure that the drive is not a removable drive.

Multiple disk environments are not supported. Remove all physical hard disks except the system drive.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_DiskDrive | Where-Object {$_.MediaType -like "*Fixed*" -and $_.DeviceID -like "*PHYSICALDRIVE*"} | Select-Object Model,DeviceID,MediaType

Multiple Disk Environment


Make sure to install TMFDE on a device with a single drive.

The drive must have at least 256 MB of free disk space.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DeviceID -like "C:"} | Select-Object Deviceid,FreeSpace,Size

Free Space


As a workaround, free space until it reaches the minimum requirement of 256 MB (256000000 bytes).

The disk space for each device must be no more than 2 TB.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DeviceID -like "C:"} | Select-Object Deviceid,FreeSpace,Size

Disk Size


Make sure that the disk space for each device is not more than 2 TB (2000000000000 bytes).

The endpoint must have at least 512 MB of RAM.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory

Memory


Make sure that the system has at least 512 MB of total physical memory.

The drive must not have more than 25 partitions.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,Partitions

Partition Count


Make sure that there are 25 partitions or fewer.

The drive has an incompatible partition type.

How to check:

Run the following in Windows PowerShell:

PS C:\>Get-WmiObject Win32_DiskDrive | Where-Object {$_.Signature -eq $null} | Select-Object Name,Signature

Partition Type


The value of Signature should not be null. A GPT disk does not have a Signature value because its identifier is a GUID, which does not fit in the WMI property.

Workaround:

GUID partition table (GPT) disks use unified extensible firmware interface (UEFI). Most new systems ship with UEFI as the default configuration. UEFI utilizes the partitioning scheme called GUID Partition Table (GPT) which is currently not supported.

After converting to master boot record disk, you will need to switch to Legacy BIOS mode to be able to install the TMFDE agent on the system. This requires a reinstallation of the operating system. Part of Microsoft’s hardware requirements for Windows 10 has made this switch optional to computer manufacturers.

 
Back up or move all volumes on the basic GUID partition table (GPT) disk you want to convert into a master boot record (MBR) disk.

If the pre-install check fails the partition type check, follow the steps in this KB article: Converting GUID Partition Table (GPT) disk to Master Boot Record (MBR) disk in Endpoint Encryption.

The drive must be bootable.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_DiskPartition | Select-Object Name,BootPartition,Bootable

Physical Drive is Bootable


Make sure that the drive is bootable.

SCSI drives are not supported.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,InterfaceType

SCSI Disk


As a workaround, switch to an IDE/SATA disk.

Microsoft .NET Framework is required.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_Directory | Where-Object {$_.Name -like "C:\Windows\Microsoft.Net\Framework\v*"} | ForEach-Object {Split-Path $_.name -Leaf} | Where-Object {$_ -like "v*"} | ForEach-Object {[System.Version]($_ -replace "^v")}

Microsoft .NET Framework Runtime


Version=Major.Minor

Make sure that at least the following Microsoft .NET Framework versions are installed.

The installer checks that the hard disk has SED hardware compatibility.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Manufacturer,Model

SED Hardware Compatibility


Workaround:

Search the Internet for the particular model number if manufacturer details are not given. We only support the following SED drives:

  • Seagate DriveTrust drives
  • Seagate OPAL and OPAL 2 drives
  • SanDisk self-encrypting solid-state drives

Microsoft BitLocker must not be enabled. Two full disk encryption solutions cannot run on the same drive.

How to check:

Run the following in Windows PowerShell:

PS C:\>manage-bde -status

BitLocker is Enabled


Workaround:

Make sure that you have decrypted the drive and removed BitLocker protection. To turn off BitLocker Drive Encryption:

  1. Go to Start > Control Panel > System and Security > BitLocker Drive Encryption.
  2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
  3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue and turn off BitLocker on the drive.

How to check:

Run the following in Windows PowerShell:

PS C:\Users\markse> Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Rapid Storage*"} | Select-Object Name,Version,InstallState

Intel Rapid Storage Technology Detected


Value  Meaning
-6     Bad Configuration
-2     Invalid Argument
-1     Unknown Package
1      Advertised
2      Absent
5      Installed

As a workaround, switch to ATA in the BIOS. This may make the device not bootable. RAID is not supported.
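
The WMI checks above combined into one pass/fail report, as an added example (not Trend Micro's code and not the installer's actual logic). Function names, check labels and the decimal 512 MB value are assumptions; the BitLocker status, .NET Framework and SED checks are left out because they need manual review of the output.

```powershell
# Added example: the thresholds are the article's; function names and output shape
# are assumptions. Written for Windows PowerShell 2.0+ (Get-WmiObject is not
# available in PowerShell 7).
function New-Result($Check, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = "$Detail" } |
        Select-Object Check, Pass, Detail
}

function Test-FdePreinstall {
    $os    = Get-WmiObject Win32_OperatingSystem
    $cs    = Get-WmiObject Win32_ComputerSystem
    $sys   = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DeviceID -eq 'C:' }
    $fixed = @(Get-WmiObject Win32_DiskDrive | Where-Object {
                 $_.MediaType -like '*Fixed*' -and $_.DeviceID -like '*PHYSICALDRIVE*' })
    $boot  = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition -and $_.Bootable })
    # Win32_Product is slow and makes Windows Installer re-validate every package,
    # so it is enumerated once and filtered locally.
    $msi   = @(Get-WmiObject Win32_Product)
    $blm   = @($msi | Where-Object { $_.Name -like '*Bitlocker*' })
    $rst   = @($msi | Where-Object { $_.Name -like '*Rapid Storage*' -and $_.InstallState -eq 5 })
    $parts = @($fixed | Where-Object { $_.Partitions -gt 25 })
    $noSig = @($fixed | Where-Object { $_.Signature -eq $null })   # null on GPT disks
    $scsi  = @($fixed | Where-Object { $_.InterfaceType -eq 'SCSI' })

    New-Result 'OS ProductType is 1' ($os.ProductType -eq 1) "Version $($os.Version), ProductType $($os.ProductType)"
    New-Result 'Encryption Management for BitLocker absent' ($blm.Count -eq 0) (($blm | ForEach-Object { $_.Name }) -join '; ')
    New-Result 'Exactly one fixed physical disk' ($fixed.Count -eq 1) "$($fixed.Count) fixed disk(s)"
    New-Result 'C: free space >= 256000000 bytes' ($sys -and ($sys.FreeSpace -ge 256000000)) "$($sys.FreeSpace) bytes free"
    New-Result 'C: size <= 2000000000000 bytes' ($sys -and ($sys.Size -le 2000000000000)) "$($sys.Size) bytes"
    # 512 MB is taken as decimal, as the article does for disk sizes (assumption).
    New-Result 'RAM >= 512 MB' ($cs.TotalPhysicalMemory -ge 512000000) "$($cs.TotalPhysicalMemory) bytes"
    New-Result 'No disk has more than 25 partitions' ($parts.Count -eq 0) (($parts | ForEach-Object { $_.Name }) -join '; ')
    New-Result 'Disk Signature present (not GPT)' ($noSig.Count -eq 0) (($noSig | ForEach-Object { $_.Name }) -join '; ')
    New-Result 'Bootable boot partition present' ($boot.Count -gt 0) (($boot | ForEach-Object { $_.Name }) -join '; ')
    New-Result 'No SCSI interface' ($scsi.Count -eq 0) (($scsi | ForEach-Object { $_.Name }) -join '; ')
    New-Result 'Intel Rapid Storage not installed' ($rst.Count -eq 0) (($rst | ForEach-Object { $_.Name }) -join '; ')
}

Test-FdePreinstall | Format-Table -AutoSize
```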

Category: Install
Solution Id: 1111423