
Technical Details regarding DESlock+ and Windows Feature Updates (version 4.9.0+) - Kennisbank / ESET Endpoint Encryption - ESET Tech Center



Windows Update and WSUS Method

See: KB379 - Installing Windows 10 Feature Updates on an Full Disk Encrypted (FDE) system

For a machine to install Windows Feature updates while Full Disk Encrypted (FDE) with DESlock+, we must make the encryption drivers available to Windows during the installation of an update. To do this we create a file called SetupConfig.ini stored inside the following directory:

C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\

Please note, if you are already using a customized SetupConfig.ini file as part of your update process, then please ensure it has been fully tested alongside DESlock+ before rolling the update out to end users.

We use the SetupConfig.ini file to pass the /ReflectDrivers switch to Windows during the update process. This makes the necessary encryption driver available to Windows so that it can access the disk correctly during the update. Without this switch, Windows cannot read the encrypted disk correctly and the update process fails.

After Windows has successfully installed an update, we use the PostOOBE switch to run a script. This script creates the necessary entries to allow Windows to update correctly again in future.
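To check that an existing or customized SetupConfig.ini still carries both settings described above, a small audit can be run before a feature update is released to users. This is an added example, not ESET's own tooling; the function name `Test-SetupConfig` is hypothetical, the `[SetupConfig]` section and `name=value` layout follow Microsoft's documented format for this file, and the sample paths are constructed placeholders.

```powershell
# Added example: audit SetupConfig.ini for the two settings the article relies on.
function Test-SetupConfig {
    param(
        # Default is the location given in the article.
        [string]$Path = 'C:\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Settings = @{}; Issues = @('SetupConfig.ini not found') }
    }

    # Collect name=value pairs from the [SetupConfig] section only.
    $settings = @{}          # PowerShell hashtable keys are case-insensitive
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = $line.Trim()
        if ($text -eq '') { continue }
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'SetupConfig')
            continue
        }
        if (-not $inSection) { continue }
        $name, $value = $text -split '=', 2
        $settings[$name.Trim()] = if ($null -ne $value) { $value.Trim().Trim('"') } else { '' }
    }

    # Both settings must be present and must point at something that exists.
    $issues = @()
    foreach ($key in 'ReflectDrivers', 'PostOOBE') {
        $target = $settings[$key]
        if ([string]::IsNullOrWhiteSpace($target)) {
            $issues += "$key is not set"
        } elseif (-not (Test-Path -LiteralPath $target)) {
            $issues += "$key points to a missing path: $target"
        }
    }
    [pscustomobject]@{ Path = $Path; Settings = $settings; Issues = $issues }
}

# Constructed sample; both paths are placeholders, not the ones DESlock+ writes.
$sample = Join-Path $env:TEMP 'SetupConfig.sample.ini'
@'
[SetupConfig]
ReflectDrivers="C:\Placeholder\EncryptionDrivers"
PostOOBE=C:\Placeholder\setupcomplete.cmd
'@ | Set-Content -LiteralPath $sample
(Test-SetupConfig -Path $sample).Issues
```

Called without `-Path` on an encrypted workstation, the function reads the file at the location named in this article; an empty `Issues` list means both settings are present and resolve to existing paths.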

Windows Media Creation tool (ISO)

See: KB462 - How to manually install Windows 10 Feature Updates on an Full Disk Encrypted (FDE) system

The DESlock+ Windows Update utility uses the ‘/ConfigFile’ switch to point Windows in the direction of the SetupConfig.ini file. This then works as above.

Additional Information

Windows Setup Automation Overview

Windows Setup Command Line Options
