Uninstall Encryption and Encryption on Server Operating System
To reduce decryption time, run the Windows Disk Cleanup Wizard to remove temporary files and other unneeded data.
Plan to decrypt overnight, if possible.
Turn off sleep mode to prevent an unattended computer from going to sleep. Decryption cannot occur on a sleeping computer.
Shut down all processes and applications to minimize decryption failures because of locked files.
Once the uninstall is complete and decryption is in progress, disable all network connectivity. Otherwise, new policies may be acquired that re-enable encryption.
Follow your existing process for decrypting data, such as issuing a policy update.
Encryption and Encryption External Media update the Dell Server to change the status to Unprotected at the beginning of a client uninstall process. However, in the event that the client cannot contact the Dell Server, regardless of the reason, the status cannot be updated. In this case, you will need to manually Remove Endpoint in the Management Console. If your organization uses this workflow for compliance purposes, Dell recommends that you verify that Unprotected has been set as expected, either in the Management Console or Managed Reports.
Process
Before beginning the uninstall process, see (Optional) Create an Encryption Removal Agent Log File. This log file is useful for troubleshooting an uninstall/decryption operation. If you do not intend to decrypt files during the uninstall process, you do not need to create an Encryption Removal Agent log file.
The Key Server (and Security Management Server) must be configured prior to uninstallation if using the Encryption Removal Agent's Download Keys from Server option. See Configure Key Server for Uninstallation of Encryption Client Activated Against Security Management Server for instructions. No prior action is needed if the client to uninstall is activated against a Security Management Server Virtual, as Security Management Server Virtual does not use the Key Server.
You must use the Dell Administrative Utility (CMGAd) prior to launching the Encryption Removal Agent if using the Encryption Removal Agent's Import Keys from a file option. This utility is used to obtain the encryption key bundle. See Use the Administrative Download Utility (CMGAd) for instructions. The utility can be located in the Dell installation media.
Run WSScan to ensure that all data is decrypted after uninstallation is complete, but before restarting the computer. See Use WSScan for instructions.
Periodically Check Encryption Removal Agent Status. Data decryption is still in process if the Encryption Removal Agent service still exists in the services panel.
Command Line Uninstallation
Once extracted from the master installer, the Encryption installer can be located at C:\extracted\Encryption\DDPE_XXbit_setup.exe.
The following table details the parameters available for the uninstallation.
| Parameter | Selection |
|---|---|
| CMG_DECRYPT | Property for selecting the type of Encryption Removal Agent installation: 3 - Use LSARecovery bundle; 2 - Use previously downloaded forensics key material; 1 - Download keys from the Dell Server; 0 - Do not install Encryption Removal Agent |
| CMGSILENTMODE | Property for silent uninstallation: 1 - Silent - required when running with msiexec variables containing /q or /qn; 0 - Not Silent - only possible when msiexec variables containing /q are not present in the command line syntax |
| Required Properties | |
| DA_KM_PATH | The fully qualified path to the keybundle. |
| DA_KM_PW | The password set on the keybundle. |
| DA_SERVER | FQHN for the Security Management Server hosting the negotiate session. |
| DA_PORT | Port on the Security Management Server for request (default is 8050). |
| SVCPN | User name in UPN format that the Key Server service is logged on as on the Security Management Server. |
| DA_RUNAS | User name in SAM compatible format under whose context the key fetch request is made. This user must be in the Key Server list in the Security Management Server. |
| DA_RUNASPWD | Password for the runas user. |
| FORENSIC_ADMIN | The forensic administrator account on the Dell Server, which can be used for forensic requests for uninstalls or keys. |
| FORENSIC_ADMIN_PWD | The password for the forensic administrator account. |
| Optional Properties | |
| SVCLOGONUN | User name in UPN format for Encryption Removal Agent service log on as parameter. |
| SVCLOGONPWD | Password for log on as user. |
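A pre-flight check for the properties in the table above, written as an added PowerShell example (not Dell's code): it validates the value ranges and name formats the table states and masks the password properties before the property set is written to a deployment log. The function names and sample values are constructed for illustration.

```powershell
# Added example, not Dell code. Property names and allowed values come from the
# parameter table; function names and sample values are constructed.
$SecretProps = 'DA_KM_PW', 'DA_RUNASPWD', 'FORENSIC_ADMIN_PWD', 'SVCLOGONPWD'

function Test-UninstallProperties {
    param([hashtable]$Props, [string]$MsiSwitches = '')
    $issues = @()
    if ("$($Props.CMG_DECRYPT)" -notmatch '^[0-3]$') { $issues += 'CMG_DECRYPT must be 0, 1, 2 or 3' }
    if ("$($Props.CMGSILENTMODE)" -notmatch '^[01]$') { $issues += 'CMGSILENTMODE must be 0 or 1' }
    # Silent mode (1) is required whenever the msiexec variables contain /q or /qn.
    if ($MsiSwitches -match '(^|\s)/q' -and "$($Props.CMGSILENTMODE)" -ne '1') {
        $issues += 'CMGSILENTMODE must be 1 when /q or /qn is present'
    }
    $port = 0
    if ($Props.ContainsKey('DA_PORT') -and
        (-not [int]::TryParse("$($Props.DA_PORT)", [ref]$port) -or $port -lt 1 -or $port -gt 65535)) {
        $issues += 'DA_PORT must be a TCP port number (the default is 8050)'
    }
    # SVCPN and SVCLOGONUN are in UPN format (user@domain).
    foreach ($name in 'SVCPN', 'SVCLOGONUN') {
        if ($Props.ContainsKey($name) -and "$($Props[$name])" -notmatch '^[^@\\\s]+@[^@\\\s]+$') {
            $issues += "$name must be in UPN format"
        }
    }
    # DA_RUNAS is in SAM compatible format (DOMAIN\user).
    if ($Props.ContainsKey('DA_RUNAS') -and "$($Props.DA_RUNAS)" -notmatch '^[^@\\\s]+\\[^@\\\s]+$') {
        $issues += 'DA_RUNAS must be in SAM compatible format'
    }
    $issues
}

function Format-PropertiesForLog {
    param([hashtable]$Props)
    # Mask every password property so the logged line carries no credentials.
    ($Props.Keys | Sort-Object | ForEach-Object {
        $value = if ($SecretProps -contains $_) { '********' } else { $Props[$_] }
        "$_=$value"
    }) -join ' '
}

# Constructed sample values.
$props = @{
    CMG_DECRYPT = 1; CMGSILENTMODE = 1; DA_SERVER = 'server.example.com'; DA_PORT = 8050
    SVCPN = 'keyserver@example.com'; DA_RUNAS = 'EXAMPLE\svc-uninstall'; DA_RUNASPWD = 'constructed'
}
$found = Test-UninstallProperties -Props $props -MsiSwitches '/qn'
if ($found) { $found | Write-Warning } else { Format-PropertiesForLog -Props $props }
```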
The following example silently uninstalls Encryption and downloads the encryption keys from the Security Management Server.
The following example silently uninstalls Encryption using pre-downloaded keys located at C:\Users\administrator\Desktop\Admin\ using the forensic administrator password and writing logs to C:\SheildUninstall.