Deploying the Agent with OfficeScan

This section describes how to use the Endpoint Encryption Deployment Tool Plug-in to initiate agent installation and uninstallation commands.

The following illustration shows the Endpoint Encryption Deployment Tool Client Management screen.

Figure 1. Endpoint Encryption Deployment Tool

Deploying the Agent with OfficeScan

Before deploying agents, make sure that the endpoints meet the minimum system requirements.

For more information, see Full Disk Encryption System Requirements.

  1. Select the endpoint from the client tree.
    Note:

    To select multiple endpoints, hold CTRL and select applicable endpoints.

  2. Click Install, then select one of the following options:
    Option Description

    Full Disk Encryption

    Select the appropriate Full Disk Encryption agents.

    • Select the Full Disk Encryption agent to deploy all features, including preboot authentication, all policies, notifications, and device actions.

    • Select the Encryption Management for Microsoft BitLocker agent to enable Microsoft BitLocker full disk encryption, deploying only limited policies and device actions.

    Note:

    It is not possible to deploy the Encryption Management for Apple FileVault agent using the Endpoint Encryption Deployment Tool plug-in.

    File Encryption

    Deploy the File Encryption agent, which includes all features and policies.

  3. Click Deploy.
  4. At the message, click OK to confirm the deployment.

    The agent deployment command is initiated. If successful, any selected endpoint is prompted to restart.

Confirming Agent Deployment

This task explains how to confirm that the Endpoint Encryption agent install initiates correctly on the endpoint.

  1. Complete Deploying the Agent with OfficeScan.
  2. Log on to the selected Endpoint Encryption device.
  3. Do one of the following:
    • To view the deployment status, open the log files at:

      Client endpoint

      C:\TMEE_Deploy_Client.log

      Server endpoint

      C:\TMEE_Deploy_Server_Inst.log

    • Run Task Manager and search for the service Trend Micro Full Disk Encryption.

  4. When the Endpoint Encryption agent deployment completes, reboot the endpoint to complete the installation.

Endpoint Encryption Agent Deployment Statuses

The following table explains the OfficeScan statuses that appear in the Endpoint Encryption Deployment Tool plug-in console after initiating a deployment command. Use it to understand if there was a problem during the agent installation or uninstallation.

Table 1. Agent Installation Statuses

Status

Message

Description

In progress

In progress: agent deployment

OfficeScan is attempting to communicate with the managed endpoint, install the Endpoint Encryption agent, then establish a connection with PolicyServer.

Successful

Successful agent deployment

The Endpoint Encryption agent installed successfully, and has established communication with both OfficeScan and PolicyServer.

Unsuccessful

Unsuccessful agent deployment

The Endpoint Encryption agent deployment could not finish. Review the logs to find out why the managed endpoint could not update with the selected Endpoint Encryption agent.

Restart required

Successful agent deployment. Shutdown/Restart required.

For the Full Disk Encryption agent, a restart is required to complete the installation. The status is not updated until after the user has logged on the PolicyServer preboot.

Timeout

Timed out: agent deployment

The timeout period is 30 minutes. After a timeout, initiate a new deployment command.

Table 2. Agent Uninstallation Statuses

Status

Message

Description

In progress

Request in progress: agent deployment

OfficeScan is attempting to communicate with the managed endpoint and uninstall the agent software. The managed endpoint must reply to the deployment command before the uninstallation can start.

Successful

Successful agent uninstallation

The Endpoint Encryption agent uninstalled successfully and has established communication with OfficeScan and PolicyServer. After uninstallation, the Endpoint Encryption device is removed from PolicyServer.

Unsuccessful

Unsuccessful agent uninstallation

The Endpoint Encryption agent uninstallation request could not establish a connection. Review the logs to find out why the managed endpoint could not uninstall the Endpoint Encryption.

Restart required

Successful agent uninstallation. Shutdown/Restart required.

For some Endpoint Encryption agents, a restart is required to complete the uninstallation.

Timeout

Request timeout: agent uninstallation

The timeout period is 30 minutes. After a timeout, initiate a new uninstallation request.

Endpoint Encryption Agent Installation Error Codes

The following table describes the error codes for Endpoint Encryption agent installation errors. Use it to understand the problem and resolution for a specific installation error.

Note:

Make sure that the endpoint meets the minimum system requirements before deploying Endpoint Encryption agents. Microsoft .Net Framework 2.0 SP1 or above is required. For information about system requirements, see the Endpoint Encryption Installation and Migration Guide.

Table 3. Installation Error Codes

Agent

Error Code

Problem and Resolution

File Encryption

1603

Unable to install the Endpoint Encryption agent. A required resource may be unavailable. Restart the endpoint and try the installation again. If the problem persists, contact Trend Micro Support.

1641

Unable to install the Endpoint Encryption agent. The system may require a restart to complete a previous uninstallation. Restart the endpoint and try the installation again. If the problem persists, contact Trend Micro Support.

Full Disk Encryption

-3

The user name or password is invalid. Verify the credentials and try to log on to PolicyServer again.

-6

Unable to install the Endpoint Encryption agent. A required resource may be unavailable. Restart the endpoint and try the installation again. If the problem persists, contact Trend Micro Support.

-13

The endpoint does not meet the minimum system requirements. Upgrade the RAM or disk space and try to install the agent again.

Encryption Management for Microsoft BitLocker

1603

Unable to install the Endpoint Encryption agent. A required resource may be unavailable. Restart the endpoint and try the installation again. If the problem persists, contact Trend Micro Support.

-13

Unable to install the Endpoint Encryption agent. Microsoft BitLocker requires Trusted Platform Module (TPM). The endpoint either does not support TPM, TPM is not enabled in BIOS, or TPM is locked by another logged on user. Enable TPM in BIOS or contact the system administrator for assistance.

-14

Unable to install the Endpoint Encryption agent. The operating system is not supported. Install one of the following supported operating systems and then try again:

  • Windows 7 32-bit or 64-bit, Ultimate or Enterprise edition

  • Windows 8 32-bit or 64-bit, Professional or Enterprise edition

  • Windows 8.1 32-bit or 64-bit, Professional or Enterprise edition

-15

Full Disk Encryption is already installed.

-16

Unable to install the Endpoint Encryption agent. The endpoint is already encrypted.

Using OfficeScan to Uninstall Endpoint Encryption Agents

During an upgrade, some Endpoint Encryption agents require first manually uninstalling the old Endpoint Encryption agent software. If the Endpoint Encryption agent software is malfunctioning in some way, uninstalling and reinstalling the Endpoint Encryption agent software may solve the problem.

This procedure explains how to uninstall Endpoint Encryption agents using the OfficeScan Endpoint Encryption Deployment Tool plug-in.

  1. Select the Endpoint Encryption device.
    Note:

    To select multiple Endpoint Encryption devices, hold SHIFT and select applicable endpoints.

  2. Click Uninstall and select the appropriate Endpoint Encryption agent from the drop-down list.
  3. Click OK to confirm the deployment.

    The Endpoint Encryption agent uninstall command is deployed.

  4. The Endpoint Encryption agent uninstallation is complete when OfficeScan displays the confirmation message.
    Note:

    All future deployment commands fail if the Endpoint Encryption device is not restarted after the uninstall command is initiated and completes.

    If uninstallation is unable to complete, manually uninstall the agent. See the Endpoint Encryption Installation Guide.

    When uninstallation completes, the Endpoint Encryption agent is removed and the product folder is deleted from the endpoint.