Endpoint Encryption


SEE - Uninstalling the SEE for BitLocker Client in the Event of Client Failure. 

Nov 01, 2018 01:26 PM

This article demonstrates how to manually uninstall the SEE for BitLocker client from an endpoint when the client has failed in some manner, whether through generic client issues during normal operation or a failure of the uninstall/install process. It can also be used in smaller environments for testing, or where automating the uninstall process is not an option. This method avoids the need for a third-party piece of software, and it can be used when communication with the management server has been lost due to certificate expiration.

Before using this method, you should follow the uninstall instructions in the SEE Installation Guide for the specific version of SEE you are using. If those methods do not work, you can then use this approach to remove the endpoint client.

It is also worth noting that, although this method can be used to uninstall all versions of the SEE client, it is primarily aimed at the BitLocker version of the client.

Finally, all commands used in this guide must be run from an elevated Command Prompt or PowerShell prompt.

Before Uninstalling.

Prior to uninstalling the client, you will need to ensure all of the drives in the endpoint machine have been fully decrypted. To check whether a drive is encrypted, you can use the management console, use the Manage BitLocker settings in Windows, or run the following command.

manage-bde C: -status

You can replace "C:" with the relevant drive letter.

Upon running this command you will see the following: 

[Image: output of manage-bde C: -status]

Running this command is recommended, since it shows the additional BitLocker values we need to note in order to progress the uninstall process. You can see in the image above that the current Conversion Status is set to Fully Encrypted, which clearly shows the drive is encrypted. Below this, we can see the drive is unlocked and the protection status is turned on. These two values are important, since they will need to be set to unlocked and off respectively.

In order to turn these off we can run additional commands. Before running these commands, you must make sure you have access to your BitLocker recovery key, either by having the key saved or by having the Recovery Key file. The key is required in order to unlock the drive.

Firstly you will need to run the following command, in order to unlock the drive:

manage-bde -unlock C: -RecoveryKey "YOUR_BITLOCKER_RECOVERY_KEY"

Once again, you can replace "C:" with the relevant drive, and replace "YOUR_BITLOCKER_RECOVERY_KEY" with the correct Recovery Key for the drive.

This will unlock the drive and allow you to take off the protection. 

Next you can turn off BitLocker; this will also decrypt your drive. Run the following command:

manage-bde C: -off

You will now see a message saying decryption is now in progress. 

At this stage, you can re-run the -status command from earlier to see the status of the drive encryption. It is worth leaving this to decrypt. This can take some time, depending on the type of drive you are decrypting. Once this is complete, the status command will show something like the following:

[Image: Decryption Status]

Once your drive is decrypted, you will now be ready to run the uninstall process. 
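
The pre-uninstall check described above can be scripted so that every drive is confirmed decrypted before the uninstall starts. The following is an added example, not part of the original article or the SEE product; it reads state from the Windows BitLocker PowerShell module (Get-BitLockerVolume) instead of manage-bde, and the function names, poll interval and timeout are assumptions chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): pre-uninstall gate for BitLocker volumes.
# Reads state from Get-BitLockerVolume rather than parsing manage-bde text.

function Get-VolumeReadiness {
    # One object per volume: Ready is true only when nothing is left to do.
    Get-BitLockerVolume | ForEach-Object {
        $reason = $null
        $blocked = $false   # true when waiting will never fix the state
        if ($_.LockStatus -eq 'Locked') {
            $reason = 'volume is locked; unlock it with the recovery key'
            $blocked = $true
        } elseif ($_.VolumeStatus -like '*Paused') {
            $reason = "conversion is paused ($($_.VolumeStatus))"
            $blocked = $true
        } elseif ($_.VolumeStatus -ne 'FullyDecrypted') {
            $reason = "$($_.VolumeStatus), $($_.EncryptionPercentage)% still encrypted"
        } elseif ($_.ProtectionStatus -ne 'Off') {
            $reason = "protection status is $($_.ProtectionStatus)"
        }
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Ready      = ($null -eq $reason)
            Blocked    = $blocked
            Reason     = $reason
        }
    }
}

function Wait-FullyDecrypted {
    # Hypothetical defaults: poll every 60 seconds, give up after 4 hours.
    param([int]$PollSeconds = 60, [int]$TimeoutMinutes = 240)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $pending = @(Get-VolumeReadiness | Where-Object { -not $_.Ready })
        if ($pending.Count -eq 0) { return $true }
        $pending | ForEach-Object { Write-Host "$($_.MountPoint) $($_.Reason)" }
        # Locked or paused volumes need operator action; polling will not help.
        if ($pending | Where-Object Blocked) { return $false }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (Wait-FullyDecrypted) {
    Write-Host 'All volumes are fully decrypted; the client can be uninstalled.'
} else {
    Write-Error 'At least one volume is not fully decrypted; do not uninstall yet.'
    exit 1
}
```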

Uninstalling the Client. 

At this point, you should be able to simply uninstall the client from Apps and Features within Windows. However, this may give you an error if you have Removable Drive Encryption enabled. When RME is enabled, you must first install, over the top of the existing client, a client that has RME turned on but allows RME to be turned off via the SEE management console. This usually takes the form of an "Uninstall Policy" within the SEE management console.

Once you have generated a new working client with RME, you can then copy the MSI file to the affected endpoint to run the uninstall command.

Run the following uninstall command to remove the existing client, and install the working client. 

MSIEXEC /i [UninstallClientPath.msi] REINSTALLMODE=vemus ADDLOCAL=all /l*v "Uninstall_Log01.log"

Where [UninstallClientPath.msi] is the path of the new client. This also creates an output log file in case of issues.

Once this has run, the uninstall process will continue as normal. You can verify the product has been uninstalled by opening the Apps and Features settings in Windows and checking that the client has been removed.

If any issues during this process are encountered, you can consult the uninstall log file created during the uninstall to review the errors. 

I hope this guide assists you in removing a SEE client from an endpoint which has experienced some form of app or OS failure preventing you from exercising the normal uninstall methods. 
