Install disk encryption on multiple devices

Disk Encryption Manager is a module of Security Manager | AV Defender. Install Disk Encryption Manager manually on devices when managing a small number of devices.

To install Disk Encryption Manager on a single device, see Install disk encryption on a single device. Disk Encryption Manager does not support BitLocker to Go for removable devices. For more information on supported operating systems, see Disk encryption supported operating systems.

Be aware that on some devices, if Secure Boot is enabled, the installation of Disk Encryption Manager can prevent the device from booting properly. It is recommended that you turn off Secure Boot in the BIOS then install Disk Encryption Manager. Once the installation is complete and the disk encrypted, you can enable Secure Boot again. For further information, contact Technical Support.

If you have a large customer or a larger quantity of devices, use a rule to install Disk Encryption Manager across a site.

Security options

There are three security options (Key Protector Strengths) available when using Disk Encryption Manager:

  • Trusted Platform Module (TPM) - This is a hardware level security available on some computers. When enabled, the user does not need to enter a password when starting their computer. They are presented the Windows login screen. No password is required.
  • Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk and proceed to the login screen. This is the most secure method of encrypting and protecting data. Microsoft recommends this security option with disk encryption.
  • Password - The password option is the default security when a system does not have TPM available, or TPM is not enabled. When the user logs into their computer, they must enter a password to unlock the disk and proceed to the Windows login screen.
  1. Click Views > All Devices.
  2. Click the check boxes beside the devices where you want to deploy Disk Encryption Manager and click Edit.
  3. In the Security Manager section, if not enabled, click the check box for Install Security Manager and select an update server.
  4. Click the check box for Enable Disk Encryption Manager.
  5. If any of the selected devices have Disk Encryption Manager installed, N-able N-central will ignore those devices. That is, Disk Encryption Manager will not be installed twice or removed.

  6. If the device has TPM, select to use it with a PIN.

    Using a PIN provides additional security. This user must select and enter a PIN when starting the system.

  7. Select whether to run the installation right away or during a maintenance window when the device is not in use. You only need to select this option if the device does not have Security Manager | AV Defender already installed.
  8. Select an AV Defender Configuration Profile if Security Manager | AV Defender is not yet installed.
  9. Click Save.

N-able N-central installs Disk Encryption Manager and begins the encryption once the user has entered a decryption PIN or password. Disk Encryption Manager starts with encrypting the Boot disk and then proceeds with all other available drives. The user can continue working as normal. If the system is in heavy use, the encryption may continue at a slower pace. The encryption process will not time out. If the system reboots or goes to sleep, the process will resume when the device is turned on again.

Once Disk Encryption Manager is installed on the device, management control of BitLocker is controlled by N-able N-central. The Disk Encryption Manager disables the control of disk encryption from the end user to pause or disable the encryption.

The Disk Encryption Manager installation does not require a reboot of the device. If you install Disk Encryption Manager at the same time as Security Manager | AV Defender, a reboot will be needed for the Security Manager | AV Defender component.

If there are devices that have drives are already encrypted with BitLocker, when N-able N-central runs the installation, a simulated encryption process takes place and the recovery keys are generated. The user does not see any impact on their device unless the user is required to select a PIN. The end user will also no longer have the capability to disable or pause encryption on their device.

Once the install has completed, what the user sees depends on whether the device uses TPM and how it is configured:

  • If they do not have TPM on the device, they are prompted to set a disk encryption password. If they do not input the Password, they will see a prompt every few minutes reminding them to complete the installation.
  • If they have TPM on the device, they do not have to do anything.
  • If they are using TPM plus PIN, the most secure option, they will be asked to enter/select a PIN and not a password. If they do not input the required PIN, they will see a prompt every few minutes reminding them to complete the installation.

For more information, see Disk encryption end-user experience.