Seqrite Pre-Boot (Boot-time) prompt for password disappeared or password does not ask for login.
Windows directly goes into Automatic Repair mode.
It might happen that Windows Update or third-party utilities replaced or removed the Seqrite Volume Encryption loader.
If the installed SEM is removed, then boot-time prompt for password does not appear when the computer is powered on and Windows goes directly into Automatic Repair mode.
- User must create USB rescue to recover the Seqrite pre-boot/Boot-time prompt.
- To create rescue USB from Seqrite Encryption Manager portal, follow these steps:
- Log on to Seqrite Encryption Manager portal.
- From the left pane, select the affected computer.
- In computer page, click Recovery options. `
- In Recovery options dialog, select the Computer / volume on fixed media option and click Next.
- In new dialog, select the Encrypted computer won't boot and click Next.
- Select the authentication method as Use user password and click Download recovery.
- Extract the downloaded Recovery file.
- Connect the USB drive.
- Run the rb_creator.exe and click OK. Your USB rescue is ready.
- Boot your affected computer using USB rescue. The Rescue USB will:
- Check for installed Seqrite pre-boot/Boot-time UEFI Loader.
- Check status of the Loader.
- Recover the Loader if required.
- To continue with the process, press Y.
- Seqrite Volume Encryption will check consistency of Seqrite Boot Loader and re-install it, if required.
In case of “Manage locally” policy, user is not able to encrypt or decrypt volumes because Encrypt Volume/Decrypt Volume options on Volume menu appears dimmed.
Seqrite Volume Encryption is not running in Administrator mode.
- Run Seqrite Volume Encryption in Administrator mode.
- To run the SVE software in Administrator mode, follow these steps:
- On the client computer, click Start > Seqrite Volume Encryption.
- Right click Seqrite Volume Encryption.
- Click More > Run as administrator.
In case of Manage locally policy, What is Recovery/System Reserved/Windows RE partitions; Why we need to encrypt these partitions?
In case of Manage locally policy, the Recovery/System Reserved/Windows RE partitions are as follows:
Recovery partition: The Recovery partition contains a system image that would allow you to reset your computer to manufacturer settings, if required. This partition does not contain any user data unless you have configured the system or some third-party software to use it. For example, it can be used to create shadow copies or backups. If you have not configured it accordingly, then it is not necessary to encrypt this partition.
Reserved partition: According to https://en.wikipedia.org/wiki/Microsoft_Reserved_Partition, the System Reserved partition serves two functions. First, it holds the Boot Manager code and the Boot Configuration Database. Secondly, it reserves space for the start-up files required by the BitLocker Drive Encryption feature. It does not contain any sensitive data, but few standard boot files including the Seqrite Volume Encryption bootloader. It is up to you whether you want to encrypt it or not. The system operates smoothly in both the cases.
Windows RE (Recovery Environment): The Windows RE (Recovery Environment) is a partition from where your PC boots in case its normal boot process fails. It contains number of recovery tools allowing you to recover (both manufacturer settings or a restore point) or troubleshoot the OS. According to Microsoft, it does not contain any user data either. It is your choice whether you want to encrypt it or not.
What is the use of Mount at Boot time or Mount at Logon option?
Mount at Boot time: When Mount at Logon option is enabled on SVE, all the volumes on your computer gets mounted when you open the Seqrite Volume Encryption software. To enable this option, the system volume should be encrypted.
Mount at Logon: When Mount at Boot time option is enabled for all the encrypted volumes on your computer, then the volumes get mounted when your computer starts to boot. This option is available only if boot/system volume is encrypted.
Encrypted volume will be mounted or become accessible only if the user provides correct password.
Note: Both options are not applicable for system/boot volume.
How to access encrypted USB drive on a computer where Seqrite Volume Encryption is not installed?
- You need to download the Traveller kit file from www.seqite.com, and perform the following steps:
- Download and extract the Traveller_Kit file on your computer/laptop, which doesn’t have SVE installed on it.
- Connect the encrypted USB drive.
- Run the bcfmgr.exe
- Right click the USB drive.
- Click the Mount option.
- Enter the password.
- USB drive will be mounted and become accessible.
How to disable pre-boot/Boot-time temporarily?
- You can disable pre-boot/Boot-time password temporarily by using Suspense Protection option and temporarily suspend the client protection.
- To disable pre-boot/boot-time authentication, the Administrator can follow these steps:
- Log on to Seqrite Encryption Manager portal.
- In the left pane, select the computer.
Note: To suspend the protection of any computer, the computer must be encrypted.
- On the Computer page, select the Suspend protection check box.
- The user will not receive the pre-boot/Boot-time prompt.\
Warning: Admin should not perform this action unless it is really a requirement, as this action suspends the SVE protection.
Does Seqrite Volume Encryption support tablet/Surface?
Yes, Seqrite Volume Encryption supports tablet and Surface, but user must connect the keyboard to enter the pre-boot/Boot-time password at the boot time.
Unfortunately, touchscreen keyboard drivers are not loaded in the pre-boot environment, where Seqrite Volume Encryption prompts for authentication. However, if the keyboard is attached, the user can authenticate the tablet/Surface.
How to upgrade Seqrite Encryption Manager 1.1 to latest version?
You can upgrade Seqrite Encryption Manager to the latest version in the following ways:
- Manual upgrade with setup file
- Upgrade through updates
Manual SEM upgrade using setup file
When you have the SEM setup file, you can do the manual upgrade.
- On your computer, run the higher version of SEM setup file.
- In the Welcome setup dialog, click Next.
- Select the I accept the Agreement and consent check box and click Next.
- In SEM setup dialog, click Finish. Seqrite Server Monitor dialog will be displayed.
- To start SEM Console in a Web browser, click Start Server.
SEM upgrade through update
With update, you can upgrade to the higher SEM version. The updates provide you with the options to frequently check for updates and, set time to automatically install the higher version of the SEM application whenever available.
To automatically upgrade SEM with the help of updates:
- Log on to the SEM portal and click Administration.
- In left pane, click Software update. Whenever the upgrade is available, a notification will be displayed next to Software update and the “Update now” button will be enabled on the page.
- On the Software Update page, click Update now.
- If you have already configured the Check for updates and Install automatically at check boxes, then the upgrade of all the applications will be done as per the configuration.
- In the Upgrade information dialog, click Update.
- The upgrade of Seqrite Encryption Manager server will start, and the server will not be available to the client computers until the server resumes the services. You need to reload the page again after some time.
How to reset/recover Seqrite Encryption Manager Web console login password?
To change your account password, another user with Administrator rights can reset your password as follows:
- The first Administrator should access the SEM login page and click the Forgot password link. Password reset request is raised and is sent to the second Administrator.
- The second Administrator has to log in to SEM console and click Administration > Accounts. The Change Password link gets active for the second Administrator.
- The second Administrator should click Change Password. The Change Password dialog is displayed.
- Create new password and confirm the password. The password is reset for the first Administrator.
How to change master password?
To change master boot password, follow these steps:
- On the computer, run Seqrite Volume Encryption (SVE) as an Administrator.
- To run SVE as an administrator, follow these steps:
- Click Start > Seqrite Volume Encryption > right-click Seqrite Volume Encryption > click More > Run as administrator.
- After enabling administrator mode, SVE opens.
- On menu, click Volume > Manage boot passwords > Change master boot password.
- Note: To change the master boot password, make sure the volumes are encrypted. Otherwise, all the options for Manage boot passwords will appear dimmed.
- After changing the master boot password, enter the current password for the volume, and then enter new password twice for verification.
How to configure multiple users' login with different pre-boot password?
You can create additional boot passwords only when volumes are encrypted and that means that master boot password is already created.
To create multiple users’ login with different pre-boot passwords, follow these steps:
For example: Creating boot password for four users. In this scenario, one master boot password is already created, and you can create three additional boot passwords.
- Open Seqrite Volume Encryption.
- On menu, click Volume > Manage boot passwords > Add boot password.
- Enter master boot password.
- In new dialog, enter new boot password and confirm the password, and click OK.
- To create additional boot passwords for more two users, repeat above steps.
- The boot password is created for multiple users.
How to configure SSO for single or multiple users (max 4 user)?
To configure SSO for single or multiple users, you can apply Encrypt / Manage locally policy and enable the SSO option in the policy.
Enabling SSO option for single client computer
- Log on to SEM console.
- In the left pane, select the computer.
