Troubleshooting Full Disk Encryption
This section covers basic troubleshooting of Full Disk Encryption (FDE), a component on Endpoint Security Windows clients. FDE combines Pre-boot protection, boot authentication, and strong encryption to make sure that only authorized users can access information stored on desktops and laptops.

CPinfo is used to collect data about components in the Full Disk Encryption environment on the client. We recommend that you send the collected data to Check Point for analysis.
A companion tool, CPinfoPreboot, collects data about components in the Full Disk Encryption Pre-boot environment (the authentication stage that runs before the Operating System loads) on the client.
Run CPinfo if:
- Encrypting or decrypting fails on Windows.
- The selected disk or volume does not encrypt or decrypt.
- Full Disk Encryption related issues occur.
- You experience system issues or crashes.
CPinfo gathers:
- All files in the data directory.
- Installation log.
- File version data for executables.
- Registry values for Full Disk Encryption, GinaDll, UpperFilters and ProviderOrder.
- SMBios structure.
- Installed application lists.
- Microsoft Windows Partition list.
To run CPinfo:
- In the notification area, right-click the client icon.
- Select Display Overview.
- In the right pane, click Advanced.
- Click Collect information for technical support.
  CPinfo opens in the command prompt.
- Press ENTER to start.
  The information is collected. A window opens that shows the location of the cab file.
- Press a key to exit CPinfo.
To run CPinfo manually:
- Open a command prompt.
- Go to the CPinfo tool path location: cd \path\
- Run CPinfo with the output file name and folder:
  C:\path\>CPinfo.exe <output cab filename> <output folder name>
  For example:
  C:\path\>CPinfo.exe SR1234 temp
  The CPinfo application stores the output in the designated folder.
  - If no output name is specified, the output file has the same name as the output folder.
  - If no output folder is specified, CPinfo saves the output file to the directory where the CPinfo tool is located.
Note - CPinfoPreboot does not collect logs from BitLocker-encrypted computers.
Run CPinfoPreboot if:
- You cannot access the Pre-boot Logon window.
- You cannot log in to the Pre-boot Logon window.
- You cannot start encryption or decryption.
- You have had a system crash. This includes a Windows or Full Disk Encryption crash:
  - A Windows crash gives you a blue or black screen.
  - A Full Disk Encryption crash gives you a green or red screen.
CPinfoPreboot collects:
- A readable log of all disks and volumes (scan.log).
- The Master Boot Record for each disk.
- The Partition Boot Record for each volume.
- The first 100 sectors from each physical disk.
- The first 100 sectors from each volume.
- System area data.
Because the output contains raw boot sectors and Full Disk Encryption system area data, keep the cab file on controlled media and send it to Check Point only through the support channel.
Use an external USB device to collect the Pre-boot data. The device must have at least 128 MB of free space, and sufficient storage for the output cab file. CPinfoPreboot cannot run on boot media prepared with the Full Disk Encryption filter driver.
To collect Pre-boot data:
- Copy CPinfoPreboot.exe to an external USB device.
- Boot the client from the USB device.
  Note - Microsoft Windows does not automatically detect USB devices after boot up. The USB device must be connected while booting the computer.
- Open the command prompt and type:
  <path to CPinfoPreboot>\CPinfoPreboot.exe <output cab filename> <output folder name>
  For example:
  C:\path\>CPinfoPreboot.exe SR1234 temp
- CPinfoPreboot stores the output file in the designated folder.
  - If no output name is specified, the output file has the same name as the output folder.
  - If no output folder is specified, CPinfoPreboot saves the output file to the working directory on the external media. An output folder on writable media is required if the working directory is on read-only media.
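The USB preparation steps above, as an added PowerShell example (this is not Check Point's tooling and not code from the page): it checks that the device is removable and has the 128 MB minimum free, probes whether the media is actually writable (read-only media cannot hold the output folder), copies CPinfoPreboot.exe onto it and pre-creates the output folder, then prints the command to type after booting from the device. The drive letter E:, the download path C:\Tools\CPinfoPreboot.exe, and the names SR1234 and preboot_out are assumptions; the exact file name the tool writes is left to the tool.

```powershell
# Added example (not Check Point's code): prepare a USB device for CPinfoPreboot.
# Assumptions: $UsbDrive is the USB drive letter, $ToolSource is where
# CPinfoPreboot.exe was downloaded to, $OutputName is the SR number used as the
# cab file name and $OutputDir the output folder on the device.
param(
    [string]$UsbDrive   = 'E:',
    [string]$ToolSource = 'C:\Tools\CPinfoPreboot.exe',
    [string]$OutputName = 'SR1234',
    [string]$OutputDir  = 'preboot_out'
)

$MinFreeBytes = 128MB   # minimum free space required by the procedure; the cab needs room on top

$vol = Get-Volume -DriveLetter $UsbDrive.TrimEnd(':') -ErrorAction Stop
if ($vol.DriveType -ne 'Removable') {
    throw "$UsbDrive is not a removable device (DriveType=$($vol.DriveType))."
}
if ($vol.SizeRemaining -lt $MinFreeBytes) {
    throw ("{0} has {1:N0} bytes free; CPinfoPreboot needs at least {2:N0}." -f `
        $UsbDrive, $vol.SizeRemaining, $MinFreeBytes)
}

# Read-only media cannot hold the output next to the tool, so probe writability
# explicitly instead of trusting the volume attributes.
$writable = $true
try {
    $probe = Join-Path $UsbDrive '.cpinfo_write_test'
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -Force
} catch {
    $writable = $false
}
if (-not $writable) {
    throw "$UsbDrive is read-only; CPinfoPreboot needs a writable output folder."
}

# Stage the tool and pre-create the output folder on the device.
Copy-Item -Path $ToolSource -Destination (Join-Path $UsbDrive 'CPinfoPreboot.exe') -Force
New-Item -ItemType Directory -Path (Join-Path $UsbDrive $OutputDir) -Force | Out-Null

# The device must be attached before power-on; Windows does not pick it up later.
Write-Host "Attach $UsbDrive before powering on, boot the client from it, then run:"
Write-Host "  CPinfoPreboot.exe $OutputName $OutputDir"
Write-Host "The output cab is written to the $OutputDir folder on the device."
```

Run it on an administrator workstation before walking the device to the affected client; the drive letter seen inside the Pre-boot environment may differ from the one used here, which is why the printed command uses a relative path.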

You can use the debug logs to examine the deployment phase or problems that occur. The information there is included in the CPinfoPreboot output. Send the full results of CPinfoPreboot to Check Point Technical Support for analysis.
The client debug log file is on the user's Endpoint Security client computer (for Windows 7 and higher) at:
C:\ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption
The log file name is dlog1.txt. For BitLocker it is called Win_Nem.log. For an explanation of the error messages that can show in Win_Nem.log, see sk157995.

Note - Pre-boot issues are not relevant for BitLocker-encrypted computers.
Mouse or Keyboard Trouble
If users have trouble with their mice or keyboards during Pre-boot, you might need to change the setting of Enable USB device in Pre-boot environment. This setting is in the Full Disk Encryption Policy > Pre-boot Settings. You can also change this setting from the Pre-boot Customization Menu by pressing both shift keys while Full Disk Encryption is loading when the computer starts up.
Trouble with Password on First Pre-boot
When the Pre-boot window opens for the first time on a computer, users get a message to log in with their Windows password. If the Windows password does not meet the requirements configured for the Pre-boot, the authentication does not work.
To resolve this, change the password requirements in the OneCheck User Settings (OneCheck settings define how users authenticate to Endpoint Security client computers) to match the Windows requirements. Then install the new OneCheck User Settings policy on the client.
Trouble with Smart Cards
If there are Smart Card compatibility issues, change the Legacy USB Support setting in the BIOS. If it is enabled, change it to disabled, and if disabled, enable it.
If clients have UEFI, see the UEFI Requirements in the Release Notes for your Endpoint Security client version.

Full Disk Encryption utilizes the client logger module for audit logging. Logs are created in the Pre-boot and Windows environments. Logs created in Pre-boot are cached in the Full Disk Encryption system area before they are transferred to the client logger module. Full Disk Encryption logs these operations:
- User acquisition
- Installation and upgrade
- Policy changes
- Dynamic encryption
- User authentication/user locked events

- The FDEInstallDLL.dll file creates the upgrade log: %ALLUSERSPROFILE%\Application Data\Check Point\Full Disk Encryption\FDE_dlog.txt. Always examine the log file for possible installation errors.
- The log file sometimes contains Win32 error codes with suggested solutions. To show the Win32 error code text, run the HELPMSG command:
  C:\>net helpmsg <errorcode>
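An added PowerShell example (not Check Point's code and not from this page) that performs the net helpmsg lookup for every Win32 error code found in the log files named above, so a whole upgrade log can be triaged at once instead of one code at a time. The log paths come from this page; the sample log lines are constructed, and the regular expression used to find codes is an assumption about the log format, so adjust it to what your FDE_dlog.txt actually contains.

```powershell
# Added example (not Check Point's code): resolve Win32 error codes found in the
# Full Disk Encryption logs to their message text, the same lookup that
# "net helpmsg <errorcode>" performs.
$LogFiles = @(
    "$env:ProgramData\CheckPoint\Endpoint Security\Full Disk Encryption\dlog1.txt",
    "$env:ALLUSERSPROFILE\Application Data\Check Point\Full Disk Encryption\FDE_dlog.txt"
)

function Resolve-Win32Error {
    param([int]$Code)
    # Win32Exception formats the code through FormatMessage, which is what
    # "net helpmsg" does under the hood.
    (New-Object System.ComponentModel.Win32Exception($Code)).Message
}

function Get-FdeErrorCodes {
    param([string[]]$Lines)
    # Assumption about the log format: a code appears as "error 5",
    # "error code 1053", "err=0x5" or similar. Adjust for real log lines.
    $pattern = '(?i)\berr(?:or)?(?:\s+code)?\s*[:=]?\s*(0x[0-9a-f]+|\d{1,5})\b'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $raw  = $m.Groups[1].Value
        $code = if ($raw -like '0x*') { [Convert]::ToInt32($raw, 16) } else { [int]$raw }
        [pscustomobject]@{
            Code    = $code
            Message = Resolve-Win32Error $code
            Line    = $line.Trim()
        }
    }
}

# Constructed sample lines standing in for real log content (error 5 is
# ERROR_ACCESS_DENIED, 1053 is ERROR_SERVICE_REQUEST_TIMEOUT).
$sample = @(
    '2024-01-15 09:12:01 [FDEInstall] CreateFile failed, error 5',
    '2024-01-15 09:12:02 [FDEInstall] Service start failed, error code 1053',
    '2024-01-15 09:12:03 [FDEInstall] Encryption volume opened OK'
)
Get-FdeErrorCodes -Lines $sample | Format-Table -AutoSize

# Run the same scan over the real log files when they exist on this client.
foreach ($f in $LogFiles) {
    if (Test-Path -Path $f) {
        Write-Host "== $f"
        Get-FdeErrorCodes -Lines (Get-Content -Path $f) | Format-Table -AutoSize
    }
}
```

On the constructed sample the two matching lines resolve to "Access is denied" and "The service did not respond to the start or control request in a timely fashion"; the third line, which carries no code, is skipped rather than reported as an error.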

Here are some issues that can occur in the Deployment Phase and possible causes and solutions.

Causes and Solutions:
- The User Acquisition policy might say that multiple users must log on to a computer. You can:
  - Change the User Acquisition policy.
  - Instruct users to log on to the computer so Full Disk Encryption can acquire them.
- Make sure that a user logs on with an account that has a password. User accounts without passwords cannot be acquired. If User Acquisition is not enabled, at least one user with a password must be assigned to the device.
- The Pre-boot password requirements must not be stricter than the Windows logon password requirements. If the password requirements of Windows and the Pre-boot do not match, change the password settings for the Pre-boot password.
- Make sure that the necessary connections work and that all processes are running. Make sure that:
  - The network connection is stable.
  - Driver Agent is running and has a connection to the server.
  - The Device Auxiliary Framework is running.

Causes and Solutions:
If encryption stopped at 50%, make sure that system services are running. In particular, make sure that the fde_srv.exe service is running. If it is not running, start it manually (in Windows Task Manager, right-click the service and select Start).
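An added PowerShell example (not Check Point's code) for the fde_srv.exe check above: it locates the service by the executable in its registered command line rather than by a guessed service name, starts it if it is stopped, and then confirms that the process itself is alive, which the service state alone does not prove. Nothing beyond the executable name fde_srv.exe is taken from the page; the service name and install path are discovered at run time. Run it from an elevated prompt.

```powershell
# Added example (not Check Point's code): find and start the service that runs
# fde_srv.exe without assuming its service name.
function Get-FdeService {
    # Win32_Service exposes PathName (the full command line), so matching on the
    # executable name works however the service was registered.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -match '(?i)\\fde_srv\.exe' }
}

function Start-FdeService {
    $services = @(Get-FdeService)
    if ($services.Count -eq 0) {
        throw 'No service runs fde_srv.exe; check that the Full Disk Encryption client is installed.'
    }
    foreach ($s in $services) {
        Write-Host ("{0} ({1}): State={2} StartMode={3}" -f $s.Name, $s.DisplayName, $s.State, $s.StartMode)
        if ($s.StartMode -eq 'Disabled') {
            # A disabled service will not start; report it instead of failing silently.
            Write-Warning "$($s.Name) is disabled; change its start mode before starting it."
            continue
        }
        if ($s.State -ne 'Running') {
            Start-Service -Name $s.Name -ErrorAction Stop
            (Get-Service -Name $s.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            Write-Host "Started $($s.Name)."
        }
    }
    # Confirm the process is actually alive, not only the service record.
    Get-Process -Name fde_srv -ErrorAction SilentlyContinue | Select-Object Id, StartTime, Path
}

Start-FdeService
```

If the function reports the service as Running but Get-Process returns nothing, the service control manager state is stale or the process exited immediately after start; in that case collect CPinfo output rather than retrying.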

Causes and Solutions:
- Make sure that the computer has all client requirements.
- Disk fragmentation or a damaged hard drive can cause problems with Full Disk Encryption. Run disk defragmentation software on the volume to repair fragmentation, and check the disk for damaged sectors.
- Make sure that the network connection is stable.