Trend Micro Incorporated                              January 5th, 2024
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) Endpoint Encryption 6.0 - Full Disk Encryption
Patch 1 Update 3
English - Windows - 32-bit / 64-bit
Critical Patch - Build 3328
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents
================================================================
1. Overview of This Critical Patch Release
   1.1. Issues
   1.2. Files Included in This Release
2. Documentation Set
3. System Requirements
4. Installation
   4.1. Installing
   4.2. Uninstalling
5. Post-installation Configuration
6. Known Issues
7. Release History
8. Contact Information
9. About Trend Micro
10. License Agreement
================================================================

1. Overview of This Critical Patch Release
========================================================================

1.1. Issues
====================================================================
This Critical Patch resolves the following issue(s):

Issue 1: On endpoints using the UEFI boot method, the system may
         terminate the uninstallation process unexpectedly and
         generate an event log with the following information:

         Faulting application name: TMFDEUninstall.exe
         Faulting module name: FDEInstall.dll
         Exception code: 0xc0000005
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This Critical Patch updates the related modules to
            resolve this issue.

1.2. Files Included in This Release
====================================================================
There are no files included in this Critical Patch release.

2. Documentation Set
========================================================================
To download or view electronic versions of the documentation set for
this product, go to http://docs.trendmicro.com

- Online Help: The Online Help contains an overview of features and
  key concepts, and information on configuring and maintaining the
  product.
  To access the Online Help, go to http://docs.trendmicro.com

- Installation Guide (IG): The Installation Guide contains information
  on requirements and procedures for installing and deploying the
  product.

- Administrator's Guide (AG): The Administrator's Guide contains an
  overview of features and key concepts, and information on
  configuring and maintaining the product.

- Getting Started Guide (GSG): The Getting Started Guide contains
  product overview, installation planning, installation and
  configuration instructions, and basic information intended to get
  the product 'up and running'.

- Support Portal: The Support Portal contains information on
  troubleshooting and resolving known issues.

- To access the Support Portal, go to http://success.trendmicro.com

3. System Requirements
========================================================================
1. Trend Micro Endpoint Encryption 6.0 Full Disk Encryption Patch 1
   Update 3 Build 3204 - English - Windows - x32-x64

4. Installation
========================================================================
This section explains key steps for installing the Critical Patch.

4.1. Installing
====================================================================
This Critical Patch supports both complete Endpoint Encryption
installations and updates from existing installations.

To install:

1. Copy the "tmee_60_fde_win_criticalpatch_b3328.zip" file to a local
   folder.

2. Extract the Critical Patch file from
   "tmee_60_fde_win_criticalpatch_b3328.zip" to a local folder.

3. Run the "TMFDEInstall.exe" file.

If Endpoint Encryption 6.0 has already been installed on the endpoint,
the installer will update Endpoint Encryption with this Critical
Patch. If Endpoint Encryption has not been installed on the endpoint,
the installer will proceed to install Endpoint Encryption 6.0 onto the
endpoint.

Refer to Chapter 5, "Endpoint Encryption Agent Deployment", of the
"Installation Guide" for the complete installation procedure.

4.2. Uninstalling
====================================================================
Refer to Chapter 7, "Uninstalling Endpoint Encryption Agents", of the
"Installation Guide" for the complete uninstallation procedure.

5. Post-installation Configuration
========================================================================
No post-installation steps are required.

6. Known Issues
========================================================================
Known issues in this release:

#1 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot login may encounter reduced
   performance if the Wi-Fi adapter is connected to an access point
   with no network access to PolicyServer. This issue occurs when the
   PolicyServer IP address is used during Full Disk Encryption
   installation.

   Use the PolicyServer FQDN during installation to resolve the issue.

#2 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot Wi-Fi is unable to automatically
   detect access points with WEP-Shared security.

   Manually specify WEP-OPEN or WEP-PSK security.

#3 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot is unable to log on Windows 8,
   8.1, or 10 when installed on a virtual machine using VMWare
   Workstation with the e1000e Ethernet driver. The e1000e Ethernet
   driver is the default driver for Windows 8 and 8.1. Full Disk
   Encryption does not support the e1000e Ethernet driver.

