Full Disk Encryption Installation and Deployment

After a package that includes Full Disk Encryption is successfully installed on a client, many requirements must be met before the Full Disk Encryption policy can be enforced. Before these requirements are met, the Pre-boot does not open. The period of time between the installation and when the policy can be enforced is called the Full Disk Encryption Deployment Phase.

To move from Deployment phase to Full Disk Encryption policy enforcement, these requirements must be met:

• There must be communication between the client and the server.
• The client must receive Full Disk Encryption and user policies from the server.
• Users must be acquired according to the configured policy.
• At least one user account must be configured.
• The client must send a recovery file to the server.
• The required System Area must be created and boot records must be updated according to the configuration (this includes the activation of Pre-boot).
• The device must have the Client requirements or Full Disk Encryption.

If there is communication between the client and server and the client meets the Client requirements, all of the requirements are completed automatically. However, if these requirements are not met, Full Disk Encryption cannot protect the computer and the Pre-boot cannot open.

Client Requirements for Full Disk Encryption Deployment

Note - Not all the Full Disk Encryption (FDE) requirements are shown here. For the complete FDE requirements, see the Release Notes for your Endpoint Security client version.

Clients must have:

• 32MB of continuous free space on the client's system volume

Note - During deployment of the Full Disk Encryption component on the client, the Full Disk Encryption service automatically defragments the volume to create the 32MB of continuous free space, and suspends the Windows hibernation feature while the disk is encrypted.

Clients must not have:

• RAID.
• Partitions that are part of stripe or volume sets.
• Hybrid Drive or other similar Drive Cache Technologies. See sk107381.
• The root directory cannot be compressed. Subdirectories of the root directory can be compressed.

Other Requirements:

• All disks that are encrypted by FDE must have the same format (MBR or GPT)
• GPT-formatted disks are supported only on UEFI devices.
• Update the BIOS on the client computer to the latest version.
• If using the BIOS\UEFI option Fastboot, follow the precautions in sk140215.
• If using a third-party credential provider to log in to Windows, configure FDE to use (wrap) the third-party provider. See sk118817.

Completing Full Disk Encryption Deployment on a Client

Users will have to reboot their computers twice while Full Disk Encryption deploys. One time to make sure the Pre-boot is running before Full Disk Encryption encrypts the hard drive, and one time to validate the authentication credentials.

Stages of the Deployment Phase

You will see the status of the Deployment phase in:

• The Client Endpoint Security Main Page - In the Full Disk Encryption status.
• SmartEndpoint - In the Computer Details > General Details. Look at the Blade Status for Full Disk Encryption.
• The debug logs

These are the statuses as shown in the Client Endpoint Security Main Page:

• Waiting for Policy – Waiting for policy to be downloaded from server.
• User Acquisition – Users are acquired when they log on to Windows on the computer that has Full Disk Encryption installed. The number of users that must be acquired depends on the settings configured. Full Disk Encryption can become active after all users are acquired. User accounts must have passwords and fulfill password rules to be acquired.
• Verifying Setup – The client verifies that all of the settings are fulfilled properly and checks that users acquired are correct and fulfill password policies.
• Deliver Recovery File- The client sends a recovery file to the server. It includes users on the computer that have permission to use the recovery media.
• Waiting for Restart– The user must reboot the client. After it is rebooted, users will see the Pre-boot. Users get a message to log in with their Windows credentials. Then Full Disk Encryption starts to encrypt the volumes according to the policy.
• Encryption in Progress – Full Disk Encryption is encrypting the volumes.

Primary Full Disk Encryption Components

Component Name	File Name	Description
Full Disk Encryption service	FDE_srv.exe	The Full Disk Encryption service contains the current configuration data and initiates background encryption or decryption. By exchanging volume boot records, the Full Disk Encryption service identifies volumes that are targeted for encryption.
Crypto core	ccore32.bin	The Crypto core contains the encryption algorithms.
Filter driver	Prot_2k.sys	The Full Disk Encryption driver for encryption. The File Allocation Table (FAT) provides the driver with the location of sectors where data is stored. Full Disk Encryption encrypts every byte of the selected disk. Background encryption starts from the first sector of the selected volume and moves in sequence to the last sector. The entire operating system is encrypted.