2 Replies Latest reply on Jan 13, 2016 7:42 AM by mitch_reid

Manual deactivation of drive encryption


Our systems group rebuilds computers over the network using SCCM. They need a way to remove MDE first, as they don't have access to ePO. I thought the manual removal process was just what I needed until I read that you have to deactivate the system using ePO before you can manually remove MDE. The whole point of a manual removal process is so that you don't have to use ePO to remove the product. What is the point in having a manual removal process when there is not a manual decryption/deactivation process to go with it? I still need to go into ePO to decrypt and deactivate, so I may as well remove it at the same time.


If you are going to have a manual removal process, you should be able to do the whole removal, not just the second half. Sure, you can use DETECH to decrypt it, but once again you can also use it to remove the product. Plus, you have to be physically present at the system in order to run DETECH. Without a way to manually deactivate/decrypt a system, the whole manual removal process is useless. Either I have to go in and decrypt every system before it is rebuilt, or I have to give 40 or 50 people access to ePO and the ability to change tags and policies on systems, just so they can remove MDE for a rebuild.