Using Decrypt Disk in Preboot

Selecting Decrypt Disk in preboot decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers.

Warning:
  • Read all instructions first before using Decrypt Disk. Data loss may occur if performed incorrectly.

  • Use the preboot's Decrypt Disk function only if you have problems booting into Windows. Do not use Decrypt Disk to remove Full Disk Encryption from any Endpoint Encryption device that is functioning normally. Use TMFDEUninstall.exe instead.

To decrypt the Full Disk Encryption device, the user must have sufficient rights to access the recovery console. To allow all users in a group/policy to access the recovery console, enable the following policy:

Management Console

Menu Path

PolicyServer MMC

Go to Full Disk Encryption > Agent > Allow User Recovery.

Control Manager

Create or edit a policy, then go to Full Disk Encryption > Users are allowed to access system recovery utilities.

With an Administrator, Authenticator, or permitted User, perform the following to decrypt a disk.

  1. Log on to Recovery Console.

    See Accessing the Recovery Console from Full Disk Encryption Preboot.

    Recovery Console opens to the Manage Disk page.

  2. Do one of the following:
    • Click Decrypt All to decrypt all encrypted drives in the device.

    • Click Summary, select a disk, and click Decrypt to decrypt only the selected disk.

    Decryption begins immediately and the Manage Disk page shows the decryption progress.

  3. When decryption completes, Full Disk Encryption displays the following options:
    • For system disks, Full Disk Encryption displays Restore Boot Partition or Unlock SED, depending on the disk type.

      For details, see Restore Boot.

    • For data disks, Full Disk Encryption displays Detach Disk. Click to exclude the disk from being managed by Full Disk Encryption.

  4. Click Exit to reboot the Endpoint Encryption device.
  5. Log on the Full Disk Encryption preboot.
  6. Log on to Windows.

    Verify that all disks selected for decryption are no longer encrypted.