Issue
- Install Windows Feature updates while ESET Endpoint Encryption (EEE) Full Disk Encryption (FDE) is installed
- Update Windows using Windows Server Update Services
- Windows Media Creation tool (ISO)
- Additional information
Solution
Update Windows using Windows Server Update Services
The default Windows update does not work.
To install Windows Feature updates on an FDE system, the encryption drivers must be made available to Windows during the update. EEE includes the SetupConfig.ini file, stored inside the following directory:
C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\
Custom SetupConfig.ini files must be tested alongside FDE as a part of the update process.
The SetupConfig.ini file passes two switches:
- /ReflectDrivers=C:\WINDOWS\system32\dlpcore\Upgrade ensures that the encryption driver is passed to Windows during the Windows Update process, so that Windows can access the disk correctly during the update. Without this switch, Windows cannot read the encrypted disk and the update process will fail.
- /ResizeRecoveryPartition=Disable prevents Windows from resizing the existing Windows Recovery Environment (Windows RE) partition or creating a new one during installation. Without this switch, resizing or creating the partition would likely cause data loss and possibly render the machine unbootable.
After Windows has successfully installed an update, the PostOOBE switch will run a script. The PostOOBE script creates the necessary entries to allow Windows to update correctly.
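An added example, not ESET's code or part of the original article: a PowerShell check that a custom SetupConfig.ini still carries the two switches described above before it is tested alongside FDE. The function name, the [SetupConfig] section layout with option names written without the leading slash, and both sample files are assumptions constructed for illustration.

```powershell
# Added example (not ESET code): verify that a SetupConfig.ini keeps the two
# switches Windows Setup needs on an FDE-encrypted system.
function Test-FdeSetupConfig {
    param(
        [string[]]$Lines,
        [string]$DriverPath = 'C:\WINDOWS\system32\dlpcore\Upgrade'
    )
    $inSection = $false
    $options = @{}                        # hashtable keys compare case-insensitively
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') {  # section header
            $inSection = ($Matches[1].Trim() -ieq 'SetupConfig')
            continue
        }
        if (-not $inSection) { continue }
        # "Name=Value" or a bare "Name"; a leading "/" is tolerated.
        $name, $value = $line.TrimStart('/') -split '=', 2
        if ($null -eq $value) { $value = '' }
        $options[$name.Trim()] = $value.Trim().Trim('"')
    }
    $problems = @()
    if (-not $options.ContainsKey('ReflectDrivers')) {
        $problems += 'ReflectDrivers is missing: Setup cannot read the encrypted disk'
    } elseif ($options['ReflectDrivers'].TrimEnd('\') -ine $DriverPath.TrimEnd('\')) {
        $problems += "ReflectDrivers is '$($options['ReflectDrivers'])', expected '$DriverPath'"
    }
    if ($options['ResizeRecoveryPartition'] -ine 'Disable') {
        $problems += 'ResizeRecoveryPartition is not Disable: Windows RE partition may be resized'
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed samples: the assumed shipped layout, then a custom file that
# dropped the recovery-partition switch.
$good = @'
[SetupConfig]
ReflectDrivers=C:\WINDOWS\system32\dlpcore\Upgrade
ResizeRecoveryPartition=Disable
'@ -split "`r?`n"
$custom = @'
[SetupConfig]
ReflectDrivers=C:\WINDOWS\system32\dlpcore\Upgrade
'@ -split "`r?`n"
Test-FdeSetupConfig -Lines $good
Test-FdeSetupConfig -Lines $custom
```

To check a real file, pass the output of Get-Content for the SetupConfig.ini in the directory named above as -Lines.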
Windows Media Creation tool (ISO)
Manual install of Windows 10 Feature Updates does not work.
The EEE Windows Update utility uses the /ConfigFile switch to point Windows to the SetupConfig.ini file.