Full Disk Encryption Troubleshooting

This section covers basic troubleshooting.

Using CPinfo

CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point for analysis.

If you do not enter an output folder, CPinfo collects data about components in the Full Disk Encryption Pre-boot environment on the client.

Run CPinfo if:

CPinfo gathers:

To run CPinfo:

  1. In the notification area, right-click the client icon.
  2. Select Display Overview.
  3. In the right pane, click Advanced.
  4. Click Collect information for technical support.

    CPinfo opens in the command prompt.

  5. Press ENTER to start.

    The information is collected. A window opens that shows the location of the cab file.

  6. Press a key to exit CPinfo.

To run CPinfo manually:

  1. Open a command prompt.
  2. Go to the CPinfo tool path location: cd \path\
  3. Run CPinfo with output filename and folder:

    C:\path\>CPinfo.exe <output cab filename> <output folder name>

    For example: C:\path\>CPinfo.exe SR1234 temp.

    The CPinfo application stores the output to the designated folder.

    • If no output name is specified, the output file has the same name as the output folder.
    • If no output folder is specified, CPinfoPreboot saves the output file to the directory where the CPinfo tool is located.

Using CPinfoPreboot

Run CPinfoPreboot if you cannot:

CPinfoPreboot collects the:

Use an external USB device to collect the Pre-boot data. The device must have at least 128 MB of free space, and sufficient storage for the output cab file. CPinfoPreboot cannot run on boot media prepared with the Full Disk Encryption filter driver.

To collect Pre-boot data:

  1. Copy CPinfoPreboot.exe to an external USB device.
  2. Boot the client from the USB device.

Note - Microsoft Windows does not automatically detect USB devices after boot up. The USB device must be connected while booting the computer.

  3. Open the command prompt and type: <path to CPinfoPreboot>\CPinfoPreboot.exe <output cab filename> <output folder name>

    For example: C:\path\>CPinfoPreboot.exe SR1234 temp.

  4. CPinfoPreboot stores the output file to the designated folder.
    • If no output name is specified, the output file has the same name as the output folder.
    • If no output folder is specified, CPinfoPreboot saves the output file to the working directory on the external media. An output folder is required if the working directory is on read-only media.

Debug Logs

You can use the debug logs to examine the deployment phase or problems that occur. The information in the debug logs is included in the CPinfoPreboot output. Send the full results of CPinfoPreboot to Technical Support for analysis.

The Client debug log is named dlog1.txt, and found in these places on user:

| Operating System | Path to log file |
| --- | --- |
| Windows 7 and higher | C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption |

Pre-boot Issues

Mouse or Keyboard Trouble

If users have trouble with their mice or keyboards during Pre-boot, you might need to change the setting of Enable USB device in Pre-boot environment. This setting is in the Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is loading when the computer starts up.

Trouble with Password on First Pre-boot

When the Pre-boot window opens for the first time on a computer, users get a message to log in with their Windows password. If the Windows password does not meet the requirements configured for the Pre-boot, the authentication does not work.

To resolve this, change the password requirements in the OneCheck User Settings to match the Windows requirements. Then install the new OneCheck User Settings policy on the client.

Trouble with Smart Cards

If there are Smart Card compatibility issues, change the Legacy USB Support setting in the BIOS. If it is enabled, change it to disabled, and if disabled, enable it.

If clients have UEFI, see the UEFI Requirements in the Release Notes for your Endpoint Security client version.

Full Disk Encryption Logs

Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full Disk Encryption system area before they are transferred to the client logger module. Full Disk Encryption logs these operations:

Upgrade Issues

Full Disk Encryption Deployment Phase

Here are some issues that can occur in the Deployment Phase and possible causes and solutions.

Problem: The deployment is stuck at the User Acquisition step.

Causes and Solutions:

  1. The User Acquisition policy might say that multiple users must log on to a computer. You can:
    • Change the User Acquisition policy.
    • Instruct users to log on to the computer so Full Disk Encryption can acquire them.
    • Make sure that a user logs on with an account that has a password. User accounts without passwords cannot be acquired.

    If User Acquisition is not enabled, at least one user with a password must be assigned to the device.

  2. The Pre-boot password requirements must not be stricter than the Windows logon password requirements. If the password requirements of Windows and the Pre-boot do not match, change the password settings for the Pre-boot password.
  3. Make sure that the necessary connections work and that all processes are running. Make sure that:
    • The network connection is stable.
    • Driver Agent is running and has a connection to the server.
    • The Device Auxiliary Framework is running.
    • The Security Package key is correct.

To check the Security Package key:

  1. Start Regedit.
  2. Go to HKLM\SYSTEM\CurrentControlSet\Control\LSA
  3. Make sure that the Security Package key starts with one of these:
    • eps_kerberos_proxy
    • eps_msv_proxy
  4. If it contains the default Kerberos msv1_0, change it to one of the correct values above.

Problem: The deployment is stuck at the encryption.

Causes and Solutions:

If encryption stopped at 50%, make sure that system services are running. Make sure that the fde_srv.exe service is running. If it is not running, start it manually (right-click the service and select Start in Windows Task Manager).
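
The Security Package key check and the fde_srv.exe check described above can be scripted as read-only checks. This is an added example, not a Check Point tool. It assumes the "Security Package key" is the Windows `Security Packages` multi-string value under the LSA key, and it looks for fde_srv.exe as a running process.

```powershell
# Added example: read-only deployment checks based on the steps on this page.
# Assumption: the "Security Package key" is the "Security Packages"
# multi-string value under the LSA key named in the procedure above.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$expected = @('eps_kerberos_proxy', 'eps_msv_proxy')   # values listed on this page
$logFile  = 'C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption\dlog1.txt'

function Test-SecurityPackages {
    param([string[]]$Packages)
    # The page requires the value to start with one of the proxy packages,
    # so only the first non-empty entry is compared (case-insensitive).
    $first = @($Packages | Where-Object { $_ -and $_.Trim() })[0]
    $match = $expected | Where-Object { $first -and ($first.Trim() -like "$_*") }
    [pscustomobject]@{
        Check  = 'Security Packages value'
        Value  = ($Packages -join ', ')
        Passed = [bool]$match
    }
}

$results = @()

# 1. Security Package key: a missing value is reported as a failure.
$prop = Get-ItemProperty -Path $lsaKey -Name 'Security Packages' -ErrorAction SilentlyContinue
$results += Test-SecurityPackages -Packages $prop.'Security Packages'

# 2. fde_srv.exe must be running, or encryption can stall.
$proc = Get-Process -Name 'fde_srv' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'fde_srv.exe running'
    Value  = if ($proc) { "PID $($proc.Id -join ',')" } else { 'not found' }
    Passed = [bool]$proc
}

# 3. Client debug log present, so there is something to send to support.
$log = Get-Item -LiteralPath $logFile -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'dlog1.txt present'
    Value  = if ($log) { "last written $($log.LastWriteTime)" } else { 'not found' }
    Passed = [bool]$log
}

$results | Format-Table -AutoSize -Wrap
```

The script changes nothing on the client. A failed row points to the matching manual step above.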

Problem: The deployment is slow or hanging.

Causes and Solutions: