Shahar_Grober
Advisor

Check Point FDE vs. Bitlocker

Hi all,

Does anyone have some experience and insights on FDE vs. BitLocker?

I was asked to do a comparison of the two products. I want to understand the pros/cons of each of them, especially in terms of:

- Ease of deployment

- OS/BIOS compatibility

- issues with OS upgrades and updates

- recovery and decrypt options 

I know that FDE has some issues with OS upgrades, Microsoft updates and BIOS updates.

In addition, FDE doesn't support some Microsoft security features like Credential Guard and Device Guard.

BitLocker is more native to the OS but requires Intune and Azure AD to activate and deploy in an enterprise environment (this is supported only on Windows 10 Pro).

Any further information is welcome 

6 Replies
Steve_Lander
Collaborator

We switched from BitLocker (Windows 7) to Check Point FDE Windows 10.

Upgrading major Windows versions as well as installing Windows updates are a hassle for us. It's better when Pre-Boot is turned off when doing anything Windows update related until they make the whole process smoother. You are also required to use the BCD store instead of the default BOOTMGFW for Windows updates. Make sure your computers' BIOS is the latest version before changing to BCD. See this thread for more info on updates: "Windows 10 1803 Auto Upgrade with FDE Failing". We are still experiencing BSODs after some major Windows upgrades as well as some Windows patches which switch the boot order in the BIOS, but not as much after we upgraded everyone's BIOS and flip-flopped from BCD -> BOOTMGFW -> BCD again.

Deployment of Check Point FDE is quick, and the decryption is fast as well. Secondary physical drives are slow to encrypt, but that is to be expected. I would not recommend using a physical drive for the OS with FDE, it's very slow. If you need to decrypt a drive or access an encrypted drive out of a computer, once you get used to using the recovery options it's pretty straightforward. If a drive is badly corrupted/damaged, you might not be able to use the recovery methods to access/decrypt the drive. There is not an option to suspend FDE like there is with BitLocker.

Honestly, the only bad thing about Check Point FDE is with Windows patches or upgrades (1803/1809) breaking, and once they smooth this out it will be solid. I think the Pre-Boot environment is better than BitLocker's, and recovery options as well as pre-boot remote help are cleaner and more secure. You can also customize the background on the pre-boot environment.

0 Kudos
Shahar_Grober
Advisor

Hi Steve, 

Thanks for the information, this is exactly what I needed to know. 

We were doing a test pilot group with FDE and experienced the same issues with OS upgrades.

I agree that deployment and management of FDE are superior to BitLocker, but having to deal with constant Windows update and upgrade failures seems like a no-go.

PhoneBoy
Admin

There's a reason we are issuing frequent updates to our Endpoint client these days. :)

Steve_Lander
Collaborator

In future releases of Full Disk Encryption, when the FDE blade installs, somewhere in the process of the several reboots to enable FDE, Check Point should change the boot mode to BCDBOOT instead of BOOTMGFW automatically to smooth out the installation process.

Can this be forwarded to the developers?

Thanks!

0 Kudos
PhoneBoy
Admin

That's part of why this community exists :)

Steve_Lander
Collaborator

Looks like E80.92 is out, and it says it fixes a BCDBOOT bootloop issue with FDE. Hopefully this clears up all the issues with Windows Updates with FDE; will start deploying to our test group now!

Enterprise Endpoint Security E80.92 Windows Clients 

0 Kudos
