Disk Encryption End-user Experience

Disk Encryption Manager deployments are configured and initiated from RMM. Depending on the computer configuration and/or policy selection, the end-user may be required to enter a PIN or password as part of the installation process and after installation when the computer starts up.


During the install of Disk Encryption Manager, the user will encounter one of three scenarios:

  1. If the device has no TPM, the user is prompted to set an encryption password that they use to unlock the disk to use the computer. The password must be eight characters and include at least one uppercase and lowercase letter and a number. The user can ignore the request. If a user does not input the required Password, they will see a prompt every few minutes reminding them to complete the installation
  2. If the device has TPM, and you selected to prompt the user for a PIN, the user must set a PIN. The encryption PIN must be between six and 21 alphanumeric characters in length
  3. If the device has TPM, and you did not select the user entered PIN option, then no interaction is required by the user

The password configured must conform to EN-US due to keyboard layout limitations of Bitlocker during pre-boot, please see Microsofts article for full details of Bitlocker: MS Bitlocker Drive Encryption - FAQ.

After this step, Disk Encryption Manager first encrypts the Boot drive, then continues with any additional drives. There is no option to only encrypt selected drives.

A message appears informing the user when the encryption process begins including the drive and start time. Another message is displayed to the end-user when the encryption process is completed.

Encrypting a disk can take some time to complete, approximately one minute for every 500 MB. The time taken depends on the capabilities of the device and whether it is currently in use.

Should the user shut down the computer during the encryption process, the encryption will resume once the device is back up and running.

Encryption Process Notifications

If theMAV-BD Protection Policy is set for the end-user to receive notifications, a notification pop-up appears to advise them of the encryption status

MAV-BD User Interface

If the MAV-BD Protection Policy is set so that the end-user can access the MAV-BD Interface, they can see the encryption history as well as change the password or PIN that had been set.

After launching the MAV-BD interface, choose Modules in the top left corner selector. Once in the Modules section you will see a Volume Encryption section on the right which lists the present drives and their encryption state.

To change the password configured, click the Change Password link to show the Set Encryption Password dialog. Enter a new password and click Save.

Computer Start-up

When the user starts their computer, depending whether they have TPM on their device and how its configured, the user can encounter one of three scenarios:

  1. If there is no TPM on the device, the user is prompted for their password, and then the Windows authentication
  2. If there is TPM and if configured, the user is prompted to enter their PIN and then the Windows authentication
  3. If there is TPM and configured with no PIN, the user only needs to complete the Windows authentication

The device will not continue the boot sequence until they enter the correct password. After entering their password, Disk Encryption Manager unlocks their device and the user can then enter their system credentials and continue the startup as normal.

Example: Server 2012

Example: Windows 10

If the user forgets their password, they can press Escape to display the encryption recovery screen that includes a recovery key ID. The User presents the recovery ID key to their Administrator. The Administrator uses this to provide a recovery key. The user enters the recovery key in the field on the Recovery screen to continue.

The user will need to create a new password before unlocking the drive.

Example: Server 2012

Example: Windows 10