JPritchard

ESET Staff
Kudos

  1. Upvote
  2. Upvote
    JPritchard received kudos from BowForMe in Eset encrypted drive: Error authenticating or mounting encrypted virtual drive (Error code: 0xC00F000C)   
    Hello BowForMe,
    In your opening post, you said:
    ESSP Secure Data creates an encryption 'keystore' file called 'premiumkey.dat' in C:\Users\USERNAME\AppData\Local\DESlock+\
    If you delete this directory and the files within, then the encryption key is no longer available and your encrypted USB cannot be decrypted or accessed. Re-installing ESSP and enabling Secure Data will generate a new keystore file, which will NOT work for anything encrypted with a different key.
    If we're lucky, and you still have the directories and files you deleted in the Recycle Bin, then you should be able to restore them and access your USB stick! If not, perhaps you have a Windows backup that you can restore where the DESlock+ directory and files are intact and can be restored to regain access to your USB.
    Failing this, the data on the USB is inaccessible and you will need to format the device for future use.
    Kind regards
    Jay Pritchard
    Encryption Technical Support Engineer III / Team Lead
  3. Upvote
    JPritchard received kudos from NobelDwarf in ESET Full Disk Encryption Recovery Passwords   
    Hello,
    As far as I know, it is not possible to remove recovery passwords from the ESET Protect console.
    I suspect the computer in question has been decrypted and re-encrypted several times. Each time you encrypt a computer (even if it's the same computer) a Workstation ID is generated. This is likely why you're seeing three recovery passwords, but each has a different Workstation ID.
    When resetting a User's password in this manner, always match the index number and the Workstation ID with what the User sees on their computer in the recovery screen.
    Kind regards,
    Jay Pritchard
    Encryption Technical Support Engineer III / Team Lead
  4. Upvote
    JPritchard received kudos from Mauricio Osorio in ESET Endpoint Encryption - How to disable password encryption   
    Hello Mauricio,
    Thank you for clarifying that the user is managed by an EEES.
    I think you need to adjust the Group Policy in your EEES to prevent Users from encrypting data with passwords. This will force them to use encryption keys instead, which are backed up on the EEES itself. This avoids the situation of forgetting passwords entirely.
    Please see my attached image, as this shows the specific Group Policy setting that you need to change. After changing the setting, don't forget to post a key-file update out to the affected Users to push the new settings to their computers.

    For more information on this process, please see: KB7408 - ESET Endpoint Encryption Server group policy settings
    As for pre-existing data encrypted with passwords, it would be best to decrypt and then re-encrypt the data using a key instead.
    Please let me know if you have any further questions.
    Jay Pritchard
    Technical Support Engineer III / Encryption Support Team Lead
  5. Upvote
    JPritchard received kudos from Mauricio Osorio in ESET Endpoint Encryption - How to disable password encryption   
    Hello Mauricio,
    Is the User's ESET Endpoint Encryption client (EEE) managed by an ESET Endpoint Encryption Server (EEES)?
    If so, the encryption keys and recovery data are available in the EEES for the Administrator to decrypt and access the computer and data if necessary.
    However, if the User has a standalone version of EEE installed, then only they know their key-file password and FDE Admin credentials. You may wish to discuss with them sharing these details, however this creates a security risk of sharing important passwords.
    If they are using a standalone version of EEE, then you may want to encourage the User to create a key-file backup and create a backup of their FDE Admin password file ('adminpassword.html'). This file will have been generated at the time they originally performed FDE on their computer. This file is most likely stored on a USB device already.
    For more details, see:
    KB7571 - Back up Key-File in ESET Endpoint Encryption
    As a side note, it is possible to 'adopt' standalone clients into an EEES, so perhaps consider upgrading/purchasing an EEES to provide the means of recovery in such cases.
    I hope this helps!
    Jay Pritchard
    Technical Support Engineer III / Encryption Support Team Lead
  6. Upvote
    JPritchard received kudos from Kstainton in Use existing Secure Data Virtual Drive after windows reset   
    Hello,
    Unfortunately the encryption key tied to your Virtual Drive will have been lost in the Windows reset. Without the key, it is not possible to automatically mount the Virtual Drive; this is why you must enter the password manually each time.
    I recommend creating a new Virtual Drive and copying/moving all contents from the old one to the new one. This will allow you to automatically mount the Virtual Drive as desired.
    Best regards,
    Jay Pritchard
    Encryption Technical Support Engineer III / Team Lead
  7. Upvote
    JPritchard gave kudos to Mr.Gains in ESET Encryption policy   
    Cheers, it doesn't tell me the policy name but it does give me some relief to see the configuration (same custom policy I applied in the installer). Learned something new today, thank you JPritchard
  8. Upvote
    JPritchard received kudos from Rendekovic in ESET Encryption policy   
    Good afternoon!
    The behavior you describe is normal - Policies applied by the installer do not show in the console. However, where EFDE is concerned, you will see the encryption status information on the computer panel here:

    If you want to update the Policy details in the ESET Protect console, then you can press the "REQUEST CONFIGURATION" button. Once processed, you will see the currently applied policies. Here's an example:
    Before

    After

    It might be possible to automate this process, however I don't know enough about ESET Protect to assist you further with this. You may want to ask for further help in the ESET Protect forum or contact support.
    I hope this helps out!
  9. Upvote
    JPritchard received kudos from Mr.Gains in ESET Encryption policy   
  10. Upvote
    JPritchard received kudos from Ufoto in ESET Endpoint encryption and ESMC HTTP proxy   
    Good afternoon,
    I am a technical support engineer for ESET's Encryption product family.
    You have mentioned a few things that I feel need clarifying, some of which may require in-depth explanations in order for you to come to your own conclusion on how best to deploy ESET Endpoint Encryption in your own environment.
    First I feel I need to address an important concept regarding ESET Endpoint Encryption. EEE uses a "cloud proxy", which is our patented technology which simply acts as a pigeonhole (or middleman) for communicating commands/client updates between the EEE server and EEE client workstations.
    If your environment has an Internet proxy to control traffic, then you will need to add your proxy details to your EEE Server.  For complete details on this, please read our article here: KB7607 - Add internet proxy server settings to ESET Endpoint Encryption Server
    Providing everything is configured correctly, your EEE client workstations will be able to communicate with your EEES (through the cloud proxy) as normal.
    Regarding your questions about deployment, I am not familiar with deploying EEE from ESMC itself, but I know there isn't a repository for EEE, so it cannot be installed that way. However, the EEE Server has a "Push Install" feature which allows you to install the EEE client (MSI) on clients across the network.
    Sadly this may not be suitable, as you said your users never connect to your internal network. In which case I would ask, how do you currently manage software deployments for users off your network?
    Regardless, EEE's installer is an MSI file, which can be easily deployed through 3rd party tools. Just ensure your Workstation Policy is configured correctly before generating the MSI for the endpoints, as the Workstation Policy is bundled into the MSI itself. Additionally, depending on your requirements you may need to create a separate Merged Installer for each Workstation Team you have set-up in your EEES. 
    I hope this sheds some light on your situation and what you can do to deploy EEE in your environment.
  11. Upvote
    JPritchard received kudos from Rendekovic in TPM Error   
    I'm pleased to hear that has resolved your issue.
    Have a nice evening 🙂
    -JP
  12. Upvote
    JPritchard gave kudos to Adrianc in TPM Error   
    Yes that was the problem,
    version though is 20H2 OS Build 19242.662
    Thank you for your help.
  13. Upvote
    JPritchard received kudos from Rendekovic in TPM Error   
    Good afternoon,
    I'm sorry to hear about this issue. 
    I suspect you are encountering a known issue with the latest version of Windows 10 2004 (OS build 19042).  You can check what Windows version you are running by typing 'winver' into the Run dialog. I have attached an example:
     
     
    If your computer IS running Windows 10 2004 (OS build 19042), then please check to see if you are missing the UseNullDerivedOwnerAuth registry value found in:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM\WMI
    If it is missing, then you can create it manually by opening an elevated command prompt and entering the following command:
    reg add hklm\system\currentcontrolset\services\tpm\wmi -v UseNullDerivedOwnerAuth -t REG_DWORD -d 0x01 -f
    After running this command, reboot your computer before trying FDE again. This should allow the TPM to be used for encryption. 
    Let me know how you get on.
    - JP