JPritchard

Hello, Only if you delete the 'premiumkey.dat' file in C:\Users\USERNAME\AppData\Local\DESlock+\ If you disable Secure Data or uninstall ESSP, then this file is left behind intentionally so you don't lose your encryption key in the event that you re-install Secure Data. Regardless, there's a lot being discussed in this thread and I feel it would be best that these questions are answered through the correct support channels so we can address each query accurately. Please submit a support case for your queries and we'll assist you from there. Thanks! Kind regards Jay Pritchard Encryption Technical Support Engineer III / Team Lead

I appreciate the update, take care!

Hello BowForMe, In your opening post, you said: ESSP Secure Data creates an encryption 'keystore' file called 'premiumkey.dat' in C:\Users\USERNAME\AppData\Local\DESlock+\ If you delete this directory and the files within, then the encryption key is no longer available and your encrypted USB cannot be decrypted or accessed. Re-installing ESSP and enabling Secure Data will generate a new keystore file, which will NOT work for anything encrypted with a different key. If we're lucky, and you still have the directories and files you deleted in the Recycle Bin, then you should be able to restore them and access your USB stick! If not, perhaps you have a Windows backup that you can restore where the DESlock+ directory and files are intact and can be restored to regain access to your USB. Failing this, the data on the USB is inaccessible and you will need to format the device for future use. Kind regards Jay Pritchard Encryption Technical Support Engineer III / Team Lead

Hello Perhaps one of these reports will provide the information you're after.

Hello Richard, While I cannot comment on the development plans for the encryption products, I would like to offer my team's help to investigate this issue. In your previous post you said, If your users are noticing a considerable performance impact performing the actions above, then please can you submit a support case and request that the case is escalated to HQ so my team can investigate the issue? Please note that due to the nature of the problem, we will ask you to perform and record your findings doing various tasks on a system that has already experienced performance related issues. These tasks will need to be completed while the computer is encrypted and then again while not encrypted. This will help paint a clear picture of the scope of the issue. I'd like to add a little more background information. Using software-based Full Disk Encryption will always have a performance overhead. This is true of all encryption vendors, not just ESET. How much of a performance impact can vary from system to system, as there are multiple factors involved. However, we expect that a computer used in a "normal" office setting will operate with little to no discernible difference to the user after Full Disk Encryption has been completed (we expect performance to be more highly impacted while encryption is in progress, but this impact will subside after encryption has completed). However, depending on the nature of the work the user does, they may notice more of an impact, such as using 3-D rendering software or during video editing and rendering. Perhaps this ties in with your statement here: Could it be the user is experiencing a performance impact while encryption is currently in progress? Regardless, in instances where a user needs the best disk performance available, EEE/EFDE supports OPAL 2.0 self-encrypting drives. This hardware-level encryption has no performance impact at all to the drive. Have you explored this with your customers as a solution to their concerns? Please let me know if you submit a support case, as I want to be personally involved in the investigation. All the best, Jay Pritchard Technical Support Engineer III / Tier 3 Encryption Support Team Lead

Good afternoon, Based on your description of the problem, I recommend you contact ESET support for further assistance. Please include any details of how you performed the SQL backup & restore, so we have a clear understanding of what steps you have taken so far. Thanks Jay Prichard

Hello, As far as I know, it is not possible to remove recovery passwords from the ESET Protect console. I suspect the computer in question has been decrypted and re-encrypted several times. Each time you encrypt a computer (even if it's the same computer) a Workstation ID is generated. This is likely why you're seeing three recovery passwords, but each have different Workstation ID's. When reseting a User's password in this manner, always match the index number and the Workstation ID with what the User see's on their computer in the recovery screen. Kind regards, Jay Pritchard Encryption Technical Support Engineer III / Team Lead

Hello Mauricio, Thank you for clarifying that the user is managed by an EEES. I think you need to adjust the Group Policy in your EEES to prevent Users from encrypting data with passwords. This will force them to use encryption keys instead, which are backed up on the EEES itself. This avoids the situation of forgetting passwords entirely. Please see my attached image, as this shows the specific Group Policy setting that you need to change. After changing the setting, don't forget to post a key-file update out to the affected Users to push the new settings to their computers. For more information on this process, please see: KB7408 - ESET Endpoint Encryption Server group policy settings As for pre-existing data encrypted with passwords, it would be best to decrypt and then re-encrypt the data using a key instead. Please let me know if you have any further questions. Jay Pritchard Technical Support Engineer III / Encryption Support Team Lead

