Adding section on Used space vs full disk encryption
Based on testing results from Daisuke Takabe and Sanesh Vig, adding details regarding used space only vs full disk encryption, including multiple screenshots.
memdocs/intune/protect/encrypt-devices.md
Lines changed: 39 additions & 1 deletion
@@ -149,6 +149,44 @@ Depending on the type of policy that you use to silently enable BitLocker, confi
149
149
> [!TIP]
150
150
> While the setting labels and options in the following two policy types are different from each other, they both apply the same configuration to Windows encryption CSPs that manage BitLocker on Windows devices.
151
151
152
+
### Full disk vs Used Space only encryption
153
+
154
+
Three settings determine whether an OS drive will be encrypted using used space only or full disk encryption:
155
+
- Whether the hardware of the device is [modern standby](/windows-hardware/design/device-experiences/modern-standby) capable
156
+
- Whether silent enablement has been configured for BitLocker
157
+
- ('Warning for other disk encryption' = Block or 'Hide prompt about third-party encryption' = Yes)
158
+
- Configuration of the [SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp)
159
+
- (Enforce drive encryption type on operating system drives)
160
+
161
+
Assuming that SystemDrivesEncryptionType has not been configured, the following is the expected behaviour. When silent enablement is configured on a modern standby device, the OS drive will be encrypted using used space only encryption. When silent enablement is configured on a device which is not capable of modern standby, the OS drive will be encrypted using full disk encryption. The result is the same whether you are using an [Endpoint Security disk encryption policy for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker) or a [Device Configuration profile for endpoint protection for BitLocker](/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker). If a different end state is required, the encryption type can be controlled by configuring the SystemDrivesEncryptionType using settings catalog as shown below.
162
+
163
+
To verify whether the hardware is modern standby capable, run the following command from a command prompt:
164
+
165
+
```console
166
+
powercfg /a
167
+
```
168
+
If the device supports modern standby, it will show that Standby (S0 Low Power Idle) Network Connected is available
If the device does not support modern standby, such as a virtual machine, it will show that Standby (S0 Low Power Idle) Network Connected is not supported
To change the disk encryption type between full disk encryption and used space only encryption, leverage the'Enforce drive encryption type on operating system drives' setting within settings catalog.
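Review bot: In the paragraph at new line 161, both policy links resolve to the same anchor: the link labelled "Device Configuration profile for endpoint protection for BitLocker" reuses `/mem/intune/protect/encrypt-devices#create-an-endpoint-security-policy-for-bitlocker`, so a reader who follows it lands on the Endpoint Security procedure rather than the device configuration profile procedure; point it at the section of this article that covers the device configuration profile. The same paragraph says the SystemDrivesEncryptionType configuration is shown "below", but nothing in this hunk shows it (no image or setting walkthrough follows the console block), so either add the screenshot reference the commit message mentions or drop the phrase. Two smaller points in the closing lines: "leverage the'Enforce drive encryption type on operating system drives' setting" is missing a space after "the", and the three sentences after the `powercfg /a` block should be separated by blank lines (or written as a list) if they are not already, otherwise Markdown renders them as one run-on paragraph; ending each with a period would also match the rest of the section.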