Rahul-7230 asked (edited by Rahul-7230):

BitLocker Device Encryption (Used Space Encryption vs Full Disk Encryption) in Intune

Hi Team,

I wanted to understand: if we apply used-space-only disk encryption, is it good enough to protect the Windows 10 devices?

Here's my scenario. We are going to issue fresh new devices to end users. Users will enroll the device via Windows Autopilot, and we have an Intune policy to trigger silent BitLocker encryption. However, we are encountering this issue: a device encrypted with silent BitLocker encryption is getting encrypted as used disk space only, and our concern is that the drive is not getting fully encrypted.

Here are our concerns:

Q1. Is there any security risk in having only used disk space encrypted on fresh new devices? As per the documentation, I understand that if the disk is not encrypted and we have deleted items, they can be recovered, but after encryption is enabled with used disk space only, the data still remains encrypted even after deletion. Does this hold true?

Q2. Will an Intune compliance policy that requires BitLocker encryption treat used-disk-space-only encrypted devices as non-compliant?

Q3. Are there any other potential security risks we might see if we go ahead with used-disk-space-only encryption on Windows 10 devices? For example, if the same device gets reimaged for another user, can that user recover the previous user's data?

Let us know how to achieve device encryption with full disk encryption and 256-bit cipher strength in a silent encryption manner.


Tags: windows-10-setup, windows-10-security, mem-intune-device-configurations

Jason-MSFT answered (edited by Rahul-7230):
  1. Yes. Once encrypted, always encrypted.

  2. Compliance doesn't make a distinction between the two.

  3. That depends on the process used. Per #1, the data will never be unencrypted unless the volume itself is fully decrypted. Also, remember that BitLocker is encryption of data at rest only. If a user can log into the device, then they can access all data on the volume encrypted using the current encryption keys. Thus, unless the volume has been wiped and the BitLocker encryption key has been rotated, the data will be accessible to the user. Simply reimaging doesn't do this.

For a complete A to Z on BitLocker plus Intune, see https://techcommunity.microsoft.com/t5/intune-customer-success/enabling-bitlocker-with-microsoft-endpoint-manager-microsoft/ba-p/2149784.


@Rahul-7230 I haven't heard from you for some time. I am currently standing by for a further update from you and would like to know how things are going.

Rahul-7230 (replying to LuDaiMSFT-0289):

Tested #3: Will an Intune compliance policy that requires BitLocker encryption treat used-disk-space-only encrypted devices as non-compliant?

Intune is still reporting non-compliant. I raised a ticket with the Microsoft team and they informed me that they have currently started seeing this issue of Windows 10 devices reporting as non-compliant. No further update from the support engineer; this looks like some error or bug on the MS end in evaluating Windows 10 device compliance.
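The thread asserts that compliance does not distinguish used-space-only from full encryption, yet the poster sees non-compliant reports. Before opening a ticket it helps to read the actual volume state off the device. The script below is an added example, not code from the thread or from Microsoft; it assumes Windows 10 with the built-in BitLocker PowerShell module, an elevated prompt, and that the `Win32_EncryptableVolume` WMI class's `GetConversionStatus` output exposes `EncryptionFlags` with bit `0x1` meaning data-only (used-space-only) encryption mode, which `Get-BitLockerVolume` itself does not report.

```powershell
# Added example (not from the Q&A thread): audit every BitLocker volume on this
# machine and report the facts the thread argues about. Assumes admin rights and
# the BitLocker module shipped with Windows 10.

# 256-bit cipher strength as requested in the question (XTS-AES 256).
$RequiredMethod = 'XtsAes256'

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Win32_EncryptableVolume carries the conversion flags that reveal
        # used-space-only mode; match it to the PowerShell volume by drive letter.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                               -ClassName Win32_EncryptableVolume `
                               -Filter "DriveLetter='$($vol.MountPoint)'"
        $conv = Invoke-CimMethod -InputObject $wmi -MethodName GetConversionStatus

        # Assumption (documented WMI flag): bit 0x1 = data-only / used-space-only encryption.
        $usedSpaceOnly = (($conv.EncryptionFlags -band 0x1) -ne 0)

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / ...
            ProtectionStatus  = $vol.ProtectionStatus    # On = key protectors (TPM etc.) are active
            EncryptionMethod  = $vol.EncryptionMethod    # e.g. XtsAes128, XtsAes256
            EncryptionPercent = $vol.EncryptionPercentage
            UsedSpaceOnly     = $usedSpaceOnly
            MeetsCipherPolicy = ($vol.EncryptionMethod -eq $RequiredMethod)
            KeyProtectors     = ($vol.KeyProtector.KeyProtectorType -join ',')
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Two things the output makes concrete. First, `ProtectionStatus` is what actually matters for data at rest: a volume can be `FullyEncrypted` with protection `Off` (for example after a suspend), in which case the key is stored in the clear and the encryption protects nothing. Second, `UsedSpaceOnly` is the only field that distinguishes the two modes; if it is `True` on a device that needs full encryption, the documented `manage-bde -WipeFreeSpace <drive>` (short form `-w`) wipes the free space so the volume becomes fully encrypted, which is the conversion the question asks how to achieve.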
LimitlessTechnology-2700 answered:

Hello @Rahul-7230

Please see below answers.

  1. There is no security risk in having only used disk space encrypted.

  2. No, Intune should not.

  3. If the same device gets reimaged for another user, then BitLocker needs to run again, as it will be formatted.

Hope this helps.
