DriveLock Disk Protection

Disk Protection and DriveLock Operations Center (DOC)

The information about the status of encrypted hard disks in the DOC does not show the proper values if the hard disks have been encrypted with DriveLock Disk Protection rather than BitLocker. Up to and including DriveLock 2019.2, we recommend that Disk Protection customers use DriveLock Control Center functionality to monitor their system environment.

Up to and including DriveLock 2019.2, we recommend that Disk Protection customers use DriveLock Control Center functionality to monitor their system environment.

Inplace Update to Windows 10 1903

If you have enabled a certain number of automatic logins for the PBA (dlfdecmd ENABLEAUTOLOGON <n>) before updating to a current Windows 10 version, the automatic logon is active throughout the upgrade process. However, since the counter <n> cannot be updated during the process, we recommend that you only set it to 1, so that the user logons in the PBA are required again immediately after the Windows Inplace Upgrade.

If you want to disable user logins to the PBA during the update process, reset the counter to 1, so that the automatic login only takes place once after the update and after a restart and the users must login to the PBA after that.

Antivirus software

Antivirus protection software may cause the DriveLock Disk Protection installation to fail if the antivirus software quarantines files in the hidden C:\SECURDSK folder. If this occurs, please disable your antivirus protection for the duration of the Disk Protection installation. We recommend that you configure your virus scanner with an exception for the folder.

Application Control

We strongly recommend that you disable Application Control as long as it is active in whitelist mode for the duration of the Disk Protection installation to prevent programs required for the installation from being blocked.

Hibernation

Hibernation will not work while a disk is encrypted or decrypted. After complete encryption or decryption windows has to be restarted once to make hibernate work again.

UEFI mode

Not all hardware vendors implement the complete UEFI functionality. The UEFI mode must not be used with UEFI versions lower than 2.3.1.

The new PBA available with 2019.2 is currently only available for Windows 10 systems, because the Microsoft driver signatures required for the hard disk encryption components are only valid for this operating system.

Pre-boot authentication (PBA) for UEFI mode does not yet generically support all PS/2 devices.

With VMWare Workstation 15 and also with a few hardware manufacturers, our test results revealed conflicts with mouse and keyboard drivers of the UEFI firmware, so that keyboard input in the PBA is not possible. By pressing the "k" key, you can prevent the Drivelock PBA drivers from loading once when starting the computer. After you log on to Windows on the client, you can then run the dlsetpb /disablekbddrivers command from an administrator command line to permanently disable the Drivelock PBA drivers. Please note that the standard keyboard layout of the firmware is loaded in the PBA login screen, which generally has an EN-US layout, meaning that special characters may differ.

Note the following information:

  • DriveLock 7.6.6 and higher supports UEFI Secure Boot.
  • If you update the firmware, the NVRAM variables on the mainboard that DriveLock requires may be deleted. We strongly recommend that you install the firmware updates for the mainboard /UEFI before installing DriveLock PBA / FDE ( this also applies to recently purchased devices or to bug fixes).
  • A 32 bit Windows operating system or 32 bit DriveLock cannot be installed on 64 bit capable hardware. Please use a 64 bit version of a Windows operating system and DriveLock instead.
  • There is still a limitation to disks up to a maximum of 2 TB disk size.
  • On some HP PCs Windows always will be set to position one again in the UEFI boot order and the DriveLock PBA has to be selected manually from the UEFI boot menu. In this case fast boot has to be switched off in UEFI to keep the DriveLock PBA at position one.
  • Windows 10 Version 1703 (Creators Update) can remove the DriveLock boot entry from the UEFI boot menu while shutting down or when hibernating. Therefore the DriveLock PBA will no longer boot at the next startup and Windows cannot boot from the encrypted system hard disk. In August 2017 Microsoft released Update KB4032188 which resolves this issue. Update KB4032188 will be installed automatically by Windows or can be downloaded manually: download link.
    Check if update KB4032188 or any later update that replaces KB4032188 is installed before you install DriveLock Disk Protection for UEFI.
    When upgrading to Windows 10 Version 1703 where DriveLock Disk Protection for UEFI is already installed, add update KB4032188 to the Creators Update before you upgrade.

BIOS mode

On a small number of computer models the default DriveLock Disk Protection pre-boot environment configuration may not work correctly and cause the computer to become unresponsive. If this occurs turn off the computer and restart it while pressing the SHIFT-Taste key. When prompted select the option to use the 16-bit pre-boot operating environment.

Due to an issue in Windows 10 Version 1709 and newer, DriveLock Disk Protection for BIOS cannot identify the correct disk if more than one hard disk is connected to the system. Therefore Disk Protection for BIOS is not yet released for Windows 10 1709 systems with more than one hard disk attached until Microsoft provides a fix for this issue.

An additional technical whitepaper with information on updating to a newer Windows version with DriveLock Disk Protection installed is available for customers in our Support Portal.

Workaround for Windows Update from 1709 to 1903 while encrypting drive C: with Disk Protection:

Reference: EI-686)

  1. Decrypt drive C:
  2. Update Windows 10 from 1709 to 1903
  3. Encrypt drive C:

Requirements for Disk Protection:

Disk Protection is not supported for Windows 7 on UEFI systems.

Restart after installation of PBA on Toshiba PORTEGE Z930:

Reference: EI-751)

After activating Disk Protection with PBA and restarting the above-mentioned notebooks, Windows cannot be started and so the notebook cannot be encrypted. Our team is working on a solution.

Workaround for DriveLock update from 7.7.x with Disk Protection with PBA enabled to version 2019.2 or newer

First, update from 7.7.x to version 7.9.x. Only then do you update to version 2019.2. Please contact our support for further questions.