- On the computer page, select the Use individual encryption policy option and click the policy.
- In Select encryption policy dialog, choose the SSO option and click Apply.
- In the left pane, the computer with individual policies are marked with the gear icon.
- Note: If the SEM Admin applies the Manage locally policy for a single client computer from SEM console, then the client user gets the privilege to configure the SSO on their computer.
Enabling SSO option for a group
You can enable SSO option for multiple client computers by creating a group and applying an encryption policy to it.
- Log on to SEM console.
- In the left pane, select the group name to which you want to apply the encryption policy.
- In Group settings, click the current encryption policy name.
- In Select encryption policy dialog, in Select policy list, choose the SSO policy.
- Click Apply.
What is FailSafe mode?
The Failsafe mode is an additional layer of security provided by Seqrite Volume Encryption (SVE). It protects your data from unauthorized access or any intruder. The Failsafe mode gets enabled, when the user enters the wrong pre-boot password for 10 times. In such scenario, you may need to recover or change the boot password of your computer.
How to Disable/Turn Off FailSafe mode?
To disable the Failsafe mode, you need recovery/administrator password. You can generate the recovery/administrator password as follows:
- Log on to SEM console.
- In the left pane, select the client computer. On the computer page, click the Recovery Options. The following dialog appears:
- Select Computer / volume on fixed media option and click Next.
- In the new dialog, select Password is lost / Forgotten/ Failsafe Mode option and then click Next.
- The recovery/administrator password will be generated, which can be used to boot the computer and disable the Failsafe mode.
What are different SEM policies?
The default SEM policies are as follows:
- Encrypt: With this policy, you can encrypt local volumes and removable devices.
- Decrypt: With this policy, you can decrypt the client computers or the removable devices.
- Encrypt fixed drive: With this policy, you can encrypt the fixed drives.
- SVE None: This policy is applicable for those client computers, which were synced with SEM console with the help of Active Directory.
- You can define encryption policies with different actions for fixed drives and removable devices, and by using appropriate encryption algorithms.
- Fixed drive action: Helps to perform different actions on fixed drives, as follows:
- Encrypt: When you apply this policy, you ask the user on the client computer to enter a password and start the encryption process. With this policy, all the local volumes will be encrypted. However, the mapped network drives will not be encrypted.
- Decrypt: When you apply this policy, you initiate the decryption process on the client computer.
- Manage locally: With this option, you give the rights to the user to manage the encryption process on the local computer.
- Encrypt volumes without drive letter (mount points): You can select this check box, if you want to encrypt the mount points.
- Removable devices: With this option, you can configure different settings for removable devices in a policy.
- Encrypt: When this check box is selected and a removable device (i.e. a USB drive) is connected to the computer, the user will be asked to enter a password and start the encryption of removable device. If the user refuses to encrypt, then the access to the removable device will be restricted. The restriction on the removable device will be read-only or blocked depending on the other selected options.
- When this check box is not selected, the user will not be forced to encrypt the removable device.
- For an encrypted removable drive, the user can enter the password either to decrypt or continue using it.
- Read-only access if media is not encrypted: You can select this option to provide read-only access to the removal device if the user resist to encrypt the removable device.
- Block access if media is not encrypted: You can select this option to block complete access to the removal device if the user resist to encrypt the removable device.
- Encryption algorithm: You can use different encryption algorithms to manage the policies, such as AES, RC6, Twofish, and Serpent.
- Single Sign On Action: The SEM Administrator can apply Single Sign On policy on the endpoints using the Single Sign On actions such as:
- User Control: With this action, the Administrator gives the user the privilege to associate with Single Sign On authentication on their own. It is user’s choice to enable Single Sign On or not.
- Enable: When this option is selected, the Administrator directly applies the Single Sign On authentication policy. The user will receive continuous prompt on the computer to associate with Single Sign On untill the user accepts it after the encryption of the volumes.
- Disable: When this option is selected, the Administrator disables the applied Single Sign On authentication policy from the client computers.
What is Manage Locally policy?
With Manage locally option, the client user gets the privilege to manage the encryption process on the local computer.
How to rescue using WinPE?
To rescue using WinPE:
- On your computer, download the Rescue ISO (WinPe) from link (Link will be available at GA).
- Download the Refus from https://rufus.ie/
- Run the Rufus.exe
- Select the downloaded ISO file by clicking the Select button.
