This section covers basic troubleshooting.
CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point for analysis.
If you do not enter an output folder, CPinfo collects data about components in the Full Disk Encryption Pre-boot environment on the client.
Run CPinfo if:
CPinfo gathers:
To run CPinfo:
CPinfo opens in the command prompt.
The information is collected. A window opens that shows the location of the cab file.
To Run CPinfo manually:
C:\path\>CPinfo.exe <output cab filename> <output folder name>
For example: C:\path\>CPinfo.exe SR1234 temp.
The CPinfo application stores the output to the designated folder.
CPinfoPreboot
saves the output file to the directory where the CPinfo tool is located.Run CPinfoPreboot if you cannot:
CPinfoPreboot collects the:
scan.log
).Use an external USB device to collect the Pre-boot data. The device must have at least 128 MB of free space, and sufficient storage for the output cab file. CPinfoPreboot
cannot run on boot media prepared with the Full Disk Encryption filter driver
To collect Pre-boot data:
PinfoPreboot.exe
to an external USB device.Note - Microsoft Windows does not automatically detect USB devices after boot up. The USB device must be connected while booting the computer. |
<path to CPinfoPreboot> <CPinfoPreboot.exe <output cap filename> <output folder name>.
For example: C:\path\>CPinfoPreboot.exe SR1234 temp.
CPinfoPreboot
saves the output file to the working directory on the external media. An output folder is required if the working directory is on read-only media.You can use the debug logs to examine the deployment phase or problems that occur. The information there is included in CPinfopreboot
. Send the full results of CPinfopreboot
to Technical Support for analysis.
The Client debug log is named dlog1.txt
, and found in these places on user:
Operating System |
Path to log file |
---|---|
Windows 7 and higher |
C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption |
Mouse or Keyboard Trouble
If users have trouble with their mice or keyboards during Pre-boot, you might need to change the setting of Enable USB device in Pre-boot environment. This setting is in the Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is loading when the computer starts up.
Trouble with Password on First Pre-boot
When the Pre-boot window opens for the first time on a computer, users get a message to log in with their Windows password. If the Windows password does not meet the requirements configured for the Pre-boot, the authentication does not work.
To resolve this, change the password requirements in the OneCheck User Settings to match the Windows requirements. Then install the new OneCheck User Settings policy on the client.
Trouble with Smart Cards
If there are Smart Card compatibility issues, change the Legacy USB Support setting in the BIOS. If it is enabled, change it to disabled, and if disabled, enable it.
If clients have UEFI, see the UEFI Requirements in the Release Notes for your Endpoint Security client version.
Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full Disk Encryption system area before they are transferred to the client logger module. Full Disk Encryption logs these operations:
FDEInsrtallDLL.dll
file creates the upgrade log: %ALLUSERSPROFILE%\Application Data\Check Point\Full Disk Encryption\FDE_dlog.txt.
Always examine the log file for possible installation errors. HELPMSG
command: C:\>net helpmsg <errorcode>
Here are some issues that can occur in the Deployment Phase and possible causes and solutions.
Problem: The deployment is stuck at the User Acquisition step.
Causes and Solutions:
If User Acquisition is not enabled, at least one user with a password must be assigned to the device.
To check the Security Package key:
HKLM\SYSTEM\CurrentControlSet\Control\LSA
eps_kerberos_proxy
eps_msv_proxy
Kerberos msv1_0,
change it to one of the correct values above.Problem: The deployment is stuck at the encryption.
Causes and Solutions:
If encryption stopped at 50%, make sure that system services are running. Make sure that the fde_srv.exe
service is running. If it is not running, start it manually (right click the service and select start in Windows Task Manager).
Problem: The deployment is slow or hanging.
Causes and Solutions: