ESET Online Help

Select the category
Select the topic

Full Disk Encryption Recovery Overview

Full Disk Encryption Recovery Overview for standalone ESET Endpoint Encryption Client

Managed Full Disk Encryption

If you can boot Windows normally, decrypt a managed workstation:

1.Log in to ESET Endpoint Encryption Server.

2.Click Workstations, select the workstation you want to decrypt and click Details.

3.Click Full Disk Encryption.

4.Click Decrypt to select disks or disk partitions that you want to decrypt.

5.Click Decrypt at the bottom right of the window to send the decryption command to the workstations.

6.Type the password to confirm the operation and click OK.

The workstation will begin the decrypting process when it is synchronized with the server.


Decrypt a managed UEFI BIOS workstation

When Windows fails to boot, and you cannot log in to Windows, decrypt a workstation in the following steps:

Obtain the FDE Recovery Data File

1.Select the workstation you need to decrypt from the ESET Endpoint Encryption Server Server Workstations list and click Details.

2.Click Tools, select FDE Recovery and click Recovery File.

3.Type a password into both fields to protect the decryption file, and click Download.

This password is required to start the decryption process later.

The browser prompts you to download the generated file. Select a location to save the file.

Use the ESET Recovery Media Creator

1.Insert an empty USB drive into your computer.


Ensure that the USB device has a FAT32 formatted partition. The partition is required to set up the ESET Recovery Media Creator.

2.Download the ESET Recovery Media Creator.

3.Run the utility and click Next to continue.

4.Click Win RE USB 32 & 64 bit.

When you create a Win RE USB, the architecture (x86 / x64) of the utility´s host system must match the target system needing recovery.

For TPM Encrypted systems, use the EFI USB 32 & 64-bit option, as WIN RE is incompatible with these systems.

5.Select the Destination disk for the recovery media and click Next.

6.Click EEES Managed.

7.Click Browse and locate the FDE Recovery Data File (DLPRecovery_*.dat) file generated earlier.

8.Optionally, if ESET support instructs you, select support files.

9.Click Next.

10. Click Start to create the recovery media.

11. In Confirm window, click Yes to format the USB drive and create the recovery media.

12. Wait until the utility completes the creation process.

13. Click Finish.

14. Safely eject the USB drive.

Decrypt the workstation

1.Insert the ESET Encryption Recovery USB drive and boot the workstation from the USB.

If the device has booted correctly, the Language selection window displays.

2.Select the desired language to continue.

3.Select the option to Decrypt all encrypted disks (managed recovery file).

4.A warning message displays; click Yes to continue.

5.Type the password you specified and click OK.

6.Select Secure or Performance mode to initiate the decryption process.

Secure: Throughout the recovery process, a checkpoint will be saved to minimize data loss if the recovery process is interrupted. We recommend selecting this modes when recovering critical data. Depending on the size of the disks(s), this may take a long time to complete.

Performance: The recovery process is optimized for speed and will complete quicker than Secure mode. Data may be lost if the recovery process is interrupted.


Let the process complete and do not shut down or power the machine off.

7.When the computer is successfully decrypted, click OK.

8.Click Shutdown.

Update ESET Endpoint Encryption Server

Decrypting a managed workstation outside of Windows will result in an Encryption Discrepancy. ESET Endpoint Encryption Server Server thinks the workstation is encrypted; however, the workstation was decrypted with ESET Encryption Recovery utility. To resolve this discrepancy, follow the procedure:

1.Update the server status of the machine to enable sending a new encryption command.

2.After re-synchronizing the ESET Endpoint Encryption Server Server, you will see a Resolve Encryption Discrepancy button on the top panel. Click Resolve Encryption Discrepancy.

3.Read the Resolve Encryption Discrepancy dialog window carefully.


Selecting No will erase the ESET Endpoint Encryption Server Server´s record of all encryption data for this workstation. Do not click No if the workstation is still encrypted.


Other Scenarios

If the Recovery Tool does not allow decryption because it reports that the master disk is missing required data, create a support ticket including as much detail as possible. If the system is managed, include a workstation log. It may still be possible to recover the system, but it may require access to the disk in another system.

If the ESET Endpoint Encryption Pre-Boot authentication is not shown, repair the MBR using the recovery tool.