Enable Disk Encryption Manager at the Individual Device Level

As Disk Encryption Manager is a module of MAV-BD, MAV-BD must be installed on the device. Enabling Disk Encryption Manager is performed within theMAV-BD Protection Policy configuration settings. As such, to enable or disable Disk Encryption Manager on a single device, a suitable MAV-BD Protection Policy must be used. See Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy for details.

Disk Encryption Manager does not support 'BitLocker to Go' for removable storage devices.

Security options

There are three security options (Key Protector Strengths) available when using MAV-BD Disk Encryption Manager:

  • Trusted Platform Module (TPM) - This is a hardware level security available on most new PCs. When enabled, the user does not need to enter a password when starting their computer. They are presented with the Windows login screen. No password is required
  • Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk and proceed to the login screen. This is the most secure method of encrypting and protecting data. Microsoft recommends this security option with disk encryption
  • Password - The password option is the default security mechanism when a device does not include TPM, or TPM is has been disabled on the device. When the user logs into their computer, they must enter a password to unlock the disk and proceed to the Windows login screen

In the event an end-user removes Bitlocker from their system via Add / Remove Features when the device was encrypted with Disk Encryption Manager, the Disk Encryption Service Check (Bitdefender) reports as Failed. The end-user will be required to reinstall Bitlocker.

How to enable Disk Encryption Manager at the Individual Device Level

  1. Once logged into the RMM dashboard, locate the device in the North-pane
  2. Enter the device settings dialog by double-clicking the device, or highlighting and using the device drop-down, or by right-clicking the device and selecting Edit.
  3. Select Managed Antivirus in the left-pane
  4. Change Setting to On in the right-pane (if setting to use the same policy as set in the Device Type, Client or Site level: select Use Parent (On) and skip to step 6)
  5. Select the required policy from the Policy Settings drop-down menu
  6. Click OK to save and close the dialog

Managed Antivirus installs Disk Encryption Manager and begins the encryption process. Disk Encryption Manager starts with encrypting the Boot disk and then proceeds with all other available fixed drives. The user can continue working as normal. If the system is in heavy use, the encryption may continue at a slower pace. The encryption process will not time out. If the system reboots or goes to sleep, the process will resume when the device is turned on again.

The Disk Encryption Manager installation does not require a reboot of the device.

If there are devices with drives already encrypted with BitLocker, when MAV-BD runs the Disk Encryption installation, the system is not required to re-encrypt. The management capability will be taken over by RMM and the Recovery Keys generated and stored in RMM. The end-user does not see any impact on their device.

Once the install has completed, what the user sees depends on whether the device uses TPM and how it is configured:

  • If they do not have TPM on the device, they are prompted to set a disk encryption password. If they do not input the Password, they will see a prompt every few minutes reminding them to complete the installation
  • If they have TPM on the device, they do not have to do anything
  • If they are using TPM plus PIN, the most secure option, they will be asked to enter/select a PIN and not a password. If they do not input the required PIN, they will see a prompt every few minutes reminding them to complete the installation

For more information please see: Disk Encryption End-user Experience