How do I decrypt a managed system that is unable to start Windows?

This article applies to client workstations that are being managed by an Enterprise Server v2.5.2 or later. 

Please note: if you need to decrypt a system that is not managed by an Enterprise Server, see this alternative guide: KB211: How do I decrypt a standalone system that is unable to start Windows?

Should one of your client workstations suffer a Windows error that prevents Windows from starting correctly, you may be required to decrypt the disk so that a boot CD and other Windows recovery methods are able to access the disk contents to correct the error.

To do this you can create a Full Disk Encryption recovery ISO image that can be burnt to a CD to boot and decrypt the system without requiring Windows itself to load.

 

If the CD does not boot at all, please check if your PC uses UEFI in the BIOS. The recovery CD requires the BIOS in Legacy mode and may require you to change the setting. You will need to remember to set it back afterwards.

Some PCs offer a boot menu that allows you to boot from a CD after pressing a key. If this is not available, you may need to change the boot order in the BIOS to put the CD/DVD drive first.

 

Generating the Recovery Image

  • Select the workstation you wish to decrypt within the Enterprise Server's workstations list and then click the Details button.

  • Click the Tools button then select the FDE Recovery Image menu item.

  • To protect the decryption image, enter and confirm a password for the image, then click the Create button.

  • After a short while your browser will prompt you to download the generated image file. Choose a location to save the file.

Decrypting the Workstation

  • It is recommended that, where possible, a sector-level backup of the machine is taken before starting the recovery process.
  • If the machine being recovered is a laptop, you should ensure it is connected to its power supply before starting the decryption process.
  • Decryption of the disk will take longer than it took to encrypt it originally and must only be interrupted by pressing Esc.
  • Burn the generated CD image to a blank CD and use this to boot the workstation.
  • You should be greeted by a splash screen. Press Return or wait a short while for the software to launch.

  • The recovery app will launch. Press the Return key to continue.

If the Recovery tool is unable to locate the DESlock+ encryption information, it will offer to search for the required boot files. Please see http://support.deslock.com/KB222 for more details.

  • Type the word DECRYPT then press Enter.

  • Type the password you specified when downloading the image previously, then press Enter.

  • Provided the correct password is supplied, decryption will start. Note: It is very important that you let the process complete and DO NOT shut down or power off the machine.

  • Once decryption is complete, press Enter to restart the machine.

  • Remove the CD from the system's CD tray. When the system restarts, it should boot straight to Windows without showing the DESlock+ pre-boot login screen.

 

Once you have resolved the problem with the Windows installation, if you wish to encrypt the disk again, follow the steps here to update the Enterprise Server's status of the machine so that it will allow the encryption command to be sent: I made changes to my client configuration, how do I update the Enterprise Servers record of this machine?

 
