The following list explains the events that initiate policy synchronization between
agents and PolicyServer:
- After the operating system loads and the agent service starts
  For information about Endpoint Encryption services, see Endpoint Encryption Services.
- When the Full Disk Encryption preboot starts
- At regular intervals based on the PolicyServer synchronization policy
- Manually, from the agent context menu or from the Full Disk Encryption preboot

Note: Device actions initiate after the agent receives policy updates.

Full Disk Encryption Connectivity Requirements
Endpoint Encryption uses a FIPS 140-2 approved encryption process for data passed between the Full Disk Encryption preboot and PolicyServer. Full Disk Encryption agents that have network connectivity to PolicyServer can receive policy updates and upload audit data from the agent. All client-server communications are internally encrypted and can be sent over insecure connections such as the Internet.

You can place an Endpoint Encryption proxy within a DMZ (Demilitarized Zone) for access to both internal networks and the Internet. For information about different network topology configurations, see the Endpoint Encryption Installation Guide.

| Resource | Function |
|---|---|
| PolicyServer | Updated security policies from PolicyServer are sent to the Full Disk Encryption preboot or by connectivity established within Windows, LAN, or VPN. |
| TCP/IP Access | Network connectivity requires full TCP/IP network access; dial-up or telephone access cannot be used to provide connectivity with PolicyServer during preboot authentication. |
| Port | Endpoint Encryption agents communicate using port 8080 by default. To change the default port number, go to Recovery Console and update the PolicyServer. For details, see Changing the Full Disk Encryption PolicyServer. |

Manually Updating Full Disk Encryption Agents
Full Disk Encryption agents automatically receive policy updates from PolicyServer at intervals determined by policy. Do either of the following to manually update policies.

Procedure
- Use the Full Disk Encryption preboot.
  - Go to .
  - Go to . The timestamp of the latest PolicyServer policy synchronization displays.
- Use the Full Disk Encryption agent.
  - Double-click the Full Disk Encryption icon in the Windows system tray. The Full Disk Encryption agent opens.
  - Click Synchronize with PolicyServer. After a moment, PolicyServer enforces all new policy changes.

Moving Full Disk Encryption Disks
If a Full Disk Encryption disk is moved to another endpoint registered with PolicyServer,
Full Disk Encryption automatically detects the change and sends an update to the PolicyServer
database. An administrator account is not required for this process.

Note: Before moving the disk, ensure that the following requirements are met:

Procedure
- Power off the source endpoint and physically remove an existing disk.
- Power off the destination endpoint and insert the disk that was removed from the source endpoint.
- Restart the endpoints.
- Full Disk Encryption detects the removal or addition of any disks and sends an update to the PolicyServer database during start up.
- Click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify if the process was successful.
  Note: During this process, the new disk becomes inaccessible on the destination endpoint.
- Restart the endpoint where the new disk was attached to initiate re-authentication with PolicyServer.
- After restarting, click the Full Disk Encryption icon on the system tray and view the Encryption Status tab to verify if the process was successful.
  The new disk is now accessible and ready for use.