
Kstainton

ESET Staff
  • Posts: 209
  • Days Won: 5

Kudos

  1. Upvote
    Kstainton gave kudos to hari.senen in automatic repair loop when encrypting with efde   
    Thanks, we'll check the flash drive that we used before and send the logs if they still exist on the flash drive.
  2. Upvote
    Kstainton received kudos from hari.senen in automatic repair loop when encrypting with efde   
    Hi,
    You can acquire the required logs via the ESET Recovery USB in the following folder:
    USB:\\efi\boot\logfiles\
    Then submit a ticket via https://www.eset.com/int/support/contact/.
    Thank you.
  3. Upvote
    Kstainton gave kudos to Trooper in EFDE Issue   
    Sounds good.   I will open up a support ticket.  Thanks!
  4. Upvote
    Kstainton gave kudos to AhmedDeban in try to Decrept Full Disk but Secure Boot Failed   
    Dears,
    The issue has been resolved. In the BIOS, I set the supervisor password to NO; after that I was able to change the secure boot.
     
    All the best 
  5. Upvote
    Kstainton received kudos from Peter Randziak in Console login audit   
    Hi @Lockbits,
    I am afraid that I do not, but I shall log this and do my best to update you when I know of a release window.
    Thank you,
    Kieran
  6. Upvote
    Kstainton received kudos from Aryeh Goretsky in ESET Full Disk Encryption / FDE / problem after changing hardware   
    Hi @MartinM,
    Changing Hardware shouldn't be an issue unless you are using the TPM for Encryption and are changing the Motherboard. As the TPM is tied to the Motherboard, it is simply not possible to change it without there being issues, and you will need to decrypt the disk using the ESET Recovery Utility and the 'efderecovery.dat' file, which it sounds like you have already been using for decryption.
    If you are planning on changing the Motherboard for reasons outside of a failure of the Motherboard, I would suggest decryption using the normal means instead and then changing the Motherboard for the new one. This is instead of changing it and then using the ESET Recovery Utility to decrypt.
    As for Windows being stuck in a loop, where Windows is attempting to perform a 'Check Disk', would you mind submitting a support case to your local ESET Technical Support office: https://www.eset.com/int/support/contact/. I would be interested to get more details about this issue.
    Thank you,
    Kieran
  7. Upvote
    Kstainton received kudos from Heterz in Full disk Encryption error: your computer is already encrypted by Bitlocker   
    Hi @Heterz,
    Thank you for letting us know, I suspect Bitlocker automatically encrypted your main HDD for the following reason as stated on one of their articles:
    "BitLocker automatic device encryption uses BitLocker drive encryption technology to automatically encrypt internal drives after the user completes the Out Of Box Experience (OOBE) on Modern Standby or HSTI-compliant hardware."
    Source: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-bitlocker
    Thank you.
    Kieran
  8. Upvote
    Kstainton received kudos from Heterz in Full disk Encryption error: your computer is already encrypted by Bitlocker   
    Hi @Heterz,
    May I ask you to do the following for me just to confirm that BitLocker is indeed disabled on your machine:
      1. Open an Elevated Command Prompt
      2. Enter 'manage-bde -status'
      3. Send us a screenshot of the output please?
    If we confirm that BitLocker is in fact 100% decrypted, we will need to request additional logging (https://support.eset.com/en/kb7123-eset-encryption-diagnostics-tool) and a support case to be submitted to your local ESET Support Office via the following link: https://www.eset.com/int/support/contact/
    Thank you,
    Kieran
  9. Upvote
    Kstainton gave kudos to razec06 in EFDE Decryption/Uninstallation Procedures   
    Hi @Kstainton,
    Thank you for this. This cleared up my concern in using EFDE.
     
  10. Upvote
    Kstainton received kudos from razec06 in EFDE Decryption/Uninstallation Procedures   
    Hi @razec06,
    Upon deleting an EFDE Encrypted Workstation from the EP Console it does not delete the Recovery Data needed to generate an efderecovery.dat file.
    Therefore you can still use the following article: https://help.eset.com/efde/en-US/recovery_data.html using the Workstation ID to create the efderecovery.dat file.
    The Workstation ID is found at the bottom of the EFDE Pre-boot login screen.
    Please note: EFDE can only be decrypted using the ESET Recovery Media Creator and the efderecovery.dat or via a decryption policy sent from the EP Console.
    Thank you.
    Kieran.
  11. Upvote
    Kstainton gave kudos to NuclearSSD in EFDE Pre Boot Additional Keyboard Layouts   
    I think what Marc wanted was to install the additional keyboard.
    https://help.eset.com/efde/en-US/add_remove_keyboard_layouts.html
    This should do the trick
  12. Upvote
    Kstainton gave kudos to NobelDwarf in Endpoint Encryption and BitLocker   
    This happens all the time with me with laptops that have secure boot enabled: BitLocker encrypts the drive in the background but doesn't fully turn it on. Once I have turned it on, saved the key, then removed the encryption, it fixes the issue and you can use ESET Encryption.
  13. Upvote
    Kstainton received kudos from Trooper in Error Installing FDE   
    Amazing! Thank you for letting us know it is working for you
    Kieran
  14. Upvote
    Kstainton received kudos from Zac French in Meta data signature is incorrect   
    Hi @Zac French,
    This one will require more in-depth investigation by the Development Team for ESET Encryption. Could you acquire the following logs for us and submit a ticket via https://www.eset.com/uk/about/contact/
    Meta Data Search Logs: https://support.eset.com/en/kb7894-eset-encryption-recovery-utility-diagnostics#SearchForMeta
    Thank you,
    Kieran
  15. Upvote
    Kstainton received kudos from PinkConnectMark in Windows 11 and ESET Full Disk Encryption // EEE   
    Hi @secured2k,
    Thank you for getting in touch, here is the KB that you requested regarding the ESET Windows Updater Utility: https://support.eset.com/en/kb7148-manually-install-windows-10-feature-updates-on-a-full-disk-encrypted-fde-system
    The error you are running into is due to the disk not being accessible during the update, as it is Encrypted and Windows has not been told to use the Encryption Drivers in order to access the disk. This utility solves that problem by passing the required switches to allow Windows to use the Encryption Drivers and thus be able to access the disk.
    Thanks,
    Kieran 
  16. Upvote
    Kstainton received kudos from PinkConnectMark in Windows 11 and ESET Full Disk Encryption // EEE   
    Hi @secured2k,

    Here is a KB with some more technical details about what the tool is doing: https://support.eset.com/en/kb7394-technical-details-regarding-eset-endpoint-encryption-and-windows-feature-updates. It also explains how you can do this via the WSUS method, providing the relevant Microsoft articles required to do this.
    The problem is that the driver is not available in the Windows installation image. Windows Feature updates contain a .wim image which uses Windows RE (Recovery Environment).
    During the update the system boots to this image to perform the upgrade of the OS. This environment does not automatically use any extra drivers.

    What we do to perform the upgrade is use a feature of the setup to “reflect” the drivers through to the installation image:
      • Setup.exe command line switches - This is how the ESET Endpoint Encryption Windows Feature Updater Utility does it
      • SetupConfig.ini - This is supported by Windows Update or WSUS
  17. Upvote
    Kstainton received kudos from Aryeh Goretsky in Moving Encrypted drives to new hardware   
    Hi @rjanz,
    I am going to have to target specific sections of your posts to answer as best as I can for you here.
    Question: “While testing the ESET Full Disk Encryption product we found that we can successfully move the drives to a new desktop (different TPM, CPU, mobo etc) and we’re able to successfully boot into Windows. This completely defeats the purpose of encrypting the drives with a TPM. In our configuration we don’t have the login password set as the computers live in facility”
    Answer: Using the TPM with EFDE, the encryption key is protected using the TPM. This means when the user enters their password, this is used along with the TPM and other information to provide access to the Disk Encryption Key. In this situation if a disk is moved to another machine the system will not be able to boot because the original TPM is required to access the Key.
    Using the authentication bypass, either the “Pause Authentication” task or the “Disable FDE Authentication” policy, creates a special temporary “user” that is capable of booting the system without a password or TPM. The presence of this “user” causes the system to boot automatically. However, this does as you mentioned mean that the TPM is not used when in this mode. So it is possible to boot when the disk is put in a different computer.
    We do understand your observation and we are planning an update to EFDE to use the TPM when the authentication is disabled. At this stage I do not have any information as to when this might be available.
    Question: “I read in this forum post that the ESET Encryption Boot files are stored in EFI System Partition (ESP). Why?” “Please correct me if I’m wrong. What exactly are the ESET Encryption Boot files? Does this include the encryption keys? Are those keys really stored in the TPM? I’m trying to understand why we can boot into the OS on new hardware”
    Answer: The EFDE boot files reside on the ESP as this is where the UEFI BIOS looks for the primary boot application to begin the boot process. This is quite standard, the same as the Microsoft boot files are on the ESP. The UEFI BIOS loads the EFDE bootloader, which provides the user interface for the user to enter their credentials and to perform the process necessary to decrypt the operating system as it loads.
    The Disk Encryption Key is not stored on the ESP. The Key is obtained cryptographically using the user's credentials, the TPM if used and other information from the system. EFDE uses meta data that is stored in the main system partition.
    Question: “One more, I just discovered the EFI is not encrypted so you can boot into another OS and read these files. Why!?”
    Answer: As mentioned in the previous answer, the UEFI BIOS loads the boot file from the ESP, so it cannot be encrypted otherwise the UEFI would not be able to load and run the primary boot file. The ESP is a small FAT32 partition and should not contain any sensitive data. The main Operating System partition is always encrypted along with other data partitions depending on which policies were set from the ESET Protect console.
    Thank you,
    Kieran
  18. Upvote
    Kstainton received kudos from Ufoto in Endpoint Encryption and mobile devices   
    Hi @Ufoto,
    The EEE Server / EEE Client cannot do this directly at the moment; we may look into this for a future addition to our software.
    The reason why it cannot do it at the moment is because RME uses a File System Filter Driver so it works with devices that expose a file system. Mobile Devices do not provide a file system, they use Windows Portable Devices which I can see from your previous messages you have a complete understanding of.
    I am afraid at this time you will need to set up Read/Write permissions using your GPO for WPD devices. I do apologize if this causes any inconvenience.
    Thank you.
    Kieran
  19. Upvote
    Kstainton received kudos from Ufoto in Endpoint Encryption and mobile devices   
    Hi @Ufoto
    File Encryption is also not possible. The way I should have put it is that Removable Media Encryption, whether it be FDE or File, is not possible on a Mobile Device.
    Thank you.
  20. Upvote
    Kstainton gave kudos to NuclearSSD in EFDE - Failed to take TPM ownership   
    Alrighty then, if anyone else gets this, it seems that if you have the dreaded Windows \ Office 365 TPM Issue, like this one https://answers.microsoft.com/en-us/outlook_com/forum/all/error-code-80090016-trusted-platform-module-has/c0588197-a33a-423f-bcb0-4ab5cda58928 then you need to fix that first.
  21. Upvote
    Kstainton gave kudos to JPritchard in Use existing Secure Data Virtual Drive after windows reset   
    Hello,
    Unfortunately the encryption key tied to your Virtual Drive will have been lost in the Windows reset. Without the key, it is not possible to automatically mount the Virtual Drive, this is why you must enter the password manually each time.
    I recommend creating a new Virtual Drive and copying/moving all contents from the old one to the new one. This will allow you to automatically mount the Virtual Drive as desired.
    Best regards,
    Jay Pritchard
    Encryption Technical Support Engineer III / Team Lead
  22. Upvote
    Kstainton gave kudos to DuncanH in Windows 11 Insider Preview 22593.1 (ni_release) update failure trashes FDE drivers.   
    Hi Brian, 
    Thanks for the report.
    Please can you tell me, what were you updating from? A previous Windows 11 or Windows 10?
    Also are you using ESET Endpoint Encryption managed by the EEE Server? If so was your laptop encrypted using the TPM? 
    We are aware of issues with upgrading to Windows 11 where the TPM becomes disabled during the upgrade. In these cases the TPM needs to be turned back on in the BIOS.
    Duncan
  23. Upvote
    Kstainton received kudos from Mr.Gains in ESET Encryption- Couldn't find a bootable OS error   
    Hi @Mr.Gains,
    It very much sounds like you are running into an issue we have documented here: https://support.eset.com/en/kb7132-use-eset-endpoint-encryption-with-microsoft-surface-devices#FDE regarding MS Surface Pro 7+ running into a Boot Configuration issue during Safe Start.
    Thank you,
    Kieran
  24. Upvote
    Kstainton received kudos from DuncanH in ESET Encryption- Couldn't find a bootable OS error   
    Hi @Mr.Gains,
    It very much sounds like you are running into an issue we have documented here: https://support.eset.com/en/kb7132-use-eset-endpoint-encryption-with-microsoft-surface-devices#FDE regarding MS Surface Pro 7+ running into a Boot Configuration issue during Safe Start.
    Thank you,
    Kieran
  25. Upvote
    Kstainton received kudos from PaulOkello in Formating an encrypted disk   
    Hi @PaulOkello,
    I would advise you format your disk using DiskPart -> clean all (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clean) which will clean all of the sectors on the disk fully.
    Note that the ESET Encryption Boot files are not stored within the BIOS rather the EFI System Partition (ESP), so formatting the Disk completely will remove these files and you will not need to enter your FDE Password again or remove it manually.
    You shall then be able to freshly install Windows and start again.
    However, we might be able to assist you in decrypting the Disk if we can understand why you were not able to use the Recovery Password. What did it say when you attempted to use the Recovery Password?
    Also, have you attempted to use the Recovery Data to decrypt the Disk by any chance: https://help.eset.com/efde/en-US/recovery_data.html using our ESET Recovery Utility?
    Thank you,
    Kieran