dxw Contributor.
Contributor.
3508 views

FDE error

I have 3 pcs that have the fde policy assigned that do not seem to encrypt the hatd drive. It has worked on 58 other pcs but fails on 3 pcs. I have removed the zenworks agent and re-installed but it fails with the following
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Create Script** Policy is being applied****
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Create FDE Script: Initialize Pre-boot loader and partition/DoFDEInit** Policy is being applied****
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Process Script** Policy is being applied****
11/28/2017 15:22:59.000 Initialize Pre-boot loader and partition Process Script 0xfffffffb, BERR_INTERNAL - BERR_INTERNAL: Internal program error or assertion
failure -5 (0x)* Policy is being applied****
11/28/2017 15:22:59.000 End initialization of FDE*** Policy is being applied* ***
11/28/2017 15:22:59.000 Allow Next policy: ApplyFDEPolicy, no policy*** Policy is being applied*
0 Likes
11 Replies
Not applicable

Re: FDE error

What is the following setting for your FDE policy:
"Enable software encryption of Opal compliant self-encrypting drives" option is unchecked?

What version of ZENworks are you on?

Are you using RAID (software), Secure Boot, NVMe?
0 Likes
dxw Contributor.
Contributor.

Re: FDE error

Zcm 2017 update 1
no raid drives but the tick box is greyed out
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: FDE error

#1 - On a GOOD System...how many partitions do you see in Disks Manager (Take note of the sizes)
#2 - How many on the bad?

FDE needs to SHRINK the Drive, then Create a Small Partition...This seems to be failing by the log......

If there are already 4, it will not be able to create a 4th.
If less than 4....Try "Shrinking" manually....I've seen cases where "SHRINK" fails even manually....this would something that would need to be resolved 1st....outside of ZCM to see why Windows cannot perform this operation....
0 Likes
dxw Contributor.
Contributor.

Re: FDE error

it only allows me to shrink by 16mb, any suggestions to fix. It has 3 partitions one of which is a recovery partition which I can remove. Is it worth doing this?
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: FDE error

dxw;2471053 wrote:
it only allows me to shrink by 16mb, any suggestions to fix. It has 3 partitions one of which is a recovery partition which I can remove. Is it worth doing this?


#1 - Check Free Space...If you have lots of Free Space, it SHOULD allow you to shrink more.
If you HAVE lots of disk space, you can try googling "unable to shrink drive c"
There should be lots of hits....sometimes they help but not always.....
In theory the root cause is that there is an unmovable system file at the end of the partition and if you remove that, it should let you shrink.
Setting Swapfile size to 0, Disabling Hibernate, rebooting and removing any remain leftover swap/hibernate file may do it.
There are other tips as well....

Does this always work? Nope...but sometimes.....

#2 - I would take great caution in deleting the Recovery Partition.....Often that has boot-loader ties...........

#3 - Shrinking the OTHER partition may help......if there is sufficient free space there..........
0 Likes
kabigabor
New Member.

Re: FDE error

Hi,
I came accross with the same error message. What I've found is Sophos Exploit Prevention has blocked C:\Windows\NAC\fdeinit.exe process.
If you have any similar product running (for eg. Palo Alto Traps, etc) may worth to look into it.

Gábor

dxw;2470903 wrote:
I have 3 pcs that have the fde policy assigned that do not seem to encrypt the hatd drive. It has worked on 58 other pcs but fails on 3 pcs. I have removed the zenworks agent and re-installed but it fails with the following
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Create Script** Policy is being applied****
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Create FDE Script: Initialize Pre-boot loader and partition/DoFDEInit** Policy is being applied****
11/28/2017 15:22:54.000 Initialize Pre-boot loader and partition Process Script** Policy is being applied****
11/28/2017 15:22:59.000 Initialize Pre-boot loader and partition Process Script 0xfffffffb, BERR_INTERNAL - BERR_INTERNAL: Internal program error or assertion
failure -5 (0x)* Policy is being applied****
11/28/2017 15:22:59.000 End initialization of FDE*** Policy is being applied* ***
11/28/2017 15:22:59.000 Allow Next policy: ApplyFDEPolicy, no policy*** Policy is being applied*
0 Likes
lxzndr Super Contributor.
Super Contributor.

Re: FDE error

Having the same issue here on new windows 10 1709 systems. Windows only shows 2 partitions in GUI, but Diskpart shows 4 partitions - which windows will always autocreate during install.

These are also UEFI bios systems. running Zenworks 2017u2 on primary and new agent install.

If I do a new install and leave more than 500mb (502?) available during windows setup partitioning (custom install) then it will work.
otherwise it appears the issue in that you can't shrink a windows 10 SSD c: partition using windows tools. Found various references to that being a problem and saying you need to so use some other partition utility. It appears that w10 shrink requires defrag service - which isn't part of the clean install on a SSD drive. I have not tested resizing a HDD as we have moving towards strictly SSD on all workstations.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: FDE error

Yes, There will need to be free Space to create partition for use by FDE.
Yes, Shrink Requires the Degrag Service which handles Defrag on Platter Drives and TRIM on SSD Drives.
(Windows can detect drive type....)

Could try configuring your Windows 10 Install to leave free space or create your Image on a VM so it installs the service.
I'd definitely make sure I was using install Media from Microsoft and not a Vendor.......
0 Likes
lxzndr Super Contributor.
Super Contributor.

Re: FDE error

they don't like to make it easy....

I did find the issue. defragsvc service is now displayed as Optimize Drives, and is sometimes disabled.
Also appears that it can need as much as 509MB.
I will check into modifying the windows installer to leave free space. Have only been using MS media and always performing a clean install on systems, even new ones get full wipe and replace.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: FDE error

If you find that the issue is related to the service being disabled, I would open an SR.
This is something that could be handled in code......
(If Disabled, Enable...Shrink....Disable...)

Thanks for the feedback, disabled makes more sense than gone......

I will try and test in my lab....
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: FDE error

Also Read...
https://www.howtogeek.com/256859/dont-waste-time-optimizing-your-ssd-windows-knows-what-its-doing/

If the install or some policy is setting the "Optimize" Service to disabled.....
Then use a bundle or policy to fix that....
The "Optimize" Service is very important for SSD drives to operate well.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.