MDE

How To Remove Encryption With The Option Force Crypt Sector

This option is mostly used when the Crypt List Count is set to 0 or other recovery methods have failed. Force Crypt Sector should be the last option used to remove McAfee Drive Encryption. If this option fails or is interrupted, the disk will be left partially encrypted and almost impossible to recover. Before attempting to run this option, it is recommended to make a sector-by-sector backup of the disk. Some tools for this type of backup are Acronis or Ghost.

The reason to have a sector-by-sector backup is that you’ll have the opportunity to try “Force Crypt Sector” several times by restoring the image. If this process fails and you have very important data, you will need to contact a data recovery agency that specializes in recovery.

Before attempting to run this option and if your Crypt List Count is 1, you should try the following first:

  1. Emergency Boot
  2. Restore MBR
  3. Remove DE
  4. WinPE

You will need to Authenticate and Authorize before proceeding with the next steps.

Note: If you are removing MDE from a laptop, make sure it is plugged into an electrical outlet. This prevents the process of decrypting the disk drive from being interrupted.

  1. Boot the system with the DETech tool. After the system is authorized and authenticated, click on “Force Crypt Sector”.
  2. The next screen will let you know that you are making permanent changes, and that it is recommended to make a backup of the disk image. Click “OK” to continue.
  3. The following example of the disk information is what we are going to use for the next steps. Make a note of the Start Sector and Sector count.
  4. If this is the only disk on the system, under Disk number select “Disk 0”, under Start Sector type “2048”, and for number of sectors enter the sector count 83881984. This is the information we gathered from the Disk Information. Make sure you go over the information you’re typing twice; any mistake in this step will leave the system in a partially encrypted state. Once all the information has been entered, click “Decrypt”.
  5. The process to decrypt will start. This can take several hours; in my experience working with Drive Encryption, I had a system that took 4 weeks to remove encryption. This is because sometimes some sectors might be damaged, and the tool will continue to try to decrypt the sector several times. Then it will move to the next sector, and if you have several bad sectors, this process can take a couple of days or weeks.
  6. Never turn off the system or cancel during this operation. Wait until you get an error; as I said before, this can take weeks. If this process is cancelled or there is a loss of power, we won’t be able to know which sector was the last one decrypted, and you will end up with a partially encrypted disk. You must wait until you get an error or the process completes.
  7. Once the process is completed, click “Close”.
  8. The next step after removing Drive Encryption from a disk is to restore the original Windows MBR. Click on “Restore MBR”.
  9. Next, select to restore “Original MBR” and mark “Keep the current Partition Tables”, then click “OK”.
  10. Once the Windows MBR has been restored, click “OK”.
  11. To exit and reboot the system, click “Quit”.
  12. Next you will get a warning letting you know that the system will restart; click “OK”.
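
Because a mistyped Start Sector or sector count in steps 3 and 4 leaves the disk partially encrypted, the values can be cross-checked against the partition table in the backup image before clicking “Decrypt”. The following is an added example, not part of the original guide or of the DETech tool; it assumes a raw sector-by-sector image, MBR (not GPT) partitioning, 512-byte sectors and a readable partition table in sector 0, and the function names, file name and total disk size are hypothetical.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

def parse_mbr(sector0: bytes):
    """Return [(index, type, start_lba, sector_count)] for non-empty MBR entries."""
    if len(sector0) < SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i : 462 + 16 * i]
        ptype = entry[4]                                  # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if ptype != 0 and count != 0:
            parts.append((i, ptype, start, count))
    return parts

def check_range(parts, start, count, disk_sectors=None):
    """List the problems with the range about to be typed in; empty means it matches."""
    problems = []
    if any(ptype == 0xEE for _, ptype, _, _ in parts):
        problems.append("protective MBR (GPT disk): MBR entries do not describe the volumes")
    if not any(s == start and c == count for _, _, s, c in parts):
        problems.append(f"no partition entry with start={start} count={count}")
    if disk_sectors is not None and start + count > disk_sectors:
        problems.append("range runs past the end of the disk")
    return problems

def build_sample_mbr(start, count, ptype=0x07):
    """Constructed sector 0 with one NTFS-type entry, for demonstration only."""
    s = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3sB3sII", s, 446, 0x80, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    # In practice: sector0 = open("disk0.img", "rb").read(512)  (hypothetical file name)
    sector0 = build_sample_mbr(2048, 83881984)  # values from step 4 of the guide
    parts = parse_mbr(sector0)
    for idx, ptype, start, count in parts:
        print(f"entry {idx}: type=0x{ptype:02x} start={start} count={count} "
              f"({count * SECTOR_SIZE / 2**30:.2f} GiB)")
    # 83886080 is a constructed total disk size (40 GiB), not taken from the guide
    print(check_range(parts, 2048, 83881984, disk_sectors=83886080) or "values match")
    print(check_range(parts, 2048, 83881948, disk_sectors=83886080))  # transposed digits
```

An empty result from `check_range` means the numbers match a partition entry; anything else is a reason to stop and re-read the Disk Information screen.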

Once the system reboots, you should be able to log in to Windows without any issues. Make sure that the Drive Encryption policy for this system is disabled, or as soon as it connects to ePO, the drive will start encrypting again.

This concludes this guide on how to remove encryption with the Force Crypt Sector option using the EETech/DETech tool. If you have any questions or comments, please let me know in the comment area.
