The Automatic Full Disk Encryption (FDE) feature allows the ESET Endpoint Encryption (EEE) client to immediately begin FDE after being installed on a workstation. Usually a command would need to be sent from the EEE Server to a target workstation in order to start the FDE process after activating a user.

In this mode, no credentials will be required to boot the system until the first user has activated. During activation the first user with an Pro licence on this workstation will be prompted to choose a password with which to boot the system. At which point the FDE username, recovery information and Admin FDE credentials will be visible in the Server and the workstation will operate normally.

Although you can use FDE in this manner, it is strongly recommended that you activate a Pro licence as soon as possible to ensure the workstation is fully secured. Automatic FDE is not a replacement for starting FDE from the Server as shown in the article below:

KB101 - Starting Full Disk Encryption using the ESET Endpoint Encryption Server (managed)

It is designed to ensure the workstation is encrypted prior to user Activation, for example where a system administrator prepares the laptops before distributing to end users or if the end users are currently unknown.

Note: This feature is available from the Server version 2.9.0 and Client version 4.9.0 onwards, and will only work when performed as a 'fresh' install, not an upgrade from a previous version.

What will be encrypted?

• Only the 'Boot' disk will be encrypted. If you have more than one disk to encrypt, the secondary disk will need to be encrypted manually.
• Only compatible Partitions with drive letters will be encrypted.
• Only Software encryption mode is used, OPAL is not available.
• Only standard Username and Password authentication is used, TPM modes are not available.

Step 1: Enabling the feature

• Open the ESET Endpoint Encryption Server Program Files folder (Program Files (x86) on a 64bit OS).
• Edit config.cfg with a text editor.
• Add the following to the bottom of the file:  
      EnableAutoEncryptPolicy=true
• Save the file and Login to the EEE Server.

Step 2: Configuring the Workstation Policy

• Navigate to your workstation policy Full Disk Encryption settings. Please see the article below for more information:

KB229 - How do I modify workstation policy?

• Change the configuration of Automatically start encryption after installation to Yes.
• Enter the number of Password and Recovery attempts you wish the user to have at the pre-boot FDE login page.
• Enter the number of Recovery uses you wish the user to have.
• Enter an FDE Administrator Username by default this is set to 'admin'.
• Select whether you would like to enable the user with Single (Sign-On SSO) (Requires the user to be activated with Self Enrolment) Please see the article below for more information:

KB187 - What is Single Sign-On (SSO)?

Note: If you are using Self-Enrolment to activate workstations and have previously sent an FDE command to another machine, the FDE Administrator password that was used will be set as a default. If not, a randomly generated password will be created which can be seen in the FDE logins window. Please see the article below for more information:

KB316 - How do I change my Full Disk Encryption password?

Step 3: Install Client Software

• Install the EEE client software by pushing the install over a LAN or downloading an MSI from the EEE Server manually. Please see the article below for more information:

KB253 - Installing a managed version of ESET Endpoint Encryption

• Once the software has installed, on reboot Safe Start will take place. Please see the article below for more information:

KB177 - What is Full Disk Encryption Safe Start?

• The FDE process will then begin, indicated by the warning dialog and progress bar.

Step 4: Activation

Note: This step is not necessary if you have activated using Self Enrolment.

• You will then be required to supply the activation details.

KB216 - How do I activate a managed version of ESET Endpoint Encryption?

Step 5: Enter FDE pre-boot password details

Once you have entered the activation details you will be required to enter a pre-boot password. If you have Self Enrolment enabled and have chosen to set your user with an SSO type login, you will be required to verify your domain login credentials.

• Normal user dialog:

• SSO enabled dialog: (Self Enrolment Only)

Kewords: auto start fde full disk encryption automatically automatic