   To resolve this issue, change the driver to e1000:

   * Shut down VMWare Workstation.
   * Using a text editor, open the vmware.vmx file.
   * Find the driver line:
       ethernet0.virtualDev = "e1000e"
   * Change "e1000e" to "e1000".
   * Save the file and restart the virtual machine.

#4 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption displays an error message and is unable to
   lock the system when the "LockDeviceTimeDelay" policy is 999999
   minutes.

#5 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption is unable to log on by single sign-on when the
   endpoint wakes from hibernation.

#6 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   When a user logs on Full Disk Encryption, the tray icon shows the
   correct user name. However, if the user logs off after the endpoint
   hibernates and another user logs on, the user name still shows the
   previous user name. No user data is at risk.

#7 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Toshiba Tecra computers with self-encrypting drives may be unable
   to run Windows after installing Full Disk Encryption.

#8 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot does not support combinations of
   characters with the "AltGr" key when using a Spanish keyboard
   layout.

#9 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot is unable to control the Num Lock
   indicator for some HP laptops. In those cases, the Num Lock
   indicator can be configured in the BIOS settings.

#10 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption does not support installation alongside other
   third-party full disk encryption products. If multiple encryption
   products are installed on the same endpoint, the endpoint may be
   unable to start Windows and may display a blue screen error
   message.

#11 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption Recovery Tool may encounter errors when
   logging on Zoom by single sign-on, or by using Google or Facebook
   accounts.
   To avoid this issue, only use Zoom to connect to meetings hosted by
   Trend Micro support. Do not attempt to host meetings through the
   Recovery Tool.

#12 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption is unable to install on the HP Probook 6570b,
   HP EliteBook Folio 9470m, and Dell Inspiron 7386 if the boot
   configuration for these endpoints is set to UEFI.

   To ensure successful installation, set the boot configuration to
   BIOS prior to installation.

#13 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption installer is unable to upgrade older Full
   Disk Encryption versions on devices where the system disk contains
   more than 8 extended partitions.

   To upgrade these devices to the 6.0 version, uninstall the old
   version first and then perform a clean install instead.

#14 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption may display an inaccurate percentage of
   completion if the value of the Encrypt Policy setting changes
   during encryption.

   To fix this issue, decrypt the whole disk and encrypt it again.

#15 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Disk conversion from MBR to GPT cannot be performed on a disk
   managed by Full Disk Encryption.

   To convert a managed disk from MBR to GPT, decrypt the whole disk
   first, and then detach the disk from Full Disk Encryption.
   Afterwards, perform the disk conversion as usual.

#16 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   During preboot, the Wire Network Configuration screen displays the
   hidden SSID \x00\x00\x00\x00\x00\x00\x00\x00.

#17 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   In rare cases, sectors may become corrupted if the power is cut off
   while encrypting.
   To prevent this issue, ensure that the power cord is connected
   during the initial encryption period of Full Disk Encryption.

#18 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Multiple device encryption complete messages from the same device
   appear in the audit log for a period of time.

   This is because Full Disk Encryption generates an "encryption
   complete" message to PolicyServer for encrypted disks whenever the
   Full Disk Encryption service restarts to ensure that the encryption
   status on server side is up to date.

#19 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption is incompatible with the PLEXTOR PX-128M5 Pro
   (old firmware). The encryption status of the disk is displayed as
   (NaN%) when the encryption starts.

#20 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption usually queries DNS suffixes from Windows and
   applies them in preboot. However, Full Disk Encryption only uses
   the first DNS suffix found.

   To minimize issues, ensure that the preferred DNS suffix is set as
   the first DNS suffix in Windows.

#21 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption may incorrectly mark the network information
   display of Windows XP VMware images with an (X). However, this is
   only a display issue. There is no impact on network connectivity.

#22 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   During preboot, the touchpad of an Acer V3-372 ASUS BU400A machine
   may be unresponsive.

   To solve this issue, change the touchpad setting in the firmware
   from Enhanced to Basic, or use an external USB mouse.

#23 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   When deploying Full Disk Encryption using the Endpoint Encryption
   Deployment Tool Plug-in, the Endpoint Encryption Deployment Tool
   Plug-in does not display the result of safety check (a new feature
   of Full Disk Encryption in 6.0).

