Troubleshooting Windows Disk Encryption

Written by Shannon DeLange
Updated this week

You have installed the Vanta Device Monitor and followed the steps to encrypt the disk on a Windows device. Vanta is still reporting that the disk is not encrypted.

  1. Confirm that the disk is fully encrypted with PowerShell

  • Before proceeding, it is recommended to run the Vanta CLI reset command to ensure the Vanta agent is properly initialized. Open Command Prompt as an Administrator and execute the following command:

    C:\ProgramData\Vanta\vanta-cli reset

  • Encryption verification ensures that your device complies with security requirements and that Vanta can monitor your system accurately. After opening PowerShell as an administrator, run the following command:

    manage-bde -status

  • Ensure that the Percentage Encrypted is "100.0%" and that the Protection Status is "On." If this is not the case, there may have been an issue encrypting the disk, and you should attempt to re-encrypt it.

  2. Reinstallation of the Vanta Device Monitor may be necessary if the agent fails to detect encryption even after verifying that the disk is fully encrypted using PowerShell. If you've confirmed with the instructions above that the disk is fully encrypted, please follow the steps below:

  • Uninstall the Vanta Device Monitor from the control panel or by running the following commands in PowerShell:

    # Look up the installed Vanta Device Monitor package via WMI, then call its uninstaller
    $application = Get-WmiObject -Class Win32_Product -Filter "Name = 'Vanta Device Monitor'"
    $application.Uninstall()

  • (Optional) Re-encrypt your machine to verify that everything has been encrypted correctly

  • Restart your machine

  • Reinstall the Vanta Device Monitor

  • Wait up to 24 hours for Vanta to update the encryption requirement status before verifying again.
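The check from step 1 can also be applied to every volume at once instead of reading the output by eye. The script below is an added example, not Vanta's own code: `Get-BdeVolumeCheck` is a hypothetical helper name, the sample output is constructed, and it assumes English-language `manage-bde -status` output, where the "On" state is printed as "Protection On".

```powershell
# Added example, not Vanta's code. Assumes English-language `manage-bde -status` output.
# Get-BdeVolumeCheck is a hypothetical helper name.
function Get-BdeVolumeCheck {
    param([string[]]$StatusLines)

    $volumes = @()
    $current = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            # A "Volume X: [label]" line opens a new per-volume section.
            $current = [pscustomobject]@{
                Volume = $Matches[1]; Percentage = $null; Protection = $null; Compliant = $false
            }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\s+Percentage Encrypted:\s*(\S+)') {
            $current.Percentage = $Matches[1]
        }
        elseif ($current -and $line -match '^\s+Protection Status:\s*(.+?)\s*$') {
            $current.Protection = $Matches[1]
        }
    }
    foreach ($v in $volumes) {
        # Both checks must pass; a field missing from the output counts as a failure.
        $v.Compliant = ($v.Percentage -eq '100.0%') -and ($v.Protection -eq 'Protection On')
    }
    return $volumes
}

# Constructed sample output: C: passes, D: is still encrypting.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion State:     Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion State:     Encryption in Progress
    Percentage Encrypted: 42.5%
    Protection Status:    Protection Off
'@ -split '\r?\n'

Get-BdeVolumeCheck -StatusLines $sample | Format-Table -AutoSize
# On a real device, from an elevated PowerShell prompt:
#   Get-BdeVolumeCheck -StatusLines (manage-bde -status)
```

A secondary data volume that is still encrypting shows up as non-compliant here even when the OS volume passes, which is easy to miss when only the first block of output is read.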

If severe issues persist, consider contacting Microsoft for advanced troubleshooting, and refer to guides like "Encrypting Your Computer Hard Drives" and "Encryption on Windows Home Edition" for detailed setup instructions. If you've performed all of the steps above and disk encryption is still not showing correctly in Vanta for a machine, please send Vanta Support the following information:

  • A screenshot of the output of the manage-bde -status command run in step 1 above

  • A screenshot of the following command run in Command Prompt as an administrator:

    C:\PROGRA~1\Vanta\vanta-cli list encryption

  • A zipped file containing all available Vanta Device Monitor Logs from C:\PROGRA~1\Vanta\log

Verifying Encryption on macOS

To verify that your macOS device encryption and Vanta agent setup are functioning correctly:

  1. Run the Vanta CLI Command:

    • Open Terminal by pressing Cmd + Space, typing "Terminal" and pressing Enter.

    • Execute the following command:

         sudo /usr/local/vanta/vanta-cli doctor
    • Review the output. If all checkups (e.g., platform, directory contents, communication with Vanta servers) pass, the Vanta setup is working correctly.

  2. Check Encryption Recognition in Vanta:

    • Verify that Vanta detects your laptop as encrypted by reviewing the encryption status under your account. If you receive alerts regarding encryption issues, confirm that these are not related to other devices linked to your account. For example, an unencrypted Windows machine could trigger alerts even if your macOS laptop is compliant.

  3. Resolve Kandji-Tagging Issues: If your laptop was added via Kandji but is incorrectly tagged as unencrypted:

    • Go to the Kandji device page (Kandji administrators only).

    • Click on the "Details" tab and navigate to the "Volumes" section.

    • If volumes are marked as unencrypted, ensure the device has been restarted after enabling FileVault. This step often resolves tagging discrepancies.

Common Issues and Resolutions

  • Device Mistakenly Tagged as Unencrypted: If Vanta is sending alerts suggesting your device is not encrypted while the disk is encrypted, ensure that the linked devices do not include unencrypted machines (e.g., older Windows laptops lacking encryption).

  • Issues After Enabling Encryption: Some devices may need to be restarted to reflect encryption changes (e.g., macOS laptops using FileVault).