Disk Protect

Disk Protect 9.4.9 (build 26)

Release Notes

Product Name: Disk Protect Commercial and CPA 9.4.9 (Build 26)

Valid on: 07/06/2024

New Features and Improvements
– Added an option to the Disk Protect Management Tool under the Local Machine Policy tab, Authentication Screen, where the user can enable or disable ‘Use UEFI firmware keyboard layout’. This allows the Disk Protect preboot to use the same keyboard layout provided by the machine’s BIOS.
– Added support for protocols used by ‘Secure Core’ on Surface Pro.
– Added a fix for installations of Disk Protect on the Surface Pro, where enabling ‘Secure Core’ would cause the pre-boot login screen to loop.
– Fixed issues with SSO password synchronisation and exporting RMM keys when using an RDP connection.


– Added a fix for an issue seen when installing Disk Protect on the French version of Windows. The first created user was using the machine name, instead of the logged in user. The created user now uses the logged in Windows username.
– Added a fix for installing and using Disk Protect remotely using a Windows Remote Desktop connection.

-Setup.exe must now be run before performing standalone installations to grant the MSI admin permissions.
– Added a fix to support upgrades and installations on Lenovo devices with Boot Order Lock enabled. Installations and upgrades had been failing due to the change in how our pre-boot files were instated in the boot order, which had been changed to attempt to prevent Windows Updates from overwriting our boot loader. If a BIOS password is set while Boot Order Lock is enabled, it will need to be supplied through the package distribution service, or by running the DiskProtectSetup.exe and providing the BIOS password when prompted. It can also be supplied through the command line.

– Includes additional logging to confirm boot order priorities.

– Added a fix for an issue where newer Lenovo devices would bluescreen when upgrading to Disk Protect 9.4.3 or later. For affected devices it is important to ensure ‘Boot Order Lock’ is disabled in the BIOS settings when installing or uninstalling Disk Protect.
– The Disk Protect Recovery Tool has been updated to 5.2.1. This Disk Protect version should use the Disk Protect Recovery Tool version 5.2.1 to avoid damaging the boot manager.

– Added a fix for an issue with CPA TPM authentication where the third login attempt always failed.

– Added a fix for an issue that was preventing Disk Protect from being installed or uninstalled in some instances due to missing EFI\Boot files.
– Added Bitlocker detection. If Bitlocker is enabled, then Disk Protect will not install.
– Added a fix for BEM managed Disk Protect machines, for cases where the Disk Protect encryption status was not correctly updated in BEM.
– Added a new fix for an issue where Windows updates over-wrote the pre-boot in some cases. This DP version and above should use the Disk Protect Recovery Tool version 5.2.0 or higher to avoid damaging the boot files and rendering the device unbootable without decryption.

– Added a fix to allow Disk Protect to work in conjunction with Netstart 1.6.1. This fix was added to address an issue with newer Desktops which resulted in Netstart failing to register or complete setup when installed.

– Added an option to disable or enable the Disk Protect physical keyboard drivers to the Disk Protect Management Tool. If upgrading from a version of Disk Protect where this had been configured with a config file, this option will be updated to match that configuration. Used as a possible work-around if the keyboard does not work properly in pre-boot.
– Fixed an issue where the pre-boot screen was suppressed on the first restart of Windows following a major Windows upgrade.
– Added an option Rescan Disks to the systray. Selecting this will detect external USB HDDs and SSDs if they were not previously detected.
– Upgrades no longer request a Disk Protect user to authenticate to Windows a second time following the first reboot after upgrading.
– Fixed an issue where single sign on would occasionally fail to login to devices that contained lowercase letters in their Windows host-name.
– Fixed an issue where Windows updates over-wrote pre-boot on some cases

– Added an option to have a ‘number pad only’ and ‘hex number pad’ on-screen keyboard at authentication. The option can be set in the Disk Protect Management Tool on the ‘Authentication Screen’ tab under ‘Local Machine Policy->Authentication Settings’ and can be changed once encryption is completed.

