Disk Encryption Manager - FAQ
This is not supported.
Disk Encryption Manager attempts to encrypt with the strongest option, TPM. If that is not possible, it reverts to the password option. If Disk Encryption Manager cannot complete the encryption, the Disk Encryption Event service displays a Failed status.
If a device comes with Bitdefender and the user removes BitLocker from their system, the Disk Encryption Manager will be installed and the Disk Encryption Event service will report it as Failed. The user needs to reinstall BitLocker.
Use the TPM only option.
The encryption will continue. The user can continue working as normal. The encryption process will not time out; it will continue at a slow pace. If the system reboots or goes to sleep, the process will resume when the device is turned on again.
There is no way to cancel the encryption process. A limited workaround is to decrypt the volume, provided much less than 50% was already encrypted. Note that decryption is a resource-intensive process.
Disk Encryption Manager works at the disk level, not at file or directory level. Disk encryption and file encryption should be able to work harmoniously without issue.
When encryption has been configured, N-able N-central will keep checking for when the device comes online. Once available, it will begin the encryption process as defined in the device settings and rules.
When the device is brought out of sleep/lock mode, the encryption process will resume.
Microsoft's BitLocker is compatible with Microsoft's System Updates. Microsoft suspends the encryption during an update and resumes once the updates have been installed. We are not aware of any incompatibilities.
Encryption begins with the boot drive and, once complete, Disk Encryption Manager continues with the remaining disks. There is no ability to select which drives to encrypt and leave others unencrypted.
Disk Encryption Manager checks the device regularly. At the next check it will detect the new drive and begin the encryption process for it.
No. The encryption is at the volume level, not the file level.
Disk Encryption Manager does not work at file level or at the application level. Cloud syncing services should not interfere with BitLocker.
If you copy a document from an encrypted volume, it will not be encrypted on the USB thumb drive. Encryption is not done at the file level.
Disk Encryption Manager does not detect alternative encryption solutions. If it is unable to encrypt a disk, Disk Encryption Manager reports an error.
If you accidentally remove Disk Encryption Manager or AV Defender, the Recovery Key report's top table still displays the recovery keys.
The Recovery Key process on the end user device will have to be executed to change the password/PIN.
If you boot from the drive in the new system, you'll need the recovery key to unlock the hard drive in the new system. If the old system's encryption was enabled without TPM, then you can use a password.
At the next maintenance window, N-able N-central reapplies the rule to install Disk Encryption Manager and encrypt the drive again.
This is not supported.
While BitLocker will recognize the removable drive on the device, it does not encrypt the drive. It will appear as unencryptable.
No, Disk Encryption Manager is not compliant with FIPS.
Disk Encryption Manager attempts to encrypt at the highest option possible and adjusts to what is available on the device. For example, Disk Encryption Manager tries to encrypt with 256-bit and, if that is not available, it will work its way through the levels to the strongest option available for the device.
A license does not take effect until you enable encryption.
If TPM health is restored, on the next check the encryption will change from Password Only to TPM and, if required, the user is prompted for a PIN and the original password is deleted.
If the recovery key changes, when the Disk Encryption Status service checks the drive, it will recognize the change and add the new recovery key to the N-able N-central database. The end user will not notice any change.
BitLocker authentication occurs before Windows Authentication. As such, it will be one password shared by all to decrypt the disk, and then each user can use their personal password to log into Windows.
Disk Encryption Manager does not use the BitLocker automatic unlock mechanism.
No. The moment your trial has ended, if you don't decrypt your drives or run the recovery key report before that time, you will no longer be able to retrieve them. We do not save historical recovery keys for trials or paid contracts.
The user can un-dock to encrypt. The encryption would be recognized after docking.
The TPM is protecting both drives. Your data drive is being auto-unlocked with a key file contained on the encrypted boot drive. A different encrypted boot drive will not be able to unlock a different data drive.
In N-able N-central, the MSP can control who has access to the Disk Encryption Manager using permissions: the ability to Edit Devices, and access Disk Encryption Manager for the recovery key.
From the end user perspective, if the end user decrypts, the encryption will be reapplied at the next check. If the end user has turned BitLocker off, the system re-enables BitLocker and prompts the user for their password or PIN, if required.
Disk Encryption Manager will automatically resume the installation and encryption. The Raw Monitored Data and Detailed Status reports can inform you when the encryption process has completed. The main dashboard also updates the status for the device being encrypted and its current service status.
The key protector strength is shown in the Status Details page as well as the Raw Monitored Data report.
Call Technical Support. You can retrieve the recovery key by phone.
N-able N-central will work the same way with the current Security Manager | AV Defender license. N-able N-central will stop applying Disk Encryption Manager if the licenses are used up. There is no notification of the limit being reached. The MSP will need to watch for the lock icon on devices that they expect to have Disk Encryption Manager installed.
Yes. You can use Maintenance Windows if you are installing Security Manager | AV Defender at the same time. If you are only installing Disk Encryption Manager, it needs to be on demand.
No, this information is not available.
The Disk Encryption Status service displays the information on the encrypted disk volume and enables you to confirm the last time it was accessed, and the current status. The Detailed Status report shows the running status. The services cannot tell the last time the end user entered their password, when they unlocked the disk, or who last logged in to the system.
Create a filter that filters on devices without Disk Encryption Manager installed, then add a dashboard that uses that filter to display all devices without Disk Encryption Manager installed. The Disk Encryption Status service also includes the supported feature table.
When Disk Encryption Manager is used on a device, the capability to decrypt is not allowed at the end user level. You control it from the N-able N-central settings.
The Detailed Status report will show when the encryption status has changed. Note that N-able N-central reapplies encryption at the next status check if the drive has been decrypted.
This functionality is not available.
Use the Recovery Key process to unlock the device.
As long as the device is managed by N-able N-central, the recovery key is stored in the system.
This type of tracking is not currently available.
N-able N-central stores the latest Boot Drive (System) recovery key. BitLocker stores a history of your recovery keys. You may have multiple recovery keys visible in BitLocker for your C drive, for example, but N-able N-central only requires the current Boot (System) recovery key, which unlocks that drive and all additional data drives.
The installation of Disk Encryption Manager does not require a reboot. You can roll out Disk Encryption Manager using Maintenance Windows if AV Defender has not yet been applied through Maintenance windows.
If AV Defender is already applied, then Disk Encryption Manager will install on demand as a module of AV Defender. If you install Disk Encryption Manager at the same time as Security Manager | AV Defender, a reboot will be needed for the Security Manager | AV Defender component.
At this time we cannot prevent you from rolling out on devices that do not have TPM. However, using the Disk Encryption Report you can see which devices are encrypted by "Password", meaning no TPM is available. You can use this information as a conversation tool with the end user to encourage a replacement device. Or they can then remove those devices from Disk Encryption Manager after the fact.
You need to contact support to free up the license.
A reboot will not be required when installing Disk Encryption Manager. If you install Disk Encryption Manager at the same time as Security Manager | AV Defender, a reboot will be needed for the Security Manager | AV Defender component.
If the Recovery key is changed, the next check will recognize the change and send the new Recovery key. Disk Encryption Manager actually simulates a new Encryption process under the hood. The End User will not notice any change.
Start by retrieving your recovery key, and then you can choose to leave your devices encrypted. A reinstall right after will pick up the device when Disk Encryption Manager is reapplied and transition it to encrypted. It does not have to complete the decryption first before encrypting.
Not at this time.
N-able N-central stores the Recovery Keys for 90 days for deleted devices.
Microsoft’s solution for their standalone BitLocker Device is to unencrypt any SSD that has self encryption and then encrypt it using BitLocker. There is a BitLocker GPO policy that controls it. If enabled, BitLocker uses hardware encryption provided it is supported by the hard drive. Otherwise BitLocker uses software encryption. N-able N-central cannot determine if the encryption is hardware or software encryption. The service only reports that the device is encrypted.
The device does not store the password in any way. It only passes it to BitLocker.
Currently our implementation can only return TPM, TPM+PIN or PassPhrase.
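To cross-check on an endpoint what the reports show for key protector type ("Password" meaning no TPM) and for 256-bit versus lower encryption levels, the following added example (not N-able's code) reads the local state with the built-in Windows cmdlets `Get-BitLockerVolume` and `Get-Tpm`. The `Get-ProtectorLabel` helper and its mapping onto the three labels TPM, TPM+PIN and PassPhrase are assumptions made for this example.

```powershell
# Added example: local BitLocker audit. Run in an elevated PowerShell session.

function Get-ProtectorLabel {
    param([string[]]$Types)
    # Assumed mapping of BitLocker protector types onto the three labels in this FAQ.
    if ($Types -contains 'TpmPin')   { return 'TPM+PIN' }
    if ($Types -contains 'Tpm')      { return 'TPM' }
    if ($Types -contains 'Password') { return 'PassPhrase' }
    return 'Other'   # e.g. ExternalKey on an auto-unlocked data volume
}

# TPM health on this device; $null if the query fails.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$tpmHealthy = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)

Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $label = Get-ProtectorLabel -Types $types
    $notes = @()

    if ("$($_.VolumeStatus)" -ne 'FullyEncrypted') {
        $notes += "volume status is $($_.VolumeStatus) ($($_.EncryptionPercentage)%)"
    }
    if ("$($_.ProtectionStatus)" -ne 'On') {
        $notes += 'protection is off or suspended'
    }
    if ($label -eq 'PassPhrase') {
        # Password protector: either no usable TPM, or TPM was unhealthy at encryption time.
        $notes += if ($tpmHealthy) { 'TPM is healthy but volume uses a password' }
                  else             { 'no usable TPM on this device' }
    }
    if ("$($_.EncryptionMethod)" -match '128') {
        $notes += '128-bit method in use, not 256-bit'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $notes += 'no recovery password protector present'
    }

    [pscustomobject]@{
        MountPoint = $_.MountPoint
        VolumeType = $_.VolumeType
        Protector  = $label
        Method     = $_.EncryptionMethod
        Notes      = ($notes -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```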
You can schedule the Recovery Key report to run for your customers. Note that the agent checks every 30 minutes. If there has been a change, the agent sends it to the server, and the Recovery Key report can then be generated on demand from the server. If you need to give a user a reduced permission and role in N-able N-central, the user would have access to all N-able N-central reports, or the ability to edit devices.
No. The requirements for PIN and password are predefined.
Uninstalling Gravity Zone will break the management capability, removing the Volume Encryption module. The operating system volume remains encrypted, while non-operating system volumes will move to a suspended encryption, as they rely on the operating system volume to unlock them.
Install AV Defender and Disk Encryption Manager. It generates new recovery keys for all volumes and prepares for encryption. Internally, no re-encryption takes place; however, the recovery keys are changed for use with Disk Encryption Manager.
This is not possible. Modifying the registry can cause unpredictable results.