Hello Mauricio, Is the User's ESET Endpoint Encryption client (EEE) managed by an ESET Endpoint Encryption Server (EEES)? If so, the encryption keys and recovery data are available in the EEES for the Administrator to decrypt and access the computer and data if necessary. However, if the User has a standalone version of EEE installed, then only they know their key-file password and FDE Admin credentials. You may wish to discuss with them sharing these details, however this creates a security risk of sharing important passwords. If they are using a standalone version of EEE, then you may want to encourage the User to create a key-file backup and create a backup of their FDE Admin password file ('adminpassword.html'). This file will have been generated at the time they originally performed FDE on their computer. This file is most likely stored on a USB device already. For more details, see: KB7571 - Back up Key-File in ESET Endpoint Encryption As a side note, it is possible to 'adopt' standalone clients into an EEES, so perhaps consider upgrading/purchasing an EEES to provide the means of recovery in such cases. I hope this helps! Jay Pritchard Technical Support Engineer III / Encryption Support Team Lead

Hello, Unfortunately the encryption key tied to your Virtual Drive will have been lost in the Windows reset. Without the key, it is not possible to automatically mount the Virtual Drive, this is why you must enter the password manually each time. I recommend creating a new Virtual Drive and copying/moving all contents from the old one to the new one. This will allow you to automatically mount the Virtual Driveas desired. Best regards, Jay Pritchard Encryption Technical Support Engineer III / Team Lead

Hi Brian I have run a test in a virtual environment this morning and I did not encounter any issues installing the afforementioned update on an encrypted virtual machine. In my attached screenshots, you can see I installed the same Insider Preview 22593.1 (ni_release) update: I did nothing special, I simply installed Windows 11 from scratch, installed EEE v5.1.1.14, performed FDE using the TPM in PIN mode, joined the Windows Insider Program (on the beta branch) and then checked for updates to allow the computer to download and install the update. During the update, the computer rebooted several times which required me to enter my pre-boot credentials (PIN code), but the actual update was successful and I could sign into Windows as normal. My second screenshot shows the update was successfully installed and shows the build number: If you can reproduce the issue, then please let me know the exact steps you have taken and I'll try again 🙂 And if you do manage to reproduce the issue, then there might be some log files that will help us identify what environmental variables are involved to help us reproduce the issue. Best regards, Jay Pritchard Encryption Technical Support Engineer III / Team Lead

Hello, This is a rather tricky problem to guide you through on a forum. For this reason you may want to reach out to ESET support for further help. If you want to continue this discussion here, then we need to first reset the file associations. As you have made manual adjustments to the file associatations in the registry, you may want to re-install Windows again to reset these file association settings. I'm afraid that re-installing ESSP doesn't reset the Secure Data file associations and as you have only recently installed Windows from scratch, I am hopeful that it won't be a complicated process to do this again. After re-installing Windows, install ESSP and enable the Secure Data module. From this stage, I would like to know exactly what happens when attempting to open your Virtual Disk. Does it prompt for the Virtual Disk password?

Hello, ESET Smart Security Premium requires you to specify a password when encrypting data. Please can you give me more information about the encrypted file in question. Is it a Virtual Disk file? Or something else? Do you know the password for the file you are attempting to access? Specifically what happens when you attempt to open the encrypted file?

Hello @Pavilions! I deeply apologize for the delay in responding to you. I'm afraid it's not currently possible to force the encrypted folder to prompt for a password each time you access the directory when using ESET Smart Security Premium. As an alternative solution you may be interested by ESET Endpoint Encryption, as this has more functionality with how it handles encrypted data. For example, all granular encrypted data can be quickly protected by logging out of the software's "key-file". This prevents anyone from accessing the encrypted data until you enter the key-file password to regain access. I hope this helps you.

Hello, EFDE does not utilize/manage Bitlocker. EFDE performs the encryption itself and is managed by ESET Protect. Let me know if you have any further questions

Hello there, What version of the EEE Server do you have installed currently? The latest available to download is version 3.2.2. If you are using an older version, please upgrade and try again and let me know if the issue still occurs. Please refer to this knowledgebase article for guidance on upgrading your EEE Server: https://support.eset.com/en/kb7402

Good afternoon! The behavior you describe is normal - Policies applied by the installer do not show in the console. However, where EFDE is concerned, you will see the encryption status information on the computer panel here: If you want to update the Policy details in the ESET Protect console, then you can press the "REQUEST CONFIGURATION" button. Once processed, you will see the currently applied policies. Here's an example: Before After It might be possible to automate this process, however I don't know enough about ESET Protect to assist you further with this. You may want to ask for further help in the ESET Protect forum or contact support. I hope this helps out!

