Disk Encryption Manager FAQs
Can I use Disk Encryption Manager when devices have already been encrypted using Bitlocker?
Yes. You can enable Disk Encryption Manager on devices already encrypted by Bitlocker.
Disk Encryption Manager is deployed as if no encryption is in place, and it will take over control of Bitlocker management on the device, updating Bitlocker's settings to match the Protection Policy for disk encryption, with the already set pre-boot credential retained.
What happens if a system update takes place during the encryption process?
System Updates for the most part will be unaffected by Disk Encryption Manager. However, when Windows makes Firmware or BIOS upgrades during a Feature Upgrade it is required to suspend Bitlocker functionality to ensure that the changes can be put in place correctly, however Disk Encryption Manager automatically undoes Suspension of Bitlocker. This is because suspension of Bitlocker makes Bitlocker less secure.
The result is that Windows fails to upgrade successfully due to Bitlocker not being in a suspended state. This has been confirmed in upgrading to 1903 or previous Feature update builds.
Note: Updating from 1903 to 1909 is not impacted here due to 1909 being similar to a cumulative update in nature
As a workaround to install Feature Updates:
-
Disable Disk Encryption Manager on the device
-
Perform Feature Upgrade
-
Enable Disk Encryption Manageron the device
Can I use Disk Encryption Manager with other antivirus solutions?
Disk Encryption Manager is a module of BitDefender. Since BitDefender cannot work with other Antivirus solutions, this is not supported.
How does encryption handle a device if the Boot Mode is Legacy and not UEFI ?
Disk Encryption Manager attempts to encrypt at the strongest option, TPM. If it is not possible it reverts to the password option. If Disk Encryption Manager cannot complete the encryption, the Disk Encryption Event service displays a Failed status.
How will Disk Encryption Manager handle a device if TPM is 2.0 and the Boot Mode is Legacy?
Disk Encryption Manager attempts to encrypt at the strongest option, TPM. If it is not possible it reverts to the password option. If Disk Encryption Manager cannot complete the encryption, the Disk Encryption Service displays a Failed status.
I have headless point of sale systems; how do I encrypt them?
Use the TPM only option.
A device is slowing to a crawl trying to encrypt; now what?
The end-user must persevere as the encryption will continue. The encryption process will not time out; it will continue at a slow pace. If the system reboots or goes to sleep, the process will resume when the device is turned on again.
Can I cancel an encryption whilst it is in progress?
There is no way to cancel the encryption process. A limited workaround is to decrypt the volume, provided much less than 50% was already encrypted. Note that decryption is a resource intensive process.
Can I use a file encryption solution on top of a full disk encryption? For example, if there is a shared computer and users can have access to specific files?
Disk Encryption Manager works at the disk level, not at file or directory level. Disk encryption and file encryption should be able to work harmoniously without issue.
Does the encryption process deploy for devices that are offline?
When encryption has been configured, Disk Encryption Manager will keep checking for when the device comes online. Once available, it will begin the encryption process as defined in its MAV-BD Protection Policy.
What happens if a device goes to sleep or is locked in the middle of an encryption process
When the device is brought out of sleep/lock mode, the encryption process will resume.
What is the sequence of encryption when there are multiple disks?
Encryption begins with the boot disk and, once complete, Disk Encryption Manager continues with the remaining fixed disks. There is no ability to select which drives to encrypt and leave others unencrypted. All Fixed Drives will be encrypted.
If I add a new drive to a device, does it get encrypted if the other drives are already encrypted?
Yes. Disk Encryption Manager checks the device regularly, it will detect the new drive and begin the encryption process for the new drive.
If I accidentally email a document from an encrypted volume to a 3rd party, will it be unreadable by the recipient?
No. The encryption is at the volume level, not the file level.
If I use a cloud syncing service such as Dropbox, are my files still encrypted in the cloud?
Disk Encryption Manager does not work at file level or at the application level. Cloud Syncing services should not interfere with BitLocker.
If I copy a document from an encrypted volume to a thumb drive, and subsequently lose the USB thumb drive will it be unreadable by the finder?
If you copy a document from an encrypted volume it will not be encrypted on the USB thumb drive. Encryption is not done at the file level.
A device is encrypted with an alternate encryption solution. What happens when applying BitLocker Encryption?
Disk Encryption Manager does not detect alternative encryption solutions. If it is unable to encrypt a disk, Disk Encryption Manager reports an error.
What happens if a laptop dies and I move the encrypted hard drive into a new system? How does Disk Encryption Manager handle this?
If you boot from the drive in the new system, you'll need the Recovery Key to unlock the hard drive in the new system. If old system's encryption was enabled without TPM then, you can use a password.
Is Disk Encryption Manager compatible with BitLocker to Go for removable storage devices?
No. BitLocker to Go is not supported.
Will Disk Encryption Manager encrypt a removable drive?
Removable drives are ignored by Disk Encryption Manager and are not encrypted.
