Disable Disk Encryption Manager and Decrypt by Device Type, Client or Site

 

At some point you may want to remove Disk Encryption Manager and either:

  1. Decrypt a device's hard disks
  2. Leave a device's hard disks in an encrypted state

In either case, encryption management is returned to the target device's BitLocker installation and is no longer managed by RMM.

Disabling Disk Encryption Manager in the Managed AntivirusProtection Policy is the only point when the option to decrypt a device is given. As such, care must be taken to ensure only the target devices are using the policy in which Disk Encryption Manager is being disabled. Confirm that there are no other devices, clients or sites using the policy as these will also have Disk Encryption Manager disabled and, if selected, the devices will decrypt. As long as the device remains in the RMM Dashboard, the Recovery Key information remains available via the Recovery Key Report. If the device is removed from the RMM dashboard, the last known valid Recovery Key is retained for 90 days only.

As disabling Disk Encryption Manager, and therefore decrypting devices, is controlled via the Managed AntivirusProtection Policy, care must be taken to not disable it on unintended devices which may be using the same policy. Your situation will fall into one of 2 scenarios, either only devices to be amended are using the policy, or those devices use a mixture of policies and will need to be amenbded onto one policy before Disk Encryption Manager can be removed safely.

The first step in either case is to run the Recovery Key Report, then confirm that the policy where you will disable Disk Encryption Manager is only in use by the devices where you want to disable Disk Encryption Manager with or without decryption.

BitLocker is a native part of the device system. If you chose to remove the Disk Encryption Manager from a device and leave the disk encrypted, you will lose the management capabilities in RMM. Ensure you collect all recovery keys before choosing this option. You should ALWAYS obtain the Recovery Keys prior to taking any action with Disk Encryption Manager. RMM only retains the last known valid Recovery Keys for removed devices for up to 90 days only. If something goes wrong with the decryption, and you deleted the device from RMM, there is no way to recall the Recovery Keys or unlock the drive after the 90 day period.

Please ensure you are following the Disk Encryption Manager Disable process as outlined in Removing Disk Encryption Manager with or without Decrypting Devices before proceeding with the below process.

How to Disable Disk Encryption Manager at the Device Type, Client or Site Level with or without Decrypting

Ensure the devices are the ONLY devices using the Managed AntivirusProtection Policy that will have Disk Encryption Manager disabled before proceeding.

  1. Select SettingsManaged Antivirus > Protection Policy
  2. Either double-click the target policy or highlight it and select Edit
  3. In the policy dialog, select Disk Encryption Manager in the left-pane
  4. Untick the Enable Disk Encryption Manager tick box
  5. An advisory warning appears, read through this so you fully understand the action being taken and then click Confirm
  6. A new section for Decrypt Devices will appear in the policy
    1. Tick the Decrypt hard drives option if required. All devices configured with this policy will be set to decrypt and uninstall Disk Encryption Manager when the policy is saved
    2. Leave Decrypt hard drives unticked to disable Disk Encryption Manager and leave the devices encrypted. Control of BitLocker is returned to the device, with its encryption settings set as they were when Disk Encryption Manager was installed. Ensure that the Recovery Key Report has be run and saved securely for these devices. See Disk Encryption Manager Reporting for details
  7. Click Save to save the configuration and close the dialog

If the Decrypt hard drives option was selected, BitLocker begins the decryption process on the disk drives of the devices. The users will see a message indicating that the decryption process has started. Once the decryption has completed, Disk Encryption Manager is uninstalled and management is returned the devices BitLocker Installation.

Note that when you decrypt a device, you remove all encryption from all drives. If you need to re-enable encryption, you need to run the encryption process again.

When removing Disk Encryption Manager but leaving devices encrypted, the Boot drive of the devices will have Bitlocker enabled and active, but all other fixed Drives will have Bitlocker enabled and Suspended. This is due to Disk Encryption Manager tying the protector of all non-boot drives to the Boot Drive. When Disk Encryption Manager is removed, Bitlocker requires manual Protectors to be configured (password/pin etc.) via the local Bitlocker instance.

When you remove Disk Encryption Manager and leave the device decrypted, the encryption management is returned to BitLocker on the device. You need to have a record of the current set of Recovery Keys and associated Key ID / Protector ID / Recovery Key ID. Ensure that the Recovery Key Report has been run and saved securely before removing encrypted drives, as these keys are retained for 90 days only after removal.

BitLocker is a native part of the device system. If you chose to remove the Disk Encryption Manager from a device and leave the disk encrypted, you will lose the management capabilities in RMM. Ensure you collect all recovery keys before choosing this option. You should ALWAYS obtain the Recovery Keys prior to taking any action with Disk Encryption Manager. RMM only retains the last known valid Recovery Keys for removed devices for up to 90 days only. If something goes wrong with the decryption, and you deleted the device from RMM, there is no way to recall the Recovery Keys or unlock the drive after the 90 day period.