You can decrypt and remove Disk Encryption Manager from multiple devices. Note that when you decrypt devices, you remove all encryption from all drives. If you need to re-enable decryption, you need to run the encryption process again.
Using a rule, N-able N-central automates the decryption and uninstall of Disk Encryption Manager with no user intervention, ensuring all selected devices automatically have a disk encryption solution removed.
You need to create a filter that selects devices based on the criteria you have for deployed disk encryption.
- Click Configuration > Monitoring > Rules and click Add.
- Enter a Name and Description.
- Click the Devices to Target tab and select the filters to add to the Selected Filters box.
- Click the Network Device Configuration Options tab, then Security Manager.
- Click to deselect the check box for Enable Disk Encryption.
- You have the option to Leave the device encrypted or Decrypt all volumes.
Bitlocker is natively part of the device system. If you chose to remove the Disk Encryption Manager from a device and leave the disk encrypted, you will lose the management capabilities. Ensure you collect all recovery keys before choosing this option. You should ALWAYS obtain the recovery key. N-able does not store or backup recovery keys. If something goes wrong with the decryption, and you removed the device from N-able N-central, there is no way to recall the recovery keys or unlock the drive. N-able N-central stores deleted device recovery keys for 90 days.
- If creating this rule at the Service Organization level, click the Grant Customers & Sites Access tab and select how to propagate the rule to other customers and sites and select the customer/sites from the list.
- Click Save.
Note that decryption cannot occur during a maintenance window.
BitLocker begins the decryption process on the disk drives of selected devices. The user will see a message indicating that the decryption process has started.