Install Disk Encryption Manager using a rule
The Disk Encryption Manager install rule provides an easy way to install Disk Encryption Manager on many devices. Using a Security Manager | AV Defender rule or a disk encryption rule, N-able N-central automates the installation with no user intervention, ensuring all devices automatically have a disk encryption solution installed.
Disk Encryption Manager does not support BitLocker to Go for removable devices. For more information on supported operating systems, see Disk encryption supported operating systems.
You need to create a filter that selects devices based on the criteria you have for deploying disk encryption.
Security options
There are three security options (Key Protector Strengths) available when using Disk Encryption Manager:
- Trusted Platform Module (TPM) - This is hardware-level security available on some computers. When enabled, the user does not need to enter a password when starting their computer. They are presented with the Windows login screen. No password is required.
- Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk and proceed to the login screen. This is the most secure method of encrypting and protecting data. Microsoft recommends this security option with disk encryption.
- Password - The password option is the default security when a system does not have TPM available, or TPM is not enabled. When the user logs into their computer, they must enter a password to unlock the disk and proceed to the Windows login screen.
- Click Configuration > Monitoring > Rules and click Add.
- Enter a Name and Description.
- Click the Devices to Target tab and select the filters to add to the Selected Filters box.
- Click the Network Device Configuration Options tab, then Security Manager.
- Select Install Security Manager from the Action drop-down menu. If Security Manager is installed, you can skip this step.
- Click the check box for Enable Disk Encryption Manager.
- If the device has TPM, select to use it with a PIN. Using a PIN provides additional security. The user must select and enter a PIN when starting the system.
- Select when to start the installation.
- If creating this rule at the Service Organization level, click the Grant Customers & Sites Access tab, select how to propagate the rule to other customers and sites, and select the customers/sites from the list.
- Click Save.
N-able N-central installs Disk Encryption Manager and begins the encryption once the user has entered a decryption PIN or password. Disk Encryption Manager starts by encrypting the boot disk and then proceeds with all other available drives. The user can continue working as normal. If the system is in heavy use, the encryption may continue at a slower pace. The encryption process will not time out. If the system reboots or goes to sleep, the process will resume when the device is turned on again.
Once Disk Encryption Manager is installed on the device, BitLocker is managed by N-able N-central. Disk Encryption Manager removes the end user's ability to pause or disable the encryption.
If there are devices with drives that are already encrypted with BitLocker, when N-able N-central runs the installation, a simulated encryption process takes place and the recovery keys are generated. The user does not see any impact on their device unless the user is required to select a PIN. The end user will also no longer have the capability to disable or pause encryption on their device.
When new devices are added to the site, N-able N-central runs the Disk Encryption Manager rule to install Disk Encryption Manager.
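To confirm on a device which of the three key protector strengths is in effect and how far encryption has progressed, a local check like the following can be run from an elevated PowerShell session. This is an added example, not part of N-able's documentation or product; it uses the built-in Windows cmdlets Get-BitLockerVolume and Get-Tpm, the function name Get-DiskEncryptionAudit is hypothetical, and it assumes the generated recovery key shows up as a RecoveryPassword protector.

```powershell
#Requires -RunAsAdministrator
# Added example, not N-able code. Get-DiskEncryptionAudit is a hypothetical name.
# Reports BitLocker state per volume using the option names from this page.
function Get-DiskEncryptionAudit {
    [CmdletBinding()]
    param()

    # Get-Tpm can fail where no TPM is available; treat failure as "TPM not ready".
    $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch { }

    foreach ($vol in Get-BitLockerVolume) {
        # Protector type names only; recovery passwords are never printed.
        $types = @($vol.KeyProtector | Where-Object { $_ } |
                   ForEach-Object { "$($_.KeyProtectorType)" })
        $isOs  = "$($vol.VolumeType)" -eq 'OperatingSystem'

        $strength = if     ($types -contains 'TpmPin')   { 'TPM and PIN' }
                    elseif ($types -contains 'Tpm')      { 'TPM' }
                    elseif ($types -contains 'Password') { 'Password' }
                    else                                 { 'Other' }

        $findings = @()
        if ("$($vol.ProtectionStatus)" -ne 'On') { $findings += 'protection is not on' }
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') { $findings += 'not fully encrypted' }
        # Assumption: the generated recovery key appears as a RecoveryPassword protector.
        if ($types -notcontains 'RecoveryPassword') { $findings += 'no recovery password protector' }
        if ($isOs -and $tpmReady -and $strength -ne 'TPM and PIN') { $findings += 'TPM ready, no PIN set' }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Strength   = $strength
            Protectors = $types -join ', '
            Encrypted  = "$($vol.EncryptionPercentage)%"
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-DiskEncryptionAudit | Format-Table -AutoSize -Wrap
```

Data volumes are often unlocked by a protector type outside the three options on this page, so a Strength of Other on a non-boot drive is not by itself a problem.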