Installing and Deploying Full Disk Encryption
After a package that includes Full Disk Encryption (FDE) is successfully installed on a client, several requirements must be met before the Full Disk Encryption policy can be enforced. FDE is a component on Endpoint Security Windows clients that combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users are given access to information stored on desktops and laptops. The Pre-boot is authentication that takes place before the Operating System loads. Until these requirements are met, the Pre-boot does not open. The period of time between the installation and when the policy can be enforced is called the Full Disk Encryption Deployment Phase.
To move from Deployment phase to Full Disk Encryption policy enforcement, these requirements must be met:
- There must be communication between the client and the server.
- The client must receive Full Disk Encryption and user policies from the server.
- Users must be acquired according to the configured policy.
- At least one user account must be configured.
- The client must send a recovery file to the server.
- The required System Area must be created and boot records must be updated according to the configuration (this includes the activation of Pre-boot).
- The device must meet the Client Requirements for Full Disk Encryption Deployment (see below).
If there is communication between the client and server and the client meets the Client requirements, all of the requirements are completed automatically. However, if these requirements are not met, Full Disk Encryption cannot protect the computer and the Pre-boot cannot open.
Client Requirements for Full Disk Encryption Deployment
Note - Not all the Full Disk Encryption (FDE) requirements are shown here. For the complete FDE requirements, see the Release Notes for your Endpoint Security client version.
Clients must have:
- 32MB of contiguous free space on the client's system volume.
  Note - During deployment of the Full Disk Encryption component on the client, the Full Disk Encryption service automatically defragments the volume to create the 32MB of contiguous free space, and suspends the Windows hibernation feature while the disk is encrypted.
Clients must not have:
- RAID.
- Partitions that are part of stripe or volume sets.
- A Hybrid Drive or other similar Drive Cache Technologies. See sk107381.
- A compressed root directory. Subdirectories of the root directory can be compressed.
Other Requirements:
- All disks that are encrypted by FDE must have the same format (MBR or GPT).
- GPT-formatted disks are supported only on UEFI devices.
- Update the BIOS on the client computer to the latest version.
- If using the BIOS/UEFI option Fastboot, follow the precautions in sk140215.
- If using a third-party credential provider to log in to Windows, configure FDE to use (wrap) the third-party provider. See sk118817.
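The following readiness check is an added example, not Check Point code: it reads the client requirements above that Windows itself can report (firmware type, MBR/GPT consistency, free space on the system volume, root compression, dynamic-disk partitions) and flags the rest for manual verification. It assumes Windows 8 or later with the Storage module (Get-Disk, Get-Volume) and the $env:firmware_type variable; contiguous free space, hardware RAID and hybrid/cache drives cannot be confirmed from here.

```powershell
# Added pre-deployment readiness check (not Check Point code). Reports OK / FAIL / MANUAL
# for each FDE client requirement that can be inspected from a PowerShell session.
$results = [System.Collections.Generic.List[string]]::new()

# Firmware type: GPT disks are supported only on UEFI devices.
# $env:firmware_type is 'UEFI' or 'Legacy' on Windows 8 and later (assumption).
$firmware = $env:firmware_type
$results.Add("Firmware type: $firmware")

# All disks encrypted by FDE must share one partition style (MBR or GPT).
$styles = Get-Disk | Where-Object { $_.PartitionStyle -ne 'RAW' } |
          Select-Object -ExpandProperty PartitionStyle -Unique
if (@($styles).Count -gt 1) {
    $results.Add("FAIL: mixed partition styles found: $($styles -join ', ')")
} elseif ($styles -eq 'GPT' -and $firmware -ne 'UEFI') {
    $results.Add("FAIL: GPT disk on a non-UEFI device")
} else {
    $results.Add("OK: partition style $styles matches firmware $firmware")
}

# Free space on the system volume. 32MB of *contiguous* space is required, but only total
# free space is visible here, so this check is necessary, not sufficient (the FDE service
# defragments the volume during deployment).
$sysLetter = $env:SystemDrive.TrimEnd(':')
$sysVol    = Get-Volume -DriveLetter $sysLetter
$freeMB    = [math]::Round($sysVol.SizeRemaining / 1MB)
if ($sysVol.SizeRemaining -lt 32MB) {
    $results.Add("FAIL: only $freeMB MB free on $($env:SystemDrive)")
} else {
    $results.Add("OK: $freeMB MB free on $($env:SystemDrive) (verify it is contiguous)")
}

# The root directory must not be compressed (subdirectories may be).
$rootAttrs = (Get-Item "$($env:SystemDrive)\").Attributes
if (($rootAttrs -band [IO.FileAttributes]::Compressed) -ne 0) {
    $results.Add("FAIL: root directory $($env:SystemDrive)\ is compressed")
} else {
    $results.Add("OK: root directory is not compressed")
}

# Stripe and volume sets live on dynamic (LDM) disks; best-effort detection through the
# partition type string WMI reports on MBR disks.
$ldm = Get-CimInstance Win32_DiskPartition | Where-Object { $_.Type -match 'Logical Disk Manager' }
if ($ldm) { $results.Add("FAIL: dynamic (LDM) partitions present: $($ldm.DeviceID -join ', ')") }
else      { $results.Add("OK: no dynamic disk partitions detected") }

$results.Add("MANUAL: check for hardware RAID and hybrid/cache drives (sk107381); update BIOS/UEFI firmware")
$results
```

Run it in an elevated session on the client before pushing the FDE package; any FAIL line corresponds to a requirement above that will keep the client in the Deployment Phase.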
Completing Full Disk Encryption Deployment on a Client
For Check Point Full Disk Encryption, users are prompted to reboot their computers twice while Full Disk Encryption deploys: once to make sure that the Pre-boot is running before Full Disk Encryption encrypts the hard drive, and once to validate the authentication credentials.
For BitLocker Encryption, users are prompted to reboot their computers once during the installation.
Stages of the Deployment Phase
You will see the status of the Deployment phase in:
- The Client Endpoint Security Main Page - in the Full Disk Encryption status.
- Asset Management > Organization > Computers - from the View drop-down, select Full Disk Encryption. The FDE status column shows the status of the FDE deployment.
- The debug logs.
These are the statuses as shown in the Client Endpoint Security Main Page:
- Waiting for Policy - Waiting for the policy to be downloaded from the server.
- User Acquisition - Users are acquired when they log on to Windows on the computer that has Full Disk Encryption installed. The number of users that must be acquired depends on the settings configured. Full Disk Encryption can become active after all users are acquired. User accounts must have passwords and fulfill the password rules to be acquired.
- Verifying Setup - The client verifies that all of the settings are fulfilled properly and checks that the acquired users are correct and fulfill the password policies.
- Deliver Recovery File - The client sends a recovery file to the server. It includes the users on the computer that have permission to use the recovery media.
- Waiting for Restart - The user must reboot the client. After it is rebooted, users see the Pre-boot. Users get a message to log in with their Windows credentials. Then Full Disk Encryption starts to encrypt the volumes according to the policy.
- Encryption in Progress - Full Disk Encryption is encrypting the volumes.