Windows Pre-install checklist for Full Disk Encryption (FDE) 6.0

    • Updated: 6 Jun 2017
    • Product/Version: Endpoint Encryption 6.All
    • Platform: Windows 10 32-bit, Windows 10 64-bit, Windows 7 32-bit, Windows 7 64-bit, Windows 8 32-bit, Windows 8 64-bit, Windows 8.1 32-bit, Windows 8.1 64-bit, Windows Embedded POSReady 7 (32-bit/64-bit)

Summary

Before the Full Disk Encryption (FDE) agent is installed, the installer verifies that the endpoint meets the minimum system requirements. This article lists each requirement, how to check it, and the available workarounds.

You may also use Encryption Management for Microsoft BitLocker, where available, to avoid any incompatibility. Encryption Management for Microsoft BitLocker manages BitLocker Drive Encryption™ (BDE) for endpoints running compatible versions of Windows 7, Windows 8 and Windows 10.

Details

The endpoint must have a supported operating system installed.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_OperatingSystem | Select-Object Version,ProductType

    [Screenshot: Supported Operating System]

  2. Make sure you have the supported operating system installed:

    Version = MajorVersion.MinorVersion.Build

    • A MajorVersion less than 6 is not supported.
    • A MajorVersion greater than or equal to 6 AND a MinorVersion less than 1 is not supported.
    • A ProductType not equal to 1 is not supported.

For more information, refer to this Microsoft Article: OSVERSIONINFOEX structure.

Microsoft .NET Framework 2.0 is required.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Directory | Where-Object {$_.Name -like "C:\Windows\Microsoft.Net\Framework\v*"} | ForEach-Object {Split-Path $_.name -Leaf} | Where-Object {$_ -like "v*"} | ForEach-Object {[System.Version]($_ -replace "^v")}

    [Screenshot: Microsoft .NET Framework Runtime]

    Version=Major.Minor

  2. Make sure that at least the following Microsoft .NET Framework versions are installed.

    • For Windows 7/8/10:

      • Microsoft .NET Framework 3.5 or later
    • For Windows XP:

      • Microsoft .NET Framework 2.0 SP1 or later

    For more information, refer to the Microsoft KB Article: How to determine which versions and service pack levels of the Microsoft .NET Framework are installed.

Full Disk Encryption is unable to install on endpoints where Secure Boot has been enabled. To ensure successful installation, disable Secure Boot prior to installation.

How to check:

Run the following in an elevated Windows PowerShell session:

PS C:\>Confirm-SecureBootUEFI

[Screenshot: Secure Boot]

Responses:

  • True: Secure Boot is enabled.
  • False: Secure Boot is disabled.
  • Cmdlet not supported on this platform: The machine may not support Secure Boot, or it may be configured in legacy BIOS mode.
  • Unable to set proper privileges. Access was denied.: Close PowerShell and reopen it as an Administrator.

Encryption Management for Microsoft BitLocker must not be installed on this endpoint. Uninstall Encryption Management for Microsoft BitLocker to install Full Disk Encryption or use Encryption Management for Microsoft BitLocker instead.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\>Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Bitlocker*"} | Select-Object Name,Version

    [Screenshot: Encryption Management already installed]

  • Make sure that Encryption Management for Microsoft BitLocker is not installed.

The physical disk must be fixed and not removable.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\>Get-WmiObject Win32_DiskDrive | Where-Object {$_.MediaType -like "*Fixed*" -and $_.DeviceID -like "*PHYSICALDRIVE*"} | Select-Object DeviceID,MediaType

    [Screenshot: Fixed media]

  • Make sure that the drive is not a removable drive.

The drive must have at least 256 MB of free disk space.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\>Get-WmiObject Win32_LogicalDisk | Where-Object {$_.DeviceID -like "C:"} | Select-Object Deviceid,FreeSpace,Size

    [Screenshot: Free space]

  • Workaround:

    Free up disk space until the drive reaches the minimum requirement of 256 MB (256000000 bytes).

The endpoint must have at least 512MB of RAM.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory

    [Screenshot: Memory]

  • Make sure that the system has at least 512MB of total physical memory.

The drive must not have more than 25 partitions.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,Partitions

    [Screenshot: Partition Count]

  • Make sure that there are 25 partitions or fewer.

The drive must be bootable.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskPartition | Select-Object Name,BootPartition,Bootable

    [Screenshot: Physical Drive is Bootable]

  • Make sure that the drive is bootable.

SCSI drives are not supported.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Name,InterfaceType

    [Screenshot: SCSI Disk]

  • Workaround:

    Switch to an IDE/SATA disk.

The installer checks that the hard disk has SED hardware compatibility.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | Select-Object Manufacturer,Model

    [Screenshot: SED Hardware Compatibility]

  • Workaround:

    SED details are not given in this output; refer to the manufacturer for the particular model number. We only support the following SED drives:

    • Seagate DriveTrust drives
    • Seagate OPAL and OPAL 2 drives
    • SanDisk self-encrypting solid-state drives

Microsoft BitLocker must not be enabled. Two full disk encryption solutions cannot run on the same drive.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\>manage-bde -status

    [Screenshot: BitLocker is Enabled]

  • Workaround:

    Make sure that you have decrypted the drive and removed BitLocker protection. To turn off BitLocker Drive Encryption:

    1. Go to Start > Control Panel > System and Security > BitLocker Drive Encryption.
    2. Find the drive on which you want BitLocker Drive Encryption turned off, and click Turn Off BitLocker.
    3. A message is displayed, informing you that the drive will be decrypted and that decryption may take some time. Click Decrypt the drive to continue.

Drives using Intel Rapid Storage Technology with mSATA caches are not supported.

  • How to check:

    Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*Rapid Storage*"} | Select-Object Name,Version,InstallState

    [Screenshot: Intel Rapid Storage Technology Detected]

    InstallState values:

    Value   Meaning
    -6      Bad Configuration
    -2      Invalid Argument
    -1      Unknown Package
    1       Advertised
    2       Absent
    5       Installed

  • Workaround:

    Switch to ATA in the BIOS. This may make the device not bootable. RAID is not supported.

The drive must have a standard Windows MBR. Drives with alternative preboot software, such as other encryption programs, are not supported.

How to check:

  1. Run the following in Windows PowerShell:

    PS C:\>Get-WmiObject Win32_DiskDrive | Where-Object {$_.Signature -eq $null} | Select-Object Name,Signature

    [Screenshot: Windows MBR]

    The value of Signature should not be null. A GPT disk has no Signature value because it is identified by a GUID (which does not fit in WMI).

  2. Check with the Disk Management UI:

    [Screenshot: Disk management UI]

    [Screenshot: Properties]

The Full Disk Encryption Preboot supports the current keyboard layout.

How to check:

The Full Disk Encryption Preboot supports the system Network Interface Controller (NIC) and WiFi hardware.

How to check:

Run the following in Windows PowerShell:

PS C:\> Get-WmiObject Win32_NetworkAdapter | Where-Object {$_.PNPDeviceID -like "PCI*" -or $_.PNPDeviceID -like "USB*"} | Select-Object Name,PNPDeviceID

[Screenshot: WiFi_NIC]

  • PCI ID = VendorID:DeviceID
  • Under PNPDeviceID:

    PCI\VEN_<four digit VendorID>&DEV_<four digit DeviceID>

In the sample image above, these are:

PCI\VEN_8086&DEV_15A2&… PCI ID is 8086:15A2 = Intel Corporation Ethernet Connection (3) I218-LM
PCI\VEN_8086&DEV_095B&… PCI ID is 8086:095B = Intel Corporation Wireless 7265

For more information on supported network cards, refer to this KB article: Supported Network Card list in Endpoint Encryption 5.0.
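
The PNPDeviceID-to-PCI-ID conversion described above can be scripted so the result is ready to compare against the supported network card list. This is an added example, not part of the original article; the function name ConvertTo-PciId and the sample objects are assumptions made for illustration.

```powershell
# Added example (not from the original article). ConvertTo-PciId is a
# hypothetical helper name.
function ConvertTo-PciId {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$PNPDeviceID,
        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$Name
    )
    process {
        # Expected form: PCI\VEN_<four hex digits>&DEV_<four hex digits>...
        if ($PNPDeviceID -match '^PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})') {
            $pciId = '{0}:{1}' -f $Matches[1].ToUpper(), $Matches[2].ToUpper()
        } else {
            # Not a PCI device (for example a USB adapter): no PCI ID to report
            $pciId = $null
        }
        [pscustomobject]@{ Name = $Name; PciId = $pciId; PNPDeviceID = $PNPDeviceID }
    }
}

# Constructed sample input, built from the two ID prefixes quoted in the article
$sample = @(
    [pscustomobject]@{ Name = 'Constructed wired NIC';   PNPDeviceID = 'PCI\VEN_8086&DEV_15A2' }
    [pscustomobject]@{ Name = 'Constructed WiFi NIC';    PNPDeviceID = 'PCI\VEN_8086&DEV_095B' }
    [pscustomobject]@{ Name = 'Constructed USB adapter'; PNPDeviceID = 'USB\CONSTRUCTED' }
)
$sample | ConvertTo-PciId

# On a live endpoint, feed it the article's query instead:
# Get-WmiObject Win32_NetworkAdapter |
#     Where-Object { $_.PNPDeviceID -like "PCI*" -or $_.PNPDeviceID -like "USB*" } |
#     ConvertTo-PciId
```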

Disks on this device must have unique hardware properties: SerialNumber and Model.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_Diskdrive | ft model,serialnumber

    [Screenshot: Disks are distinguishable]

  • Make sure that there are no duplicate hard disk drive models or serial numbers.

There are one or more disks which are not initialized. Open Disk Management to initialize.

How to check:

  • Run the following in Windows PowerShell:

    PS C:\> Get-WmiObject Win32_DiskDrive | where partitions -eq 0 | ft

    [Screenshot: Check Not Initialized Disk]

  • If the partition count of a disk is 0, the disk is not initialized.

Check the first usable LBA and partition size

How to check:

Open sector 1 of the system disk. To do this, refer to the KB article Exporting sectors from a disk using the HxD tool in Endpoint Encryption.

[Screenshot: Open sector 1]

Sector 0 has the protective MBR. Following this is sector 1 which contains the GPT Header.

In this example, here are the values:

[Screenshot: Sample values]

The following conditions must be met:

  • The GPT Header must have the EFI Signature string: "45 46 49 20 50 41 52 54" which is equal to ASCII: "EFI PART"
  • If Number of Partitions = 128,
    StartingLBA + (Number of Partitions/4) = FirstUsableLBA
    In the example, 2+(128/4)=34

  • If Number of Partitions < 128,
    StartingLBA + (Number of Partitions/4) = FirstUsableLBA
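
The two conditions above can be checked against an exported copy of sector 1 instead of being read off a hex view. This is an added example, not part of the original article: Test-GptHeader is a hypothetical helper name, and the byte offsets (FirstUsableLBA at 40, StartingLBA of the partition entries at 72, Number of Partitions at 80) are assumed from the standard UEFI GPT header layout with 512-byte sectors and 128-byte partition entries.

```powershell
# Added example (not from the original article). Test-GptHeader is a
# hypothetical helper; offsets assume the standard UEFI GPT header layout.
function Test-GptHeader {
    param([Parameter(Mandatory)][byte[]]$Sector)   # raw bytes of sector 1

    if ($Sector.Length -lt 92) { throw 'Expected at least the 92-byte GPT header.' }

    # Offset 0, 8 bytes: signature 45 46 49 20 50 41 52 54 = "EFI PART"
    $signature = [System.Text.Encoding]::ASCII.GetString($Sector, 0, 8)

    # Little-endian integers, which is BitConverter's byte order on Windows
    $firstUsableLba = [BitConverter]::ToUInt64($Sector, 40)
    $startingLba    = [BitConverter]::ToUInt64($Sector, 72)   # start of partition entries
    $partitionCount = [BitConverter]::ToUInt32($Sector, 80)   # "Number of Partitions"

    # StartingLBA + (Number of Partitions / 4) = FirstUsableLBA.
    # Decimal arithmetic keeps the division exact, so a count that is not a
    # multiple of 4 yields a fractional value and fails the comparison.
    $expected = [decimal]$startingLba + ([decimal]$partitionCount / 4)

    [pscustomobject]@{
        SignatureOk            = ($signature -ceq 'EFI PART')
        StartingLBA            = $startingLba
        NumberOfPartitions     = $partitionCount
        FirstUsableLBA         = $firstUsableLba
        ExpectedFirstUsableLBA = $expected
        FirstUsableLbaOk       = ($expected -eq [decimal]$firstUsableLba)
    }
}

# Constructed sample sector holding the article's example values (2, 128, 34)
$sample = New-Object byte[] 512
[System.Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($sample, 0)
[BitConverter]::GetBytes([uint64]34).CopyTo($sample, 40)
[BitConverter]::GetBytes([uint64]2).CopyTo($sample, 72)
[BitConverter]::GetBytes([uint32]128).CopyTo($sample, 80)
Test-GptHeader -Sector $sample

# For a real export, read the file saved from the hex editor
# (hypothetical path):
# Test-GptHeader -Sector ([System.IO.File]::ReadAllBytes('C:\Temp\sector1.bin'))
```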

The endpoint must not have incompatible software installed. We currently check HP Drive Encryption and Dell Backup Recovery.

How to check:

Run the following in Windows PowerShell:

PS C:\>get-itemproperty "hklm:\SOFTWARE\WinMagic\HPSecureDoc\ProductCode"
PS C:\>get-itemproperty "hklm:\Software\WOW6432Node\WinMagic\HPSecureDoc\ProductCode"
PS C:\>get-itemproperty "hklm:\Software\Microsoft\Windows\CurrentVersion\Uninstall\{HP Product Code}\InstallLocation"
PS C:\>get-itemproperty "hklm:\Software\DellBackupandRecovery\InstallPath"
PS C:\>get-itemproperty "hklm:\Software\WOW6432Node\DellBackupandRecovery\InstallPath"

[Screenshot: Software compatibility]

Each command should report that the path does not exist. If a path exists, uninstall the corresponding software.

Category: Install
Solution Id: 1117125