[KB7942] Windows User context and ESET Endpoint Encryption

Issue

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE).

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

Solution

Access based on sessions

When a user enters their ESET Endpoint Encryption Key-File password, it enables access to the encrypted containers (for example, Virtual Disks and Encrypted Removable Media) that are encrypted with keys available to that user.

If another user logs in to Windows at the same time as the original user, they will have limited access to the same containers:

  • The second user will be denied access to removable media
  • The second user will have read-only access to virtual disks

Access based on users

After certain software is launched from within a user's session, the software may elevate itself so that it runs under the System user account. If this happens, the encryption keys will not be available to that software's process and access to the containers will be denied. This applies in situations such as the following:

  • Another user is attempting to access the encrypted data across the network
  • The user has elevated software using the Run as administrator option and is being denied access to the encrypted containers from that software
  • Software is running under a different user context within the user's session, for example, backup software that runs under the System user account, possibly as a Windows Service
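To find out which services and processes on a client run as the System account or as a different user than the one logged in (and so will not see that user's encryption keys), the following PowerShell check can be used. It is an added example, not part of this article or of ESET's tools, and assumes an elevated Windows PowerShell 4.0 or later session, since Get-Process -IncludeUserName requires both.

```powershell
# Added example (not ESET's code): report services and processes that run in a
# different Windows user context from the interactive user. Those are the
# processes that will be denied access to EEE encrypted containers.
# Assumption: run from an elevated Windows PowerShell 4.0+ session.

$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isElevated = ([Security.Principal.WindowsPrincipal]$me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Interactive user: $($me.Name)   Elevated session: $isElevated"

# Running services that start as LocalSystem run outside any user's key context,
# so a backup service listed here cannot open the user's containers.
Write-Host "`nRunning services under the System account:"
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and
                   $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM') } |
    Select-Object Name, DisplayName, StartName, ProcessId |
    Format-Table -AutoSize

# Processes owned by anyone other than the interactive user: System, the
# service accounts, or another user logged in at the same time.
Write-Host "Processes not running as $($me.Name):"
Get-Process -IncludeUserName |
    Where-Object { $_.UserName -and $_.UserName -ne $me.Name } |
    Select-Object Id, ProcessName, UserName |
    Sort-Object UserName, ProcessName |
    Format-Table -AutoSize
```

Any backup or sync tool that appears in either table is running in a context that does not hold the user's keys, which explains an access-denied result on an encrypted container.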

This does not apply to Full Disk Encryption of system disks. If you intend to use backup software with an encrypted system disk, test restoration with that backup solution before deploying it to a live environment.

In most instances, a file-level sync backup of data from full disk encrypted systems is the best option for scheduled backups. Backups performed at the file level are more likely to run as the user instead of the System account. Users will also have access to encrypted storage should it be required.

Use the command line tool to mount a virtual disk globally so that all users on the system can access its contents.