Showing results for 
Search instead for 
Did you mean: 
Level 7

Manual deactivation of drive encryption

Our systems group rebuilds computers over the network using SCCM.  They need a way to remove MDE first, as they don't have access to ePO.  I thought the manual removal process was just what I needed until I read that you have to deactivate the system using ePO before you can manually remove MDE.  The whole point of a manual removal process is so that you don't have to use ePO to remove the product.  What is the point in having a manual removal process when there is not a manual decryption/deactivation process to go with it?  I still need to go into ePO to decrypt and deactivate so I may as well remove it at the same time. 

If you are going to have a manual removal process, you should be able to do the whole removal, not just the second half.  Sure you can use DETECH to decrypt it, but once again you can also use it to remove the product.  Plus you have to be physically present at the system in order to run DETECH.  Without a way to manually deactivate/decrypt a system, the whole manual removal process is useless.  Either I have to go in and decrypt every system before it is rebuilt, or I have to give 40 or 50 people access to ePO and the ability to change tags and policies on systems, just so they can remove MDE for a rebuild. 

0 Kudos
2 Replies
Level 9

Re: Manual deactivation of drive encryption

We have had success using these tools when doing an "upgrade" (not really an upgrade) from WinXP to Win7, using Microsoft Deployment Toolkit (MDT).

McAfee KnowledgeBase - How to upgrade a Windows operating system with Drive Encryption installed

Perhaps you can use the same tools with SCCM.


0 Kudos
Level 10

Re: Manual deactivation of drive encryption

For re-imaging a machine (or upgrading the OS) you may want to look at the temporary autoboot feature. It does require it to be allowed in a policy which needs to communicate with ePO prior to using it. That may be an issues in your case.

0 Kudos