[KB7160] Decrypt a Managed system that is unable to start Windows


ESET Endpoint Encryption (EEE) Client and EEE Server are separate products from ESET Full Disk Encryption (EFDE)

The article below applies only to the EEE Client or EEE Server and not EFDE.

Visit What's new in ESET Full Disk Encryption to view EFDE content.

  • After entering the correct FDE credentials, Windows fails to boot and you cannot log in to Windows


Before you begin

Before decrypting, make sure you are following the appropriate instructions for your system. Visit our Full Disk Encryption Recovery Overview article.

Decrypt managed workstation

An Administrator can decrypt a Managed Workstation using the FDE Admin password instead of generating the FDE Recovery Data File (DLPRecovery_*.dat) file.

Back up your existing hard drive before attempting recovery

Make sure a full sector-by-sector backup of the existing hard drive has been created before attempting recovery.

Obtaining the FDE Recovery Data File

  1. Select the Workstation you need to decrypt from the EEE Server Workstation list and click Details.
Figure 1-1
  1. Click Tools, select FDE Recovery and click Recovery File.
Figure 1-2
  1. Type a password into both fields to protect the decryption file and then click Download. This password will be required to start the decryption process later.

Figure 1-3

  1. Your browser will prompt you to download the generated file. Select a location to save the file.

Using the ESET Encryption Recovery Media Creator

  1. Insert an empty USB drive into your computer.
USB Media

Ensure that the USB device has a FAT32 formatted partition. The partition is required to set up the ESET Recovery Media Creator.

  1. Download the ESET Encryption Recovery Utility.

  2. Run the utility and click Next to continue.
Figure 2-1
  1. Click Win RE USB 32/64 bit.
    • Note: For TPM Encrypted systems please use the EFI USB 32 & 64 bit option instead as WIN RE is not compatible with these systems.
Architecture of host system

When creating a Win RE USB, the architecture (x86 / x64) of the host system running the utility must match the target system in need of recovery.

Figure 2-2
  1. Select the Destination disk for the recovery media and click Next.
Figure 2-3
  1. Click EEES Managed.
Figure 2-4
  1. Click Browse and locate the FDE Recovery Data File (DLPRecovery_*.dat) file generated earlier.
Figure 2-5
  1. Optional: only select additional support files if you have been instructed to by ESET support.

  2. Click Next.
Figure 2-6
  1. Click Start to create the recovery media.
Figure 2-7
  1. A format dialog will appear, click Yes to format the USB drive and create the recovery media.
Figure 2-8
  1. Allow the utility to complete the creation process.
Figure 2-9
  1. Click Finish.
Figure 2-10
  1. Safely eject the USB drive.

Decrypting the Workstation

  1. Insert the ESET Encryption Recovery USB drive and boot the Workstation from the USB.
  2. If the device has booted correctly, you will see the image below.
Figure 3-1
  1. Select the desired language to continue.

  2. Select the option to Decrypt all encrypted disks (managed recovery file).
Figure 3-2
  1. The following warning will be displayed. Select Yes to proceed.
Figure 3-3
  1. Type the password you specified previously and press the Enter key.
Figure 3-4
  1. Choose from Secure or Performance mode to initiate the decryption process.
Figure 3-6
DO NOT shut down

Make sure that you let the process complete and DO NOT shut down or power the machine off.

  1. After the computer has been successfully decrypted, press Ok and then Shutdown.
Figure 3-7
Figure 3-8

Updating the ESET Endpoint Encryption Server

Decrypting a Managed Workstation outside of Windows will result in an Encryption Discrepancy. This is because the EEE Server thinks the Workstation is encrypted, however the Workstation has been decrypted using the ESET Encryption Recovery utility. To resolve this discrepancy, follow these instructions.

  1. After you have resolved the issue with the Windows installation, update the server status of the machine so that a new encryption command can be sent.

  2. After re-synchronizing the EEE Server, you will see a Resolve Encryption Discrepancy button on the top panel. Click Resolve Encryption Discrepancy.
Figure 4-1
  1. Read the dialog carefully. Selecting No will ERASE the EEE Server's record of all encryption data for this Workstation. Do not do this if the Workstation is still encrypted.
Figure 4-2