Is Disk Encryption Manager FIPS compliant?
No, Disk Encryption Manager is not currently compliant with FIPS.
If a system's TPM was not healthy then the Password Only option will be used. If the TPM health is restored what happens?
If TPM health is restored, on the next check, the encryption will change from Password Only to TPM, and if required, the user is prompted for a PIN and deletes the original password.
The end user has the ability to change recovery keys through the local BitLocker interface; what happens in MAV-BD?
If the recovery key changes, when the Disk Encryption Status service checks the drive, it will recognize the change and add the new recovery key to the MAV-BD database. The end user will not notice any change.
Five people use the same computer. Can they each have our own password?
BitLocker authentication occurs before Windows Authentication. As such, it will be one password shared by all to decrypt the disk, and then each user can use their personal password to log into Windows.
BitLocker offers Non-system volumes Automatic Unlock; why does this not work for me?
Disk Encryption Manager does not use the BitLocker automatic unlock mechanism.
I ran a trial and did not convert to a paid contract, and did not run a recovery key report. The drives are still encrypted. I need to recover the drive. Can I buy the Disk Encryption Service to then retrieve the recovery keys?
If you do not decrypt your drives or run the recovery key report before removing the RMM service, you will no longer be able to retrieve them. We do not save historical recovery keys for trials or paid contracts. Assuming the end-user can still log into the device (if they have retained their pre-Boot PIN or password), the local BitLocker software can be used. If the disk has been removed from the device (placed in another device, or not) it will need to be returned to the original device in order to access BitLocker.
I have a device using a Thunderbolt docking station that impacts the ability to encrypt the disk drive; what are my options?
The user can un-dock to encrypt. The encryption would be recognized after docking.
I am using TPM only on my system and I have two encrypted drives - boot and data. If the data drive is stolen, and the thief places the drive in another encrypted system with an encrypted boot drive, would they then have access to my data drive?
The TPM is protecting both drives. Your data drive is being auto-unlocked with a key file contained on the encrypted boot drive. A different encrypted boot drive will not be able to unlock a different data drive.
Is there a "no tamper' setting for encryption policies?
N-sight RMM's MAV-BD and Disk Encryption Manager permissions allow you to control who has access to these Dashboard settings, including changing theMAV-BD Protection Policy and accessing the Disk Encryption Manager Recovery Key. See Set permissions for Disk Encryption Manager for details.
From the end-user perspective, if the end-user decrypts, the encryption will be reapplied at the next check. If the end-user has turned BitLocker off, the system re-enables BitLocker and prompts the user for their password or pin, if required.
If a laptop loses power in the middle of encryption will it resume? As an MSP, how can I see where the process ended?
Disk Encryption Manager automatically resumes installation and encryption when the device powers back on. The Disk Encryption Manager status is reported in the Dashboard South-pane via the device's Summary tab and the Disk Encryption Manager Checks. The main dashboard also updates the Disk Encryption Manager column to show the device's encryption and current service status.
As an MSP, when I have laptops with older 128 Encryption it appears BitLocker will encrypt them but it won't pick them up in reporting as compliant. I need to be able to determine the strength of encryption.
The key protector strength is shown in the Disk Encryption Manager Disk Level Check. Please see Monitoring Disk Encryption for further details.
I have MAV-BD with Disk Encryption Manager enabled and I am locked out. I don't have my password and my computer can't connect to the internet how do I get my recovery key
Contact your Technical Support team. You can retrieve the recovery key by phone.
Can I see when a Recovery Key has been applied?
You cannot see when a Recovery Key was applied, but you can see when the Recovery Key was retrieved by the technician in the User Audit Report.
How can I see what devices do not have Disk Encryption Manager enabled?
The dashboard North-pane view includes the option to view the Disk Encryption column. This provides a multi-device at-a-glance view of the Disk Encryption Manager status across multiple devices.
How can I find out if the end user manually decrypted their drive or tampered with the configuration?
The Device Encryption History will show when the encryption status has changed. Note that MAV-BD Disk Encryption Manager reapplies encryption at the next status check if the drive has been decrypted.
Can I control how end users can use BitLocker when a Bitdefender Encryption has been applied, such as pausing the encryption process.
This functionality is not available.
I have a device with Disk Encryption Manager installed and the user is locked out after a BIOS/DOC update. What do I do?
Use the Recovery Key process to unlock the device.
MAV-BD lost my Recovery Key. What can I do?
As long as the device is managed by MAV-BD, the Recovery Key is stored in the RMM dashboard.
I am managing a device and keeping MAV-BD, and removing Disk Encryption Manager. If I configure it to decrypt, or configure it to leave devices encrypted, will I have a record to indicate that action took place? I would like to have an audit trail to know this action took place if I am keeping the device.
Information on when the Disk Encryption ManagerMAV-BD Protection Policy and any dashboard initiated actions are recorded in the User Audit Report.