Decrypt slave drive

I have a need to decrypt a drive I have slaved to my workstation.  The drive was not able to boot into Windows due to the SGNAuthService not running during login.  I tried to access the computer remotely so I could edit the registry, but during this process the workstation lost its trust to our domain.  I needed some data off the disk, so I slaved it to my workstation, found the key and assigned it to my user in the Management Center.  I was able to get the data I needed.  Now I want to reimage the drive, but first get the encryption off of it to recover all the space.  I created a decryption policy so I could decrypt the drive while attached to my workstation, but I can't get it to work.  The encryption stays greyed out.  To verify that I set up the policy correctly and added my machine correctly, I created another to decrypt my local drive.  This policy works correctly.



  • FormerMember
    0 FormerMember

    Hello Andrew,

    The machine might be picking up an overriding policy saying you don't have permission to decrypt. If you do an RSOP of the current user on that machine, does it say you should be able to decrypt?

    Do you have your Decryption policy pointing to Local Storage Devices Internal Storage > Non-boot volumes?

  • Thank you for the reply.  The RSOP for my user has the non-boot volumes set for no encryption.  The default policy is set for users to be able to unencrypt drives; my decryption policy is set to priority 1 with no overrides checked.  I can decrypt my boot drive as I also included a policy for that.  I can't decrypt a slave drive.  I have also tried making a policy for the drive letter.  Still a no go.

  • Solved my problem.  The slaved drive was being recognized as removable media, but creating a policy just to decrypt that still didn't work.  I had to make a removable media policy that allowed users to decrypt just as with bootable drives, even though a removable media policy was never created or pushed to my workstations to disallow users to decrypt.  Note to people who may run into this:

    Edit the default removable media policy to allow users to decrypt; also give the options for users to select encryption or not.  Create a removable media policy with "no encryption" and add both policies to your decryption policy group.

    I wasted entirely too much time on this...

  • FormerMember
    0 FormerMember in reply to Andrew Sarratore

    Hi Andrew,

    How the drive reports in will depend on how you plug it into the machine. Typically we recommend plugging the drive directly into the machine, as a USB caddy doesn't always get accepted. A slaved drive added like any other in the machine should be detected as internal storage and take policies from:
    Local Storage Devices Internal Storage > Non-boot volumes

    If you plug the drive in via a USB caddy/drive enclosure, this should work most of the time too; policies will be accepted from:
    Local Storage Devices > Removable Media

    Users are never allowed to decrypt anything unless they are specifically given permission to do so; we always err on the side of most secure.