Removing Disk Encryption Manager with or without Decrypting Devices

At some point you may want to remove Disk Encryption Manager and either:

  1. Decrypt a device's hard disks
  2. Leave a device's hard disks in an encrypted state

In either case, encryption management is returned to the target device's BitLocker installation and is no longer managed by RMM.

Disabling Disk Encryption Manager in the MAV-BDProtection Policy is the only point when the option to decrypt a device is given. As such, care must be taken to ensure only the target devices are using the policy in which Disk Encryption Manager is being disabled. Confirm that there are no other devices, clients or sites using the policy as these will also have Disk Encryption Manager disabled and, if selected, the devices will decrypt. As long as the device remains in the RMM Dashboard, the Recovery Key information remains available via the Recovery Key Report. If the device is removed from the RMM dashboard, the last known valid Recovery Key is retained for 90 days only.

As disabling Disk Encryption Manager, and therefore decrypting devices, is controlled via the MAV-BDProtection Policy, care must be taken not to disable it on unintended devices that may be using the same policy. Your situation will fall into one of 2 scenarios: either only the devices to be amended are using the policy, or those devices use a mixture of policies and will need to be moved onto one policy before Disk Encryption Manager can be removed safely.

The first step in either case is to run the Recovery Key Report, then confirm that the policy where you will disable Disk Encryption Manager is only in use by the devices where you want to disable Disk Encryption Manager with or without decryption.

When removing Disk Encryption Manager but leaving devices encrypted, the boot drive of each device will have BitLocker enabled and active, but all other fixed drives will have BitLocker enabled and suspended. This is because Disk Encryption Manager ties the protector of all non-boot drives to the boot drive. Once Disk Encryption Manager is removed, BitLocker requires protectors to be configured manually (password/PIN etc.) via the local BitLocker instance.
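The per-volume state described above can be checked locally once Disk Encryption Manager is gone. The following PowerShell is an added example, not part of the original page or the RMM product: it records the BitLocker status and recovery passwords of every fixed volume (covering the "obtain the Recovery Keys first" advice) and, with -RestoreProtection, resumes protection on data drives left encrypted and suspended. It assumes it is run elevated on the device with the built-in BitLocker module available; $ReportPath is a path of your choosing.

```powershell
# Added example: inventory BitLocker state after Disk Encryption Manager removal
# and optionally restore protection on suspended data drives.
# Assumptions: elevated session, BitLocker PowerShell module present,
# $ReportPath is a location you control (it will contain recovery passwords).
param(
    [string]$ReportPath = "$env:ProgramData\bitlocker-state-$(Get-Date -Format yyyyMMdd-HHmm).csv",
    [switch]$RestoreProtection
)

# Only OS and fixed/data volumes are of interest here.
$volumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }

$report = foreach ($v in $volumes) {
    $recovery = $v.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -ExpandProperty RecoveryPassword
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType
        VolumeStatus     = $v.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $v.ProtectionStatus   # 'Off' on an encrypted volume = suspended
        AutoUnlock       = $v.AutoUnlockEnabled
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ';')
        RecoveryPassword = ($recovery -join ';')
    }
}
# Store this file securely; it is the local equivalent of the Recovery Key Report.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table -AutoSize

# Data drives that are still encrypted but have protection suspended are the
# state left behind after removal. Restoring protection: ensure a recovery
# password exists, let the (still protected) OS drive auto-unlock the data
# drive in place of the dependency the manager used to handle, then resume.
if ($RestoreProtection) {
    $suspended = $volumes | Where-Object {
        $_.VolumeType -eq 'Data' -and
        $_.VolumeStatus -eq 'FullyEncrypted' -and
        $_.ProtectionStatus -eq 'Off'
    }
    foreach ($v in $suspended) {
        if ($v.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
            Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector | Out-Null
        }
        Enable-BitLockerAutoUnlock -MountPoint $v.MountPoint
        Resume-BitLocker -MountPoint $v.MountPoint | Out-Null
        Write-Host "Protection resumed on $($v.MountPoint)"
    }
}
```

Re-run the script without -RestoreProtection afterwards and confirm every encrypted volume now reports ProtectionStatus On before the device leaves the RMM Dashboard.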

How to disable Disk Encryption Manager with or without Decrypting Devices

Where the policy is set at Device Type, Client, Site or Individual Device level AND:

  • All devices using the policy are targets to disable Disk Encryption Manager - use Scenario 1
  • Not all devices using that policy are targets to disable Disk Encryption Manager - use Scenario 2

Ensure all devices are online and have no communication issues during the below process. An offline device will not update to the new policy until it has come back online and checked in with the RMM dashboard. If you have continued on and removed Disk Encryption Manager and have then changed the policy again, or have set the Client, Site or Device type to another policy while devices are offline, those offline devices will take the newest settings policy when they come back online.

Scenario 1

  1. Run the Recovery Key Report for all target devices, and store securely for future use by following Disk Encryption Manager Reporting
  2. Disable Disk Encryption Manager in the Managed Antivirus Protection Policy by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy

The devices will now update their settings on the next check cycle, and then uninstall Disk Encryption Manager. Where decryption was selected, all disks in all devices will decrypt first, and then Disk Encryption Manager will uninstall.

Scenario 2

  1. Create a new policy and configure it to have Disk Encryption Manager enabled by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy
  2. Apply this new policy at the appropriate level for the target devices.
  3. Allow any Disk Encryption Manager processes to complete as Disk Encryption Manager takes over from the previous policy and generates any new Recovery Keys
  4. Run the Recovery Key Report for all target devices, and store securely for future use by following Disk Encryption Manager Reporting
  5. Disable Disk Encryption Manager in the Managed Antivirus Protection Policy by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy

The devices will now update their settings on the next check cycle, and then uninstall Disk Encryption Manager. Where decryption was selected, all disks in all devices will decrypt first, and then Disk Encryption Manager will uninstall.

Note that when you decrypt a device, you remove all encryption from all drives. If you need to re-enable encryption, you need to run the encryption process again.

BitLocker is a native part of the device's operating system. If you choose to remove Disk Encryption Manager from a device and leave the disks encrypted, you will lose the management capabilities in RMM. Ensure you collect all Recovery Keys before choosing this option. You should ALWAYS obtain the Recovery Keys prior to taking any action with Disk Encryption Manager. RMM retains the last known valid Recovery Keys for removed devices for up to 90 days only. If something goes wrong with the decryption and you have deleted the device from RMM, there is no way to recall the Recovery Keys or unlock the drive after the 90 day period.