32.1 General Information

As you configure Microsoft Data Encryption policies and apply them to devices, be aware of the following:

  • The Microsoft Data Encryption policy is a device-only policy. It cannot be assigned to users.

  • The Microsoft Data Encryption policy does not support inheritance. The Microsoft Data Encryption policy that is assigned closest to the device becomes the effective policy for the device. For example, if a Microsoft Data Encryption policy is assigned to a device and to a group in which the device is a member, the device-assigned policy becomes the effective policy and the policy assigned to the device group is ignored.

NOTE: The Microsoft Data Encryption policy takes precedence over the Data Encryption policy. If both policies are concurrently assigned to the same device, the Microsoft Data Encryption policy will override the Data Encryption policy for encryption of removable data drives.

When the policy is applied to a managed device, users are automatically notified of the policy's enforcement when a removable drive is inserted. The notification can take several forms depending upon the state of the removable drive and the settings in the policy.

Operating System Requirements

Microsoft BitLocker is native to the operating systems listed below:

  • Windows 7 Ultimate and Enterprise (cannot encrypt used sectors only)

  • Windows 8 and 8.1 Professional and Enterprise

  • Windows 10 Professional, Enterprise, and Education

BitLocker Encryption Versus ZENworks Data Encryption

You can enforce a Data Encryption policy and a Microsoft Data Encryption policy (BitLocker) on a device concurrently. When this condition exists, the Microsoft Data Encryption policy (the latter of the two) takes precedence and the following apply:

  • If a user inserts an unencrypted removable drive, BitLocker encryption will be enforced.

  • If a user inserts a drive already encrypted with the Data Encryption policy, the user will be prompted to update the drive's encryption to BitLocker. Canceling this prompt makes the drive Read Only on the managed device. Continuing with the action copies the drive's data to the managed device while reformatting, and then restores it after BitLocker encryption completes.

  • If a user inserts a drive already encrypted with BitLocker, whether natively or by the Microsoft Data Encryption policy, the policy's settings on the managed device will determine if any of the BitLocker settings need to change.

IMPORTANT: In the event that a user inserts a removable drive encrypted with the Data Encryption policy on a managed device that only has the Microsoft Data Encryption policy enforced, the drive cannot be updated to the new policy and BitLocker encryption without reformatting the drive and erasing all the data on the drive. In this scenario, the user will be prompted to contact the ZENworks administrator to decrypt the drive, or continue to use the drive in Read Only mode.
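To confirm on a managed device that the Microsoft Data Encryption policy has actually taken effect on inserted removable drives (and to spot drives still in the Read Only or Data Encryption state described above), an administrator can query BitLocker directly. The following script is an added example, not part of the ZENworks documentation or product; it assumes the BitLocker PowerShell module is available (Windows 8/8.1/10 Professional, Enterprise or Education), an elevated session, and that removable volumes have drive letters.

```powershell
# Added example (not ZENworks code): report the BitLocker state of every
# removable drive on this device so policy enforcement can be verified.
# Assumes the BitLocker module (Get-BitLockerVolume) and an elevated session.
function Get-RemovableDriveBitLockerState {
    [CmdletBinding()]
    param()

    # Get-Volume exposes DriveType; only removable media with a letter matter here.
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        try {
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
        } catch {
            # BitLocker cannot report on this volume (e.g. unsupported file system).
            Write-Warning "BitLocker status unavailable for $mount : $($_.Exception.Message)"
            continue
        }

        [PSCustomObject]@{
            MountPoint        = $mount
            FileSystem        = $vol.FileSystemType
            # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            VolumeStatus      = $bl.VolumeStatus
            # 'On' means key protectors are in place and enforced
            ProtectionStatus  = $bl.ProtectionStatus
            EncryptionPercent = $bl.EncryptionPercentage
            KeyProtectors     = ($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            # A drive still carrying ZENworks Data Encryption (or none) shows up here
            # as FullyDecrypted, i.e. not compliant with the BitLocker policy.
            Compliant         = ($bl.VolumeStatus -eq 'FullyEncrypted' -and
                                 $bl.ProtectionStatus -eq 'On')
        }
    }
}

# Example run: list only the removable drives that still need attention.
Get-RemovableDriveBitLockerState |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

A drive that reports EncryptionInProgress is one the policy is currently converting; a drive that reports FullyDecrypted but is Read Only on the device is one whose user canceled the BitLocker update prompt.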