- Connect the USB drive.
- Click the Start button.
- It will create the Bootable USB with recuse ISO. You must perform the following steps on the affected computer.
- Boot the computer from bootable USB drive.
- Computer starts through rescue ISO.
- On desktop, double-click the Seqrite Volume Encryption icon.
- In the SVE application, right-click the encrypted volume and click Decrypt Volume option or on menu, click the Decrypt button.
- On the confirmation dialog, click Yes and then enter the master boot password.
- Decryption process starts.
What are the different recovery options in SEM?
SEM provides multiple recovery options for computer, volumes, and removable media.
To access recovery options:
- On SEM console, select the computer.
- On computer page, click Recovery options.
- Password is lost /Forgotten/FailSafe Mode: This option is beneficial if you are unable to recall the password for the encrypted computer or FailSafe mode is enabled on the computer because of wrong password attempts. Decryption is not required in such case. A recovery password will be automatically generated, which can be used to boot the computer.
- After booting the computer with the recovery password, it is possible to change the password on the client computer by clicking Rescue > Recover/Change Boot Password.
- To change the recovery password, you must decrypt and then encrypt the computer again.
- Encrypted volume is damaged: This option helps to repair a non-system volume. The Rescue file is generated with the same password that was used to encrypt the volume, or with a new password. To recover the damaged volume using Rescue File, follow these steps:
- Open the SVE and select the damaged volume.
- On menu, click Rescue > Decrypt with Rescue File.
- In new dialog, enter the password.
- Decryption process starts for the damaged volume.
- Encrypted computer won’t boot: Use this option to recover the client computer that is unable to boot. In this case, a bootable USB disk is created that can be used to boot the computer and run rescue decryption.
- Removal media ID:
Password is lost / Forgotten: Use this recovery option for if you forget the password for removable media.
- Encrypted removable media is damaged: Use this option to recover the encrypted removable media that is not accessible or is misbehaving.
Why does Windows 8 and later operating systems take much time to boot the computer if Seqrite is installed on them?
Cause: The Fast Startup option in Windows 8 and later OS is disabled by Seqrite software due to following reasons:
- Installation issues: If you set the Turn on fast start-up option ON, the encryption driver will not be loaded if you shut down/start your computer instead of restarting it.
- If Turn on fast start-up option is set ON, then in some cases the encrypted non-system volumes remain mounted when you start/shutdown the client computer.
- General issues: If Turn on fast start-up is set to ON, it is not possible to troubleshoot or boot from a different device, rescue disk, etc.
- NOTE: After the installation of Seqrite software, your system volume gets encrypted. Then you can enable the Turn on fast start-up option, if required.
To enable the Turn on fast start-up option, follow these steps:
- On your computer, right-click the Start button.
- Click Power Options.
- From Control Panel, click Choose what the power button does.
- System Settings is displayed.
- In Shut-down settings section, select the Turn on fast start-up check box.
- If the options appear dimmed, scroll up and click Change settings that are currently unavailable.
- The options get active and you can select the Turn on fast start-up check box.
Does Seqite Volume Encryption support Virtual Box's guest OS?
Yes, Seqrite Volume Encryption supports Virtual Box's guest OS, but the user must change settings of Virtual box's guest OS as follows:
Open VirtualBox Manager.
- Click the machine.
- Click Settings or right-click the machine of Virtual Machine (Guest OS).
- Click System and then select the Enable I/O APIC check box.
- Click Acceleration and turn off the Paravirtualization interface by selecting Not Present or None.
How to install Seqrite Encryption Manager Server on Cloud/AWS/Public IP Address?
To install Seqrite Encryption Manager Server on Cloud/AWS/Public IP address, the SEM Administrator must install SEM with the help of Host Name. The host name must be FQDN (fully qualified domain name), i.e. Abc.com
If host name of SEM Server is not FQDN then user needs to run the below-mentioned command on every client computer to communicate with the SEM server:
- Open the command prompt as Administrator.
- Run the below-mentioned command:
echo IP_ADDRESS_of_SEM_Server_Name_Of_SEM_Server >> %WINDIR%\System32\Drivers\Etc\Hosts
Note: User must run the mentioned command on all the endpoints, where administrator wants to install the SEM client.