Technical support

How do I decrypt a managed system that is unable to start Windows?
Article ID: KB210 email a link to this article

Before you start the recovery procedure, please ensure that you are following the correct recovery article:  

Full Disk Encryption Recovery Overview


Please note if you require decryption of a system not managed by an ESET Endpoint Encryption Server please see this alternative guide: KB211: How do I decrypt a standalone system that is unable to start Windows?

Should one of your client workstations suffer a Windows error that prevents Windows from starting correctly, you may be required to decrypt the disk in order that Boot ISO and other Windows recovery methods are able to access the disk contents to correct the error.

To do this you can create a Full Disk Encryption recovery ISO image that can be burnt to a CD/USB to boot and decrypt the system without requiring Windows itself to load.

If the CD/USB does not boot at all, please check if your PC uses UEFI in the BIOS. The recovery ISO requires the BIOS in Legacy mode and may require you to change the setting. You will need to remember to set it back afterwards.

Some PCs offer a boot menu that allows you to boot from a CD/USB after pressing a key, if this is not available, you may need to change the boot order in the BIOS to put the CD/USB drive first.

Note: ensure a full sector-by-sector backup of the existing hard drive has been taken before attempting recover.

See this article for details: KB70 - How do I perform a full sector by sector backup of my hard drive?


Generating the Recovery Image

  • Select the workstation you wish to decrypt within the ESET Endpoint Encryption Server Workstation list and then click the Details button.

  • Click the Tools button then select the FDE Recovery Image menu item.

  • To protect the decryption image you will need to enter and confirm a password for the image then click the Create button. 

  • After a short while your browser will prompt to download the generated image file.  Choose a location to save the file. 

Decrypting the Workstation

  • It is recommended that where possible a sector level backup of the machine is taken before starting the recovery process.
  • If the machine being recovered is a laptop you should ensure it is connected to its power supply before starting the decryption process.
  • Decryption of the disk will take longer than it took to encrypt it originally and and must only be interrupted by pressing Esc.
  • Take the generated ISO image and make a bootable CD/USB.
  • You should be greeted by a splash screen, press return or wait a short while for the software to launch.

  •  The recovery app will launch, press the Return key to continue.
ESET Endpoint Encryption FDE Recovery Tool
Version 1.10.0 (Build 42)
Copyright (c) ESET, spol. s r.o.

This software is bound by the standard Licence Agreement terms

Press Return to continue

If you do not reach this prompt within a few minutes, it is likely that your PC hardware is not compatible. If you are using a TPM or have Disabled the PC, follow article KB448 - Recovery on TPM systems with only UEFI boot mode otherwise follow article KB281 - How do I decrypt a system that only has UEFI boot mode?, even if you are not using UEFI.

If the Recovery tool is unable to locate the encryption information, it will offer to search for the required boot files. Please see KB222 - Repairing the ESET Endpoint Encryption Full Disk Encryption MBR using the recovery tool for more details.

  • Type the word DECRYPT then press Enter.
Using libparted version   : 2.3
Using DiskManager version :

Detecting devices...

Encrypted drives or partitions found

**                        !WARNING!                        **
**                                                         **
**                                                         **

Please Note : Keyboard input is US English ONLY

Please type DECRYPT and press Return to continue, anything else will abort.
  • Type the password you specified when downloading the image previously then press Enter
Please enter the password for this recovery image.
NOTE: Password characters WILL be displayed on screen
Enter password: _
  • Providing the correct password is supplied decryption will start.  Note: It is very important you let the process complete and DO NOT shutdown or power the machine off. 
Encrypted items: 1
Decrypt disk 0:0 (/dev/sda)
Decryption in progress, do not shutdown or power off, press ESC to stop.
Decrypting : please wait
Decrypting : sector 12345 of 678901 (est. time 0h3m01s)
  • Once decryption is complete press Enter to restart the machine. 
Decryption : device complete

Zero cachced status block
Zero status block @ 34567

Decryption of disk complete
Everything decrypted. Restore system mbr
Restoring master MBR on disk 0:0...

Your system has been successfully decrypted
  • Remove the CD/USB from the system, when the system restarts it should boot straight to Windows without showing the ESET Endpoint Encryption pre-boot login screen. 


Once you have resolved the problem with the Windows installation, if you wish to encrypt the disk again please follow the steps here to update the Server status of the machine in order that it will allow the encryption command to be sent: KB182 - I made changes to my client workstation, how do I update the ESET Endpoint Server of this?


Note: Decrypting the machine outside of Windows will cause a Encryption Discrepancy which needs to be resolved within the ESET Endpoint Encryption Server

You will see 'Resolve Discrepancy' along the tab of the Workstation that has been decrypted.

Selecting 'Yes' will mean that EEES will retain all encryption information.

Selecting 'No' will mean that EEES will erase all encryption information and will display the Workstation as not encrypted.


If the above did not work, please click here to view the Recovery Overview: KB346 - Full Disk Encryption Recovery Overview

Keywords: recover, windows, error, fail, boot, decrypt, iso

We use cookies on our website to enhance your browsing experience. Read more