[KB7160] Decrypt a Managed system that is unable to start Windows in ESET Endpoint Encryption

Issue

ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

  • After entering the correct FDE credentials, Windows fails to boot and you cannot log in to Windows

Solution

  1. Prerequisites
  2. Create the FDE Recovery Data File
  3. Create the ESET Encryption Recovery Media Creator
  4. Decrypt the Workstation
  5. Update the ESET Endpoint Encryption Server

I. Prerequisites

  • Before decrypting, ensure you are following the appropriate instructions for your system. Visit the Full Disk Encryption Recovery Overview article.
  • Ensure a full sector-by-sector backup of the existing hard drive has been created before attempting recovery.
  • An Administrator can decrypt a Managed Workstation using the FDE Admin password instead of generating the FDE Recovery Data File (DLPRecovery_*.dat) file.

II. Create the FDE Recovery Data File

  1. Select the Workstation you need to decrypt from the EEE Server Workstation list and click Details.

    Figure 1-1
  2. Click Tools → FDE Recovery → Recovery File.

    Figure 1-2
  3. Create a password and click Download. This password will be required to start the decryption process later. The downloaded file and this password are together sufficient to decrypt the Workstation's disks, so choose a strong password and protect both the file and the password as you would the disks' encryption keys.

    Figure 1-3
  4. Your browser will prompt you to download the generated file. Select a location to save the file.


III. Create the ESET Encryption Recovery Media Creator

  1. Insert an empty USB drive into your computer.

    USB Media

    Ensure that the USB device has a FAT32 formatted partition. The partition is required to set up the ESET Recovery Media Creator.

  2. Download the ESET Encryption Recovery Utility.

  3. Run the utility and click Next to continue.

    Figure 2-1
  4. Click Win RE USB 64 bit. For a TPM encrypted system, click EFI USB 32 & 64 bit instead, because the Win RE media is not compatible with TPM systems.

    Architecture of host system

    When creating a Win RE USB, the architecture (x86/x64) of the host system running the utility must match the target system needing recovery.

    Figure 2-2
  5. Select the Destination disk for the recovery media and click Next.

    Figure 2-3
  6. Click EEES Managed.

    Figure 2-4
  7. Click Browse.

    Figure 2-5
  8. Locate the FDE Recovery Data File (DLPRecovery_*.dat) file and click Open.

    Figure 2-6
  9. Click Next. If instructed by ESET Support, select additional support files.

    Figure 2-7
  10. Click Start.

    Figure 2-8
  11. Click Yes.

    Figure 2-9
  12. Allow the utility to complete the creation process.

    Figure 2-10
  13. Click Finish.

    Figure 2-11
  14. Safely eject the USB drive.
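The FAT32 requirement in step 1 and the architecture rule in step 4 are the two things most often got wrong when the recovery media is prepared on a busy admin workstation. The PowerShell script below is an added pre-flight helper, not ESET's code and not part of the original article: run from an elevated PowerShell on the Windows host that will run the ESET Encryption Recovery Utility, it reports the host architecture to compare against the target Workstation, locates the FDE Recovery Data File from Section II and records its SHA-256 for the change record, then wipes the USB stick and formats it with a single FAT32 partition. Assumed names (adjust to your environment): the recovery file was saved to $RecoveryDir, the volume label EEERECOVERY, and the stick is the only USB disk attached. The 32 GB partition cap reflects the limit Windows applies when it formats FAT32 itself. The stick is wiped.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the ESET article: prepare the USB stick the
# ESET Encryption Recovery Utility writes to, and check the inputs it needs.
# Assumptions (hypothetical, adjust as needed): the DLPRecovery_*.dat file from
# Section II is in $RecoveryDir; exactly one USB disk is attached. DESTRUCTIVE.
$RecoveryDir = "$HOME\Downloads"
$Label       = 'EEERECOVERY'   # FAT32 labels are limited to 11 characters

# 1. A Win RE USB must be built on a host whose architecture matches the target
#    Workstation (Section III, step 4). Print it so the operator can compare.
$hostArch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
Write-Host "Host architecture: $hostArch (a Win RE USB requires the target to match)"

# 2. Locate exactly one FDE Recovery Data File and record its hash.
$dat = @(Get-ChildItem -Path $RecoveryDir -Filter 'DLPRecovery_*.dat' -File)
if ($dat.Count -ne 1) {
    throw "Expected exactly one DLPRecovery_*.dat in $RecoveryDir, found $($dat.Count)."
}
$hash = (Get-FileHash -Path $dat[0].FullName -Algorithm SHA256).Hash
Write-Host "Recovery file: $($dat[0].FullName)"
Write-Host "SHA256: $hash"

# 3. Find the USB stick. Refuse to continue unless exactly one USB disk is present,
#    so the wipe below cannot hit the wrong device.
$usb = @(Get-Disk | Where-Object { $_.BusType -eq 'USB' })
if ($usb.Count -ne 1) {
    throw "Expected exactly one USB disk, found $($usb.Count). Detach other USB drives."
}
$disk   = $usb[0]
$sizeGB = [math]::Round($disk.Size / 1GB, 1)
Write-Host "USB disk $($disk.Number): $($disk.FriendlyName), $sizeGB GB"
# Windows will not format a FAT32 volume larger than 32 GB, so cap the partition.
$partSize = if ($disk.Size -gt 32GB) { 32GB } else { $null }

# 4. Wipe the stick and create one FAT32 partition. MBR + active partition so the
#    media boots on both legacy BIOS and UEFI firmware (UEFI reads FAT32 natively).
Clear-Disk -Number $disk.Number -RemoveData -RemoveOEM -Confirm:$false
Initialize-Disk -Number $disk.Number -PartitionStyle MBR
$partParams = @{ DiskNumber = $disk.Number; IsActive = $true; AssignDriveLetter = $true }
if ($partSize) { $partParams.Size = $partSize } else { $partParams.UseMaximumSize = $true }
$part = New-Partition @partParams
$vol  = Format-Volume -Partition $part -FileSystem FAT32 -NewFileSystemLabel $Label -Confirm:$false

Write-Host "Formatted drive $($vol.DriveLetter): as FAT32 ($Label)."
Write-Host "Run the ESET Encryption Recovery Utility and choose disk $($disk.Number) as the destination."
```

Keep the printed SHA-256 with the change ticket: it lets you confirm later that the DLPRecovery_*.dat file written to the media is the one generated for this Workstation, and it documents which recovery file was used if the server record has to be reconciled in Section V.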


IV. Decrypt the Workstation

  1. Insert the ESET Encryption Recovery USB drive and boot the Workstation from the USB.

  2. Select Decrypt all encrypted disks (managed recovery file).

    Figure 3-1
  3. Click Yes.

    Figure 3-2
  4. Type the password created in Section II and press Enter.

    Figure 3-3
  5. Choose Secure or Performance mode to initiate the decryption process.

    Do not shut down

    Ensure that you let the process complete and do not shut down or power the machine off.

    Figure 3-4
  6. After the computer has been successfully decrypted, click OK.

    Figure 3-5
  7. Click Shutdown.

    Figure 3-6

V. Update the ESET Endpoint Encryption Server

Decrypting a Managed Workstation outside of Windows will result in an encryption discrepancy. The EEE Server sees the Workstation as encrypted. However, the Workstation has already been decrypted using the ESET Encryption Recovery utility. To resolve this discrepancy, follow the instructions below:

  1. After the issue with the Windows installation has been resolved, update the Workstation's status on the EEE Server so that a new encryption command can be sent.

  2. After re-synchronizing the EEE Server, click Resolve Encryption Discrepancy.

    Figure 4-1
  3. Click Yes.

    Review dialog

    Review the dialog before clicking Yes, No or Cancel. Clicking No erases the EEE Server's record of all encryption data for this Workstation. Do not click No if the Workstation is still encrypted.

    Figure 4-2