Road to a new major Full Disk Encryption version
Overview
We have been working on a new version of Full Disk Encryption for some time and have started a controlled rollout. To keep everyone informed and make it easier to track progress, we created this Knowledge Base (KB) article. Here you will find regular updates on the current status, including resolved issues, known limitations, and improvements as we move through the rollout phases.
Update 30.10.2025
Over the past two weeks, we have implemented several corrections related to User Capture. These improvements are now included in a new Full Disk Encryption version 25.4.0.1, which is available for download from the Marketplace for all Controlled Rollout participants. The update includes the following changes:
- Improved handling of user switching during active User Capture - Fixed an issue where switching the default user while User Capture was active was ignored. The underlying cause was that the Windows “Other User” option bypassed the Credential Provider. This has been corrected to ensure proper capture behavior even when selecting a different user.
- Improved password capture for newly added users - Resolved an issue that could occur when new users were added to Pre-Boot Authentication (PBA) through the Management Console. In cases where Single Sign-On failed and the user did not enter a password within 120 seconds, the password was not captured. This has been addressed by improving how the Credential Provider maintains user and PIN information during the login process.
Update 13.10.2025
While focusing on the public API with one of our partners, we made good progress in other areas of the solution. The result is a new Full Disk Encryption Release 25.4. This new version is available to download from the Marketplace for all Controlled Rollout participants and addresses the following topics:
- Improved User Capturing and Password Sync – Password changes and new user additions are now fully synchronized with Pre-Boot Authentication using the modern Windows Credential Provider, eliminating previous login issues.
- Enhanced Emergency Recovery Tool – Volumes are now properly loaded in Windows 11 environments, ensuring reliable recovery in critical scenarios.
- Simplified Log Capturing for Support – The log capture tool now automatically requests administrative privileges, enabling complete and accurate logs for faster support troubleshooting.
Please refer to Release Notes Full Disk Encryption 25.4 for additional information.
Update 14.08.2025
One of our partners encountered an authentication issue with the public API, and we are currently investigating this issue with higher priority.
Update 11.08.2025
Microsoft has signed off our latest submission. We will now proceed with internal testing before publishing the version to the Marketplace.
Update 08.08.2025
An updated submission request for signing the EFI Files has been started.
Update 04.08.2025
Since the first update in July, we have focused on the issue with Friendly Network that in some cases prevents clients from booting. This issue is fixed and requires an updated submission request for signing the updated EFI files on Microsoft's side. We intend to start the submission within this week, and we will post an update when we have started the process.
In addition, we took a look at one reported issue, where the ERI file could not be stored in the cache. It turned out that the file is correctly stored, but there are sometimes issues with loading volume tables and that is what we are investigating at the moment. In any case, this is not affecting the storage and loading of the ERI file on media other than the cache.
Update 24.07.2025
We received feedback that on the Fujitsu Lifebook u9312x model, the error ‘Failed to draw: error -9223372036854775806’ appears and the user does not see the input fields for user name and password. We will investigate this issue as soon as we have had a chance to review the log files.
Update 03.07.2025
A new Full Disk Encryption version is available for download from the Marketplace for all Controlled Rollout participants. With this new hotfix, we addressed two important topics related to systems that could not boot after encryption of the system partition.
Additional Information:
- If you have the option in UEFI (e.g. on Microsoft Surface devices), make sure Secure Boot is enabled with Microsoft & 3rd party CA.
- If you report any issues, please try to collect as many log files as possible for us. They are most likely stored under C:\
- In addition, when you report issues, please keep Product Management in the loop via beta_UEM@matrix42.com.
| Log File | Content |
|---|---|
| FDE.log | Contains the FDE Installation and Initialization logs. |
| fde_driver_setup.log | Contains the FDE installation and driver setup, including driver runtime data, meaning that the driver will print out logs at runtime. |
| LogCustom.txt | Contains installation data. The file is an addition to the file saved directly where the installer is stored. |
| Logfile.log | Contains logs that are related to the tool in a general sense. |
| PBA.log | Contains PBA related operations, like user capturing logs etc. |
| TPM.log | Contains TPM related operations like creating the TPM key, accessing TPM, checking if TPM is active etc. |
- Remote installations via the console may fail. In this case, we recommend installing Full Disk Encryption locally on the system. The status reported to the Management Console may be insufficient for remote analysis of the issue.
- We received feedback that after the PBA initialization, the fingerprint logon takes effect, but it is initialized again the next time the computer is restarted. Please note that user capturing is only available for users not using Windows Hello for Business or accounts with Microsoft/Live ID enforcement. Please review your configuration under Windows Settings > Accounts > Sign-In options > Fingerprint recognition (Windows Hello). If you are using a custom provider, please drop us a message at beta_UEM@matrix42.com.
- Starting from today, we are working on known issues with Friendly Network that in some cases prevent clients from booting. In parallel, we are analyzing a reported issue where the ERI file could not be stored in the cache. We expect to have an update within the next 2 weeks.
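To check the Secure Boot recommendation from the first bullet of this list on a running Windows system before encrypting, the following added example (not part of the product or of the original article) reads the firmware state and looks for Microsoft's third-party UEFI CA in the Secure Boot allow-list. The function name `Test-SecureBootThirdPartyCa` is hypothetical; the cmdlets are the standard Windows Secure Boot cmdlets and require an elevated session.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session.
function Test-SecureBootThirdPartyCa {   # hypothetical helper name
    # Subject names of Microsoft's third-party UEFI CA certificates
    # (the 2011 CA and its 2023 successor).
    $caNames = 'Microsoft Corporation UEFI CA 2011', 'Microsoft UEFI CA 2023'

    $result = [ordered]@{
        SecureBootEnabled = $null
        ThirdPartyCaInDb  = @()
        Note              = ''
    }

    try {
        # Returns $true/$false on UEFI systems; throws on legacy BIOS
        # or when the session is not elevated.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        # "db" is the Secure Boot allow-list of trusted signers.
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
    }
    catch {
        $result.Note = "Secure Boot state could not be read: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # Certificate subject names are ASCII-compatible strings inside the DER
    # data, so a text search over the raw variable is sufficient here.
    $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    $result.ThirdPartyCaInDb = @($caNames | Where-Object { $dbText.Contains($_) })

    if (-not $result.SecureBootEnabled) {
        $result.Note = 'Secure Boot is disabled in firmware.'
    }
    elseif ($result.ThirdPartyCaInDb.Count -eq 0) {
        $result.Note = 'Secure Boot is on, but no third-party UEFI CA is trusted; ' +
                       'enable "Microsoft & 3rd party CA" in UEFI setup.'
    }
    else {
        $result.Note = 'Secure Boot is on and a third-party UEFI CA is trusted.'
    }
    return [pscustomobject]$result
}

Test-SecureBootThirdPartyCa | Format-List
```

The check only confirms that the CA is present in `db`; it does not evaluate revocations in `dbx`.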
Update 29.06.2025
Microsoft has signed off our latest submission. We will now proceed with internal testing before publishing the version to the Marketplace.
Update 27.06.2025
While extending pilot support to additional device manufacturers, we discovered that firmware implementations vary significantly. This affects how FDE driver data is stored in memory, which can ultimately prevent successful decryption of encrypted drives. Since we can't rely on consistent firmware behavior, we've adopted a proven approach—similar to what GRUB or SHIM uses—by standardizing how this data is loaded across all devices. An updated submission request for signing the EFI Files has been started.
Update 09.06.2025
Microsoft has signed off our latest submission. We will now proceed with internal testing before publishing the version to the Marketplace.
Update 27.05.2025
After the first feedback during the controlled rollout, an issue was identified where systems failed to boot after encryption due to esboot.efi not being loaded and OpenVolume not working on encrypted drives. This has been resolved by implementing a check to handle encrypted volumes correctly. A fix has been made and an updated submission request for signing the updated EFI Files has been started.
Update 21.05.2025
The controlled rollout for Full Disk Encryption 25.0 Update 1 has been officially launched.
Update 14.03.2025
An announcement for the planned controlled rollout for Full Disk Encryption 25.0 Update 1 has been published via the Release Notes of Endpoint Data Protection 25.0.
Update 19.02.2025
Microsoft has signed off our latest submission where we replaced the previous shim-based approach with a Microsoft-signed bootloader. We will now proceed with internal testing before we launch a controlled rollout targeting Full Disk Encryption 25.0 Update 1.