Installing the Full Disk Encryption Agent
Procedure
- Verify that all of the agent installation prerequisites have been completed.
- Verify that the hard disk is not already encrypted, no other full disk encryption product is installed, and that Microsoft BitLocker is disabled.
- Run a hard drive integrity utility on the system drive.
  For example, to run the Windows utility Check Disk, open a command prompt and run chkdsk /f /r. Windows will perform Check Disk on the next restart.
  If bad sectors are found, fix or replace the hard drive depending on your enterprise hardware policy.
- Defragment the system drive.
- Copy the installation files to the system drive.
- Run TMFDEInstall.exe.
  Note: If the User Account Control window appears, click Yes to allow the installer to make changes to the Endpoint Encryption device.
  The Full Disk Encryption installer checks the endpoint for installation issues. If a system incompatibility is discovered, the installer closes and generates the PreInstallCheckReport.txt in the same location as the installer. For more information, see Pre-Installation Check.
- Specify the following PolicyServer information:

  | Option | Description |
  |---|---|
  | Server name | Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration. |
  | Enterprise | Specify the Enterprise. Only one Enterprise is supported. |
  | User name | Specify the user name of an account with permission to add devices to the Enterprise. |
  | Password | Specify the password for the user name. |
  | Forcesoftware | (Optional) Forces Full Disk Encryption to use software encryption instead of hardware encryption. This option is recommended for SED disks. |

  WARNING: Full Disk Encryption is unable to install on SED disks attached to devices using UEFI if these disks were previously managed by Windows BitLocker. To install Full Disk Encryption on these disks, perform one of the following:
  - Configure Full Disk Encryption to use software-based encryption by adding the FORCESOFTWARE parameter during installation.
  - Restore the SED disk back to its factory setting. This procedure removes all existing data from the SED disk. After the disk has been restored, try running the installer again.
- At the Installation Complete screen, click Close.
  A message appears asking if you want to restart or shut down the endpoint. The endpoint restarts for software-based encryption or shuts down for hardware-based encryption.
- Click Yes to restart or shut down the endpoint.
  Full Disk Encryption installation is complete when the Full Disk Encryption preboot displays. At the preboot screen, the user must log on. The user is required to change their password after logging on. The next time Windows starts, Full Disk Encryption encrypts the disk.
  Policies are synchronized with PolicyServer after the endpoint restarts.
Pre-Installation Check
The Full Disk Encryption installer automatically checks the target system to make sure that all necessary system requirements are met before installing the agent. If a system incompatibility is discovered, the installer closes and generates the PreInstallCheckReport.txt in the same location as the installer. The installer checks the following requirements.
| Specification | Requirement |
|---|---|
| Supported Operating System | The endpoint must have a supported operating system installed. |
| Encryption Management for Microsoft BitLocker is already installed | Encryption Management for Microsoft BitLocker must not be installed. Uninstall Encryption Management for Microsoft BitLocker to install Full Disk Encryption or use Encryption Management for Microsoft BitLocker instead. |
| Secure Boot | Full Disk Encryption is unable to install on endpoints where Secure Boot has been enabled. To ensure successful installation, disable Secure Boot prior to installation. |
| Fixed media | The physical disk must be fixed and not removable. Full Disk Encryption cannot be installed on removable drives running Windows. |
| Free space | The drive must have at least 256 MB of contiguous free disk space. |
| Memory | The endpoint must have at least 512 MB of RAM. Trend Micro recommends having at least 1 GB of RAM. |
| Partition count | The drive must have fewer than 25 partitions. Partitions with extended MBRs are not supported. |
| Physical drive is bootable | The drive must be bootable. |
| SCSI disk | SCSI drives are not supported. |
| Microsoft .NET Framework | Microsoft .NET Framework 3.5 or later is required for Windows 8 or later devices. |
| SED hardware compatibility | If a drive is a self-encrypting drive, Full Disk Encryption enables hardware encryption for that drive. Full Disk Encryption currently supports the following: |
| BitLocker is enabled | Microsoft BitLocker must not be enabled. Two full disk encryption solutions may not run on the same drive. If your environment uses Microsoft BitLocker for encryption, install the Encryption Management for Microsoft BitLocker agent instead of Full Disk Encryption. |
| Intel Rapid Storage Technology | Drives using Intel Rapid Storage Technology with mSATA caches are not supported. |
| Windows MBR | Checks if the boot disk uses a typical Windows MBR or not. |
| Keyboard | The Full Disk Encryption Preboot supports the current keyboard layout. |
| Wi-Fi/NIC | The Full Disk Encryption Preboot supports the system Network Interface Controller (NIC) and Wi-Fi hardware. |
| Disks are distinguishable | The disks on the device must have unique hardware properties, such as Serial Number and Model. |
| Check Not Initialized Disk(s) | The disks on the device are initialized. If there are one or more disks which are not initialized, open Disk Management to initialize. |
| GPT partition checking | First usable LBA and partition size check. |
| Incompatible software | Incompatible software must be uninstalled before installing Full Disk Encryption. For example, HP Drive Encryption and Dell Backup Recovery. |
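Several of the requirements in the table above can be audited on an endpoint before the installer is run. The following PowerShell script is an added example, not part of the Trend Micro documentation or installer; it covers only the checks that standard Windows cmdlets can query, treats total free space as a necessary (not sufficient) stand-in for the contiguous-space requirement, and the installer's own PreInstallCheckReport.txt remains authoritative.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of some checks from the Pre-Installation Check table.
# Run on the endpoint before TMFDEInstall.exe. Nothing on the system is modified.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$disk   = Get-Disk | Where-Object IsBoot | Select-Object -First 1
$letter = $env:SystemDrive.Substring(0, 1)

# BitLocker must not be enabled. If it cannot be queried, fail closed.
try {
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Check 'BitLocker disabled' `
        ($blv.VolumeStatus -eq 'FullyDecrypted' -and $blv.ProtectionStatus -eq 'Off') `
        "$($blv.VolumeStatus), protection $($blv.ProtectionStatus)"
} catch {
    Add-Check 'BitLocker disabled' $false 'Could not query BitLocker; verify manually'
}

# Secure Boot must be off. Confirm-SecureBootUEFI throws on legacy BIOS systems.
try   { $sb = Confirm-SecureBootUEFI -ErrorAction Stop; $sbNote = "Secure Boot enabled: $sb" }
catch { $sb = $false; $sbNote = 'Secure Boot not supported on this platform' }
Add-Check 'Secure Boot disabled' (-not $sb) $sbNote

$ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
Add-Check 'Memory >= 512 MB' ($ramMB -ge 512) "$ramMB MB installed"

# Total free space only; this does not prove that 256 MB is contiguous.
$freeMB = [math]::Round((Get-Volume -DriveLetter $letter).SizeRemaining / 1MB)
Add-Check 'Free space >= 256 MB' ($freeMB -ge 256) "$freeMB MB free on $env:SystemDrive"

$parts = @(Get-Partition -DiskNumber $disk.Number).Count
Add-Check 'Fewer than 25 partitions' ($parts -lt 25) "$parts partitions on disk $($disk.Number)"
Add-Check 'Not a SCSI disk' ($disk.BusType -ne 'SCSI') "Bus type: $($disk.BusType)"

# Disks must be distinguishable by serial number and model, and all initialized.
$dupes = @(Get-Disk | Group-Object SerialNumber, Model | Where-Object Count -gt 1)
Add-Check 'Disks distinguishable' ($dupes.Count -eq 0) "$($dupes.Count) duplicate serial/model groups"
$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
Add-Check 'All disks initialized' ($raw.Count -eq 0) "$($raw.Count) uninitialized disks"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for deployment tooling
```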