– Corrected fix for an issue which prevented Unattended Reboot from occurring.
– Fixed an issue which caused certain TPM machines to not log-in on the first authentication.
– The BEM client has been updated

– Added an option to install a ‘repair only’ version of the recovery tool.
– Added an option to not install the recovery tool on client machines.
– Fixed an issue which prevented Unattended Reboot from occurring.
– Tidied up the the authentication screen settings pages to make the options more consistent for BIOS and UEFI installs
– Fast start up is now disabled when Disk Protect is installed

– Added support for the Japanese keyboard layout.
– Fixed an issue that caused some characters to not be accepted in usernames or passwords at pre-boot.
– Fixed an issue where the user was unable to login after upgrading DP when RMM was enabled
– Added a drop down box to select specific screen resolution options for the pre-boot screen
– Added a fix to prevent Windows upgrades from changing the Disk Protect pre-boot loader order.

– Fixed a bug where some machines with SSO enabled would fail to boot Windows properly.
– Fixed a cosmetic bug when showing the TPM locked message
– SSO can now be enabled when RMM is configured.


– Fixed a bug where the error “Unable to collect enough entropy” was displayed on installation (not package installation) of a BEM managed machine.
– Recovery console now exports the encryption key using dash separators to make it easier to read. The DP Recovery tool will accept either format of exported key file.
– Now removes Becrypt application folder from the start menu after uninstalling
– Added missing failed authentication events for PKI installations
– UEFI authentication screen now clears both username and password fields when re-entering login credentials
– Now displays the FIPS Library version in the Becrypt systray About Box


– Fixed a minor display issue with the on-screen authentication keyboard


– Updated FIPS library to
– Added an option to recreate a lost brf recovery file.
– Added more UEFI authentication screen options.
– Rebranded Disk Protect
– Both BIOS and UEFI machines are now able to disable the on-screen authentication keyboard.

Changed UEFI preboot to update Netstart.
– Removed unnecessary ARP timeout.
– Changed text displayed to user.
– Fixed a couple of bugs which might cause Netstart to stop progressing.
– Added some watchdog timers, in case Netstart stops responding.
– Changed some timers to reduce the chance of encountering a problem in the firmware of some LAN adapters which would make the LAN adapter stop functioning. If this problem does occur then it can be necessary to disconnect the power to the machine to reset the LAN adapter. Power off from the front of the machine is not sufficient, as it leaves power connected to the LAN adapter in order to do Wake-On-LAN
Known Issues
– Secure Core on Surface Pro devices is not currently supported. Issues with the pre-boot screen, such as encountering the Disk Protect login screen twice.
– To use Disk Protect with Secure Boot enabled on Surface Pro devices, the Secure Boot configuration must be set to ‘Microsoft + 3rd Party CA’
– USB sticks cannot be used as tokens with Secure Core enabled in the firmware configuration.
– On some EFI machines the keys \|£#~¬ get handled incorrectly by the preboot. If these characters are used in passwords then it may be difficult for the user to login. In some cases this is a firmware problem, in other cases the preboot itself may be doing the wrong thing. The behaviour of the preboot can be modified by creating a file ‘EFI\Becrypt\Boot\config.txt’ containing the line useAlternateKeymap=true, or by disabling ‘Enable DP pre-boot keyboard drivers’ in the Disk Protect Management Tool -> Local Machine Policy -> Authentication Settings -> Authentication Screen.
– Windows Fast Boot must be disabled on machines with Disk Protect installed.
– BEM managed installations must be completed using an Active Directory admin account.
– UEFI Pre-boot does not make audible alerts.
– UEFI Pre-boot may not be compatible with some high-end graphics cards, e.g. AMD FirePro.
– It is recommended that Hibernation and Sleep functions are disabled before a decryption is triggered.
– Please do not hibernate the machine during Disk Protect installation.
– HP Elitebook Revolve 810 fails to authenticate with tokens.
– Toshiba Z10T fails to authenticate with tokens.
– Allow unencrypted media to be accessed in Kiosk mode when RMM keys are present. This is automatic in Windows 10, but Windows 8 requires a registry entry to be created for the kiosk mode user. A suitable .reg file follows:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Becrypt\Disk Protect]

