[KB7205] Remotely disable a workstation using ESET Endpoint Encryption (EEE) Server

Issue

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

  • Use settings and commands from the ESET Endpoint Encryption (EEE) Server to disable access to data on a workstation. This can be useful if a machine is lost or stolen.
  • These options are only available for workstations that are under the management of an EEE Server.
  • Delete encryption keys
  • Disable FDE

Solution

Delete encryption keys (Deactivation)

The encryption keys in a user's key-file provide access to granular encrypted data (e.g., encrypted files, encrypted folders, encrypted removable media, encrypted emails, etc.). Deactivating an encryption user's key-file removes access to their copies of the encryption keys. 

It is possible to reactivate a machine that has been deactivated.

To send a deactivate command:

  1. Verify the applicable ESET Endpoint Encryption (EEE) Client(s) and Server are connected to the internet.

  2. Verify the target client machine is logged in to the Windows profile that contains the user's key-file.

  3. Log in to the ESET Endpoint Encryption (EEE) Server.

  4. Select the Users branch or user team and then select the applicable user.

  5. Click Details.

  6. Click the Workstations tab and then click Deactivate.

Figure 1-1

  7. Select the check box next to Are you sure you want to deactivate this user? and then click Deactivate.
    The command will be posted and received by the client machine if it is connected to the internet and the Windows user profile of the user is logged in.
    When the command is received, the user is logged out of their key-file. The key-file is reset, and the activation window reappears as if for a new user.

Figure 1-2

Disable Full Disk Encryption (FDE) on your system

Remove Full Disk Encryption (FDE) logins on an FDE machine to prevent the machine from being started using those credentials in the future.

When you disable a machine and remove all FDE logins, it will no longer be possible to access any data on that system. To regain entry into a disabled workstation, you must carry out an FDE recovery.

When removing credentials, we advise you do not disable the FDE admin login.

This process also offers the option to force the machine to reboot when the command is processed, so that any user currently logged on to the system is immediately stopped from using the machine.

To send a disable command:

  1. Verify the applicable ESET Endpoint Encryption (EEE) Client(s) and Server are connected to the internet.

  2. Log in to the ESET Endpoint Encryption (EEE) Server.

  3. Click Users and then select the applicable user or team.

  4. Click Workstation Details → Disable.

Figure 2-1

  5. Select the applicable FDE credentials removal option. If appropriate, select the Reboot the workstation after processing command option and then click OK.

Figure 2-2

  6. Confirm your EEE Server password and then click OK.


If you selected the reboot option, the workstation will display the screen below when it receives the command, and the system will restart.

Figure 2-3

If you selected the Remove ALL FDE Logins (including admin) option in step 5 above, the workstation will display the screen below when it receives the command, and the system will not restart.

Figure 2-4

If the EEE Server receives a receipt of command completion, it continues to display the encrypted workstation, but no FDE Logins tab is displayed when viewing the Workstation Details.

Client expired settings

The Workstation Policy contains options to force an ESET Endpoint Encryption (EEE) Client to disable automatically if it is unable to contact the EEE cloud for a specified period of time.

Use these options with caution. If for some reason the machine is unable to access the cloud for the specified period of time, the disable action will be performed. Therefore, if you intend to use the options, they should be set with an amount of leeway to allow for network problems, user vacations, machine repairs, and other unexpected events that could delay connection to the cloud.

To view these settings, click Workstation Policy →  Server Communication Settings. The relevant options are detailed below:

  • Client disable warning period: When set to a non-zero value, this is the number of days that can pass before the user is warned that their EEE will be disabled.
  • Client disable warning message: The warning text displayed once the warning period has been reached, reminding the user that they need to connect the machine to the internet. This message can be customized as required.
  • Client disable period: When set to a non-zero value, this is the number of days that can pass before the expiry action is performed.
  • Client disable message: The message displayed to the user at the point the expiry action is performed, explaining what has happened. This message can be customized as required.
  • Expiry action to perform: This can be set either to deactivate the user's key-file or to remove all user FDE logins. The FDE admin login is retained if this happens, so that the admin can recover access should it be required.
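As an added illustration (not ESET's code, and not the EEE Client's actual implementation), the following Python model shows how the five options above interact and how an administrator can sanity-check a policy for the leeway this article recommends. It assumes days are counted from the last successful contact with the EEE cloud and that a period is reached once that many days have elapsed (inclusive); the "expected_offline_days" planning parameter is this example's own, not an EEE setting.

```python
from dataclasses import dataclass
from enum import Enum


class ExpiryAction(Enum):
    """The two expiry actions named in the Workstation Policy."""
    DEACTIVATE_KEYFILE = "deactivate user key-file"
    REMOVE_USER_FDE_LOGINS = "remove all user FDE logins"  # FDE admin login is kept


@dataclass(frozen=True)
class ServerCommunicationPolicy:
    """Model of the Server Communication Settings described above (constructed)."""
    warning_period_days: int            # 0 = no warning is ever shown
    disable_period_days: int            # 0 = client never auto-disables
    expiry_action: ExpiryAction
    warning_message: str = "Connect this machine to the internet to keep EEE active."
    disable_message: str = "EEE has been disabled because the cloud was unreachable."


def evaluate(policy, days_since_cloud_contact):
    """Return (state, message, action) for a client that last reached the cloud
    `days_since_cloud_contact` days ago. The disable check runs first because,
    once the disable period is reached, a warning is no longer useful."""
    if policy.disable_period_days and days_since_cloud_contact >= policy.disable_period_days:
        return ("disabled", policy.disable_message, policy.expiry_action)
    if policy.warning_period_days and days_since_cloud_contact >= policy.warning_period_days:
        return ("warn", policy.warning_message, None)
    return ("ok", "", None)


def policy_checks(policy, expected_offline_days):
    """Leeway review before deployment. `expected_offline_days` is the longest
    legitimate outage the admin anticipates (vacation, repair, travel)."""
    issues = []
    if policy.disable_period_days == 0:
        return issues  # auto-disable is off; nothing can expire
    if policy.warning_period_days == 0:
        issues.append("auto-disable is enabled but users get no warning first")
    elif policy.warning_period_days >= policy.disable_period_days:
        issues.append("warning period is not shorter than the disable period")
    if policy.disable_period_days <= expected_offline_days:
        issues.append("disable period does not exceed the expected offline time")
    return issues
```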

For more information, visit How do I modify workstation policy?