Using Decrypt Disk

Selecting Decrypt Disk decrypts an encrypted Full Disk Encryption hard disk, but does not remove any of the encryption drivers. If using Decrypt Disk, disable the Full Disk Encryption "DrAService" service before booting into Windows.


Read this procedure before using Decrypt Disk. Data loss may occur if performed incorrectly. Do not use Decrypt Disk to remove Full Disk Encryption from any Endpoint Encryption device that is functioning normally. Use TMFDEUninstall.exe instead.

To decrypt the Full Disk Encryption device, the user must have Endpoint Encryption Enterprise or Group Administrator rights. To allow all users in a group/policy to access the recovery console, enable the following policy:

Management Console

Menu Path

PolicyServer MMC

Go to Full Disk Encryption > Agent > Allow User Recovery.

Control Manager

Create or edit a policy, then go to Full Disk Encryption > Users are allowed to access system recovery utilities.

With an Administrator, Authenticator, or permitted User, perform the following to decrypt a disk.

  1. Log on to Recovery Console.

    See Accessing the Recovery Console from Full Disk Encryption Preboot.

    Recovery Console opens to the Decrypt Disk page.

  2. Click Decrypt to begin decrypting the drive.

    Decryption begins immediately and the Decrypt Disk page shows the decryption progress.

  3. When decryption completes, click Exit to reboot the Endpoint Encryption device.
  4. Do one of the following:
    • If booting a repair tool CD, DVD, or USB key:

      1. After exiting Full Disk Encryption, press F12 (or the appropriate button to enter the boot options).

      2. Insert the Repair CD and select the CD/DVD drive from the boot options screen.

      3. Proceed with established recovery actions.

    • If booting into Windows:

      1. Reboot the endpoint and hold F8.

      2. Select Safe Mode before the system begins booting into Windows.


      If the Windows boot options screen is missed, immediately turn off the device. If Windows boots normally (not in Safe Mode), DrAService will immediately start encrypting the drive again. Any recovery actions taken at this point will risk irreparable damage to data on the drive.

  5. Open Computer Management and go to Services and Applications > Services.

    The Services screen appears.

  6. Locate and double-click Trend Micro Full Disk Encryption to open the Trend Micro Full Disk Encryption Properties window.
  7. On the General tab, change Startup type to Disabled.
  8. Click Apply, then click OK.
  9. Reboot the endpoint.
  10. Log on the Full Disk Encryption preboot.
  11. Log on to Windows.
  12. After all recovery actions are complete, set DrAService to Automatic. The device automatically re-encrypts the hard disk after the next reboot.