Skip to content

Device Encryption Policy

Device Encryption allows you to manage BitLocker Drive Encryption on Windows computers and FileVault on Macs. Encrypting hard disks keeps data safe, even when a device is lost or stolen.


If an option is locked, your partner or Enterprise Administrator have applied global settings.

Go to My Products > Encryption > Policies to manage device encryption.

You set up encryption as follows:

  1. The Device Encryption agent is installed on Windows computers automatically when you use the standard Windows agent installer (if you have the required license). You must manually install the Device Encryption agent on Macs.
  2. Create a Device Encryption policy and apply the policy to users as described below.

    Computers are encrypted when those users log in.


    FileVault encryption is user-based; every user of an endpoint must have encryption turned on.

For full details of how computers are encrypted, see Device Encryption administrator guide.


You can apply device encryption to boot volumes and fixed data volumes, but not to removable media.

To set up a policy, do as follows:

  1. Click Add Policy to create a Device Encryption policy. See Create or Edit a Policy.
  2. Open the policy's Settings tab and configure it as described below. Make sure the policy is turned on.


  • Device Encryption is on: A computer is encrypted as soon as one of the users the policy applies to logs in.

    A Windows endpoint stays encrypted even if a different user who isn't included in the policy logs in.


    You must apply an encryption policy to all users of a specific macOS endpoint to ensure that it is fully protected.

  • Encrypt boot volume only: This option allows you to encrypt the boot volume only. Data volumes are ignored.

Advanced Windows settings

  • Require startup authentication: This option is turned on by default. It enforces authentication via TPM+PIN, passphrase, or USB key. If you turn it off, TPM-only logon protection is installed on supported computers. For more information on authentication methods, see Device Encryption administrator guide.

  • Require new authentication password/PIN from users: This option is turned off by default. It forces a change of the BitLocker password or PIN after the specified time. An event is logged when users change their password or PIN.

    If users close the dialog without entering a new password or PIN, it reappears after every computer restart. We log an alert after users close the dialog five times without changing the password or PIN.


    On the endpoint, the feature is only available in Central Device Encryption 2.0 or later.

  • Encrypt used space only:This option is turned off by default. It allows you to encrypt used space only instead of encrypting the whole drive. You can use it to make initial encryption (when the policy is first applied to a computer) much faster.


    If you encrypt used space only, deleted data on the computer might not be encrypted, so you should only do this for newly set up computers.


    This option does not affect Windows 7 endpoints.

Password protect files for secure sharing (Windows only)


On the endpoint, the feature is only available in Central Device Encryption 2.0 or later.

You can protect files up to 50 MB.

  • Enable right-click context menu: If you turn on this option, a Create password-protected file option is added to the right-click menu of files. Users can attach password-protected files to emails when sending sensitive data to recipients outside your corporate network. Files are wrapped in a new HTML file with encrypted content.

    Recipients can open the file by double-clicking it and entering the password. They can send the received file back and protect it with the same or a new password, or they can create a new password-protected file.

  • Enable Outlook add-in: This option adds encryption of email attachments to Outlook. Users can protect attachments by selecting Protect Attachments on the Outlook ribbon. All unprotected attachments are wrapped in a new HTML attachment with encrypted content, and the email is sent.

  • Always ask how to proceed with attached files: If you turn on this option, users must choose how to send attachments whenever the message contains one. They can send them password protected or unprotected.

    You can enter excluded domains for which the Always ask how to proceed with attached files option does not apply. For example, your organization's domain. If recipients belong to such a domain, the senders aren't asked how they want to handle attachments.

    Enter only complete domain names and separate them by commas.