6.1 Encryption Recommendations

The following recommendations apply to the encryption settings for a Disk Encryption policy:

  • Local Fixed Volumes: You can encrypt all volumes or selected volumes. If possible, encrypt all volumes. If you specify volumes, the drive volumes must be the same an all target devices (for example, C: on all devices).

  • Encryption: Use the default algorithm (AES) and key length (256) unless your organization requires a different algorithm and key length. For fastest initial encryption of a device, enable the Encrypt only the used sectors of the drive option. After initial deployment, additional data written to the disk is automatically encrypted.

  • Reboot Behavior: Force a reboot but provide a reasonable time out before the reboot. Provide a custom message with the reboot. Run Windows check disk during the reboot to ensure disk integrity.