Encryption management

Management of encrypted workstations consists of pre-boot login management.

You can access these options from Computer Details -> Overview -> Encryption tile -> Manage, or by executing the maintenance mode tasks and policy options (Windows).


Important information

All EFDE tasks are executed only after the ESET Management Agent receives the task during the agent replication process (usually the next time the agent connects to the management server after the task is executed). The computer must be booted into Windows for the agent to receive the information about the task. The pre-boot login screen is not a sufficient state for the agent to execute these tasks.

Invalidate FDE login password (Windows) - This task will immediately invalidate the current login password and prompt the user to change their login password in the EFDE client GUI. If the user does not change their password in the EFDE client GUI and shuts down the device, they will be prompted to change the password on the pre-boot login screen the next time the device is booted.

Generate new FDE recovery password (Windows) - This task will immediately invalidate the current login password and generate a new one that can be provided to the user by the administrator.

Restore Access (Windows, macOS)

o Recovery password (Windows, macOS) - generates the recovery password that the user uses to set up a new login password.

o Recovery data (Windows, macOS) - generates the decryption file required for encryption recovery.

Block Access (Windows)

o Block FDE login password (Windows) - This task will disable the pre-boot login on the device after the device's next reboot. The Recovery password is required to set a new pre-boot login password before the user can log in on the device. In this state, the user cannot change their login password at the pre-boot login screen, even if this is enabled by the EFDE configuration policy.

o Wipe FDE login password (Windows) - This task will cause a BSOD on the device immediately after it is executed on the device. The FDE login is wiped on the device, and the user is blocked from any attempt to log in. User login, password change, and password recovery are disabled in this state. The only option is encryption recovery with an encryption recovery drive.