Install disk encryption on a single device

Disk Encryption Manager is a module of Security Manager. Use the Security Manager | AV Defender installation page in the device preferences to install Disk Encryption Manager. For information on Security Manager | AV Defender deployment, see Installing Security Manager.

To install Disk Encryption Manager on many devices, see Install disk encryption on multiple devices. Disk Encryption Manager does not support BitLocker to Go for removable devices. For more information on supported operating systems, see Disk encryption supported operating systems.

Be aware that on some devices, if Secure Boot is enabled, the installation of Disk Encryption Manager can prevent the device from booting properly. It is recommended that you turn off Secure Boot in the BIOS then install Disk Encryption Manager. Once the installation is complete and the disk encrypted, you can enable Secure Boot again. For further information, contact Technical Support.



Security options

There are three security options (Key Protector Strengths) available when using Disk Encryption Manager:

  • Trusted Platform Module (TPM) - This is a hardware level security available on some computers. When enabled, the user does not need to enter a password when starting their computer. They are presented the Windows login screen. No password is required.
  • Trusted Platform Module and PIN - With TPM and PIN, the user must enter a PIN to unlock the disk and proceed to the login screen. This is the most secure method of encrypting and protecting data. Microsoft recommends this security option with disk encryption.
  • Password - The password option is the default security when a system does not have TPM available, or TPM is not enabled. When the user logs into their computer, they must enter a password to unlock the disk and proceed to the Windows login screen.

  1. Click ViewAll Devices and click the name of the device.
  2. Click SettingsSecurity Manager.
  3. If not enabled, click the check box for Enable Security Manager and select an update server.
  4. Click the check box for Enable Disk Encryption Manager.
  5. If the device has TPM, select to use it with a PIN.

    Using a PIN provides additional security. This user must select and enter a PIN when starting the system.

  6. Select whether to run the installation right away or during a maintenance window when the device is not in use. You only need to select this option if the device does not have Security Manager | AV Defender already installed.
  7. Select an AV Defender Configuration Profile if Security Manager | AV Defender is not yet installed.
  8. Click Save.

N-able N-central installs Disk Encryption Manager and begins the encryption once the user has entered a decryption PIN or password. Disk Encryption Manager starts with encrypting the Boot disk and then proceeds with all other available drives. The user can continue working as normal. If the system is in heavy use, the encryption may continue at a slower pace. The encryption process will not time out. If the system reboots or goes to sleep, the process will resume when the device is turned on again

Once Disk Encryption Manager is installed on the device, management control of BitLocker is controlled by N-able N-central. The Disk Encryption Manager disables the control of disk encryption from the end user to pause or disable the encryption.

The Disk Encryption Manager installation does not require a reboot of the device. If you install Disk Encryption Manager at the same time as Security Manager | AV Defender, a reboot will be needed for the Security Manager | AV Defender component.

If there are devices that have drives are already encrypted with BitLocker, when N-able N-central runs the installation, a simulated encryption process takes place and the recovery keys are generated. The user does not see any impact on their device unless the user is required to select a PIN. The end user will also no longer have the capability to disable or pause encryption on their device.

Once the install has completed, what the user sees depends on whether the device uses TPM and how it is configured:

  • If they do not have TPM on the device, they are prompted to set a disk encryption password. If they do not input the Password, they will see a prompt every few minutes reminding them to complete the installation.
  • If they have TPM on the device, they do not have to do anything.
  • If they are using TPM plus PIN, the most secure option, they will be asked to enter/select a PIN and not a password. If they do not input the required PIN, they will see a prompt every few minutes reminding them to complete the installation.

For more information, see Disk encryption end-user experience.