Managing Full Disk Encryption in Worry-Free Business Security Services (WFBS-SVC)

Updated: 17 Aug 2017
Product/Version: Worry-Free Business Security Services 6.1; Worry-Free Business Security Services 6.2
Platform: Windows 10 32-bit; Windows 10 64-bit; Windows Server 2008 R2; Windows 7 32-bit

Summary

To provide full disk encryption, WFBS-SVC utilizes Windows’ BitLocker feature. Administrators can issue an encrypt or decrypt command to BitLocker for individual Windows devices registered on the Device Tree of the Management Console.

In this article, you will learn how to manage WFBS-SVC's Full Disk Encryption feature.

Details

WFBS-SVC requires the following to use Full Disk Encryption.

Operating system
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2

System partition format
  • Legacy BIOS mode: NTFS
  • UEFI (Unified Extensible Firmware Interface) mode: NTFS, FAT, FAT32

System partition size
  The system partition on the following platforms must have at least 100 MB of free space:
  • Windows 7
  • Windows Server 2008 R2
  The system partition on the other supported platforms must have at least 350 MB of free space.

The following table describes the scenarios of possible encryption statuses.

Encryption Status | Description
- | The endpoint runs an operating system that does not support encryption.
Decrypted (user) | At least one disk was encrypted by WFBS-SVC and then decrypted by the user. Send the encryption command again to manage the endpoint.
Decrypting... | BitLocker is decrypting the endpoint.
Decrypting... (paused) | The decryption process has been paused by the user. Resume decryption from the endpoint.
Decrypting... (user) | At least one disk was encrypted by WFBS-SVC and then decrypted by the user. Send the encryption command again to manage the endpoint.
Encrypted | The endpoint is encrypted.
Encrypted (user) | At least one disk was encrypted by the user and is not managed by WFBS-SVC. Send the encryption command to manage the endpoint.
Encrypting... | BitLocker is encrypting the endpoint.
Encrypting... (paused) | The encryption process has been paused by the user. Resume encryption from the endpoint.
Locked | Unable to encrypt or decrypt the endpoint because BitLocker has locked it. Unlock the endpoint first.
Not encrypted | Possible scenarios: the endpoint has never been encrypted; WFBS-SVC decrypted the endpoint; or the user encrypted and then decrypted the endpoint.
Partially encrypted | New disks were added to the endpoint. Send the encryption command again to encrypt the new disks.
Pending | The domain that the endpoint belongs to has changed. WFBS-SVC will automatically send the encryption command again the next time the Security Agent reports to the server.
Suspended | BitLocker protection has been suspended by the user. Resume protection on the endpoint to encrypt or decrypt it.
Unable to encrypt | WFBS-SVC cannot encrypt the endpoint. For more information, refer to the encryption issues listed below.
Unknown | WFBS-SVC cannot obtain the encryption status. The endpoint might be running a version of the Security Agent that does not support encryption. Try sending the encryption command to update the status.
Unsuccessful | Encryption or decryption was unsuccessful. Look up the error code in the link below to troubleshoot the issue.

For more information, refer to the Microsoft article COM Error Codes (TPM, PLA, FVE).
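As an added example (not Trend Micro's code), the following PowerShell derives the aggregate labels from the table above out of the endpoint's local BitLocker state, using the built-in BitLocker module, so an administrator can confirm on the device what the Device Tree reports. Labels that depend on console-side history (the "(user)" variants, Pending, Unable to encrypt, Unknown) cannot be derived locally and are not produced.

```powershell
# Added example (not Trend Micro's code). Requires the BitLocker PowerShell
# module (Get-BitLockerVolume, Windows 8 / Server 2012 or later); run elevated.
function Get-LocalEncryptionStatus {
    # Only operating system and data volumes are considered; removable media is
    # outside the scope of the status table.
    $vols = @(Get-BitLockerVolume | Where-Object { $_.VolumeType.ToString() -in @('OperatingSystem', 'Data') })
    if ($vols.Count -eq 0) { return 'Not encrypted' }

    # Locked wins: a locked volume can be neither encrypted nor decrypted.
    if ($vols | Where-Object { $_.LockStatus.ToString() -eq 'Locked' }) { return 'Locked' }

    # A conversion that is running or paused maps to one of the "..." labels.
    foreach ($v in $vols) {
        switch ($v.VolumeStatus.ToString()) {
            'EncryptionInProgress' { return 'Encrypting...' }
            'DecryptionInProgress' { return 'Decrypting...' }
            'EncryptionPaused'     { return 'Encrypting... (paused)' }
            'DecryptionPaused'     { return 'Decrypting... (paused)' }
        }
    }

    $encrypted = @($vols | Where-Object { $_.VolumeStatus.ToString() -eq 'FullyEncrypted' })
    if ($encrypted.Count -eq 0) { return 'Not encrypted' }

    # Fully encrypted with protectors switched off is "Suspended" in the console.
    if ($encrypted | Where-Object { $_.ProtectionStatus.ToString() -eq 'Off' }) { return 'Suspended' }

    # Some volumes encrypted and others not: newly added disks still need the command.
    if ($encrypted.Count -lt $vols.Count) { return 'Partially encrypted' }
    return 'Encrypted'
}

# Show the per-volume detail next to the derived label for comparison with the console.
Get-BitLockerVolume | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus, LockStatus, EncryptionPercentage
"Local status: $(Get-LocalEncryptionStatus)"
```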

The following table describes the possible scenarios that might prevent WFBS-SVC from encrypting the endpoints.

BitLocker is not installed
  BitLocker is not installed on the endpoint. Refer to the Microsoft article BitLocker: How to deploy on Windows Server 2012 for information on how to install BitLocker.

Operating system is not supported
  The endpoint runs a version of Windows that does not support encryption. For more information, refer to the KB article Full Disk Encryption System Requirements.

System partition does not exist
  The system partition does not exist on the endpoint. Reinstall Windows and make sure that the system partition is created.

System partition format is not supported
  The startup disk and system partition must use a supported format. Reinstall Windows and format the startup disk and system partition with a supported format. For more information, refer to the KB article Full Disk Encryption System Requirements.

System partition is not active
  The system partition on the endpoint is not active. Use the Disk Management tool in Windows to mark the system partition as active. For more information, refer to the "To mark a partition as active" section of the Microsoft Product Documentation.

System partition is too small
  The system partition does not have enough free space. For more information, refer to the KB article Full Disk Encryption System Requirements.

  Possible solutions:
  • Reinstall Windows
  • Use the BitLocker Drive Preparation Tool (BdeHdCfg.exe) to resolve the issue. For more information, refer to the Microsoft article BdeHdCfg.exe Parameter Reference.

Trusted Platform Module (TPM) compatibility issue
  The Trusted Platform Module (TPM) is not compatible with Windows. Initialize the TPM to resolve the issue. For more information, refer to the Microsoft article Initialize the TPM.

Trusted Platform Module (TPM) is disabled in BIOS
  TPM must be enabled in the BIOS. For more information, refer to the Microsoft article Initialize the TPM.

Trusted Platform Module (TPM) owner password not set
  A TPM owner password must be created. For more information, refer to the Microsoft article Initialize the TPM.

Trusted Platform Module (TPM) is not initialized
  TPM must be initialized on the endpoint. For more information, refer to the Microsoft article Initialize the TPM.
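The following PowerShell is an added example, not Trend Micro's code, that tests an endpoint against the requirements table and the "Unable to encrypt" causes above in one pass, so the relevant row can be identified before the encryption command is sent. It assumes an elevated session on Windows 8 / Server 2012 or later for the TPM and BitLocker cmdlets; the free-space thresholds and supported file systems are taken from the requirements table.

```powershell
# Added example (not Trend Micro's code): report which listed prerequisite an
# endpoint fails. Run in an elevated PowerShell session.
function Test-BitLockerReadiness {
    $findings = New-Object System.Collections.Generic.List[string]
    $os = Get-CimInstance Win32_OperatingSystem

    # Operating system is not supported: the supported list starts at Windows 7 /
    # Server 2008 R2, which are both NT 6.1.
    if ([version]$os.Version -lt [version]'6.1') { $findings.Add('Operating system is not supported') }

    # BitLocker is not installed: clients ship it, servers need the feature.
    $isServer = $os.ProductType -ne 1
    if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) -and
        -not (Get-WindowsFeature BitLocker).Installed) {
        $findings.Add('BitLocker is not installed')
    } elseif (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        $findings.Add('BitLocker is not installed')
    }

    # System partition: must exist, be active on legacy BIOS, use a supported
    # file system and have the free space the requirements table demands.
    $uefi = $env:firmware_type -eq 'UEFI'
    $sys  = Get-Partition | Where-Object IsSystem | Select-Object -First 1
    if (-not $sys) {
        $findings.Add('System partition does not exist')
    } else {
        if (-not $uefi -and -not $sys.IsActive) { $findings.Add('System partition is not active') }
        $vol  = $sys | Get-Volume
        $okFs = if ($uefi) { @('NTFS', 'FAT', 'FAT32') } else { @('NTFS') }
        if ($vol.FileSystem -notin $okFs) { $findings.Add('System partition format is not supported') }
        $needMB = if ($os.Version -like '6.1.*') { 100 } else { 350 }   # Win7 / 2008 R2 vs the rest
        if (($vol.SizeRemaining / 1MB) -lt $needMB) {
            $findings.Add("System partition is too small (needs $needMB MB free)")
        }
    }

    # TPM rows: Get-Tpm exists from Windows 8 / Server 2012; on older systems
    # check tpm.msc instead.
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent -or -not $tpm.TpmEnabled) { $findings.Add('Trusted Platform Module (TPM) is disabled in BIOS') }
        elseif (-not $tpm.TpmOwned) { $findings.Add('Trusted Platform Module (TPM) owner password not set') }
        elseif (-not $tpm.TpmReady) { $findings.Add('Trusted Platform Module (TPM) is not initialized') }
    }
    if ($findings.Count -eq 0) { $findings.Add('Ready: all listed prerequisites are met') }
    return $findings
}

Test-BitLockerReadiness
```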

If your endpoint is locked, use the BitLocker recovery key to unlock the endpoint.

  1. Navigate to Devices.
  2. Find the locked endpoint either by using the Search box or by locating it manually in the Agent tree.
  3. Click the link in the Encryption Status column. The Encryption Status screen appears.
     (Screenshot: Encryption Status screen)
  4. Click Get recovery key.
     (Screenshot: Get recovery key)
  5. Optional step: provide the password that protects the recovery key and click Get Key.
     (Screenshot: Optional step)

To add password protection to the recovery key, click Set up a password to protect the key.

Use a password to protect the BitLocker recovery keys. If you forget the password or need to reset it, contact Trend Micro.

  1. Go to Administration > Recovery Key Password.
     (Screenshot: Recovery Key Password)
  2. Configure the password, then click Save.
     (Screenshot: Configure the password and click Save)

Click Change password to update your current password. Contact Trend Micro Technical Support to reset the Recovery Key Password.
Category: Configure; Troubleshoot; SPEC
Solution Id: 1118010