Bitlocker Device Encryption ( Used Space Encryption VS Full Disk Encryption) in Intune

Rahul 241 Reputation points
2021-09-14T18:55:00.557+00:00

Hi Team,

I wanted to understand if we apply used space disk encryption only, is it good enough to protect the Windows 10 devices?

Here's my scenario: we are going to issue fresh new devices to end users. Users will enroll the device via Windows Autopilot, and we have an Intune policy to trigger silent BitLocker encryption, but we are encountering this issue: a device encrypted with silent BitLocker encryption is getting encrypted as used disk space only, which is our concern here, that the drive is not getting full-disk encrypted.

Here are our concerns :

Q1. Is there any security risk of having used disk space only encrypted on the fresh new devices? As per the documentation, I understand that if the disk is not encrypted and we have deleted items, they can be recovered, but after encryption is enabled with used disk space only, the data still remains encrypted even after deletion? Does this hold true?

Q2. Will an Intune compliance policy that requires BitLocker encryption treat used disk space only as non-compliant devices?

Q3. Any other potential security risk we might see if going ahead with **used disk space** disk encryption on Win-10 devices? Example: if the same device gets reimaged for another user, can the user recover the other user's data?

Let us know how to achieve this device encryption with full disk encryption and 256-bit cipher strength in a silent encryption manner.


Accepted answer
  1. Jason Sandys 31,186 Reputation points Microsoft Employee
    2021-09-14T19:25:53.467+00:00
    1. Yes. Once encrypted, always encrypted.
    2. Compliance doesn't make a distinction between the two.
    3. That depends on the process used. Per #1, the data will never be unencrypted unless the volume itself is unencrypted fully. Also, remember though that BitLocker is encryption of data at rest only. If a user can log into the device, then they can access all data on the volume encrypted using the current encryption keys. Thus, unless the volume has been wiped and the BitLocker encryption key has been rotated, the data will be accessible to the user. Simply reimaging doesn't do this.

    For a complete A to Z on BitLocker plus Intune, see https://techcommunity.microsoft.com/t5/intune-customer-success/enabling-bitlocker-with-microsoft-endpoint-manager-microsoft/ba-p/2149784.
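The point in answer #1 above (a used-space-only volume still reports as protected) and the question's goal (full encryption with XTS-AES 256) can both be checked on an endpoint. The following PowerShell is an added example for defenders auditing their own fleet; it is not code from the thread, from Intune, or from the linked article. It assumes the built-in BitLocker PowerShell module and manage-bde.exe are present, that it runs in an elevated session, and that the registry values under the FVE policy key have the meanings noted in the comments (those meanings come from the BitLocker Group Policy documentation, not from this page).

```powershell
# Added example (not from the thread): audit BitLocker state against the goal
# stated in the question, full-disk encryption with XTS-AES 256.
# Assumptions: BitLocker PowerShell module and manage-bde.exe available; elevated session.

$WantedMethod = 'XtsAes256'   # target cipher from the question (assumed Get-BitLockerVolume value name)

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        [string[]]$MountPoint = (Get-BitLockerVolume | Select-Object -ExpandProperty MountPoint)
    )

    foreach ($mp in $MountPoint) {
        $vol = Get-BitLockerVolume -MountPoint $mp

        # Get-BitLockerVolume reports VolumeStatus = FullyEncrypted for both conversion
        # types, so the used-space-only distinction has to come from manage-bde,
        # which prints a "Conversion Status" line for the volume.
        $statusLines = & manage-bde.exe -status $mp 2>&1
        $conversion = 'Unknown'
        foreach ($line in $statusLines) {
            if ($line -match 'Conversion Status:\s*(.+)$') {
                $conversion = $Matches[1].Trim()
                break
            }
        }

        $usedSpaceOnly = $conversion -match 'Used Space Only'
        $fullyEncrypted = ($vol.VolumeStatus -eq 'FullyEncrypted') -and -not $usedSpaceOnly

        [pscustomobject]@{
            MountPoint        = $mp
            ProtectionStatus  = $vol.ProtectionStatus      # On/Off: protectors active?
            VolumeStatus      = $vol.VolumeStatus          # FullyEncrypted even when used-space-only
            ConversionStatus  = $conversion                # "Fully Encrypted" vs "Used Space Only Encrypted"
            EncryptionMethod  = $vol.EncryptionMethod      # e.g. XtsAes128, XtsAes256
            EncryptionPercent = $vol.EncryptionPercentage
            MeetsTarget       = $fullyEncrypted -and ($vol.EncryptionMethod -eq $WantedMethod)
        }
    }
}

function Get-BitLockerPolicyTarget {
    # Policy values written under the FVE key by Group Policy / the BitLocker CSP.
    # Assumed meanings (from the BitLocker policy documentation, not from this page):
    #   OSEncryptionType          1 = Full encryption, 2 = Used Space Only encryption
    #   EncryptionMethodWithXtsOs 6 = XTS-AES 128-bit, 7 = XTS-AES 256-bit
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    [pscustomobject]@{
        OSEncryptionType          = $p.OSEncryptionType
        EncryptionMethodWithXtsOs = $p.EncryptionMethodWithXtsOs
        PolicyWantsFull           = ($p.OSEncryptionType -eq 1)
        PolicyWantsXtsAes256      = ($p.EncryptionMethodWithXtsOs -eq 7)
    }
}

# Usage: compare what the policy asks for with what the volumes actually are.
Get-BitLockerPolicyTarget | Format-List
Get-BitLockerAudit | Format-Table -AutoSize
```

One caveat worth keeping in mind when reading the output: the encryption-type and cipher policy settings only apply when a volume is first encrypted. A volume that was already encrypted used-space-only with a 128-bit cipher stays that way after the policy changes, so a device whose policy reports `PolicyWantsFull = True` can still show `ConversionStatus = Used Space Only Encrypted` until it is decrypted and encrypted again.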


1 additional answer

  1. Limitless Technology 39,501 Reputation points
    2021-09-15T16:02:55.58+00:00

    Hello @Rahul

    Please see below answers.

    1. There is no security risk having used disk space only encrypted.
    2. No, Intune should not.
    3. If the same device gets re-imaged for another user, then BitLocker needs to run again as it will be formatted.

    Hope this helps.