The value ‘2’ enables this feature, the value ‘0’ disables this feature. If the registry value is not present this feature is disabled. With the feature enabled the user does not need to respond to the dialog box which is presented to allow the user to select a key to encrypt the media (this dialog box is hidden by kiosk mode). If the value ‘1’ is used then the dialog box is displayed for 10 seconds, allowing the user to access it if kiosk mode is not in fact in use. This registry value can be used in windows 10 to override the automatic detection of kiosk mode.

– Disk Protect package installs cannot be completed by remote (RDP) users. A local user is required to login to trigger the preboot installation.

Disk Protect CPA specific issues:

– DPTokenManager.exe needs to be run as administrator to program standard USB sticks as tokens.
– If the USB stick has multiple partitions it cannot be configured as a token for CPA.
-TPM 2.0 authentication is only supported on UEFI machines if the operating system is Windows 8 or higher. (TPM 2.0 cannot be used with BIOS machines or with Windows 7)

Removable Media specific issues:

– Removable media password encrypted with v8.5 will not be compatible with earlier version of DP/RMM. Please contact support for more information.
– When using USB sticks as tokens, RMM will block the ability to update user passwords if the RMM policy is set to Read-Only or Block Access to unencrypted media.
– When using Removable Media encryption on eSATA drives, there is a possibility of data corruption if the device is not unplugged safely prior to logging on as a different user.
– Windows Hello Face and Windows Hello PIN are not supported
– Using RMM over an RDP connection may cause the USB to not be detected. To resolve this, restart the device and login to Windows on the device locally.
– An admin document on how to perform an installation can be found in the documentation folder.
– It is possible to upgrade to Windows 10 using the Disk Protect driver upgrade process – please refer to the Upgrading to Windows 10 document for details.
It is possible to upgrade directly to this version from DISK Protect 7.3.3 and above.

To upgrade from any previous version it is necessary to upgrade first to DISK Protect 7.3.3.

Supported Operating Systems
This product supports installation on the following windows OS:

– Windows 8 and Windows 8.1 (64 bit)
– Windows Server 2012 (64 bit), Windows Server 2012 R2 (64 bit) and Windows Server 2016 (64 bit)
– Windows 10 (64 bit)
– Windows 11

Interoperability with other Becrypt Products
– BEM 4.7.1 or later is required to manage estates which desire to use TPM Authentication or Self Registration, with DP plug-in 8.2.1 or above.
– DP Std plugin, version 8.3.x, also requires BEM 4.7.1 or above.
– For BEM 4.5 and below, please use the the DP 8.1 plug-in to manage DP 8.1 and above, otherwise an error wil be seen when trying to install the DP 8.3 plugin on BEM 4.5 and below.

Supported Tokens in DP Standard
– RSA SID 800 D3
– RSA SID 800 D4
– RSA SID 800 D7
– Gemalto IDPrime 3810
– Gemalto IDPrime MD 830-FIPS

Supported Tokens in DP CPA
– Aladdin eToken pro 32K 4.2b
– Aladdin eToken pro 64K 4.2b
– Aladdin eToken Pro 72k (Java)
– Safenet 5100
– Safenet 5105
– Safenet 5110
– RSA SID 800 A4
– RSA SID 800 B2
– RSA SID 800 B4
– RSA SID 800 D1
– RSA SID 800 D2
– RSA SID 800 D3
– RSA SID 800 D4
– RSA SID 800 D7
– Generic USB sticks (as long as they are marked as Removable by Windows)
– support@becrypt.com

We're here to help

Please Contact us

general enquiries

+44 (0) 845 8382050


+44 (0) 345 8382070

Join Our Newsletter

Receive our latest blog posts directly in your inbox!