How do I decrypt a managed system that is unable to start Windows?
This article applies to client workstations that are being managed by an Enterprise Server v2.5.2 or later.
If you need to decrypt a system that is not managed by an Enterprise Server, see this alternative guide: KB211: How do I decrypt a standalone system that is unable to start Windows?
Should one of your client workstations suffer a Windows error that prevents Windows from starting correctly, you may need to decrypt the disk so that Boot ISO and other Windows recovery methods can access the disk contents to correct the error.
To do this, you can create a Full Disk Encryption recovery ISO image that can be burnt to a CD/USB and used to boot and decrypt the system without requiring Windows itself to load.
If the CD/USB does not boot at all, check whether your PC is set to use UEFI in the BIOS. The recovery ISO requires the BIOS to be in Legacy mode, so you may need to change this setting. Remember to set it back afterwards.
Some PCs offer a boot menu that allows you to boot from a CD/USB after pressing a key. If this is not available, you may need to change the boot order in the BIOS to put the CD/USB drive first.
Note: ensure a full sector-by-sector backup of the existing hard drive has been taken before attempting recovery.
See this article for details: KB70 - How do I perform a full sector by sector backup of my hard drive?
Generating the Recovery Image
Decrypting the Workstation
If you do not reach this prompt within a few minutes, it is likely that your PC hardware is not compatible. If you are using a TPM or have Disabled the PC, follow article KB448 - Recovery on TPM systems with only UEFI boot mode; otherwise, follow article KB281 - How do I decrypt a system that only has UEFI boot mode?, even if you are not using UEFI.
If the Recovery tool is unable to locate the DESlock+ encryption information, it will offer to search for the required boot files. Please see KB222 - Repairing the DESlock+ Full Disk Encryption MBR using the recovery tool for more details.
Once you have resolved the problem with the Windows installation, if you wish to encrypt the disk again, follow the steps here to update the Enterprise Server's status of the machine so that it will allow the encryption command to be sent: I made changes to my client configuration, how do I update the Enterprise Servers record of this machine?
If the above did not work, see the Recovery Overview: KB346 - DESlock+ Full Disk Encryption Recovery Overview