On a machine running the same release of Encryption Desktop 10.5.1 as the machine you wish to recover, browse to the Windows 10 Assessment and Deployment Kit (ADK) page and download the ADK for Windows 10 version 2004 and above. The direct link is here. Note that the machine used to create the WinPE media does not need to have its drive encrypted. 

The ADK setup dialog has over seven components selected by default. These components will require over 1 GB of disk space. However, only the Deployment Tools are required and they require under 100 MB of disk space, so please deselect the other components if you wish to save disk space and time.

After you have installed the ADK, download and install the Windows PE add-on from the Windows 10 Assessment and Deployment Kit (ADK) page. The direct link is here. WinPE requires about 5.5 GB of disk space.

Do the following to create the WinPE recovery media:

1. Click on the Windows start button then right click on the Deployment and Imaging Tools Environment shortcut and choose More / Run as administrator.

2. Enter this command to run the Microsoft copype.cmd script which creates working directories for WinPE image customization and media creation:

copype amd64 \winpe_amd64

3. Download the attached 1695338925856__makewinpeiso.cmd.txt file, rename it makewinpeiso.cmd and then open a user command prompt (not an administrative command prompt) and run the script. The script automates the steps contained in the Customizing the Windows Preinstallation Environment for Symantec Drive Encryption Technical Note:

• Creates the c:\wde folder.
• Copies all the necessary files from the "C:\Program Files (x86)\PGP Corporation\PGP Desktop" folder to the c:\wde folder.
• Prepares all the files for the creation of a bootable ISO by running the pgppe.exe utility. At this point you will be prompted to allow it to run:

• Copies the customized c:\winpe_amd64\winpe.wim file over the c:\winpe_amd64\media\sources\boot.wim file.

4. Run the following command from the Deployment Tools prompt to create the bootable ISO c:\WinPE_amd64\WinPE_amd64.iso. The size of the ISO file will be about 325 MB. You can burn the ISO file to CD or DVD if you wish by right clicking on the ISO file In Windows Explorer and choosing Burn disc image / Burn:

makewinpemedia /iso \WinPE_amd64 \WinPE_amd64\WinPE_amd64.iso

5. Run the following command to create a bootable WinPE USB drive. The drive will be formatted. If the USB drive letter is F run this:

makewinpemedia /ufd \WinPE_amd64 f:

If the makewinpemedia command fails to create the bootable USB drive, you may need to clean and prepare the USB drive first. To do this, run the following command to find out the disk number of the USB drive. Usually the USB drive is disk 1:

reg query HKLM\SYSTEM\CurrentControlSet\Services\disk\Enum

Assuming the USB drive is disk 1, download the attached 1601459827665__diskpart.txt file, rename it diskpart.txt and run the following command:

diskpart /s diskpart.txt

Then run the makewinpemedia command from step 5 again.

If you need to roll back to step 2, the point at which you run the copype command, run these commands to remove the folders you created:

cd\
rd /s /q \winpe_amd64
rd /s /q \wde

When you boot from the WinPE media you should see this. If you do not, the WinPE media has not been created successfully:

X:\windows\system32>wpeinit

In the X:\windows\system32 directory you will have these two executables:

1. PGPwde.exe
2. PGPRecoveryGui.exe

Use the PGPwde utility to authenticate to the encrypted disk. Then copy the important files that the user needs to another USB drive. For example, to authenticate to the C drive with a user's passphrase, a disk administrator passphrase or a WDRT (Whole Disk Recovery Token), enter any of these authentication items at the Passphrase prompt:

pgpwde --auth --disk 0 --interactive
Enter Passphrase:
Request sent to Authenticate disk was successful

If you cannot authenticate to the drive, you will not be able to copy files from it or decrypt it.

Further information about the --auth switch and additional pgpwde commands are in the PGP Whole Disk Encryption Command Line User's Guide.

Only consider decrypting the drive after first copying the user's important files from the encrypted drive. If you do not do this, you may find that there is a hardware issue with the drive and the decryption attempt will fail. This may render the drive and the user's important files permanently inaccessible.

PGPRecoveryGui allows you to decrypt the disk using a graphical utility. You will need to authenticate to the disk using a user's passphrase, a disk administrator passphrase or a WDRT. Therefore, if you cannot authenticate with PGPwde, you will not be able to authenticate with PGPRecoveryGui either.