Disk Encryption Manager - FAQ
Yes. You can enable Disk Encryption Manager on devices already encrypted by BitLocker.
Disk Encryption Manager is deployed as if no encryption were in place, and it takes over control of BitLocker management on the device, updating BitLocker's settings to match the Protection Policy for disk encryption while retaining the pre-boot credential that is already set.
System Updates are, for the most part, unaffected by Disk Encryption Manager. However, when Windows applies Firmware or BIOS upgrades during a Feature Upgrade, it has to suspend BitLocker so that the changes can be put in place correctly. Disk Encryption Manager automatically undoes any suspension of BitLocker, because a suspended BitLocker leaves the volume less secure.
The result is that Windows fails to upgrade successfully because BitLocker is not in a suspended state. This has been confirmed when upgrading to 1903 or earlier Feature Update builds.
Note: Updating from 1903 to 1909 is not affected, because the 1909 update is similar in nature to a cumulative update.
As a workaround to install Feature Updates:
1. Disable Disk Encryption Manager on the device.
2. Perform the Feature Upgrade.
3. Enable Disk Encryption Manager on the device.
Disk Encryption Manager is a module of BitDefender. Since BitDefender cannot work with other Anti-virus solutions, this is not supported.
Disk Encryption Manager attempts to encrypt with the strongest option, TPM. If that is not possible, it falls back to the password option. If Disk Encryption Manager cannot complete the encryption, the Disk Encryption Event service displays a Failed status.
Use the TPM only option.
The end-user must persevere as the encryption will continue. The encryption process will not time out; it will continue at a slow pace. If the system reboots or goes to sleep, the process will resume when the device is turned on again.
There is no way to cancel the encryption process. A limited workaround is to decrypt the volume, provided much less than 50% was already encrypted. Note that decryption is a resource intensive process.
Disk Encryption Manager works at the disk level, not at file or directory level. Disk encryption and file encryption should be able to work harmoniously without issue.
When encryption has been configured, Disk Encryption Manager will keep checking for when the device comes online. Once available, it will begin the encryption process as defined in its MAV-BD Protection Policy.
When the device is brought out of sleep/lock mode, the encryption process will resume.
Encryption begins with the boot disk and, once complete, Disk Encryption Manager continues with the remaining fixed disks. There is no ability to select which drives to encrypt and leave others unencrypted. All Fixed Drives will be encrypted.
Yes. Disk Encryption Manager checks the device regularly; it will detect the new drive and begin the encryption process for it.
No. The encryption is at the volume level, not the file level.
Disk Encryption Manager does not work at file level or at the application level. Cloud Syncing services should not interfere with BitLocker.
If you copy a document from an encrypted volume it will not be encrypted on the USB thumb drive. Encryption is not done at the file level.
Disk Encryption Manager does not detect alternative encryption solutions. If it is unable to encrypt a disk, Disk Encryption Manager reports an error.
If you boot from the drive in the new system, you will need the Recovery Key to unlock the hard drive in the new system. If the old system's encryption was enabled without TPM, you can use the password instead.
No. BitLocker to Go is not supported.
Removable drives are ignored by Disk Encryption Manager and are not encrypted.
No, Disk Encryption Manager is not currently compliant with FIPS.
If TPM health is restored, on the next check the encryption will change from Password Only to TPM; if required, the user is prompted for a PIN, and the original password protector is removed.
If the recovery key changes, when the Disk Encryption Status service checks the drive, it will recognize the change and add the new recovery key to the MAV-BD database. The end user will not notice any change.
BitLocker authentication occurs before Windows Authentication. As such, it will be one password shared by all to decrypt the disk, and then each user can use their personal password to log into Windows.
Disk Encryption Manager does not use the BitLocker automatic unlock mechanism.
If you do not decrypt your drives or run the recovery key report before removing the RMM service, you will no longer be able to retrieve them. We do not save historical recovery keys for trials or paid contracts. Assuming the end-user can still log into the device (if they have retained their pre-Boot PIN or password), the local BitLocker software can be used. If the disk has been removed from the device (placed in another device, or not) it will need to be returned to the original device in order to access BitLocker.
The user can un-dock to encrypt. The encryption would be recognized after docking.
The TPM is protecting both drives. Your data drive is being auto-unlocked with a key file stored on the encrypted boot drive, so a different encrypted boot drive will not be able to unlock that data drive.
N-sight RMM's MAV-BD and Disk Encryption Manager permissions allow you to control who has access to these Dashboard settings, including changing the MAV-BD Protection Policy and accessing the Disk Encryption Manager Recovery Key. See Set permissions for Disk Encryption Manager for details.
From the end-user perspective, if the end-user decrypts, the encryption will be reapplied at the next check. If the end-user has turned BitLocker off, the system re-enables BitLocker and prompts the user for their password or pin, if required.
Disk Encryption Manager automatically resumes installation and encryption when the device powers back on. The Disk Encryption Manager status is reported in the Dashboard South-pane via the device's Summary tab and the Disk Encryption Manager Checks. The main dashboard also updates the Disk Encryption Manager column to show the device's encryption and current service status.
The key protector strength is shown in the Disk Encryption Manager Disk Level Check. Please see Monitoring Disk Encryption for further details.
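As an added example (not code from N-sight RMM or Disk Encryption Manager), the following PowerShell reads the same facts directly from Windows using the built-in BitLocker module: the pre-boot protector type behind the key protector strength shown in the Disk Level Check, whether a volume is in the suspended state discussed above under Feature Updates, and whether a recovery password protector exists so it can be exported before the RMM service is removed. The function name and the strength labels are this example's own choices; it must be run from an elevated PowerShell on the device.

```powershell
# Added example, not vendor code. Uses only the Windows BitLocker module
# (Get-BitLockerVolume). Run elevated on the managed device.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types as strings, e.g. Tpm, TpmPin, Password, RecoveryPassword, ExternalKey
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Classify the pre-boot protector the way the FAQ ranks the options:
        # any TPM-based protector is the strongest, Password is the fallback.
        $preBoot = if ($types -match '^Tpm')              { 'TPM-based' }
                   elseif ($types -contains 'Password')   { 'Password' }
                   elseif ($types -contains 'ExternalKey'){ 'ExternalKey (auto-unlock)' }
                   else                                   { 'None' }

        # Suspended protection = fully encrypted volume whose protectors are off.
        # This is the state a Feature Upgrade needs and the one the FAQ says
        # Disk Encryption Manager undoes automatically.
        $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                      $vol.ProtectionStatus -eq 'Off')

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            EncryptionPercent   = $vol.EncryptionPercentage
            ProtectionStatus    = $vol.ProtectionStatus
            PreBootProtector    = $preBoot
            Suspended           = $suspended
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            AutoUnlock          = $vol.AutoUnlockEnabled
        }
    }
}

# Posture of every volume BitLocker knows about.
Get-BitLockerPosture | Format-Table -AutoSize

# Recovery passwords per volume, for escrow in your own key store before the
# RMM service is removed (the FAQ notes historical keys are not kept).
# Treat this output as a secret.
function Get-BitLockerRecoveryPasswords {
    Get-BitLockerVolume | ForEach-Object {
        $mp = $_.MountPoint
        $_.KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $mp
                    KeyProtectorId   = $_.KeyProtectorId
                    RecoveryPassword = $_.RecoveryPassword
                }
            }
    }
}

Get-BitLockerRecoveryPasswords | Format-Table -AutoSize
```

A volume reporting Suspended = True with a TPM-based protector is exactly the condition the Feature Update workaround above is designed to create; if Disk Encryption Manager is still enabled, expect ProtectionStatus to return to On at its next check.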
Contact your Technical Support team. You can retrieve the recovery key by phone.
You cannot see when a Recovery Key was applied, but you can see when the Recovery Key was retrieved by the technician in the User Audit Report.
The dashboard North-pane view includes the option to view the Disk Encryption column. This provides a multi-device at-a-glance view of the Disk Encryption Manager status across multiple devices.
The Device Encryption History will show when the encryption status has changed. Note that MAV-BD Disk Encryption Manager reapplies encryption at the next status check if the drive has been decrypted.
This functionality is not available.
Use the Recovery Key process to unlock the device.
As long as the device is managed by MAV-BD, the Recovery Key is stored in the RMM dashboard.
Changes to the Disk Encryption Manager MAV-BD Protection Policy and any dashboard-initiated actions are recorded, with their timestamps, in the User Audit Report.