What is the best method to test and apply a full-disk encryption update to endpoints with preboot enabled, while minimizing user disruption?

• A. Access the API of the encryption server, write a custom script, and update all endpoints.
• B. Access the web UI portal of the encryption server, apply the update to a test group, validate, and then update all endpoints.
• C. Add the update to the standard desktop configuration image, apply to a test VM, and reimage clients.
• D. Access the web UI of the encryption server and disable preboot, apply the update, test, and deploy.

Answer: (B)

Testing and deploying a full-disk encryption update on endpoints with preboot enabled requires a controlled, staged approach using the management platform. The best method is to use the encryption server’s web UI, apply the update first to a test group, validate that it installs cleanly and that the preboot authentication still functions correctly, then rollout to all endpoints once verification passes. This approach minimizes user disruption by containing changes to a small subset, allowing you to catch compatibility or boot issues before affecting the entire workforce. It keeps the preboot environment intact, ensuring users still authenticate before the OS loads and that encryption policies remain enforced.

Using a custom script via an API can introduce drift and risk if the update isn’t tested in a sanctioned process, and it bypasses the standardized change-control workflow. Adding the update to a standard desktop image and reimaging all clients is far more disruptive and unnecessary when a managed, staged update is available. Disabling preboot to apply the update undermines the security model and can create inconsistencies, so it’s not a suitable long-term solution.