Full Disk Encryption Troubleshooting

This section covers basic troubleshooting.

Using CPinfo

CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point for analysis.

If you do not enter an output folder, CPinfo collects data about components in the Full Disk Encryption Pre-boot environment on the client.

Run CPinfo if:

Encrypting or decrypting fails on Windows.
The selected disk or volume does not encrypt or decrypt.
Full Disk Encryption related issues occur.
You experience system issues or crashes.

CPinfo gathers:

All files in the data directory.
Installation log.
File version data for executables.
Registry values for Full Disk Encryption
GinaDll, UpperFilters and ProviderOrder.
SMBios structure.
Installed application lists.
Microsoft Windows Partition list.

To run CPinfo:

In the notification area, right-click the client icon.
Select Display Overview.
In the right pane, click Advanced.
Click Collect information for technical support.
CPinfo opens in the command prompt.
Press ENTER to start.
The information is collected. A window opens that shows the location of the cab file.
Press a key to exit CPinfo.

To Run CPinfo manually:

Open a command prompt.
Go to the CPinfo tool path location: cd \path\
Run CPinfo with output filename and folder:
C:\path\>CPinfo.exe <output cab filename> <output folder name>

For example: C:\path\>CPinfo.exe SR1234 temp.

The CPinfo application stores the output to the designated folder.
- If no output name is specified, the output file has the same name as the output folder.
- If no output folder is specified, CPinfoPreboot saves the output file to the directory where the CPinfo tool is located.

Using CPinfoPreboot

Run CPinfoPreboot if you cannot:

Access the Pre-boot Logon window.
Log in to the Pre-boot Logon window.
Start encryption or decryption.
You have had a system crash- this includes a Windows or Full Disk Encryption crash.
- A Windows crash gives you a blue or black screen.
- A Full Disk Encryption crash gives you a green or red screen.

CPinfoPreboot collects the:

Readable log of all disks and volumes (scan.log).
Master Boot Record for each disk.
Partition Boot Record for each volume.
The first 100 sectors from each physical disk.
First 100 sectors from each volume.
System area data.

Use an external USB device to collect the Pre-boot data. The device must have at least 128 MB of free space, and sufficient storage for the output cab file. CPinfoPreboot cannot run on boot media prepared with the Full Disk Encryption filter driver

To collect Pre-boot data:

Copy CPinfoPreboot.exe to an external USB device.
Boot the client from the USB device.

Note - Microsoft Windows does not automatically detect USB devices after boot up. The USB device must be connected while booting the computer.

Open the command prompt and type: <path to CPinfoPreboot> <CPinfoPreboot.exe <output cap filename> <output folder name>.
For example: C:\path\>CPinfoPreboot.exe SR1234 temp.
CPinfoPreboot stores the output file to the designated folder.
- If no output name is specified, the output file has the same name as the output folder.
- If no output folder is specified, CPinfoPreboot saves the output file to the working directory on the external media. An output folder is required if the working directory is on read-only media.

Debug Logs

You can use the debug logs to examine the deployment phase or problems that occur. The information there is included in CPinfopreboot. Send the full results of CPinfopreboot to Technical Support for analysis.

The Client debug log is named dlog1.txt, and found in these places on user:

Operating System	Path to log file
Windows 7 and higher	C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption

Pre-boot Issues

Mouse or Keyboard Trouble

If users have trouble with their mice or keyboards during Pre-boot, you might need to change the setting of Enable USB device in Pre-boot environment. This setting is in the Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is loading when the computer starts up.

Trouble with Password on First Pre-boot

When the Pre-boot window opens for the first time on a computer, users get a message to log in with their Windows password. If the Windows password does not meet the requirements configured for the Pre-boot, the authentication does not work.

To resolve this, change the password requirements in the OneCheck User Settings to match the Windows requirements. Then install the new OneCheck User Settings policy on the client.

Trouble with Smart Cards

If there are Smart Card compatibility issues, change the Legacy USB Support setting in the BIOS. If it is enabled, change it to disabled, and if disabled, enable it.

If clients have UEFI, see the UEFI Requirements in the Release Notes for your Endpoint Security client version.

Full Disk Encryption Logs

Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full Disk Encryption system area before they are transferred to the client logger module. Full Disk Encryption logs these operations:

User acquisition
Installation and upgrade
Policy changes
Dynamic encryption
User authentication/user locked events

Upgrade Issues

The FDEInstallDLL.dll file creates the upgrade log: %ALLUSERSPROFILE%\Application Data\Check Point\Full Disk Encryption\FDE_dlog.txt. Always examine the log file for possible installation errors.
The log file sometimes contains Win32 error codes with suggested solutions. To show the Win32 error code text, run the HELPMSG command: C:\>net helpmsg <errorcode>

Full Disk Encryption Deployment Phase

Here are some issues that can occur in the Deployment Phase and possible causes and solutions.

Problem: The deployment is stuck at the User Acquisition step.

Causes and Solutions:

The User Acquisition policy might say that multiple users must log on to a computer. You can:
- Change the User Acquisition policy.
- Instruct users to log on to the computer so Full Disk Encryption can acquire them.
- Make sure that a user logs on with an account that has a password. User accounts without passwords cannot be acquired.
If User Acquisition is not enabled, at least one user with a password must be assigned to the device.
The Pre-boot password requirements must not be stricter than the Windows logon password requirements. If the password requirements of Windows and the Pre-boot do not match, change the password settings for the Pre-boot password.
Make sure that the necessary connections work and that all processes are running. Make sure that:
- The network connection is stable.
- Driver Agent is running and has a connection to the server.
- The Device Auxiliary Framework is running.
- Check the Security Package key.

To check the Security Package key:

Start Regedit.
Go to HKLM\SYSTEM\CurrentControlSet\Control\LSA
Make sure that the Security Package key starts with one of these:
- eps_kerberos_proxy
- eps_msv_proxy
If it contains the default Kerberos msv1_0, change it to one of the correct values above.

Problem: The deployment is stuck at the encryption.

Causes and Solutions:

If encryption stopped at 50%, make sure that system services are running. Make sure that the fde_srv.exe service is running. If it is not running, start it manually (right click the service and select start in Windows Task Manager).

Problem: The deployment is slow or hanging.

Causes and Solutions:

Make sure that the computer has all client requirements.
Disk fragmentation or a damaged hard drive can cause problems with Full Disk Encryption. Run disk defragmentation software on the volume to repair fragmentation and damaged sectors.
Make sure that the network connection is stable.