Hello there! After reading through your post, it's unclear to me what the issue is exactly. When you say: If the computer started encryption after the installation, then an EFDE Policy was included in the installer. EFDE does NOT perform any kind of encryption unless the EFDE Policy specifically enables encryption. If the Policy included in your installer isn't encrypting in the way that you expect, then I suggest you amend the installer's settings and then generate a new MSI. Regarding this statement: It is not possible to change the FDE mode (TPM/OPAL/Software based encryption) without decrypting the computer first. After decrypting the computer, you can apply the desired EFDE Policy. It should be noted that the computer details shown in ESET Protect do not show the currently applied EFDE Policy if the Policy was established as part of the install. You may be able to request the computer details in order to update the computer details to show this information. If I have misunderstood the issue, then please may you provide more information on the problem. Thank you

Hello there! While we haven't tested on the Surface Laptop 3 model specifically, you should be able to install EEE and encrypt the machine with no foreseeable problems. We routinely test the software on other Surface models without any issues, so the Surface Laptop 3 should in theory be okay too. However, we recommend you install the latest version of EEE, which is currently 5.0.8.4, not 5.01. This is available from ESET's website. As with all things, we recommend you maintain backups of important data regardless of whether or not encryption is in place.

Good morning, Self Enrolment is separate from the cloud proxy, take care not to confuse them. Self Enrolment is a feature which automates the EEE user activation process by communicating on the local network to licence users. This is not essential, as you can activate users manually by email instead. You can see the EEES process for user activation here: KB7157 - Activate ESET Endpoint Encryption Client using ESET Endpoint Encryption Server EFDE and EEE are separate products entirely. Depending on your requirements, perhaps EFDE is more suitable for your needs? It only offers Full Disk Encryption, but it's managed and deployed from your existing ESMC which may be more convenient for you.

Good afternoon, I am a technical support engineer for ESET's Encryption product family. You have mentioned a few things that I feel need clarifying, some of which may require in-depth explanations in order for you to come to your own conclusion on how best to deploy ESET Endpoint Encryption in your own environment. First I feel I need to address an important concept regarding ESET Endpoint Encryption. EEE uses a "cloud proxy", which is our patented technology which simply acts as a pigeonhole (or middleman) for communicating commands/client updates between the EEE server and EEE client workstations. If your environment has an Internet proxy to control traffic, then you will need to add your proxy details to your EEE Server. For complete details on this, please read our article here: KB7607 - Add internet proxy server settings to ESET Endpoint Encryption Server Providing everything is configured correctly, your EEE client workstations will be able to communicate with your EEES (through the cloud proxy) as normal. Regarding your questions about deployment, I am not familiar with deploying EEE from ESMC itself, but I know there isn't a repository for EEE, so it cannot be installed that way. However, the EEE Server has a "Push Install" feature which allows you to install the EEE client (MSI) on clients across the network. Sadly this may not be suitable, as you said your users never connect to your internal network. In which case I would ask, how do you currently manage software deployments for users off your network? Regardless, EEE's installer is an MSI file, which can be easily deployed through 3rd party tools. Just ensure your Workstation Policy is configured correctly before generating the MSI for the endpoints, as the Workstation Policy is bundled into the MSI itself. Additionally, depending on your requirements you may need to create a separate Merged Installer for each Workstation Team you have set-up in your EEES. I hope this sheds some light on your situation and what you can do to deploy EEE in your environment.

I'm pleased to hear that has resolved your issue. Have a nice evening 🙂 -JP

Good afternoon, I'm sorry to hear about this issue. I suspect you are encountering a known issue with the latest version of Windows 10 2004 (OS build 19042). You can check what Windows version you are running by typing 'winver' into the Run dialog. I have attached an example: If your computer IS running Windows 10 2004 (OS build 19042), then please check to see if you are missing the UseNullDerivedOwnerAuth registry value found in: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI If it is missing, then you can create it manually by opening an elevated command prompt and entering the following command: reg add hklm\system\currentcontrolset\services\tpm\wmi -v UseNullDerivedOwnerAuth -t REG_DWORD -d 0x01 -f After running this command, reboot your computer before trying FDE again. This should allow the TPM to be used for encryption. Let me know how you get on. - JP

Hi Jock Once the machine is fully decrypted, please refer to the section titled "Removing ESET Endpoint Encryption with Managed Uninstall" from this knowledgebase article here: KB288 - ESET Endpoint Encryption Windows Installer (MSI) However if it's only one machine, then you may find it quicker to access the machine itself and click "Change" from Add/Remove Programs and follow the on-screen steps to remove the software as shown in this article: KB7617 - Using Managed Uninstall in ESET Endpoint Encryption

Good afternoon, When the FDE command is received by the endpoint, does the machine reboot to perform Safe Start? I also noticed you are using an older version of EEE. Please upgrade to v5.0.7.3 and try again.