Enable Disk Encryption Manager by Device Type, Client or Site

As Disk Encryption Manager is a module of MAV-BD, MAV-BD must be installed on the device. Enabling Disk Encryption Manager is performed within the MAV-BD Protection Policy configuration settings. As such, to enable or disable Disk Encryption Manager by Device Type, Client or Site, a suitable MAV-BD Protection Policy must be used. See Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy for details.

Disk Encryption Manager does not support 'BitLocker to Go' for removable storage devices.

Security options

There are three security options (Key Protector Strengths) available when using MAV-BD Disk Encryption Manager:

  • Trusted Platform Module (TPM) - This is a hardware-level security feature available on most new PCs. When enabled, the user does not need to enter a password when starting their computer; the TPM unlocks the disk and the user is taken straight to the Windows login screen. No password is required
  • Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk before proceeding to the login screen. This is the most secure method of encrypting and protecting data, and Microsoft recommends this security option for disk encryption
  • Password - The password option is the default security mechanism when a device does not include a TPM, or the TPM has been disabled on the device. When the user starts their computer, they must enter a password to unlock the disk before proceeding to the Windows login screen

In the event an end-user removes BitLocker from their system via Add / Remove Features on a device that was encrypted with Disk Encryption Manager, the Disk Encryption Service Check (Bitdefender) reports as Failed. The end-user must reinstall BitLocker.

How to enable Disk Encryption Manager for Clients, Sites or Device Type

  1. In the RMM dashboard, select Settings > Managed Antivirus > Settings
  2. In the left-pane, select your target Device Type (Servers or Workstations) or drill down into the hierarchy to select a Client or Site
  3. In the right-pane, select On or Use Parent in the Setting drop-down (Use Parent refers to the level immediately above the one you have selected: Sites inherit from Clients, and Clients inherit from the overall Device Type)
  4. Once MAV-BD is set to an enabled status (On, or Use Parent where the parent level has MAV-BD enabled), a Warning Advisory message regarding the Disk Encryption Manager settings in the Protection Policy is displayed. Select the required Protection Policy from the Policies drop-down menu
  5. Click OK to save and close the policy dialog

MAV-BD installs Disk Encryption Manager and begins the encryption process on all the devices within your selection. The user can continue working as normal. If the system is in heavy use, the encryption may continue at a slower pace. The encryption process will not time out. If the system reboots or goes to sleep, the process will resume when the device is turned on again.

The Disk Encryption Manager installation does not require a reboot of the device.

If a device's drives are already encrypted with BitLocker, the system is not required to re-encrypt when MAV-BD runs the Disk Encryption Manager installation. Management of the encryption is taken over by RMM, and the Recovery Keys are generated and stored in RMM. The end-user sees no impact on their device.

Once the install has completed, what the user sees depends on whether the device uses TPM and how it is configured:

  • If the device does not have a TPM, the user is prompted to set a disk encryption password. If they do not enter the password, they see a prompt every few minutes reminding them to complete the installation
  • If the device has a TPM (TPM only), the user does not have to do anything
  • If the device is using TPM plus PIN, the most secure option, the user is asked to enter/select a PIN rather than a password. If they do not enter the required PIN, they see a prompt every few minutes reminding them to complete the installation
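The following PowerShell script is an added example and is not part of the N-able documentation or the Disk Encryption Manager product. It lets an operator verify, from the endpoint itself, which of the three security options above is actually in effect, whether BitLocker is still installed (the Add / Remove Features case), whether a Recovery Key protector exists for RMM to store, and how far encryption has progressed after the install. It assumes an elevated PowerShell session on the device, and the function names, the "BitLocker module present" heuristic and the finding texts are this example's own, not a product API.

```powershell
# Added example, not N-able or Bitdefender code. Run in an elevated PowerShell
# session on the endpoint. Uses only the built-in BitLocker and TPM cmdlets.

function Get-BitLockerKeyProtectorStrength {
    # Map a volume's key protectors onto the three security options
    # (TPM, TPM and PIN, Password). 'None' means the user has not yet
    # completed the password/PIN step after the install.
    param([Parameter(Mandatory)] $Volume)

    $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -contains 'TpmPin')   { return 'TPM and PIN' }
    if ($types -contains 'Tpm')      { return 'TPM' }
    if ($types -contains 'Password') { return 'Password' }
    if ($types.Count -eq 0)          { return 'None' }
    return 'Other: ' + ($types -join ', ')
}

function Get-DiskEncryptionReport {
    # Collect TPM state, BitLocker availability and per-volume status.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }   # no TPM device or module
    $tpmPresent = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
    $tpmReady   = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }

    # Heuristic (this example's assumption): if BitLocker was removed via
    # Add / Remove Features, the BitLocker PowerShell module is gone too.
    $bitLockerAvailable = [bool](Get-Module -ListAvailable -Name BitLocker)

    $volumes = @()
    if ($bitLockerAvailable) {
        $volumes = @(Get-BitLockerVolume | ForEach-Object {
            # A RecoveryPassword protector is the Recovery Key RMM stores.
            $recovery = @($_.KeyProtector |
                Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
            [pscustomobject]@{
                MountPoint           = $_.MountPoint
                VolumeType           = "$($_.VolumeType)"
                ProtectionStatus     = "$($_.ProtectionStatus)"
                VolumeStatus         = "$($_.VolumeStatus)"
                PercentEncrypted     = $_.EncryptionPercentage
                KeyProtectorStrength = Get-BitLockerKeyProtectorStrength -Volume $_
                HasRecoveryPassword  = [bool]$recovery
            }
        })
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        TpmPresent         = $tpmPresent
        TpmReady           = $tpmReady
        BitLockerAvailable = $bitLockerAvailable
        Volumes            = $volumes
    }
}

function Test-DiskEncryptionReport {
    # Turn the report into the findings an operator would want flagged.
    param([Parameter(Mandatory)] $Report)
    $findings = @()

    if (-not $Report.BitLockerAvailable) {
        $findings += 'BitLocker is not installed; reinstall it (Service Check reports Failed).'
        return $findings
    }
    foreach ($v in @($Report.Volumes | Where-Object VolumeType -eq 'OperatingSystem')) {
        if ($v.KeyProtectorStrength -eq 'None') {
            $findings += "$($v.MountPoint): no key protector; password/PIN step not completed."
        }
        if ($v.ProtectionStatus -ne 'On') {
            $findings += "$($v.MountPoint): protection is $($v.ProtectionStatus)."
        }
        if ($v.VolumeStatus -eq 'EncryptionInProgress') {
            $findings += "$($v.MountPoint): encryption $($v.PercentEncrypted)% complete."
        }
        if (-not $v.HasRecoveryPassword) {
            $findings += "$($v.MountPoint): no recovery password protector for RMM to store."
        }
        if (-not $Report.TpmPresent -and $v.KeyProtectorStrength -ne 'Password') {
            $findings += "$($v.MountPoint): no TPM, yet protector is $($v.KeyProtectorStrength)."
        }
    }
    return $findings
}

# Usage on the endpoint:
$report = Get-DiskEncryptionReport
$report | Select-Object ComputerName, TpmPresent, TpmReady, BitLockerAvailable | Format-List
$report.Volumes | Format-Table MountPoint, VolumeType, ProtectionStatus, VolumeStatus,
    PercentEncrypted, KeyProtectorStrength, HasRecoveryPassword -AutoSize
Test-DiskEncryptionReport -Report $report | ForEach-Object { Write-Warning $_ }
```

A device that has finished the rollout cleanly shows ProtectionStatus On, VolumeStatus FullyEncrypted, a KeyProtectorStrength matching the option chosen in the Protection Policy, and HasRecoveryPassword True on the operating system volume; a device still showing the periodic reminder prompt shows up here as 'None' with protection Off, and a device where BitLocker was removed produces the single "not installed" finding.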