We are excited to announce that the Release Candidate for Disk Encryption Manager, a new feature added to our Managed Antivirus (MAV-BD), is rolling out this week starting March 9th and will be available in all territories by the end of the week. This Release Candidate is available to try out, at no charge, for the month of March.
Disk Encryption Manager helps secure customer data by rendering the information on disk drives unreadable to unauthorized users if the end device is lost or stolen. This feature offers scalable deployment, management/monitoring, reporting and the ability to determine the encryption status of the last checked-in device, all from the same console customers or MSPs use today.
Disk Encryption Manager builds on the encryption mechanisms provided by Windows® (BitLocker®) and uses the native device encryption to help ensure compatibility and performance.
In order to participate you will need the following:
- A license for Managed Antivirus – Bitdefender (MAV-BD)
- Supported Operating System:
  - Windows 7 Enterprise/Ultimate (with TPM)
  - Windows 8 Pro/Enterprise
  - Windows 8.1 Pro/Enterprise
  - Windows 10 Education/Enterprise or Pro
  - Windows Server 2008 R2 (with TPM)
  - Windows Server 2012/2012 R2
  - Windows Server 2016/2019
Our Help section has already been updated for Disk Encryption Manager and can be found at: https://s3.amazonaws.com/documentation.solarwindsmsp.com/remote-management/preview/DiskEnc_Overview.htm
Let’s get you started! The Permissions for enabling Disk Encryption are inherited through Managed Security > Managed AV Settings and Policies. We have also added three new Permissions, already enabled for Administrators and Super Users, covering Recovery Key Management and our two new Reports (Recovery Key and Disk Encryption).
DEPLOYING DISK ENCRYPTION
You can turn on Disk Encryption easily through your Managed Antivirus Protection Policy. Selecting the option ‘Enable Disk Encryption Manager’ will automatically roll out Disk Encryption to all eligible devices, using a TPM key protector where a TPM is available and enabled on the device and a Password key protector otherwise. A TPM (Trusted Platform Module) is a dedicated microcontroller installed on the motherboard that secures the device through cryptographic keys held at the hardware level. For devices with a TPM, you can secure them even further by adding a PIN that is required at pre-boot authentication.
All eligible devices with the applied policy change will automatically roll out at the next check. The end user will be notified of the update through their console. If a Password or PIN is required, the end user must enter this information for the encryption process to complete.
A few fun facts:
- The encryption process on average takes 500 MB a minute.
- The encryption process will auto discover all fixed drives.
- This process will not time out or quit if the system is shut down. It will simply resume where it left off the moment the system is back online.
- When encryption is complete, control of Microsoft BitLocker is taken away from the end user, preventing them from pausing or turning off BitLocker and ensuring your encryption policy is enforced.
- Devices already encrypted by BitLocker do not need to be re-encrypted. RMM will simply take over safekeeping of the Recovery Key and management of BitLocker.
MONITORING DISK ENCRYPTION
Having rolled out Disk Encryption, it’s time to check your dashboard and monitor the process. We have added a new Padlock icon right next to your Managed AV icon in the North Pane, making it easy to track all your devices using Disk Encryption. The Status flag starts as a yellow information triangle, indicating that Disk Encryption is in process (either encrypting or decrypting). The green check mark lets you know all your devices are encrypted.
Moving to the South Pane, you will notice two new checks for Disk Encryption packed with valuable information. The ‘Disk Encryption Manager Service Check (Bitdefender)’ offers you full device-level information, and for each volume on your device you will also have an associated ‘Disk Encryption Manager (Bitdefender) - C:’ check.
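The two checks described above summarise the same facts that BitLocker itself exposes on the device: whether a usable TPM is present (which decides the TPM or Password key protector), and for each fixed volume its encryption state, protection state, progress and key protectors. The following PowerShell is an added example, not code from this announcement or from the RMM product, that produces that read-out locally so a technician can compare it with what the dashboard shows. It assumes Windows 8 / Server 2012 or later (where the BitLocker, TrustedPlatformModule and Storage modules ship in-box) and an elevated session; the function names and the state labels are this example's own.

```powershell
# Added example, not code from the announcement or from the RMM product.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-VolumeEncryptionStatus {
    # One row per fixed drive with a letter, the local equivalent of the
    # per-volume "Disk Encryption Manager (Bitdefender) - C:" check.
    Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            if (-not $bl) { return }
            $recoveryIds = @($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
            [pscustomobject]@{
                MountPoint           = $mount
                VolumeStatus         = $bl.VolumeStatus        # FullyEncrypted, EncryptionInProgress, ...
                ProtectionStatus     = $bl.ProtectionStatus    # Off means the key is exposed (e.g. suspended)
                EncryptionPercentage = $bl.EncryptionPercentage
                KeyProtectors        = (@($bl.KeyProtector.KeyProtectorType) -join ',')
                RecoveryKeyIds       = (@($recoveryIds) -join ',')
            }
        }
}

function Get-DeviceEncryptionStatus {
    # Device-level roll-up, comparable to the padlock icon in the North Pane.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmUsable = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady)

    $volumes    = @(Get-VolumeEncryptionStatus)
    $inProgress = @($volumes | Where-Object { $_.VolumeStatus -in 'EncryptionInProgress', 'DecryptionInProgress' })
    $encrypted  = @($volumes | Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On' })

    # State labels are this example's own, chosen to mirror the dashboard flags.
    $state = if ($volumes.Count -eq 0)                   { 'NoVolumes' }
             elseif ($inProgress.Count -gt 0)            { 'InProgress' }     # yellow triangle
             elseif ($encrypted.Count -eq $volumes.Count) { 'Encrypted' }     # green check
             else                                        { 'NotEncrypted' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        TpmUsable         = $tpmUsable
        ExpectedProtector = $(if ($tpmUsable) { 'TPM (optionally TPM+PIN)' } else { 'Password' })
        DeviceState       = $state
        Volumes           = $volumes
    }
}

$status = Get-DeviceEncryptionStatus
$status | Select-Object ComputerName, TpmUsable, ExpectedProtector, DeviceState | Format-List
$status.Volumes | Format-Table -AutoSize
```

A volume that reports FullyEncrypted but ProtectionStatus Off (BitLocker suspended, for example after a firmware update) is worth flagging separately from a volume still encrypting: the data is encrypted, but the key is available in the clear until protection is resumed. The roll-up above therefore treats only FullyEncrypted plus ProtectionStatus On as Encrypted.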
MANAGING DISK ENCRYPTION
In the event an end user cannot recall their Password or PIN, they will require their Recovery Key. With the ‘Recovery Key Management’ permission enabled, a Technician can right-click the locked device and select ‘Retrieve Recovery Key’. Using the Key ID provided by the end user, the Recovery Key is returned and can be given to the end user, allowing them to unlock their device. Retrieving all Recovery Keys for a large number of devices, without requiring the Key ID from end users, can be handled in our Recovery Key Report.
REPORTING ON DISK ENCRYPTION
Disk Encryption Manager brings with it two new reports: Recovery Key and Disk Encryption.
Recovery Key Report
Recovery Keys are stored in RMM for as long as the device is managed within RMM, or up to 90 days after a device has been removed from RMM. It is important to collect all Recovery Keys before offboarding (removing) the device, removing Managed Antivirus or removing Disk Encryption Manager. This report can be exported as CSV or PDF.
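The Recovery Key Report covers every managed device from the console. On a single device, the same two operations the sections above describe, looking a key up by the Key ID the end user reads from the recovery screen and exporting all keys to a CSV before offboarding, can be reproduced locally with BitLocker's own cmdlets. The following PowerShell is an added example, not code from this announcement or from the RMM product; it assumes Windows 8 / Server 2012 or later and an elevated session, and it assumes the Key ID a user reads out may be only the leading part of the full key protector GUID, so it matches by prefix. The function names and the output path are this example's own.

```powershell
# Added example, not code from the announcement or from the RMM product.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-RecoveryKeyInventory {
    # One row per recovery-password protector; a volume may carry more than one.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $vol.MountPoint
                KeyProtectorId   = $kp.KeyProtectorId.Trim('{', '}')   # GUID without braces
                RecoveryPassword = $kp.RecoveryPassword                 # 48-digit numerical key
                VolumeStatus     = $vol.VolumeStatus
            }
        }
    }
}

function Find-RecoveryPassword {
    # Assumption: the Key ID shown on the recovery screen may be only the
    # leading characters of the protector GUID, so match case-insensitively
    # by prefix and insist on exactly one hit before returning anything.
    param([Parameter(Mandatory)][string]$KeyId)
    $needle = $KeyId.Trim('{', '}').ToUpperInvariant()
    if ($needle.Length -lt 8) { throw "Key ID '$KeyId' is too short to identify a protector safely." }
    $hits = @(Get-RecoveryKeyInventory | Where-Object { $_.KeyProtectorId.ToUpperInvariant().StartsWith($needle) })
    if ($hits.Count -ne 1) { throw "Expected one protector matching '$KeyId', found $($hits.Count)." }
    $hits[0]
}

function Export-RecoveryKeyInventory {
    # Writes the inventory to CSV and locks the file down to Administrators and
    # the exporting user, since each row is enough to unlock a volume.
    param([Parameter(Mandatory)][string]$Path)
    $rows = @(Get-RecoveryKeyInventory)
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the folder's ACEs
    $principals = @('BUILTIN\Administrators', [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    foreach ($id in $principals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    $rows.Count
}

# Usage: export before offboarding, then look a key up by the user's Key ID.
$out = Join-Path $env:ProgramData "RecoveryKeys-$env:COMPUTERNAME.csv"   # example path, this script's own choice
$count = Export-RecoveryKeyInventory -Path $out
"Exported $count recovery key(s) to $out"
# Find-RecoveryPassword -KeyId 'XXXXXXXX'   # replace with the Key ID read out by the end user
```

Keep the exported file in the same controlled location you use for other secrets and delete it once the keys are in RMM's Recovery Key Report (or wherever you hold them after offboarding); the ACL applied above limits who can read it on the device but does not protect copies made elsewhere.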
Disk Encryption Report
The Disk Encryption Manager Report provides an easy-to-read view of all your devices’ current encryption status, broken down by device class, encryption state, supported state and much more.
But wait there’s more…
You will also find that we have included Disk Encryption Manager in your existing RMM reports, such as the Executive Summary, User Audit Report, Device Inventory Report and Feature Policy Report.
OFFBOARDING DISK ENCRYPTION MANAGER
In the event you do have to offboard Disk Encryption Manager, start by ensuring you have gathered the related Recovery Keys. Once the keys have been safely stored, you can either edit the existing policy or move the devices to a separate policy that does not include Disk Encryption. We have also provided a choice between two options: you can break the management from RMM, returning control to the end user and leaving the device encrypted, or you can remove Disk Encryption Manager and decrypt the drives at the same time.
It’s important to note that when moving devices between clients/sites/policies, you should always consider the impact this will have on the devices’ disk encryption policy settings.
It’s very valuable for us to have you check out all the areas above and let us know what you think. If you find any issues, please be sure to log a support case.
Thanks in advance!