Automatically Starting Full Disk Encryption (FDE)

The Automatic Full Disk Encryption (FDE) feature will initiate Full Disk Encryption once the client has been installed on the target workstation. Usually a command would need to be sent from the Enterprise Server to a target workstation in order to start the Full Disk Encryption Process after activating a user.

In this mode, no credentials will be required to boot the system until the first user has activated. During activation the first user with a DESlock+ Pro licence on this workstation will be prompted to choose a password with which to boot the system. At which point the FDE username, recovery information and Admin FDE credentials will be visible in the Enterprise Server and the workstation will operate normally.

Although you can use DESlock+ FDE in this manner, it is strongly recommended that you activate a DESlock+ Pro licence as soon as possible to ensure the workstation is fully secured. Automatic FDE is not a replacement for starting FDE from the Enterprise Server as shown in the article below:

KB101 - How to encrypt a hard drive using a managed version of DESlock+?

It is designed to ensure the workstation is encrypted prior to user Activation, for example where a system administrator prepares the laptops before distributing to end users or if the end users are currently unknown.

Note: This feature is available from the Enterprise Server version 2.9.0 and Client Software version 4.9.0 and will only work when performed as a 'fresh' install, not an upgrade from a previous version.

What will be encrypted?

• Only the 'Boot' disk will be encrypted. If you have more than one disk to encrypt, the secondary disk will need to be encrypted manually.
• Only compatible Partitions with drive letters will be encrypted.

Step 1: Enabling the feature

• Open the DESlock+ Enterprise Server Program Files folder (Program Files (x86) on a 64bit OS).
• Edit config.cfg with a text editor.
• Add the following to the bottom of the file:  
      EnableAutoEncryptPolicy=true
• Save the file and Login to the Enterprise Server.

Step 2: Configuring the Workstation Policy

• Navigate to your workstation policy Full Disk Encryption settings. Please see the article below for more information:

KB229 - How do I modify workstation policy?

• Change the configuration of Automatically start encryption after installation to Yes.
• Enter the number of Password and Recovery attempts you wish the user to have at the pre-boot FDE login page.
• Enter the number of Recovery uses you wish the user to have.
• Enter an FDE Administrator Username by default this is set to 'admin'.
• Select whether you would like to enable the user with Single (Sign-On SSO) (Requires the user to be activated with Self Enrolment) Please see the article below for more information:

KB187 - What is Single Sign-On (SSO)?

Note: If you are using Self-Enrolment to activate workstations and have previously sent an FDE command to another machine, the FDE Administrator password that was used will be set as a default. If not, a randomly generated password will be created which can be seen in the FDE logins window. Please see the article below for more information:

KB316 - How do I change my Full Disk Encryption password?

Step 3: Install Client Software

• Install the Client software by pushing the install over a LAN or downloading an MSI from the Enterprise Server manually. Please see the article below for more information:

KB253 - Installing a managed version of DESlock+

• Once the software has installed, on reboot Safe Start will take place. Please see the article below for more information:

KB177 - What is DESlock+ Full Disk Encryption Safe Start

• The encryption process will then begin, indicated by the warning dialog and progress bar.

Step 4: Activation

Note: This step is not necessary if you have activated using Self Enrolment.

• You will then be required to supply the activation details.

KB216 - How do I activate a new client (Enterprise Server v2.5.2 or later)?

Step 5: Enter FDE pre-boot password details

Once you have entered the activation details you will be required to enter a pre-boot password. If you have Self Enrolment enabled and have chosen to set your user with an SSO type login, you will be required to verify your domain login credentials.

• Normal user dialog:

• SSO enabled dialog:

Kewords: auto start fde full disk encryption automatically automatic