Windows Boot Drive Installation Prerequisites

The HyTrust DataControl Policy Agent supports encryption for Windows MBR and GPT boot disks, including any GPT boot disks that use UEFI Secure Boot, as long as those boot disks meet the following requirements.

Important: UEFI and Secure Boot are only supported with VMware ESXi version 6.5 and later. They are not supported on Azure or AWS.

For details on boot drive encryption, see Windows Boot Drive Encryption.

  • The encrypted boot partition must be on the Windows C: drive. Although Windows itself can boot from alternate drive letters, the boot volume can only be encrypted if it is the C: drive or if it is mapped to C:.

    The Bootloader partition is automatically assigned a drive letter during installation. This default drive letter can be changed using Windows Disk Management after the Bootloader has been installed.

  • The Bootloader requires a Windows System Reserved Partition (SRP). The installer creates an SRP if one does not already exist.

    The Bootloader SRP requires roughly 350 MB on Windows 2012 and above, and roughly 100 MB on Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 2008 R2. As part of the installation process, the boot drive will shrink to free up space for the Bootloader (and Windows SRP if one does not already exist). If there is insufficient space on the boot drive, the Bootloader will fail to install.

    Note: If the Bootloader SRP has less than 50 MB free space, KeyControl generates an alert every six hours until the issue is resolved.

  • The SRP and the boot partition must both reside on Harddisk0 (the first physical disk, shown as Disk 0 in Disk Management and diskpart). You cannot encrypt a boot partition that resides on any other disk, or split the SRP and the boot partition across disks.
  • The boot disk must have at least 1 MB of free space at the beginning of the disk that DataControl can use to store encryption metadata. If this free space is not available, boot drive encryption will fail.
  • If the VM is associated with a Cloud VM Set that is controlled by a Key Encryption Key (KEK), the HSM must be available before you can encrypt the root drive on the VM. For more information, see KEKs with Cloud VM Sets.

  • The Disk Defragmenter service on the target server must be enabled before installing the Policy Agent software.
  • The user account used for installing the software must have SeRestorePrivilege and SeTakeOwnershipPrivilege.
  • If you are using Windows 2008R2, the installation user account must also have SeSecurityPrivilege.
  • For GPT boot disks:

    • The GPT disk must be running Windows Server 2016, Windows Server 2019, or Windows 10.
    • The boot partition must be one of the first four partitions on the disk.

      Tip: If you try to encrypt the boot disk and the boot partition is not one of the first four partitions, the encryption will fail with the error "Maximum supported encrypted partition limit exceeded."

    • If you want to extend the boot partition, you must use the hcl extend command. For details, see Disk Size Management in Windows.
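The checks in the list above can be run ahead of time instead of discovering a failure during installation. The following PowerShell pre-flight script is an added example written for this page; it is not part of the HyTrust DataControl Policy Agent or its installer. It assumes the partition Windows flags as the System partition is the SRP the Bootloader will use, that the Disk Defragmenter service is the service named defragsvc, and that the size thresholds (roughly 350 MB for the Bootloader SRP on Windows 2012 and later, 1 MB of leading free space, the 50 MB SRP alert level) are the ones quoted in the text. Run it from an elevated session so whoami /priv reports the account's full privilege set.

```powershell
# Added pre-flight check for the boot drive encryption prerequisites above.
# Example code, not HyTrust's; thresholds and rules are taken from the text.
function Test-BootDriveEncryptionPrereqs {
    [CmdletBinding()]
    param(
        # Rough space the Bootloader SRP needs on Windows 2012 and later.
        [long]$SrpSizeBytes = 350MB,
        # Free space DataControl needs at the start of the disk for metadata.
        [long]$LeadingFreeBytes = 1MB
    )

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. The boot partition (the one holding \Windows) must be C: and on Harddisk0 (Disk 0).
    $bootPart = Get-Partition | Where-Object { $_.IsBoot } | Select-Object -First 1
    if (-not $bootPart) {
        Add-Result 'Boot partition found' $false 'No partition reports IsBoot'
        return $results
    }
    Add-Result 'Boot partition is C:' ($bootPart.DriveLetter -eq 'C') "Drive letter: $($bootPart.DriveLetter)"
    Add-Result 'Boot partition on Disk 0' ($bootPart.DiskNumber -eq 0) "Disk number: $($bootPart.DiskNumber)"

    $disk  = Get-Disk -Number 0
    $parts = Get-Partition -DiskNumber 0 | Sort-Object Offset

    # 2. SRP: assumed here to be the partition flagged IsSystem on Disk 0.
    #    If present, check its free space against the 50 MB alert level;
    #    if absent, the installer shrinks C: to create one, so C: needs the room.
    $srp = $parts | Where-Object { $_.IsSystem } | Select-Object -First 1
    if ($srp) {
        $srpVol  = $srp | Get-Volume -ErrorAction SilentlyContinue
        $srpFree = if ($srpVol) { $srpVol.SizeRemaining } else { 0 }
        Add-Result 'SRP on Disk 0' $true "Partition $($srp.PartitionNumber), $([math]::Round($srp.Size / 1MB)) MB"
        Add-Result 'SRP free space >= 50 MB' ($srpFree -ge 50MB) "$([math]::Round($srpFree / 1MB)) MB free"
    } else {
        $cFree = (Get-Volume -DriveLetter C).SizeRemaining
        Add-Result 'C: has room for a new SRP' ($cFree -ge $SrpSizeBytes) "$([math]::Round($cFree / 1MB)) MB free on C:"
    }

    # 3. At least 1 MB unallocated before the first partition for DataControl metadata.
    $firstOffset = ($parts | Select-Object -First 1).Offset
    Add-Result 'Leading free space >= 1 MB' ($firstOffset -ge $LeadingFreeBytes) "First partition offset: $firstOffset bytes"

    # 4. GPT-only rules: supported OS, and boot partition among the first four.
    $os = (Get-CimInstance Win32_OperatingSystem).Caption
    if ($disk.PartitionStyle -eq 'GPT') {
        $osOk = $os -match 'Windows Server 2016|Windows Server 2019|Windows 10'
        Add-Result 'GPT: supported OS' $osOk $os
        Add-Result 'GPT: boot partition in first four' ($bootPart.PartitionNumber -le 4) "Partition number: $($bootPart.PartitionNumber)"
    } else {
        Add-Result 'Partition style' $true "$($disk.PartitionStyle) disk, $os"
    }

    # 5. Disk Defragmenter service (assumed service name: defragsvc) must not be disabled.
    $defrag = Get-CimInstance Win32_Service -Filter "Name='defragsvc'"
    Add-Result 'Defragmenter service enabled' ($defrag -and $defrag.StartMode -ne 'Disabled') "StartMode: $($defrag.StartMode)"

    # 6. Installing account must hold the required privileges; 2008 R2 also needs SeSecurityPrivilege.
    #    whoami /priv lists every privilege the token holds, even ones currently "Disabled".
    $required = @('SeRestorePrivilege', 'SeTakeOwnershipPrivilege')
    if ($os -match '2008 R2') { $required += 'SeSecurityPrivilege' }
    $privText = (whoami /priv) -join "`n"
    foreach ($priv in $required) {
        $held = $privText -match $priv
        Add-Result "Privilege $priv" $held $(if ($held) { 'Held by token' } else { 'Missing from token' })
    }

    return $results
}

Test-BootDriveEncryptionPrereqs | Format-Table -AutoSize
```

Any row with Pass set to False corresponds to one of the bullets above and should be resolved before the Policy Agent is installed; the privilege rows in particular will show as missing when the script is run from a non-elevated session, because the filtered token does not carry them.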