   As a workaround, administrators can manually review the safety
   check result from Control Manager or the Endpoint Encryption MMC
   console.

#24 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption may encounter issues if installed on an ASUS
   BU400A machine using a UEFI SED configuration. This causes the
   firmware to delete the boot entry after the device has booted into
   Windows, which makes unlocking the self-encrypting drive difficult
   after the device is powered on again.

   To minimize issues, switch to BIOS with SED configuration, or UEFI
   with normal disk configuration. If the self-encrypting drive cannot
   be unlocked, administrators may use the recovery tool to unlock the
   drive after authentication.

#25 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   WiFi SSID settings deployed from Control Manager do not support
   angle brackets (< >).

   Remove angle brackets from the WiFi SSID settings.

#26 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot does not support the network port
   of the Microsoft Surface Dock. However, the Full Disk Encryption
   preboot supports the built-in Wi-Fi found on the Surface Pro 3 and
   Surface Pro 4.

   To establish a connection to PolicyServer, configure the Full Disk
   Encryption Preboot to use the built-in Wi-Fi.

#27 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption does not provide support for Microsoft
   Surface Pro 7.

   To use Full Disk Encryption on these endpoints, install Encryption
   Management for Microsoft Bitlocker.

#28 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Installation of Full Disk Encryption may cause the endpoint to
   require more time to resume from hibernation. On average, time to
   resume from hibernation may take 80 seconds for BIOS-configured
   endpoints, and 30 seconds for UEFI-configured endpoints.

#29 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   If the Full Disk Encryption database of a data disk becomes
   corrupt, the data disk becomes inaccessible in Windows.

   To resolve this issue, use the Full Disk Encryption recovery tool.
   The Full Disk Encryption recovery tool reports the disk as "Not an
   FDE disk", but will still automatically repair the database on the
   data disk. If the issue persists, contact Trend Micro support for
   data recovery.

#30 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption is unable to complete installation on Lenovo
   Think Station P410 endpoints if the boot configuration is set to
   UEFI.

   To ensure successful installation, set the boot configuration to
   BIOS prior to installation.

#31 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   Full Disk Encryption is incompatible with some Dell Optiplex 980
   models.

   To use Full Disk Encryption on these endpoints, install Encryption
   Management for Microsoft Bitlocker.

#32 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   For NVMe disks, Full Disk Encryption displays the "Failed to find
   FDE Device" error message if the firmware's SATA Operation setting
   is set to RAID on.

   To resolve this issue, switch the firmware's SATA operation setting
   to AHCI, and then install Full Disk Encryption again.

#33 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3204]
   The Full Disk Encryption preboot is unable to display the network
   card information of an ASUS T100TA. However, the network connection
   still works.

#34 Known issue:
   [Reported at: TMEE 6.0 Full Disk Encryption Patch 1 Update 3 B3304]
   Machines on legacy boot do not support new devices.

   Since Hotfix 3301, machines running the legacy boot no longer
   support new devices.

7. Release History
========================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

Prior Hotfixes
====================================================================
Only this Critical Patch was tested for this release. Prior hotfixes
were tested at the time of their release.

[Critical Patch 3323]

Issue 1: A vulnerability in Trend Micro Endpoint Encryption Full Disk
         Encryption version 6.0.0.3204 and below could allow an
         attacker with physical access to an affected device to bypass
         Microsoft Windows’ Secure Boot process in an attempt to
         execute other attacks to obtain access to the contents of the
         device.

         An attacker must first obtain physical access to the target
         system in order to exploit this vulnerability. It is also
         important to note that the contents of the drive(s) encrypted
         with TMEE FDE would still be protected and would NOT be
         accessible by the attacker by exploitation of this
         vulnerability alone.

         IMPORTANT NOTE: Due to the nature of this vulnerability, at
         some point in the next few months Microsoft will be adding
         vulnerable TMEE FDE builds to the Secure Boot Forbidden
         Signature Database (DBX) that will prevent certain UEFI
         modules from loading. It is imperative that customers apply
         this latest Critical Patch as soon as possible to prevent any
         potential impact on their users.

         https://success.trendmicro.com/dcx/s/solution/000292473
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: Trend Micro has released the following solutions to
            address the issue:

            Full Disk Encryption Critical Patch 3323

            These are the minimum recommended version(s) of the
            patches and/or builds required to address the issue.
            Trend Micro highly encourages customers to obtain the
            latest version of the product if there is a newer one
            available than the one listed in this bulletin.

