Known Issues

This section describes the Endpoint Encryption issues and limitations grouped according to agent or console.

PolicyServer MMC Issues

The following are the PolicyServer MMC issues and limitations:

  1. If a domain user has the Enterprise Administrator or Enterprise Authenticator role, no event log is created when Active Directory synchronization is unsuccessful.

  2. PolicyServer MMC is unable to display information for multiple enterprises. PolicyServer is only able to display the first enterprise entered into PolicyServer MMC.

  3. Permission issues may prevent PolicyServer 5.0.0.3506 from upgrading directly to 6.0. To prevent this issue, grant "db_ddladmin" permission to the database user account of PolicyServer before upgrading to 6.0, or upgrade PolicyServer to 5.0.0.3793 first before upgrading to 6.0.

  4. During preboot, Full Disk Encryption generates message id "10029" (successfully fixed password login) if a user is authenticated by domain password. To distinguish between fixed password authentication and domain authentication, Full Disk Encryption assigns message id "100057" for domain authentication.

  5. The Endpoint Encryption 5.0 MMC console is unable to correctly display new policies added in Endpoint Encryption 6.0. To avoid this issue, upgrade the Endpoint Encryption MMC from 5.0 to 6.0 after PolicyServer is upgraded.

  6. The time filter function in log events displays incorrect results if the Endpoint Encryption 6.0 MMC connects to a 6.0 beta version of PolicyServer. To solve this issue, upgrade both the PolicyServer and the Endpoint Encryption MMC to the 6.0 release version.

  7. Control Manager and the Endpoint Encryption MMC display an incorrect encryption status for a device that has been migrated to a new enterprise until the device is rebooted. Control Manager and the Endpoint Encryption MMC should display the correct encryption status after the device is rebooted.

  8. The Log Integrity Alert report may show log events from the PolicyServer 6.0 beta version as "log integrity compromised" events. Log events from the PolicyServer 5.0 or 6.0 versions should be reported correctly.

Control Manager Integration Issues

The following are the Control Manager issues and limitations:

  1. After deploying a new policy from Control Manager to PolicyServer, a new policy group does not immediately appear in PolicyServer MMC. To see the new policy group, log off from PolicyServer MMC and log back on.

  2. Users cannot be added to the policy if the Users panel in Control Manager Policy Management is disabled.

  3. Deleting a policy that was created in Control Manager does not delete the policy from PolicyServer. The policy can still be viewed in PolicyServer MMC.

Endpoint Encryption Deployment Tool Plug-in Issues

The following are the Endpoint Encryption Deployment Tool plug-in issues and limitations:

  1. If the OfficeScan administrator tries to deploy server settings to PolicyServer using an Endpoint Encryption user account, an error message returns that the connection was unsuccessful.

  2. Plug-in Manager does not display an error message when installing the Endpoint Encryption Deployment Tool Plug-in on a server that does not meet the minimum system requirement of 1 GB free hard disk space.

  3. The Endpoint Encryption device may still appear in Plug-in Manager even after the Endpoint Encryption agent has been uninstalled. Agents will disappear the next time that PolicyServer synchronizes with OfficeScan and the Plug-In Manager screen refreshes.

  4. Endpoint Encryption users with a one-time password (OTP) are only allowed to deploy agents using the Endpoint Encryption Deployment Tool Plug-in once. All future deployments are unsuccessful. After the first deployment, the user must set a fixed password before performing deployment again.

  5. When the uninstall command is deployed from OfficeScan to Full Disk Encryption devices, the message "Successful agent uninstallation request" appears before uninstallation has completed. Endpoint Encryption decrypts the endpoint before completing uninstallation.

Full Disk Encryption Issues

The following are the Full Disk Encryption issues and limitations.

  1. The Full Disk Encryption preboot login may encounter reduced performance if the Wi-Fi adapter is connected to an access point with no network access to PolicyServer.

    This issue occurs when the PolicyServer IP address is used during Full Disk Encryption installation. Use the PolicyServer FQDN during installation to resolve the issue.

  2. The Full Disk Encryption preboot Wi-Fi is unable to automatically detect access points with WEP-Shared security.

    Manually specify WEP-OPEN or WEP-PSK security.

  3. The Full Disk Encryption preboot is unable to log on to Windows 8, 8.1, or 10 when installed on a virtual machine using VMware Workstation with the e1000e Ethernet driver.

    The e1000e Ethernet driver is the default driver for Windows 8 and 8.1. Full Disk Encryption does not support the e1000e Ethernet driver.

    To resolve this issue, change the driver to e1000:

    1. Shut down VMware Workstation.

    2. Using a text editor, open the vmware.vmx file.

    3. Find the driver line:

      ethernet0.virtualDev = "e1000e"

    4. Change "e1000e" to "e1000".

    5. Save the file and restart the virtual machine.

  4. Full Disk Encryption displays an error message and is unable to lock the system when the "LockDeviceTimeDelay" policy is 999999 minutes.

  5. Full Disk Encryption is unable to log on by single sign-on when the endpoint wakes from hibernation.

  6. When a user logs on to Full Disk Encryption, the tray icon shows the correct user name. However, if the user logs off after the endpoint hibernates and another user logs on, the tray icon still shows the previous user name. No user data is at risk.

  7. Toshiba Tecra computers with self-encrypting drives may be unable to run Windows after installing Full Disk Encryption.

  8. The Full Disk Encryption preboot does not support combinations of characters with the "AltGr" key when using a Spanish keyboard layout.

  9. The Full Disk Encryption preboot is unable to control the Num Lock indicator for some HP laptops. In those cases, the Num Lock indicator can be configured in the BIOS settings.

  10. Full Disk Encryption does not support installation alongside other third-party full disk encryption products. If multiple encryption products are installed on the same endpoint, the endpoint may be unable to start Windows and may display a blue screen error message.

  11. The Full Disk Encryption Recovery Tool may encounter errors when logging on to Zoom by single sign-on, or by using Google or Facebook accounts.

    To avoid this issue, only use Zoom to connect to meetings hosted by Trend Micro support. Do not attempt to host meetings through the Recovery Tool.

  12. Full Disk Encryption is unable to install on the HP ProBook 6570b and HP EliteBook Folio 9470m if the boot configuration for these endpoints is set to UEFI. To ensure successful installation, set the boot configuration to BIOS prior to installation.

  13. The Full Disk Encryption installer is unable to upgrade older Full Disk Encryption versions on devices where the system disk contains more than 8 extended partitions. To upgrade these devices to the 6.0 version, uninstall the old version first and then perform a clean install instead.

  14. Full Disk Encryption may display an inaccurate percentage of completion if the value of the Encrypt Policy setting changes during encryption. To fix this issue, decrypt the whole disk and encrypt it again.

  15. Disk conversion from MBR to GPT cannot be performed on a disk managed by Full Disk Encryption. To convert a managed disk from MBR to GPT, decrypt the whole disk first, and then detach the disk from Full Disk Encryption. Afterwards, perform the disk conversion as usual.

  16. During preboot, the Wire Network Configuration screen displays the hidden SSID \x00\x00\x00\x00\x00\x00\x00\x00.

  17. In rare cases, sectors may become corrupted if the power is cut off while encrypting. To prevent this issue, ensure that the power cord is connected during the initial encryption period of Full Disk Encryption.

  18. Multiple "encryption complete" messages from the same device appear in the audit log for a period of time. This is because Full Disk Encryption sends an "encryption complete" message to PolicyServer for encrypted disks whenever the Full Disk Encryption service restarts, to ensure that the encryption status on the server side is up to date.

  19. Full Disk Encryption is incompatible with the PLEXTOR PX-128M5 Pro (old firmware). The encryption status of the disk is displayed as (NaN%) when the encryption starts.

  20. Full Disk Encryption usually queries DNS suffixes from Windows and applies them in preboot. However, Full Disk Encryption only uses the first DNS suffix found. To minimize issues, ensure that the preferred DNS suffix is set as the first DNS suffix in Windows.

  21. Full Disk Encryption may incorrectly mark the network information display of Windows XP VMware images with an (X). However, this is only a display issue. There is no impact on network connectivity.

  22. During preboot, the touchpad of an Acer V3-372 or ASUS BU400A machine may be unresponsive. To solve this issue, change the touchpad setting in the firmware from Enhanced to Basic, or use an external USB mouse.

  23. When deploying Full Disk Encryption using the Endpoint Encryption Deployment Tool Plug-in, the plug-in does not display the result of the safety check (a new feature of Full Disk Encryption in 6.0). As a workaround, administrators can manually review the safety check result from Control Manager or the Endpoint Encryption MMC console.

  24. Full Disk Encryption may encounter issues if installed on an ASUS BU400A machine using a UEFI SED configuration. This causes the firmware to delete the boot entry after the device has booted into Windows, which makes unlocking the self-encrypting drive difficult after the device is powered on again. To minimize issues, switch to BIOS with SED configuration, or UEFI with normal disk configuration. If the self-encrypting drive cannot be unlocked, administrators may use the recovery tool to unlock the drive after authentication.

  25. Wi-Fi SSID settings deployed from Control Manager do not support angle brackets (< >). Remove angle brackets from the Wi-Fi SSID settings.

  26. The Full Disk Encryption preboot does not support the network port of the Microsoft Surface Dock. However, the Full Disk Encryption preboot supports the built-in Wi-Fi found on the Surface Pro 3 and Surface Pro 4. To establish a connection to PolicyServer, configure the Full Disk Encryption Preboot to use the built-in Wi-Fi.

  27. Installation of Full Disk Encryption may cause the endpoint to require more time to resume from hibernation. On average, time to resume from hibernation may take 80 seconds for BIOS-configured endpoints, and 30 seconds for UEFI-configured endpoints.

  28. If the Full Disk Encryption database of a data disk becomes corrupt, the data disk becomes inaccessible in Windows. To resolve this issue, use the Full Disk Encryption recovery tool. The Full Disk Encryption recovery tool reports the disk as "Not an FDE disk", but will still automatically repair the database on the data disk. If the issue persists, contact Trend Micro support for data recovery.

  29. Full Disk Encryption is unable to complete installation on Lenovo ThinkStation P410 endpoints if the boot configuration is set to UEFI. To ensure successful installation, set the boot configuration to BIOS prior to installation.

  30. Full Disk Encryption is incompatible with some Dell Optiplex 980 models. To use Full Disk Encryption on these endpoints, install Encryption Management for Microsoft BitLocker.
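
The e1000e workaround from issue 3 above, scripted as an added example (not part of the original documentation): it rewrites the virtualDev line from "e1000e" to "e1000" and keeps a backup copy. Handling adapters other than ethernet0, tolerating varied spacing, and the .bak backup name are assumptions that go beyond the steps on this page.

```shell
#!/bin/sh
# Added example: switch VMware virtual NICs from e1000e to e1000 in a .vmx file.
# Run it only while the virtual machine is shut down (step 1 of the procedure).

# Print the adapters (for example "ethernet0") that are currently set to e1000e.
vmx_e1000e_adapters() {
    # Matches: ethernetN.virtualDev = "e1000e"
    # Spacing around '=' and a trailing carriage return are tolerated.
    sed -n -E 's/^[[:space:]]*(ethernet[0-9]+)\.virtualDev[[:space:]]*=[[:space:]]*"e1000e"[[:space:]]*$/\1/p' "$1"
}

# Rewrite every e1000e adapter to e1000, keeping the original as FILE.bak.
# Returns 0 if the file was changed, 1 if there was nothing to change,
# 2 if the file is missing or could not be written.
vmx_use_e1000() {
    [ -f "$1" ] || { echo "not found: $1" >&2; return 2; }
    if [ -z "$(vmx_e1000e_adapters "$1")" ]; then
        echo "no e1000e adapter line in $1" >&2
        return 1
    fi
    # Back up first, then rewrite from the backup so a failed write is recoverable.
    cp -p -- "$1" "$1.bak" || return 2
    # Only the value of a virtualDev key is touched; other lines that happen
    # to contain the text e1000e (a display name, say) are left alone.
    sed -E 's/^([[:space:]]*ethernet[0-9]+\.virtualDev[[:space:]]*=[[:space:]]*)"e1000e"/\1"e1000"/' \
        "$1.bak" > "$1" || return 2
    return 0
}

# Stand-alone use: sh fix_vmx_nic.sh /path/to/vmware.vmx
if [ "$#" -gt 0 ]; then
    vmx_use_e1000 "$1"
fi
```

A return value of 1 means no explicit e1000e line was found, so the file is left untouched and no backup is written.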

File Encryption Issues

The following are the File Encryption issues and limitations.

  1. If you attempt to delete files or folders in an encrypted folder, Windows prompts the following error: "Can't read from the source file or disk."

    This error occurs because File Encryption is unable to move deleted files and folders in an encrypted folder to the Recycle Bin. To delete files and folders in an encrypted folder, use the permanent delete command Shift + Delete.

  2. File Encryption does not support "Self Help" questions and answers. At registration, if the Endpoint Encryption user goes to the "Change Password" screen, the user should be given "Self Help" challenge questions.

  3. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, policies are unable to synchronize if the File Encryption 3.1.3 agent uses port 8080 (TMEE Service) during registration.

  4. After upgrading PolicyServer and File Encryption from 3.1.3 SP1 to 5.0, authentication is locked at the "Change Password" screen if the File Encryption 3.1.3 agent used port 8080 (TMEE Service port) during registration.

  5. Uninstalling File Encryption without restarting the endpoint does not automatically remove the program from the Add/Remove Programs list.

  6. The legal notice does not appear when the endpoint starts.

  7. The File Encryption agent desktop shortcut and agent icon flash when the File Encryption agent synchronizes with PolicyServer.

Encryption Management for Microsoft BitLocker Issues

There are no known issues for Encryption Management for Microsoft BitLocker in this release.

Encryption Management for Apple FileVault Issues

The following are the Encryption Management for Apple FileVault issues and limitations.

  1. After upgrading Mac OS to 10.13.1, Encryption Management for Apple FileVault may not start encryption if the domain user doesn't have a "secure token" to enable FileVault. Administrators may need to manually apply a secure token to the mobile account. For details, refer to the following Knowledge Base entry:

    https://success.trendmicro.com/solution/1119488

  2. After Encryption Management for FileVault receives the Kill command from PolicyServer, all the user passwords on that device are reset to random characters. However, due to a Mac OS 10.10 security design, the Kill function may become "locked", and users are unable to unlock FileVault on that device.