Windows Update January 10, 2017 - KB3213986 (MS17-001) causes issues with FDE Windows logon functionality on Windows 10
For E80.64 users with R77.30.02 server who do not use SmartCards, download the fixed client: E80.64 HFA1 Check Point Endpoint Security Clients for Windows OS. For other Management Server versions support, for SmartCards support and for E80.65 please use Enterprise Endpoint Security E80.70 Client.
KB4013429 supersedes KB3213986, and resolves the issue.
In case you do not wish to install KB4013429, Check Point recommends using one of the following workarounds:
Note that in both workarounds, SSO will not be working.
Workaround: FDE Workaround with User Acquisition blocking KB installed
With the KB installed FDE User Acquisition (UA) will not work for automatically enrolling users in the Preboot environment. A workaround is to manually assign users to each computer using Direct Assignment.
- Change the FDE Policy to "Manually authorize users to access encrypted computers".
- Now go to the Users and Computers tab in SmartEndpoint and select the computer you are assigning a user to. Right-click the computer and go to 'Full Disk Encryption > Authorize preboot users'.
- Click the "Add" button and select the user that will have access to the computer.
- Before the user can be deployed you must set a temporary FDE Preboot password, do this by clicking the "Change Password" button.
- Select a temporary password and tell the user(s) to change it at the first logon in the FDE Preboot authentication screen.
- This is the screen that the user will see after the account has been pushed to the computer. The user should click the "Change Password" button instead of the "OK" button, when he is logging in for the first time. The user should preferably change his password to the same password that he uses in Windows.
This is the Password Change dialog:
- When these steps are completed, the FDE encryption will start to encrypt the disks.
Workaround: Use FDE User Acquisition with Windows 10 Anniversary Update:
- Uninstall the KB
- Acquire users with User Acquisition.
- Apply the KB again.
Working cooperatively in the best interest of our customers, Check Point and Microsoft have agreed upon the following plan:
- Microsoft will be offering a temporary fix for this issue as part of the March 2017 Quality Update for Windows 10, version 1607 (available March 14, 2017). This fix will expire at the end of 2017.
- Check Point will deliver a hotfix on top of the E80.64 client with a robust fix for this issue. The hotfix will be available for Windows 10, version 1607 only and will be generally available during Q2-2017.
Customers that would like to upgrade to Windows 10, version 1607 should wait until the Q2-2017 Quality Update is available, or skip the installation of the January 2017 Quality Update.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.