Removing Disk Encryption Manager with or without Decrypting Devices
At some point you may want to remove Disk Encryption Manager and either:
- Decrypt a device's hard disks
- Leave a device's hard disks in an encrypted state
In either case, encryption management is returned to the target device's BitLocker installation and is no longer managed by RMM.
Disabling Disk Encryption Manager in the MAV-BD Protection Policy is the only point at which the option to decrypt a device is offered. As such, care must be taken to ensure that only the target devices are using the policy in which Disk Encryption Manager is being disabled. Confirm that no other devices, clients or sites use the policy, as these will also have Disk Encryption Manager disabled and, if decryption is selected, will decrypt. As long as the device remains in the RMM Dashboard, its Recovery Key information remains available via the Recovery Key Report, but for 90 days only.
As disabling Disk Encryption Manager, and therefore decrypting devices, is controlled via the MAV-BD Protection Policy, care must be taken not to disable it on unintended devices that may be using the same policy. Depending on your situation, one of two methods must be used to safely disable Disk Encryption Manager, with or without decryption, via the MAV-BD Protection Policy.
The first step in either case is to run the Recovery Key Report, then confirm that the policy where you will disable Disk Encryption Manager is only in use by the devices where you want to disable Disk Encryption Manager with or without decryption.
How to disable Disk Encryption Manager with or without Decrypting Devices
Where the policy is set at Device Type, Client, Site or Individual Device level AND:
- All devices using the policy are targets to disable Disk Encryption Manager - use Scenario 1
- Not all devices using that policy are targets to disable Disk Encryption Manager - use Scenario 2
Ensure all devices are online and have no communication issues during the below process. An offline device will not update to the new policy until it has come back online and checked in with the RMM dashboard. If you have continued on and removed Disk Encryption Manager and have then changed the policy again, or have set the Client, Site or Device type to another policy while devices are offline, those offline devices will take the newest settings policy when they come back online.
Scenario 1
- Run the Recovery Key Report for all target devices, and store securely for future use by following Disk Encryption Manager Reporting
- Disable Disk Encryption Manager in the Managed Antivirus Protection Policy by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy
The devices will now update their settings on the next check cycle, and then uninstall Disk Encryption Manager. Where decryption was selected, all disks in all devices will decrypt first, and then Disk Encryption Manager will uninstall.
Scenario 2
- Create a new policy and configure it to have Disk Encryption Manager enabled by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy
- Apply this new policy at the appropriate level for the target devices:
- Device Type, Client or Site Level by following Enable Disk Encryption Manager by Device Type, Client or Site
- Individual Device Level by following Enable Disk Encryption Manager at the Individual Device Level
- Allow any Disk Encryption Manager processes to complete as Disk Encryption Manager takes over from the previous policy and generates any new Recovery Keys
- Run the Recovery Key Report for all target devices, and store securely for future use by following Disk Encryption Manager Reporting
- Disable Disk Encryption Manager in the Managed Antivirus Protection Policy by following Enabling and Disabling Disk Encryption Manager in the Managed Antivirus Protection Policy
The devices will now update their settings on the next check cycle, and then uninstall Disk Encryption Manager. Where decryption was selected, all disks in all devices will decrypt first, and then Disk Encryption Manager will uninstall.
Note that when you decrypt a device, you remove all encryption from all drives. If you need to re-enable encryption, you need to run the encryption process again.
BitLocker is a native part of the device's operating system. If you choose to remove Disk Encryption Manager from a device and leave the disk encrypted, you will lose the management capabilities. Ensure you collect all recovery keys before choosing this option. You should ALWAYS obtain the Recovery Keys prior to taking any action with Disk Encryption Manager. RMM does not store or back up Recovery Keys. If something goes wrong with the decryption and you have deleted the device from RMM, there is no way to recall the Recovery Keys or unlock the drive.
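As an added example (not part of this documentation or the RMM product), the following PowerShell run locally on a target device, as Administrator, records each BitLocker volume's state and recovery passwords so they are on hand before Disk Encryption Manager is disabled, and can be run again afterwards to confirm the disks reached the expected decrypted or still-encrypted state. The output path in $OutFile is an assumption; store the file securely as the Recovery Key Report guidance above requires.

```powershell
# Added example, not the vendor's code. Assumed output path; the file contains recovery
# passwords, so treat it with the same care as the Recovery Key Report.
$OutFile = "C:\BitLockerState_$($env:COMPUTERNAME)_$(Get-Date -Format yyyyMMdd-HHmm).txt"

$report = foreach ($vol in Get-BitLockerVolume) {
    # RecoveryPassword protectors are the 48-digit keys the Recovery Key Report exposes.
    # TPM or password protectors unlock the drive day to day but are no use for recovery.
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, DecryptionInProgress, ...
        ProtectionStatus  = $vol.ProtectionStatus   # On / Off
        EncryptionPercent = $vol.EncryptionPercentage
        ProtectorTypes    = ($vol.KeyProtector.KeyProtectorType -join ',')
        RecoveryPasswords = ($recovery.RecoveryPassword -join ' ; ')
    }
}

# Keep a local copy and show a summary on screen.
$report | Format-List | Out-File -FilePath $OutFile -Encoding UTF8
$report | Format-Table -AutoSize

# Flag the two states the page warns about: an encrypted volume with no recovery password
# recorded (unrecoverable once RMM no longer holds the key), and a volume still decrypting
# (the device must stay online and checking in until this completes).
foreach ($r in $report) {
    if ($r.VolumeStatus -ne 'FullyDecrypted' -and -not $r.RecoveryPasswords) {
        Write-Warning "$($r.MountPoint): encrypted but no RecoveryPassword protector recorded"
    }
    if ($r.VolumeStatus -eq 'DecryptionInProgress') {
        Write-Warning "$($r.MountPoint): decryption still in progress ($($r.EncryptionPercent)% still encrypted)"
    }
}
```

After a Scenario 1 or 2 run without decryption, a second run should show ProtectionStatus still On and the same RecoveryPasswords; with decryption, every volume should report FullyDecrypted.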