Views:
Parent topic: Encryption Management for Microsoft BitLocker Installation

Installing the Encryption Management for Microsoft BitLocker Agent

To install Encryption Management for Microsoft BitLocker, perform the following procedure.
  1. Verify that all of the agent installation prerequisites have been completed.

    See Agent Installation Prerequisites.

  2. Verify that the hard disk is not already encrypted and that no other full disk encryption product is installed.
  3. Run a hard drive integrity utility on the system drive.

    For example, to run the Windows utility Check Disk, open a command prompt and run chkdsk /f /r. Windows will perform Check Disk on the next restart.

    If bad sectors are found, fix or replace the hard drive depending on your enterprise hardware policy.

  4. Defragment the system drive.
  5. Copy the installation files to the system drive.
  6. Run TMFDEInstall_MB.exe.
    Note:

    If the User Account Control windows displays, click Yes to allow the installer to make changes to the Endpoint Encryption device.

  7. Specify the following PolicyServer information:
    Option Description

    Server name

    Specify the PolicyServer IP address, host name, or FQDN and include the port number assigned to that configuration.

    Enterprise

    Specify the Enterprise. Only one Enterprise is supported.

    User name

    Specify the user name of an account with permission to add devices to the Enterprise.

    Password

    Specify the password for the user name.
  8. Click Install.

    Encryption Management for Microsoft BitLocker installation begins. After a moment, the installation completes and the installer closes.

  9. Go to the system tray and click the icon to open the Encryption Management for Microsoft BitLocker agent.
    Note:

    For information about understanding and managing the Endpoint Encryption agent, see the Endpoint Encryption Administrator's Guide.

Creating a System Partition with Microsoft BitLocker

Encryption Management for Microsoft Bitlocker requires separate boot and system partitions on the local endpoint. On Microsoft Windows 7 and later versions, a system partition and a boot partition are both typically created during the installation process. If you attempt to install or upgrade Encryption Management for Microsoft Bitlocker and receive an error regarding system and boot partitions, you may need to create a system partition.

Perform the following procedure to check whether the endpoint has separate boot and system partitions. If the endpoint does not have separate partitions, this procedure also shows how to use BitLocker Drive Encryption to create a system partition.

  1. Verify whether your endpoint has separate system and boot partitions.
    1. Open the Windows Start menu.
    2. Type diskmgmt.msc to open the Computer Management window.

      The following is an example of an endpoint that contains separate system and boot partitions:



      Warning:

      If you attempted to install or upgrade Encryption Management for Microsoft Bitlocker and received an error regarding system and boot partitions, check Computer Management. If you find that you already have separate system and boot partitions, do not continue this task. Contact Trend Micro Support.

      The following is an example of an endpoint that contains a combined system and boot partition:



      If your system and boot partitions are both in the same disk, continue the rest of this procedure.

  2. If you already have an Encryption Management for Microsoft BitLocker agent on your endpoint, uninstall the agent.

    This step is only necessary if you were attempting to upgrade Encryption Management for Microsoft BitLocker to a newer version.

  3. Back up critical files in your primary drive.
    Important:

    The following steps include using BitLocker to change the structure of your primary drive. Any changes to system structure may result in errors. Trend Micro strongly recommends backing up important files before continuing.

  4. Turn on BitLocker.
    1. From the Windows Start menu, go to Control Panel > System and Security > BitLocker Drive Encryption.
    2. Click Turn on BitLocker.


    The BitLocker Drive Encryption window appears.

  5. To create the system partition, follow the on-screen instructions in the BitLocker Drive Encryption window.

    Creating the system partition may take a long time depending upon the drive size.

  6. Restart your endpoint.

    After restarting your endpoint, BitLocker will display the following screen:



  7. Click Next.

    BitLocker will request that you back up your recovery key.

  8. Click Cancel to close BitLocker Drive Encryption.
    Tip:

    Endpoint Encryption will create a recovery key during the encryption process, so backing up the recovery key at this point is unnecessary.

    The system partition has been created.

    At this point you may re-install the Encryption Management for Microsoft BitLocker agent.

Troubleshooting Password and Encryption Issues

After installing Encryption Management for Apple FileVault and restarting the endpoint, Apple FileVault attempts to encrypt the disk.

If the password specified during installation did not match the specified user account, the following window appears:

  • For endpoints with hard drives not using APFS (Apple File System), restart the endpoint again after specifying the correct password. If the password was the issue, Apple FileVault encrypts the endpoint after restarting.

  • For endpoints running Mac OS High Sierra (10.13) with SSDs using APFS, a restart is not required. Apple FileVault encrypts the endpoint after specifying the correct password.

If this problem persists, or if the encryption status displays that the endpoint is not encrypting, then another issue is restricting Apple FileVault functionality. Do the following procedure to determine the location of the issue and whether to send the issue to Trend Micro Support.

  1. From the Apple menu, go to Security & Privacy > FileVault.
  2. If the lock icon is locked, click the lock icon to make changes.
  3. Click Turn On FileVault....

    A window appears that asks for your password.

  4. Type your password and click Start Encryption.

    If your user account has permission to turn on FileVault, your credentials are correct, and FileVault is working properly, FileVault begins encrypting the disk.

  5. If FileVault encounters any issues during encryption after this point, take relevant screenshots of those issues and contact Trend Micro Support.