Full Disk Encryption Manual Deployment

Installing the Full Disk Encryption Agent

To install Full Disk Encryption, perform the following procedure.

  1. Verify that all of the agent installation prerequisites have been completed.

    See Agent Installation Prerequisites.

  2. Verify that the hard disk is not already encrypted, no other full disk encryption product is installed, and that Microsoft BitLocker is disabled.
  3. Run a hard drive integrity utility on the system drive.

    For example, to run the Windows utility Check Disk, open a command prompt and run chkdsk /f /r. Windows will perform Check Disk on the next restart.

    If bad sectors are found, fix or replace the hard drive depending on your enterprise hardware policy.

  4. Defragment the system drive.
  5. Copy the installation files to the system drive.
  6. Run TMFDEInstall.exe.
    Note:

    If the User Account Control window displays, click Yes to allow the installer to make changes to the Endpoint Encryption device.

    The Full Disk Encryption installer checks the endpoint for installation issues. If a system incompatibility is discovered, the installer closes and generates the PreInstallCheckReport.txt in the same location as the installer. For more information, see Pre-Installation Check.

  7. Specify the following PolicyServer information:
    Option: Description

    Server name: Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.

    Enterprise: Specify the Enterprise. Only one Enterprise is supported.

    User name: Specify the user name of an account with permission to add devices to the Enterprise.

    Password: Specify the password for the user name.

    Forcesoftware: (Optional) Forces Full Disk Encryption to use software encryption instead of hardware encryption. This option is recommended for SED disks.

    Warning:

    Full Disk Encryption is unable to install on SED disks attached to devices using UEFI if these disks were previously managed by Windows BitLocker. To install Full Disk Encryption on these disks, perform one of the following:

    • Configure Full Disk Encryption to use software-based encryption by adding the FORCESOFTWARE parameter during installation.

    • Restore the SED disk back to its factory setting. This procedure removes all existing data from the SED disk. After the disk has been restored, try running the installer again.

  8. At the Installation Complete screen, click Close.

    A message appears asking if you want to restart or shut down the endpoint. The endpoint restarts for software-based encryption or shuts down for hardware-based encryption.

  9. Click Yes to restart or shut down the endpoint.

    Full Disk Encryption installation is complete when the Full Disk Encryption preboot displays. At the preboot screen, the user must log on. The user is required to change their password after logging on. The next time Windows starts, Full Disk Encryption encrypts the disk.

    Policies are synchronized with PolicyServer after the endpoint restarts.

Pre-Installation Check

The Full Disk Encryption installer automatically checks the target system to make sure that all necessary system requirements are met before installing the agent. If a system incompatibility is discovered, the installer closes and generates the PreInstallCheckReport.txt in the same location as the installer. The following are the requirements that the Full Disk Encryption installer checks.

Specification: Requirement

Supported Operating System: The endpoint must have a supported operating system installed.

Encryption Management for Microsoft BitLocker is already installed: Encryption Management for Microsoft BitLocker must not be installed. Uninstall Encryption Management for Microsoft BitLocker to install Full Disk Encryption or use Encryption Management for Microsoft BitLocker instead.

Secure Boot: Full Disk Encryption is unable to install on endpoints where Secure Boot has been enabled. To ensure successful installation, disable Secure Boot prior to installation.

Fixed media: The physical disk must be fixed and not removable. Full Disk Encryption cannot be installed on removable drives running Windows.

Free space: The drive must have at least 256 MB of contiguous free disk space.

Memory: The endpoint must have at least 512 MB of RAM. Trend Micro recommends having at least 1 GB of RAM.

Partition count: The drive must have fewer than 25 partitions. Partitions with extended MBRs are not supported.

Physical drive is bootable: The drive must be bootable.

SCSI disk: SCSI drives are not supported.

  Note: This check only records a warning, because Windows may report a SATA drive as SCSI. If the disk is not SCSI, Full Disk Encryption may be installed. To verify that the drive is not SCSI, physically check the device.

Microsoft .NET Framework: Microsoft .NET Framework 3.5 or later is required for Windows 8 or later devices.

SED hardware compatibility: If a drive is a self-encrypting drive, Full Disk Encryption enables hardware encryption for that drive. Full Disk Encryption currently supports the following:

  • Seagate OPAL and OPAL 2 drives

  • SanDisk self-encrypting (OPAL2) solid-state drives

BitLocker is enabled: Microsoft BitLocker must not be enabled. Two full disk encryption solutions may not run on the same drive. If your environment uses Microsoft BitLocker for encryption, install the Encryption Management for Microsoft BitLocker agent instead of Full Disk Encryption.

Intel Rapid Storage Technology: Drives using Intel Rapid Storage Technology with mSATA caches are not supported.

Windows MBR: Checks if the boot disk uses a typical Windows MBR or not.

Keyboard: The Full Disk Encryption Preboot supports the current keyboard layout.

Wi-Fi/NIC: The Full Disk Encryption Preboot supports the system Network Interface Controller (NIC) and Wi-Fi hardware.

Disks are distinguishable: The disks on the device must have unique hardware properties, such as Serial Number and Model.

Check Not Initialized Disk(s): The disks on the device are initialized. If there are one or more disks which are not initialized, open Disk Management to initialize.

GPT partition checking: First usable LBA and partition size check.

Incompatible software: Incompatible software must be uninstalled before installing Full Disk Encryption. For example, HP Drive Encryption and Dell Backup Recovery.
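
Several of the checks listed above can be confirmed from an elevated PowerShell prompt before TMFDEInstall.exe is run. The script below is an added example, not Trend Micro code and not the installer's own logic: it approximates the BitLocker, Secure Boot, fixed media, free space, memory, partition count, disk initialization and disk uniqueness checks with standard Windows cmdlets. It assumes PowerShell 5 or later, and it measures total free space, not contiguous free space.

```powershell
#Requires -RunAsAdministrator
# Added example (not Trend Micro code): approximates a subset of the documented
# pre-installation checks. The installer's own logic may differ.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$letter = $env:SystemDrive.Substring(0, 1)
$disk   = Get-Partition -DriveLetter $letter | Get-Disk   # disk hosting the system drive

# BitLocker must not be enabled on the system volume.
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $off = ($bl.VolumeStatus -eq 'FullyDecrypted') -and ($bl.ProtectionStatus -eq 'Off')
    Add-Check 'BitLocker is enabled' $off "$($bl.VolumeStatus), protection $($bl.ProtectionStatus)"
} catch {
    Add-Check 'BitLocker is enabled' $false "Could not query BitLocker: $($_.Exception.Message)"
}

# Secure Boot must be disabled; legacy BIOS firmware has no Secure Boot at all.
try {
    $sb = Confirm-SecureBootUEFI -ErrorAction Stop
    Add-Check 'Secure Boot' (-not $sb) "Secure Boot enabled: $sb"
} catch [System.PlatformNotSupportedException] {
    Add-Check 'Secure Boot' $true 'Legacy BIOS firmware, Secure Boot not available'
} catch {
    Add-Check 'Secure Boot' $false "Could not query Secure Boot: $($_.Exception.Message)"
}

$wmiDisk = Get-CimInstance Win32_DiskDrive -Filter "Index = $($disk.Number)"
Add-Check 'Fixed media' ($wmiDisk.MediaType -eq 'Fixed hard disk media') "$($wmiDisk.MediaType), bus $($disk.BusType)"

# Total free space only: 256 MB free is necessary but does not prove contiguity.
$free = (Get-Volume -DriveLetter $letter).SizeRemaining
Add-Check 'Free space' ($free -ge 256MB) ("{0:N0} MB free in total" -f ($free / 1MB))

$ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
Add-Check 'Memory' ($ram -ge 512MB) ("{0:N0} MB RAM" -f ($ram / 1MB))

$parts = @(Get-Partition -DiskNumber $disk.Number).Count
Add-Check 'Partition count' ($parts -lt 25) "$parts partition(s) on disk $($disk.Number)"

$raw = @(Get-Disk | Where-Object PartitionStyle -eq 'RAW')
Add-Check 'Check Not Initialized Disk(s)' ($raw.Count -eq 0) "$($raw.Count) uninitialized disk(s)"

$dupes = @(Get-Disk | Group-Object Model, SerialNumber | Where-Object Count -gt 1)
Add-Check 'Disks are distinguishable' ($dupes.Count -eq 0) "$($dupes.Count) duplicate model/serial group(s)"

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

A row with Pass set to False corresponds to a condition the installer would be expected to report in PreInstallCheckReport.txt; the installer's report remains the authoritative result.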