Road to Full Disk Encryption 25.0 Update 1
Overview
We have been working on a new version of Full Disk Encryption for some time and have started a controlled rollout. To keep everyone informed and make it easier to track progress, we created this Knowledge Base (KB) article. Here you will find regular updates on the current status, including resolved issues, known limitations, and improvements as we move through the rollout phases.
Update 03.07.2025
A new Full Disk Encryption Version is available and downloadable from the Marketplace for all Controlled Rollout participants. With this new Hotfix, we addressed two important topics related to systems that could not boot after encryption of system partition.
Additional Information:
- If you have the option in UEFI (e.g. on Microsoft Surface devices), ensure to use Secure Boot with enabled with Microsoft & 3rd party CA.
- If you report any issues, please try to collect as much as logs files for us. They are most likely stored under C:\
- In addition, when you report issues, please keep the Product Management with beta_UEM@matrix42.com in the loop.
| Log File | Content |
|---|---|
| FDE.log | Contains the FDE Installation and Initialization logs. |
| fde_driver_setup.log | Contains the FDE installation and driver setup, including driver runtime data, meaning that the driver will print out logs at runtime. |
| LogCustom.txt | Contains installation data. The file is an addition to the file saved directly where the installer is stored. |
| Logfile.log | Contains logs that are related to the Tool in general sense. |
| PBA.log | Contains PBA related operations, like user capturing logs etc. |
| TPM.log | Contains TPM related operations like creating the TPM key, accessing TPM, checking if TPM is active etc. |
- Remote installations via the console may fail. In this case, we recommend installing Full Disk Encryption locally on the system. The status reported to the Management Console may be insufficient for remote analysis of the issue.
- We received a feedback that after the PBA initialization, the fingerprint logon takes effect, but it is initialized again the next time the computer is restarted. Please note that user capturing is only available for users not using Windows Hello for Business or accounts with Microsoft/Live ID enforcement. Please review your configuration under Windows Settings >Accounts > Sign-In options > Fingerprint recognition (Windows Hello). If you are using a custom provider, please drop us a message under beta_UEM@matrix42.com.
- Starting from today, we are working on known issues with Friendly Network that in some cases prevent clients from booting. In parallel, we are analyzing a reported issue where the ERI file could not be stored in the cache. We expect to have an update withing the next 2 weeks.
Update 29.06.2025
Microsoft has signed off our latest submission. We will now proceed with internal testing before publishing the version to the Marketplace.
Update 27.06.2025
While extending pilot support to additional device manufacturers, we discovered that firmware implementations vary significantly. This affects how FDE driver data is stored in memory, which can ultimately prevent successful decryption of encrypted drives. Since we can't rely on consistent firmware behavior, we've adopted a proven approach—similar to what GRUB or SHIM uses—by standardizing how this data is loaded across all devices. An updated submission request for signing the EFI Files has been started.
Update 09.06.2025
Microsoft has signed off our latest submission. We will now proceed with internal testing before publishing the version to the Marketplace.
Update 27.05.2025
After the first feedback during the controlled rollout, an issue was identified where systems failed to boot after encryption due to esboot.efi not being loaded and OpenVolume not working on encrypted drives. This has been resolved by implementing a check to handle encrypted volumes correctly. A fix has been made and an updated submission request for signing the updated EFI Files has been started.
Update 21.05.2025
The controlled rollout for Full Disk Encryption 25.0 Update 1 has been officially launched.
Update 14.03.2025
An announcement for the planned controlled rollout for Full Disk Encryption 25.0 Update 1 has been published via the Release Notes of Endpoint Data Protection 25.0.
Update 19.02.205
Microsoft has signed off our latest submission where we replaced the previous shim-based approach with a Microsoft-signed bootloader. We will now proceed with internal testing before we will launch a controlled rollout targeting Full Disk Encryption 25.0 Update 1.