DESlock+ Support DESlock+ Support
How do I decrypt a managed system that is unable to start Windows?
Article ID: KB210 email a link to this article

Before you start the recovery procedure, please ensure that you are following the correct recovery article:  

DESlock+ Full Disk Encryption Recovery Overview


This article applies to client workstations that are being managed by an Enterprise Server v2.5.2 or later. 

Please note if you require decryption of a system not managed by an Enterprise Server please see this alternative guide: KB211: How do I decrypt a standalone system that is unable to start Windows?

Should one of your client workstations suffer a Windows error that prevents Windows from starting correctly, you may be required to decrypt the disk in order that Boot ISO and other Windows recovery methods are able to access the disk contents to correct the error.

To do this you can create a Full Disk Encryption recovery ISO image that can be burnt to a CD/USB to boot and decrypt the system without requiring Windows itself to load.


If the CD/USB does not boot at all, please check if your PC uses UEFI in the BIOS. The recovery ISO requires the BIOS in Legacy mode and may require you to change the setting. You will need to remember to set it back afterwards.

Some PCs offer a boot menu that allows you to boot from a CD/USB after pressing a key, if this is not available, you may need to change the boot order in the BIOS to put the CD/USB drive first.


Note: ensure a full sector-by-sector backup of the existing hard drive has been taken before attempting recover.

See this article for details: KB70 - How do I perform a full sector by sector backup of my hard drive?


Generating the Recovery Image

  • Select the workstation you wish to decrypt within the Enterprise Servers workstations list and then click the Details button.

  • Click the Tools button then select the FDE Recovery Image menu item.

  • To protect the decryption image you will need to enter and confirm a password for the image then click the Create button. 

  • After a short while your browser will prompt to download the generated image file.  Choose a location to save the file. 

Decrypting the Workstation

  • It is recommended that where possible a sector level backup of the machine is taken before starting the recovery process.
  • If the machine being recovered is a laptop you should ensure it is connected to its power supply before starting the decryption process.
  • Decryption of the disk will take longer than it took to encrypt it originally and and must only be interrupted by pressing Esc.
  • Take the generated ISO image and make a bootable CD/USB.
  • You should be greeted by a splash screen, press return or wait a short while for the software to launch.

  •  The recovery app will launch, press the Return key to continue.

If you do not reach this prompt within a few minutes, it is likely that your PC hardware is not compatible. If you are using a TPM or have Disabled the PC, follow article KB448 - Recovery on TPM systems with only UEFI boot mode otherwise follow article KB281 - How do I decrypt a system that only has UEFI boot mode?, even if you are not using UEFI.

If the Recovery tool is unable to locate the DESlock+ encryption information, it will offer to search for the required boot files. Please see KB222 - Repairing the DESlock+ Full Disk Encryption MBR using the recovery tool for more details.

  • Type the word DECRYPT then press Enter.

  • Type the password you specified when downloading the image previously then press Enter

  • Providing the correct password is supplied decryption will start.  Note: It is very important you let the process complete and DO NOT shutdown or power the machine off. 

  • Once decryption is complete press Enter to restart the machine. 

  • Remove the CD/USB from the system, when the system restarts it should boot straight to Windows without showing the DESlock+ pre-boot login screen. 


Once you have resolved the problem with the Windows installation if you wish to encrypt the disk again please follow the steps here to update the Enterprise Servers status of the machine in order that it will allow the encryption command to be sent: I made changes to my client configuration, how do I update the Enterprise Servers record of this machine?


If the above did not work, please click here to view the Recovery Overview: KB346 - DESlock+ Full Disk Encryption Recovery Overview




Keywords: recover, windows, error, fail, boot, decrypt, iso

We use cookies on our website to enhance your browsing experience. Read more