[KB7209] Enable Automatic Full Disk Encryption (FDE)

Details

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE. Visit What's new in ESET Full Disk Encryption to view EFDE content.

After the Automatic Full Disk Encryption (FDE) feature is enabled, credentials are not required to boot the workstation until it has been activated. During activation, the first user with a Pro license on the workstation will be prompted to choose a password to boot the system. At which point, the FDE username, recovery information and FDE admin credentials are visible.

Automatic FDE is designed to ensure a workstation is encrypted prior to user activation, for example, when a system administrator prepares laptops before distributing to end users or if an end user is currently unknown.

Although you can use FDE in this manner, we strongly recommend you activate a Pro license as soon as possible to ensure the workstation is fully secure. Automatic FDE is not a replacement for starting FDE from the server as shown in Starting Full Disk Encryption using the ESET Endpoint Encryption Server (managed).

Solution

Verify your version is compatible

This feature is available for servers version 2.9.0 and later and clients version 4.9.0 and later. Automatic Full Disk Encryption (FDE) only works on new installations; not updates from previous versions.

The following will be encrypted:

  • The "Boot" disk will be encrypted. If you have more than one disk to encrypt, the secondary disk will need to be encrypted manually.
  • Compatible Partitions with drive letters will be encrypted
  • Software encryption mode is used, OPAL is not available.
  • Standard Username and Password authentication is used, TPM modes are not available

I. Configure a Workstation policy

  1. Navigate to your Workstation policy Full Disk Encryption settings.

  2. Change the configuration of Automatically start encryption after installation to Yes.

  3. Enter the applicable number of Password and Recovery attempts you want the user to have at the pre-boot FDE login page.

  4. Enter the applicable number of Recovery uses.

  5. Enter an FDE Administrator Username. It is admin by default.

  6. Make the appropriate Single Sign-On (SSO) selection (must be activated with Self-Enrollment).
Self-Enrollment users

If you are using Self-Enrollment to activate workstations, and have previously sent an FDE command to another machine, the FDE admin password that was used will be set as a default. If not, a randomly generated password will be created which can be seen in the FDE login window. Visit our article for more information to change my full disk encryption password.




II. Install client software

  1. Install the ESET Endpoint Encryption (EEE) Client.

When the client software is installed, a Safe Start reboot occurs. For more information on Safe Start, refer to What is Full Disk Encryption Safe Start?

The FDE process is in progress. The Disk Encryption Status window indicates the progress.

Figure 1-1



III. Activate

Self-Enrollment users

This is not a required step if you activated using Self-Enrollment. 

Refer to Activate ESET Endpoint Encryption Client using ESET Endpoint Encryption Server.



IV. Enter FDE pre-boot password details

Once you have entered the activation details you will be required to enter a pre-boot password. If you have Self-Enrollment enabled and have elected to set up your user with an SSO login, you will be required to verify your domain login credentials.

SSO enabled (Self-Enrollment Only):

Figure 2-1

Normal user:

 

Figure 2-2