[Hotfix 3318]

Issue 1: On Acer TravelMate P215-53G, the system displays a disk move
         warning message when the Full Disk Encryption service is
         started and may not be able to access the disk that is
         encrypted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix updates the related modules to resolve the
            hardware compatibility issue.

[Hotfix 3314]

Enhancement 1: This hotfix enables version 6.0 of Trend Micro Endpoint
               Encryption to support the trackpoint and touchpad on HP
               ZBook Fury 15.6 inch G8 Mobile Workstation PC.

[Hotfix 3313]

Issue 1: When users click "Decrypt Disk" in the recovery console, the
         decryption progress bar becomes unresponsive.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix updates the decryption module to resolve the
            issue.

[Hotfix 3311]

Issue 1: Users are not able to change the user account password
         successfully using the Remote Help feature.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: This hotfix enables normal users to change passwords using
            the Remote Help feature when the agent is online.

            Note 1: Administrators and authenticators cannot change
                    passwords using the Remote Help feature.

            Note 2: To make this change take effect, make sure you are
                    using Policy Server 6.0.0.3079 or later versions.

Issue 2: The Policy Server may not display all device attribute
         information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: This hotfix updates the policy synchronization process to
            resolve this issue.

[Hotfix 3304]

Enhancement 1: This hotfix enables version 6.0 of Trend Micro Endpoint
               Encryption to support the following Ethernet and Wi-Fi
               devices for machines that use UEFI boot:

               - Intel Ethernet Connection (10) I219-LM
                 PCI 8086:0d4e
               - Intel Ethernet Connection (10) I219-V
                 PCI 8086:0d4f
               - Intel Ethernet Connection (11) I219-LM
                 PCI 8086:0d4c
               - Intel Ethernet Connection (11) I219-V
                 PCI 8086:0d4d
               - Intel Ethernet Connection (13) I219-LM
                 PCI 8086:15fb
               - Intel Ethernet Connection (13) I219-V
                 PCI 8086:15fc
               - Intel Wi-Fi 6 AX201 160MHz
                 PCI 8086:a0f0:8086:0074
               - Intel Wi-Fi 6 AX210 160MHz
                 PCI 8086:2725:8086:0020
               - Intel Wi-Fi 6 AX1650i 160MHz
                 PCI 8086:a0f0:1a56:1651
               - Realtek RTL8821CE PCIe Wireless Network Adapter
                 PCI 10ec:c822:103c:85f7

Enhancement 2: This hotfix enables version 6.0 of Trend Micro Endpoint
               Encryption to support single NVMe SSDs with an Intel
               Volume Management Device (VMD) controller.

Enhancement 3: This hotfix enables version 6.0 of Trend Micro Endpoint
               Encryption to support the Elantech touchpad for HP 250
               G8 Notebook PC.

8. Contact Information
========================================================================
A license to Trend Micro software usually includes the right to
product updates, pattern file updates, and basic technical support for
one (1) year from the date of purchase only. After the first year, you
must renew Maintenance on an annual basis at Trend Micro's
then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to
download evaluation copies of Trend Micro products.

https://www.trendmicro.com/en_us/contact.html

NOTE: This information is subject to change without notice.

9. About Trend Micro
========================================================================
Smart, simple, security that fits. As a global leader in IT security,
Trend Micro develops innovative security solutions that make the world
safe for businesses and consumers to exchange digital information.

Copyright 2024, Trend Micro Incorporated. All rights reserved.
Trend Micro, the t-ball logo, OfficeScan, Trend Micro Security (for
Mac), Control Manager, Trend Micro Apex One, and Trend Micro Apex
Central are trademarks of Trend Micro Incorporated and are registered
in some jurisdictions. All other product or company names may be
trademarks or registered trademarks of their owners.

10. License Agreement
========================================================================
View information about your license agreement with Trend Micro at:
https://www.trendmicro.com/en_us/about/legal.html

Third-party licensing agreements can be viewed:

- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide