Windows 11 Insider Preview 22593.1 (ni_release) update failure trashes FDE drivers.

[bcraigie 0]

This is a heads-up for you.  Before you say it, I know that you're going to say that you don't support insider builds, but if someone doesn't test it, how are you going to know the problems that will come up?

So yesterday, I tried to apply Windows 11 Insider Preview 22593.1 (ni_release) update to my laptop which was Full Disk Encrypted with ESET Endpoint Encryption 5.1.1.14.  The update failed and tried to roll back, but left the machine un-bootable as the rollback also removed the FDE boot login.

I was able to recover by using a USB stick with the ESET recovery tool on it to decrypt the drive, but that took 8 hours on my 2TB NVMe drive.

I just wanted to let you know.  I have also provided feedback to M$.  If you wish more information about my setup, just let me know.  I hope you'll pass this on to the developers.

Thanks

Brian

[DuncanH 1]

Hi Brian, 

Thanks for the report.

Please can you tell me, what were you updating from? A previous Windows 11 or Windows 10?

Also are you using ESET Endpoint Encryption managed by the EEE Server? If so was your laptop encrypted using the TPM? 

We are aware of issues with upgrading to Windows 11 where the TPM becomes disabled during the upgrade. In these cases the TPM needs to be turned back on in the BIOS.

Duncan

[bcraigie 0]

Hi Duncan,

Yes, it was just an update to an existing Windows 11 (Insider) version.  This is a standalone ESET encryption and the TPM is still enabled.

🙂

Brian

[JPritchard 11]

Hi Brian

I have run a test in a virtual environment this morning and I did not encounter any issues installing the afforementioned update on an encrypted virtual machine.

In my attached screenshots, you can see I installed the same Insider Preview 22593.1 (ni_release) update:

I did nothing special, I simply installed Windows 11 from scratch, installed EEE v5.1.1.14, performed FDE using the TPM in PIN mode, joined the Windows Insider Program (on the beta branch) and then checked for updates to allow the computer to download and install the update.

During the update, the computer rebooted several times which required me to enter my pre-boot credentials (PIN code), but the actual update was successful and I could sign into Windows as normal. My second screenshot shows the update was successfully installed and shows the build number:

If you can reproduce the issue, then please let me know the exact steps you have taken and I'll try again 🙂

And if you do manage to reproduce the issue, then there might be some log files that will help us identify what environmental variables are involved to help us reproduce the issue.

Best regards,

Jay Pritchard
Encryption Technical Support Engineer III / Team Lead

Edited April 11, 2022 by JPritchard

[bcraigie 0]

Thanks for checking it out. :-)

I think the difference is that for whatever reason, the windows update on mine failed, then rolled back, and it seems that in the process of it rolling back it also removed the FDE login drivers, so the partition was no longer unlocked/unlockable.

I'm speculating that the update failed at a crucial point that left the FDE driver missing from the system.

I'll re-encrypt the drive and see what happens when the next Windows update comes along.

Warmest regards,

Brian