Release Notes Full Disk Encryption 25.4
About Full Disk Encryption
Matrix42 Full Disk Encryption provides strong authentication and protection for standard hard disks via sector-based Full Disk Encryption (FDE) and Pre-Boot Authentication (PBA). This provides perfect ‘turn-off-protection’, which means that the implemented security mechanisms provide the highest security for the operating system, as well as for the data – provided the computer is turned off at the time of theft. The optional use of a security token or smart card at pre-boot is the high-end solution for secure key management in conjunction with two-factor authentication.
Release Process
This release will initially be made available via a Controlled Rollout, and this article provides all relevant technical background and changes. While the new Full Disk Encryption version may technically be accessible via the Marketplace, it is only officially released for customers who are approved participants of the Controlled Rollout. Please ensure that you do not deploy the new version in production environments unless you have received explicit clearance from Matrix42. As announced in the Endpoint Data Protection 25.0 Release Notes, you can sign up for the Controlled Rollout by sending an e-mail to product@matrix42.com.
Before you Start
Please note that this version is not yet publicly available and is provided only to participants in the Controlled Rollout. Before proceeding, we strongly recommend that you review the Release Notes from the previous version to familiarize yourself with the key changes and improvements. In addition, please refer to the relevant KB article for details on updates and instructions specific to the Controlled Rollout. Following these steps will help ensure a smooth update and proper understanding of all changes included in this version.
Key Highlights
User Capturing Improvements
Due to differences between Windows 10 and Windows 11, not all scenarios for adding or updating users and changing passwords were fully covered in previous Technical Previews. To align the functionality with the latest official Full Disk Encryption 22.0 Update 1 release, the user capturing procedure in Full Disk Encryption 25.4 now uses the modern Windows Credential Provider (GetSerialization) instead of the older logon event hooks.
For password changes, the following scenarios are now fully supported:
- User changes their password on their own workstation via CTRL + ALT + DEL
- User changes their password on a different machine
- Administrators change the password for a user in Active Directory
It is important to bear in mind that users must enter their old password once more to pass the pre-boot authentication. Windows authentication will then fail because that password is no longer valid. Users then log in to their machine with the updated password, which is synchronized with the Pre-Boot Authentication the next time the machine boots. From then on, users pass the pre-boot authentication with their current password.
For adding first-time or additional users to Pre-Boot Authentication, the following scenario is now supported:
- Adding users from Active Directory via the Management Console
The issue we addressed here applies when an administrator adds a new user from the Active Directory to pre-boot authentication. In most cases, the administrator would leave the password field empty because they do not know it. The newly added users will then need to enter an empty password to pass the pre-boot authentication. Windows Authentication will then fail due to the incorrect password. The user will then log in with their current credentials, at which point the issue occurs. Typically, you would expect that, after rebooting the system, the updated password would be synchronized with the pre-boot authentication. This was not the case in previous technical releases. This new version covers this use case, and the entered password is now synchronized with the pre-boot authentication immediately.
Emergency Recovery Tool
The Emergency Recovery Tool allows machine recovery in critical scenarios using Windows Preinstallation Environment (WinPE). Unlike Windows 10, Windows 11 no longer preloads volumes, which previously could cause issues accessing Emergency Recovery Information from the cache or physical storage. In this update, the application loads the volumes itself, ensuring that recovery scenarios work reliably on both Windows versions.
Log Capturing Improvements
In support cases, pe_erd_w32.exe can be used to capture logs from all Full Disk Encryption components, including UEFI and the Windows Recovery Tool. In the Full Disk Encryption release, you will find the compressed Extension Packages archive containing winpe-x86-64.zip, which includes pe_erd_w32.exe under the DE or EN folder. With this update, the tool automatically attempts to acquire administrative privileges before capturing logs, preventing empty or incomplete log entries. This simplifies log collection and review for support cases, especially when the user is unaware of the “Run as Administrator” option.
Recommended Approaches for Updating
Before updating to the latest Full Disk Encryption version, please review the Update Guide: Full Disk Encryption and the recommended approaches below before you start with the update.
- Assess Your Environment and Feature Requirements: Determine whether features like Secure Boot or Pre-Boot Authentication (PBA) are required in your environment. Both are supported, but optional.
- Pilot in a Controlled Group: Begin with a small test group to validate boot behavior, deployment compatibility, and feature configurations, especially when using Secure Boot or PBA.
- Update Deployment Package: Download and use the latest FDE deployment.zip package from the Technical Preview section, which includes the Microsoft-signed bootloader and 64-bit binaries. Ensure no legacy boot components or 32-bit files are used.
- Use EgoSecure Data Protection Console (Optional): If you plan to remotely deploy FDE via the EgoSecure Data Protection Console, ensure that your environment is running Endpoint Data Protection version 25.0 or higher, as earlier versions are not compatible with this release.
- Check User Account Configurations (PBA Only): For environments using PBA, verify that target user accounts are not tied to Windows Hello for Business or enforced Microsoft/Live IDs, as these are not supported for password capturing.
- Communicate Password Change Handling (PBA Only): When users change their Windows password, the new password will be captured after their next interactive login. Until then, users need to use their old password one more time to pass the PBA screen.
- Remove Legacy 32-bit Deployments: Ensure all deployment targets are 64-bit systems, as 32-bit support has been discontinued and removed from the new package.
- Track and Document the Rollout: Maintain a deployment record, including pilot results, rollout status, and update history to support compliance and internal reporting.
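As an added example (not Matrix42's own tooling), the following PowerShell function checks a candidate pilot machine against the PBA-related prerequisites above: 64-bit OS, Secure Boot state, Microsoft/Live ID local accounts, and an enforced Windows Hello for Business policy. It assumes it runs elevated on the target machine and that an enforced Windows Hello for Business GPO is recorded under the PassportForWork policy key (an assumption; adjust to your own policy source).

```powershell
# Added example, not part of the Full Disk Encryption package.
# Assumptions: runs elevated on the target machine; the SecureBoot module is available;
# an enforced Windows Hello for Business GPO writes Enabled=1 under the PassportForWork key.

function Test-FdePbaPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. 32-bit support was removed from the package: the OS must be 64-bit.
    $result['Is64BitOS'] = [Environment]::Is64BitOperatingSystem

    # 2. Secure Boot is supported but optional; record its state so the pilot group
    #    covers machines with and without it. Confirm-SecureBootUEFI throws on
    #    legacy BIOS machines, so treat an error as "not UEFI".
    try {
        $result['SecureBootEnabled'] = Confirm-SecureBootUEFI
        $result['UefiFirmware'] = $true
    } catch {
        $result['SecureBootEnabled'] = $false
        $result['UefiFirmware'] = $false
    }

    # 3. Microsoft/Live ID accounts are not supported for password capturing.
    $msaUsers = Get-LocalUser | Where-Object { $_.PrincipalSource -eq 'MicrosoftAccount' }
    $result['MicrosoftAccountUsers'] = @($msaUsers | Select-Object -ExpandProperty Name)

    # 4. Windows Hello for Business is not supported for password capturing either.
    #    Assumption: an enforced GPO writes Enabled=1 under this policy key.
    $whfbKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $whfbEnabled = $false
    if (Test-Path $whfbKey) {
        $value = Get-ItemProperty -Path $whfbKey -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -ne $value -and $value.Enabled -eq 1) { $whfbEnabled = $true }
    }
    $result['WindowsHelloForBusinessEnforced'] = $whfbEnabled

    # A machine is PBA-ready only when every blocking condition is clear.
    $result['PbaReady'] = $result['Is64BitOS'] -and
                          ($result['MicrosoftAccountUsers'].Count -eq 0) -and
                          (-not $whfbEnabled)

    [pscustomobject]$result
}

# Example usage: record the outcome per pilot machine for the rollout documentation.
Test-FdePbaPrerequisites | Format-List
```

Export the returned object (for example with Export-Csv) per machine to build the deployment record recommended in the last step.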
Questions and Support
As this release is being rolled out as part of a Controlled Rollout, unforeseen issues may still occur in certain environments. If you experience problems or have questions during testing or deployment, please do not hesitate to contact Matrix42 Support. We are committed to assisting you as quickly as possible and will work with you to analyze any issues that arise. Please note, however, that due to the early rollout phase, we cannot guarantee immediate fixes in all cases. We greatly appreciate your feedback and cooperation as we continue to stabilize and improve the release.