Overslaan naar hoofdinhoud

How to start a system that is Full Disk Encrypted - Kennisbank / ESET Endpoint Encryption - ESET Tech Center

How to start a system that is Full Disk Encrypted

Lijst van auteurs

When the system boots you will be presented with a menu that contains three items.  To start the machine and boot into Windows, press the enter key with the 1. Start System item selected.  You will be prompted for your username and password.  Once these are entered correctly the system will continue to load Windows.

When attempting to boot the machine you may receive an error message if the login is unsuccessful. 

The possible error messages are detailed below:

  • User not found - indicates the username being entered is incorrect.  This can also be displayed if the machine has been disabled on purpose from the Enterprise Server.  In most cases the username being entered will be incorrect.
  • ACCESS DENIED - PRESS ANY KEY - indicates the username was recognised but the password is incorrect.
  • User is disabled - indicates that the correct username was entered but previously too many incorrect passwords have been used and the account is now disabled.  Even if the correct credentials for that user are now supplied the system will not boot.  You will need to start the system using a different user account or if it is managed by an Enterprise Server a recovery password as detailed below.
  • No recovery information - This indicates that you have attempted to use option 2. Lost details for a user that exists on the system but does not have recovery information.  The Lost Details menu is used for clients managed by an Enterprise Server only as detailed in the Recovery Logins section below.  Attempting to use this menu with a standalone client will result in this warning.

If you are being returned the ACCESS DENIED message you should check the following:

  • Ensure that the password you are entering is exactly correct.  Passwords are case sensitive
  • Entering your password into the username field will allow the characters to be displayed on screen in order to verify what you are typing is being received by the system as you expect.  You should only do this while no one is observing your entry.  The entry is affected by the keyboard layout being used as detailed below.

Keyboard layout

In the top right corner of the screen the bootloader version number is displayed.  If the system is using UEFI the version number will end with a letter U.  Depending on the version present the key map defining the keyboard layout for entry can be altered as detailed below:

Bootloader v1.99/2.3.13U or earlier (client v4.7.8 or earlier)

The pre-boot login screen uses EN-US keymap by default.  This may be different to the keymap you are used to.  It is possible to switch to EN-UK keymap by pressing the Alt and K keys together.  The current keymap is indicated in the lower left corner of the login screen.  Changes to keymap are not remembered between sessions.

Bootloader v2.8/2.3.23U or later (client v4.7.85 or later)

The pre-boot login screen will use the same keymap as was in effect when the password was entered to start encryption.  The keymap can be cycled through the available options by pressing the F2 key.  The current keyboard map is displayed in the lower left corner of the screen.

Once the user has successfully entered their details and the system started, the keymap used will be remembered the next time the system starts.

When entering your password, pressing the F5 key will show the password you have entered.  You should only do this while no one is able to observe your password entry.

It should be noted that on some keyboards, most commonly laptop keyboards, it is required that you press the Fn key and a number key in order for the F2 keypress to occur.  Please check with your machines documentation if you are unsure.

 

Recovery logins

If the system is managed by an Enterprise Server then it is possible to boot the machine using a recovery password and set a new password for the user.  Recovery passwords are obtained from your Enterprise Server help desk.  Please see this article for details of the recovery process: How do I reset a managed user's Full Disk Encryption password?

On a standalone system the Lost Details menu item does not perform any action.

 

Administrator logins

When starting Full Disk Encryption there are two login accounts created as part of the start process.  These will be an admin login and a user login.  Further user logins can be added once encryption has started.

The admin login can be used in the circumstance that the user logins are not functioning.  Depending if the system is managed by an Enterprise Server or standalone the procedure to find the admin password that was used is different as detailed below.

Enterprise Server Managed

Normally the recovery logins would be used in a managed environment.  However if for some reason that is not possible the admin account will allow the system to boot.  Your admin should know the details of this login and be able to use them to boot the system.  If they are unable to remember the admin password that was specified, it can be viewed from the Enterprise Server by following the steps below:

  • Login to your Enterprise Server.
  • Select the Workstations branch of the left hand tree view.
  • Select the workstation in the list.
  • Click the Details button.
  • Select the FDE Logins tab.
  • Select the admin user in the FDE Logins list (they will have a red user icon and type of Admin).
  • Click the Change button.
  • Click the Set Password tickbox.
  • Click the Show button.
  • The admin password that was set when you sent the encryption command will be displayed.
  • Click Cancel.

 

 

Standalone

The standalone client forces the admin password to be saved when Full Disk Encryption is started.  This account is linked to the username 'admin'.  There are more details of this login here: Why do I need an admin password?

 

Can I use a Wireless or Bluetooth Keyboard?

You may have a wireless or bluetooth that you use with your PC or tablet. Bluetooth keyboards cannot be used in the full disk encryption (FDE) login screen due to the required bluetooth stack not running until Windows starts. Due to the FDE login screen launching before Windows does, a bluetooth device will not work with it.

However, a wireless keyboard may work. If the wireless keyboard works correctly in the BIOS then it should work in the pre-boot FDE login screen. You may need to ensure that the BIOS allows Legacy USB Emulation.

Alternatively, an external keyboard that is physically connected to the machine will work, such as a USB cabled keyboard.

 

Keywords: forgotten locked keyboard wireless bluetooth start fde full disk encrypted pre boot login access denied user is disabled not found

Reactie toevoegen

Log in of registreer om een reactie te plaatsen.

Heeft u een wachtwoordherinnering nodig?