Remove Safeguard Encryption from a device

Hi,

I would like to receive some tips to safely remove Safeguard from a fully encrypted device. The device is infected, but I need to collect a system image in order to analyze it, so as a first step I need to remove the encryption.

I'm aware that Safeguard removal could be dangerous if not handled in the proper way, so could you kindly tell me how I can remove Safeguard from the machine?

Is it necessary to remove the PC from any policy (e.g. no encryption group)? Is a particular step-by-step uninstalling procedure required?

Thank you for your support.

Regards

  • Hi - Dependent on how your policies are set up, you'll need to check to see if you've allowed the client to be removed?

    If you have prevented this then the policy will prevent its removal and potentially (again policy dependent) its decryption too.

    Best to try and remove the "normal" way in control panel. If this is prevented (we prevent this here for compliance) then you'll need to create a policy to allow this.

    I think I've covered this before - I'll dig it up as I think I included screenshots.

    But...

    In simple terms (sorry if I've skipped a few steps..)

    Create a Group on the console - Call it "_Decryption_Uninstall" (I prefix it with an _ to make it appear at the top of the list)

    Create the policy - assign it to the root of the domain. Set the policy ONLY to apply to the "new" group "_Decryption_Uninstall"

    Configure the policy to allow decryption and uninstallation (Machine settings - Installation Options - Uninstallation Allowed - YES AND Device Protection - Local Storage Devices\Internal Storage - Media Encryption Mode - NO ENCRYPTION).

    Make the PC in question a member of the group you created.

    Re-sync the client. "SHOULD" pop up with "New Policies received".

    Attempt uninstall again.

    Once you've removed the client you can also manually decrypt (turn off BitLocker).

    Hope this helps?
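
As an added example (not part of the reply above and not Sophos tooling), this is one way to carry out and verify the final "turn off BitLocker" step with the built-in Windows BitLocker cmdlets, so that imaging starts only once the volume is fully decrypted. It assumes the client has already been uninstalled, the volume is BitLocker-managed and the session is elevated; the function name `Wait-VolumeDecrypted` and the drive letter are placeholders chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: turn off BitLocker on one volume and wait until decryption
# has actually finished before the disk is imaged.
# Assumptions: SafeGuard client already removed, volume is BitLocker-managed.

function Wait-VolumeDecrypted {
    param(
        [string]$MountPoint = 'C:',   # placeholder drive letter
        [int]$PollSeconds = 30
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Record the starting state so the case notes show what was changed.
    $state = "{0}: status={1} protection={2} encrypted={3}%" -f $vol.MountPoint,
        $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
    Write-Host $state

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        return $vol
    }

    # Start decryption only if it is not already running. If a policy still
    # forbids decryption, this throws instead of failing silently.
    if ($vol.VolumeStatus -ne 'DecryptionInProgress') {
        Disable-BitLocker -MountPoint $MountPoint -ErrorAction Stop | Out-Null
    }

    # Disable-BitLocker returns at once; decryption continues in the background,
    # so poll until the volume reports FullyDecrypted.
    do {
        Start-Sleep -Seconds $PollSeconds
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Decrypting $MountPoint" `
            -Status "$($vol.EncryptionPercentage)% still encrypted" `
            -PercentComplete (100 - $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    Write-Progress -Activity "Decrypting $MountPoint" -Completed
    return $vol
}

Wait-VolumeDecrypted -MountPoint 'C:' |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```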
