Configuring Full Disk Encryption Rules

The following procedure explains the configurable options for policy rules affecting Full Disk Encryption devices.


Encryption Management for Apple FileVault and Encryption Management for Microsoft BitLocker do not require authentication and are not affected by authentication policies. Client, login, password, and authentication policies, and the option that allows the user to uninstall the Endpoint Encryption agent software, affect only the Full Disk Encryption and File Encryption agents.

  1. Create a new Endpoint Encryption policy.

    See Creating a Policy.

  2. Click Full Disk Encryption.

    The Full Disk Encryption policy rules settings appear.

    Figure 1. Full Disk Encryption Policy Rules

  3. Under Encryption, select the following options:
    • Select Encrypt device to start full disk encryption when the Endpoint Encryption agent synchronizes policies with PolicyServer.


      Do not deploy encryption to Full Disk Encryption agents without first preparing the endpoint's hard drive.

      For information about preparing the hard drive, see Full Disk Encryption Deployment Outline in the Endpoint Encryption Installation Guide.

    • Select Encrypt only used space to encrypt only the used space.

    • Select Select encrypt key size to specify a device encryption key size in bits.

  4. Under Agent Settings, select the following options:
    • Select Bypass Full Disk Encryption Preboot to allow the user to authenticate directly into Windows without protection from preboot authentication.

    • Select Users are allowed to access system recovery utilities on the device to allow the user to access the Recovery Console.

      For information about configurable options and available tools in Full Disk Encryption, see Recovery Console.

    • Select Allow user to configure Wi-Fi to allow users to configure Wi-Fi policies on the device during preboot.

    • Select Enable Wi-Fi configuration to use a predetermined Wi-Fi configuration during preboot. Specify the following details:

      • Network name (SSID)

      • User name

      • Password

      • Security type

    • Select Enable logon background color to specify the background color during logon.

    • Select Enable logon banner to specify a logon banner image.

      The image should not exceed 128 KB in size and should measure 512 x 64 pixels. Accepted file formats are PNG with transparency (recommended), JPG, and GIF.

  5. Under Notifications, configure the following options:
    • Select If found, display the following message on the device to show a message when the If Found policy is active.

    • Select Display Technical Support contact information to show a message after the user logs on to the Full Disk Encryption agent.

    • Select Show a legal notice to show the specific legal message at startup or only after installing the Full Disk Encryption agent.