Technical support

Knowledgebase
How do I decrypt a Managed Workstation that is unable to start Windows? (UEFI BIOS ONLY)
Article ID: KB210 email a link to this article
 

To decrypt a Managed UEFI BIOS Workstation, you must boot the Workstation using the ESET Encryption Recovery Utility and follow the on-screen instructions to decrypt the disk(s).

Note: it is possible to decrypt a Managed Workstation using the FDE Admin password instead of generating the dlrecvr.dat file. This method should only be performed by an Administrator, as providing the FDE Admin password to an end-user creates a security risk.

Obtain the FDE Recovery ISO from the ESET Endpoint Encryption Server

  • Select the workstation you wish to decrypt within the ESET Endpoint Encryption Server Workstation list and then click the Details button.

  • Click the Tools button then select the FDE Recovery Image menu item.

  • To protect the decryption image you will need to enter and confirm a password for the image then click the Create button. 

  • After a short while your browser will prompt to download the generated image file.  Choose a location to save the file.
  • Extract or mount the Recovery ISO generated and copy the dlrecvr.dat for later use. This file is found in the isolinux folder inside the ISO

Preparing the ESET Encryption Recovery Utility

  • On another computer, insert an empty USB drive.
  • Format the USB drive as FAT32.
  • Download the ESET Encryption Recovery Utility here: http://download.deslock.com/download/utility/esetencryptionrecovery.zip
  • Extract the ZIP contents and then copy the dlrecvr.dat file generated earlier, to the USB drive so that the final file structure of the drive looks like this:

\efi

\efi\boot

\efi\boot\bootx64.efi

\efi\boot\bootia32.efi

\efi\boot\dlrecvr.dat

  • Safely eject the USB drive.

Decrypting the Workstation using the ESET Encryption Recovery Utility

Please Note: If the Workstation being recovered is a laptop you should ensure it is connected to its power supply before starting the decryption process.

  • Enter the BIOS settings on the Workstation in need of recovery.
  • Disable the Secure Boot setting. This is required for the Recovery tool to work correctly. It is recommended to re-enable the Secure Boot setting after the recovery is finished.
  • Open the Boot manager on the target workstation and select USB as the first boot option. It is recommended to revert this change after the recovery is finished.
  • Save and exit the BIOS and turn the Workstation off.
  • Insert the Recovery USB drive and boot the Workstation.
  • If the device has booted correctly, you will see the image below.
  • Select the option to Decrypt all encrypted disks (managed recovery file)

  • The following warning will be displayed. Enter Y to proceed.

 

  • Enter the Recovery CD password that was specified earlier and then press Enter.

  • Once the Workstation has completed the decryption, follow the on-screen instructions to shutdown.
  • Revert the BIOS setting changes made earlier and remove the USB device before booting normally.

Updating the ESET Endpoint Encryption Server

Decrypting a Managed Workstation outside of Windows will result in an Encryption Discrepancy. This is because the EEE Server thinks the Workstation is encrypted, however the Workstation has been decrypted using the ESET Encryption Recovery Utility. To resolve this discrepancy, follow these instructions.

  • Read the dialog carefully. Selecting No will ERASE the EEE Server's record of all encryption data for this Workstation. Do not do thisif the Workstation is still encrypted.

 


We use cookies on our website to enhance your browsing experience. Read more