Patch Management with Full Disk Encryption

Use the Command Line Helper and DAAutoLogin together to run Windows patch management on devices with Full Disk Encryption installed. Command Line Helper creates encrypted values for scripts and DAAutoLogin grants a one-time bypass of the Full Disk Encryption Preboot.

Use DAAutoLogin in various combinations to accomplish different needs. Patches can be pushed out, and followed by a script using DAAutoLogin to send a reboot command for the device to display the Windows GINA for confirmation of successful patching or to another round of patches can be deployed.

DAAutoLogin accepts the following switches:

DAAutoLogin <pre-boot Username> <pre-boot Password> [<Domain Name> <Domain Username> <Domain Password>]

Each required value can be passed and separated with a space. Adding in the domain switches allows for Windows authentication.

  • Make sure to run both tools on a Full Disk Encryption device.

  • Both tools are available in the tools folder of the zip file received from Trend Micro. For assistance, contact Trend Micro Support.

Using the Command Line Helper

Command Line Helper enables encrypted values to pass via the installation script to the Full Disk Encryption preboot and installer. You can manually use Command Line Helper to generate encrypted values of strings for installation scripts or patch management.

  1. Download the Command Line Helper tool and locate the tool in your Endpoint Encryption download folder.

    The Command Line Helper tool is part of the PolicyServer installation package. Go to Trend Micro Download Center, select the Endpoint Encryption, and download the PolicyServer package.

    The Command Line Helper tool is located in the following directory:

    <download_directory>\TMEE_PolicyServer\Tools\Command Line Helper

  2. Open a command prompt.
  3. Change the directory to the directory of the Command Line Helper tool.


    cd C:\TMEE_PolicyServer\Tools\Command Line Helper

  4. Type CommandLineHelper.exe followed by the string that you want to encrypt, and press ENTER.


    CommandLineHelper.exe examplepassword


    It may be easier to copy the generated value directly from a text file.

    In that case, the above example would be modified as follows:

    CommandLineHelper.exe examplepassword > file.txt

    The Command Line Helper produces an encrypted string.

Patching Process for Full Disk Encryption

  1. Push patches to targeted Full Disk Encryption devices.
  2. Follow up with a script using DAAutoLogin.
  3. Send a reboot command for the Full Disk Encryption device to load Windows GINA for confirmation of successful patching or to push another round of patches.