8 Replies Latest reply on Dec 5, 2011 11:58 AM by SafeBoot

    Cannot remove EEPC

      Hi

       

      We have a problem on an encrypted laptop and we desperately need to get to the data. The laptop will not boot into Windows anymore and I believe that the MBR was damaged. When we use the EETech disk to Remove EE (after authorising and authenticating, of course), it tells us that "Endpoint Encryption is not currently active". We have version 6.1 installed.

       

      Please excuse my ignorance, but I have never decrypted a disk any other way. I have read the manual where they mention Force Crypt sectors but never tell you exactly how to do it. Also, how do you know what sectors you need to decrypt if you need to get data from C:\Users\%userprofile% for example? I have used the BartPE disk with A43 and tried looking at the files once authenticated, but Drive C: still shows as empty and unformatted.

       

      Many thanks

        • 1. Re: Cannot remove EEPC

          Did you log in with the XML export from the ePO server or with the user credentials?

          • 2. Re: Cannot remove EEPC

            that won't help if EEPC is not active - it sounds like the OP has a rootkit or some other MBR malware.

             

            You're going to have to do a manual decryption of the sectors AFTER checking you have the right key - you can get the sector range from the disk info, and as long as you have the right key (and the whole partition was encrypted), you'll have 100% success.

             

            It's all about how much validation of your sector ranges and keys though - if you're unfamiliar, find the person who got trained on this when the product was purchased, or get professional services in to help you.

            • 3. Re: Cannot remove EEPC

              What is strange is that after this incident, I took one of my test laptops that is fully encrypted with version 6.1 and tried the same thing (booted off the EETech disk, authorised and authenticated successfully with the XML file and code of the day) but cannot see any data on A43. Am I doing something wrong here because this seems simple enough to do? Are there any specific settings in the product policies that need to be enabled for this to work?

              • 4. Re: Cannot remove EEPC

                Hi Safeboot, you mention that "if I have the correct key" it will work. Does it necessarily mean if it accepts the XML file to authenticate it has the right key?

                • 5. Re: Cannot remove EEPC

                  Hi Westede, I used the XML file. The pre-boot section is damaged or non-existent so it won't allow me to use associated users.

                  • 6. Re: Cannot remove EEPC

                    no - it just means the XML file is valid - to test whether it's the correct one or not, decrypt the partition boot sector in the workspace and make sure it looks good.

                    • 7. Re: Cannot remove EEPC

                      Please excuse my ignorance once again, but how do I find the exact sectors to identify the boot partition? Also, if it has decrypted successfully, will that mean I will see files on the encrypted volume?

                      • 8. Re: Cannot remove EEPC

                        look in the disk information and get the partition start sector.

                         

                        yes, if it's decrypted you'll see the files without doing anything in a43, and you'll also see the files if the disk information is valid and you supply the right XML file.

                         

                        If the disk info is invalid though (as it would be if the MBR was damaged), you won't see any files until you decrypt the correct sectors with the correct key.
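
The two checks discussed in replies 6 and 8 (reading the partition start sector from the MBR, and judging whether a decrypted partition boot sector "looks good"), as an added example that is not part of the original thread and is not McAfee or EETech code. It assumes an MBR-partitioned disk, 512-byte sectors and an NTFS volume; the function names are hypothetical and the sample sectors are constructed.

```python
import struct
SECTOR = 512

def mbr_partitions(mbr: bytes):
    """Return (type, start_lba, sector_count) for each used MBR table entry."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature: MBR is damaged or not an MBR")
    parts = []
    for off in range(446, 510, 16):              # four 16-byte entries
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def ntfs_boot_sector_problems(sec: bytes):
    """Return reasons the sector does not look like an NTFS boot sector."""
    if len(sec) != SECTOR:
        return ["not a 512-byte sector"]
    problems = []
    if sec[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA end signature")
    if sec[3:11] != b"NTFS    ":
        problems.append("OEM ID is not 'NTFS    '")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    if bps not in (512, 1024, 2048, 4096):
        problems.append(f"implausible bytes per sector: {bps}")
    if spc not in (1, 2, 4, 8, 16, 32, 64, 128):  # typical values only
        problems.append(f"unusual sectors per cluster: {spc}")
    return problems

# --- constructed sample sectors, not taken from any real disk ---
def sample_mbr():
    sec = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", sec, 446, 0x80, 0x07, 2048, 1000000)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def sample_ntfs_boot_sector():
    sec = bytearray(SECTOR)
    sec[0:11] = b"\xeb\x52\x90NTFS    "          # jump + OEM ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)   # 512 B/sector, 8 sectors/cluster
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)
WRONG_KEY_SECTOR = bytes(range(256)) * 2         # stand-in for garbage output

if __name__ == "__main__":
    print(mbr_partitions(sample_mbr()))
    print(ntfs_boot_sector_problems(WRONG_KEY_SECTOR))
```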