
Release Notes Full Disk Encryption 25.0 Update 1

About Full Disk Encryption

Matrix42 Full Disk Encryption provides strong authentication and protection for standard hard disks via sector-based Full Disk Encryption (FDE) and Pre-Boot Authentication (PBA). Together these provide ‘turn-off protection’: the implemented security mechanisms give the highest level of protection for the operating system and for the data, provided the computer is turned off at the time of theft; a machine that is powered on or suspended at that moment lies outside this protection model. The optional use of a security token or smart card at pre-boot is the high-end solution for secure key management in conjunction with two-factor authentication.

Release Process

We are preparing the rollout of a new version of Full Disk Encryption, with several security, compatibility, and platform updates. This release will initially be made available via a Controlled Rollout, and this article provides all relevant technical background and changes.

We are planning to begin the Controlled Rollout on May 21st, 2025. While the new Full Disk Encryption version may technically be accessible via the Marketplace, it is only officially released for customers who are approved participants of the Controlled Rollout. Please ensure that you do not deploy the new version in production environments unless you have received explicit clearance from Matrix42. 

As announced in the latest Endpoint Data Protection Release Notes, you can sign up for the Controlled Rollout by sending an e-mail to product@matrix42.com.

Key Highlights

  • Secure Boot is now fully supported
  • Microsoft-signed bootloader replaces previous shim-based approach
  • Updated Linux kernel with security improvements
  • Support for Windows 11 24H2 and user capturing in Pre-Boot Authentication (PBA)
  • 32-bit support has been dropped

Bootloader and Secure Boot Changes

The previously used shim certificate expired in December 2022. As of August 2024, Microsoft has also updated the root certificate authority (CA) used to sign third-party shims, which affected Secure Boot compatibility. After a long journey with Microsoft and the SHIM Review Board, which ultimately consumed significant time without delivering the necessary outcomes, we decided to take a different path. This new approach includes the following changes:

  • We no longer use a custom-built shim.
  • Instead, we have implemented our own bootloader, which is signed by Microsoft.
  • This bootloader replaces the default Microsoft bootloader during installation.
  • This approach ensures Secure Boot compatibility without relying on expired or third-party shims.

System and Kernel Updates

  • Linux IMA (Integrity Measurement Architecture) has been enabled to further strengthen system integrity during boot.
  • The Linux kernel has been upgraded from version 5.1.4 to 6.6.9.

Pre-Boot Authentication and User Capturing

We have improved support for user capturing during the PBA process:

Windows 11 24H2 Support

  • User capturing is supported on Windows 11 version 24H2.
  • However, it is only available for users not using Windows Hello for Business or accounts with Microsoft/Live ID enforcement.

Password Change Behavior

  • If a user changes their Windows password, the new password is not immediately captured.
  • Instead, the PBA login will be temporarily bypassed until the user logs in interactively again (same behavior as during the initial setup).
  • After the next successful login, the new password is captured, and PBA will resume showing on the following boot.

Architecture and Packaging Changes

  • We have dropped 32-bit support in this release.
  • The 32-bit binaries have been removed from the FDE .zip package.
  • Please ensure you are deploying only to supported 64-bit systems.

Recommended Approaches for Updating

Before updating to the latest Full Disk Encryption version, please review the Update Guide: Full Disk Encryption together with the recommended approaches below.

  • Assess Your Environment and Feature Requirements
    Determine whether features like Secure Boot or Pre-Boot Authentication (PBA) are required in your environment. Both are supported, but optional.

  • Pilot in a Controlled Group
    Begin with a small test group to validate boot behavior, deployment compatibility, and feature configurations—especially when using Secure Boot or PBA.

  • Update Deployment Package
    Download and use the latest FDE deployment .zip package from the Technical Preview section, which includes the Microsoft-signed bootloader and 64-bit binaries. Ensure no legacy boot components or 32-bit files are used.

  • Use EgoSecure Data Protection Console (Optional)
    If you plan to remotely deploy FDE via the EgoSecure Data Protection Console, ensure that your environment is running Endpoint Data Protection version 25.0 or higher, as earlier versions are not compatible with this release.

  • Check User Account Configurations (PBA Only)
    For environments using PBA, verify that target user accounts are not tied to Windows Hello for Business or enforced Microsoft/Live IDs, as these are not supported for password capturing.

  • Communicate Password Change Handling (PBA Only)
    When users change their Windows password, the new password will be captured after their next interactive login. Until then, the PBA screen will be bypassed.

  • Remove Legacy 32-bit Deployments
    Ensure all deployment targets are 64-bit systems, as 32-bit support has been discontinued and removed from the new package.

  • Track and Document the Rollout
    Maintain a deployment record, including pilot results, rollout status, and update history to support compliance and internal reporting.
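The environment checks in the list above (64-bit only, Secure Boot state, Windows 11 24H2, Windows Hello for Business accounts, no leftover 32-bit binaries in the package), as an added PowerShell example that is not part of these release notes and not Matrix42 product code. It assumes an elevated session on the target endpoint, that build 26100 identifies Windows 11 24H2, that the Windows Hello for Business policy can be read from the standard "PassportForWork" Group Policy registry key, and that the package path is a placeholder. It does not check the Endpoint Data Protection agent version, because the page gives no way to query it.

```powershell
# Added example (not Matrix42 code): pre-flight checks for a Full Disk Encryption
# 25.0 Update 1 rollout. Run in an elevated PowerShell session on the target endpoint.
# Assumptions: build 26100 = Windows 11 24H2; WHfB policy read from the standard
# GPO registry key; the package path used at the bottom is a placeholder.

function Test-FdeEndpointReadiness {
    [CmdletBinding()]
    param()

    $r = [ordered]@{}

    # 32-bit support was dropped: the endpoint must run a 64-bit Windows.
    $r.Is64BitOS = [Environment]::Is64BitOperatingSystem

    # Secure Boot is supported but optional; record its state for the deployment log.
    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems.
    try   { $r.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnabled = 'n/a (legacy BIOS firmware)' }

    # Windows build: 24H2 is build 26100 (user capturing in PBA is supported there).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $r.OSVersion      = $os.Version
    $r.Is24H2OrLater  = ([int]$os.BuildNumber -ge 26100)

    # Windows Hello for Business policy: PBA password capturing is not available for WHfB users.
    $whfb = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
                             -Name Enabled -ErrorAction SilentlyContinue
    $r.WHfBPolicyEnabled = ($null -ne $whfb -and [int]$whfb.Enabled -eq 1)

    # Summarise: a 32-bit OS blocks deployment; WHfB only limits PBA user capturing.
    $blocking = @()
    if (-not $r.Is64BitOS) { $blocking += '32-bit OS: not supported by this release' }
    $warnings = @()
    if ($r.WHfBPolicyEnabled) { $warnings += 'WHfB policy enabled: PBA user capturing unavailable' }
    $r.BlockingIssues     = $blocking
    $r.PbaCaptureWarnings = $warnings

    [pscustomobject]$r
}

function Find-32BitBinary {
    # Scans an extracted FDE deployment package for PE files and reports the machine
    # type of each, so leftover 32-bit (x86) binaries are caught before rollout.
    param([Parameter(Mandatory)][string]$PackageRoot)

    $machineNames = @{ 0x014C = 'x86 (32-bit)'; 0x8664 = 'x64'; 0xAA64 = 'ARM64' }

    Get-ChildItem -Path $PackageRoot -Recurse -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.efi' } |
        ForEach-Object {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try {
                $br = New-Object System.IO.BinaryReader($fs)
                if ($fs.Length -lt 0x40 -or $br.ReadUInt16() -ne 0x5A4D) { return }  # no 'MZ' header
                $null = $fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
                $peOffset = $br.ReadUInt32()                                        # e_lfanew
                if ($peOffset + 6 -gt $fs.Length) { return }                        # truncated file
                $null = $fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
                if ($br.ReadUInt32() -ne 0x00004550) { return }                     # no 'PE\0\0' signature
                $machine = [int]$br.ReadUInt16()                                    # IMAGE_FILE_HEADER.Machine
                [pscustomobject]@{
                    Path    = $_.FullName
                    Machine = if ($machineNames.ContainsKey($machine)) { $machineNames[$machine] }
                              else { '0x{0:X4}' -f $machine }
                    Is32Bit = ($machine -eq 0x014C)
                }
            } finally { $fs.Dispose() }
        }
}

# Usage (package path is a placeholder for the extracted FDE .zip):
Test-FdeEndpointReadiness | Format-List
Find-32BitBinary -PackageRoot 'C:\Deploy\FDE-25.0-Update1' | Where-Object Is32Bit | Format-Table -AutoSize
```

The output of both functions can be attached to the deployment record mentioned in the last step; an empty result from `Find-32BitBinary` filtered on `Is32Bit` is the expected state for the 64-bit-only package.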

Questions and Support

As this release is being rolled out as part of a Controlled Rollout, unforeseen issues may still occur in certain environments. If you experience problems or have questions during testing or deployment, please do not hesitate to contact Matrix42 Support. We are committed to assisting you as quickly as possible and will work with you to analyze any issues that arise. Please note, however, that due to the early rollout phase, we cannot guarantee immediate fixes in all cases. We greatly appreciate your feedback and cooperation as we continue to stabilize and improve the release.
