memdocs/intune/protect/encrypt-devices.md
39 additions & 0 deletions
@@ -146,6 +146,45 @@ Depending on the type of policy that you use to silently enable BitLocker, confi
146
146
> [!TIP]
147
147
> While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
148
148
149
+
### Full disk vs Used Space only encryption
150
+
151
+
Three settings determine whether an OS drive will be encrypted using used space only or full disk encryption:
152
+
- Whether the hardware of the device is [modern standby](/windows-hardware/design/device-experiences/modern-standby) capable
153
+
- Whether silent enablement has been configured for BitLocker
154
+
- ('Warning for other disk encryption' = Block or 'Hide prompt about third-party encryption' = Yes)
155
+
- Configuration of the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp)
156
+
- (Enforce drive encryption type on operating system drives)
157
+
158
+
Assuming that SystemDrivesEncryptionType has not been configured, the following is the expected behaviour. When silent enablement is configured on a modern standby device, the OS drive will be encrypted using used space only encryption. When silent enablement is configured on a device which is not capable of modern standby, the OS drive will be encrypted using full disk encryption. The result is the same whether you are using an [Endpoint Security disk encryption policy for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker) or a [Device Configuration profile for endpoint protection for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker). If a different end state is required, the encryption type can be controlled by configuring the SystemDrivesEncryptionType using settings catalog as shown below.
159
+
160
+
To verify whether the hardware is modern standby capable, run the following command from a command prompt:
161
+
162
+
```console
163
+
powercfg /a
164
+
```
165
+
If the device supports modern standby, it will show that Standby (S0 Low Power Idle) Network Connected is available
166
+
167
+
:::image type="content" source="./media/encrypt-devices/docs_bl_powercfg_surface_s0_possible.png" alt-text="Screenshot of command prompt displaying output of powercfg command with Standby state S0 available.":::
168
+
169
+
If the device does not support modern standby, such as a virtual machine, it will show that Standby (S0 Low Power Idle) Network Connected is not supported
170
+
171
+
:::image type="content" source="./media/encrypt-devices/docs_bl_powercfg_surface_nos0possible.png" alt-text="Screenshot of command prompt displaying output of powercfg command with Standby state S0 un-available.":::
172
+
173
+
To verify the encryption type, run the following command from an elevated (admin) command prompt:
174
+
175
+
```console
176
+
manage-bde -status c:
177
+
```
178
+
The 'Conversion Status' field will reflect the encryption type as either Used Space Only encrypted or Fully Encrypted.
179
+
180
+
:::image type="content" source="./media/encrypt-devices/docs_bl_usedspaceonly.png" alt-text="Screenshot of administrative command prompt showing output of manage-bde with conversion status reflecting fully encrypted.":::
181
+
182
+
:::image type="content" source="./media/encrypt-devices/docs_bl_fullyencrypted.png" alt-text="Screenshot of administrative command prompt showing output of manage-bde with conversion status reflecting used space only encryption.":::
183
+
184
+
To change the disk encryption type between full disk encryption and used space only encryption, leverage the'Enforce drive encryption type on operating system drives' setting within settings catalog.
185
+
186
+
:::image type="content" source="./media/encrypt-devices/docs_bl_settingscatalog_control_encryption.png" alt-text="Screenshot of Intune settings catalog displaying Enforce drive encryption type on operating system drives setting and drop-down list to select from full or used space only encryption types.":::
187
+
149
188
#### TPM startup PIN or key
150
189
151
190
A device **must not require** use of a startup PIN or startup key.
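Review bot: The two manage-bde screenshots in the new "Full disk vs Used Space only encryption" section have their alt text swapped relative to their file names: `docs_bl_usedspaceonly.png` is described as "conversion status reflecting fully encrypted" while `docs_bl_fullyencrypted.png` is described as "reflecting used space only encryption". Either the `source` paths or the `alt-text` values should be exchanged so each image is described correctly; as written, a screen-reader user is told the opposite of what the screenshot shows. Two smaller points in the same hunk: the sentence comparing the two policy types links both the Endpoint Security disk encryption policy and the Device Configuration profile to the same anchor (`#create-an-endpoint-security-policy-for-bitlocker`), so the second link should point at the device configuration profile section instead; and the lines `- ('Warning for other disk encryption' = Block or 'Hide prompt about third-party encryption' = Yes)` and `- (Enforce drive encryption type on operating system drives)` are written as top-level bullets although they qualify the item above each of them, so they should be indented as sub-bullets or folded into the parent item. Minor: "leverage the'Enforce drive encryption type" is missing a space after "the", and the two sentences describing the powercfg result lack terminating periods.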