> ## Documentation Index
> Fetch the complete documentation index at: https://help.dsalta.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Device encryption should be enabled

> Checks that disk encryption is enabled on all devices managed by Microsoft Defender.

Checks that disk encryption is enabled on all devices managed by Microsoft Defender.

## About

When you connect Microsoft Defender for Endpoint to DSALTA, the platform retrieves the list of resources in your environment using read-only API access. DSALTA then checks whether this configuration is in place. If it is not, DSALTA activates this check so you can remediate it.

## Why This Matters

Data stored without encryption can be read by anyone who gains access to the underlying storage — through a misconfiguration, a stolen disk, or improper decommissioning. Encryption at rest renders that data useless without the key and is required by SOC 2, ISO 27001, HIPAA, and PCI DSS.

## How to Fix

**Before you begin**

* Ensure you have administrator access to Microsoft Defender for Endpoint.

**Enable encryption at rest**

1. Open the encryption settings for the affected resource in Microsoft Defender for Endpoint.
2. Enable encryption at rest using a KMS-managed or customer-managed key.
3. Verify encryption is active in the resource configuration.

Once encryption is configured, DSALTA retrieves the change on the next sync and sets the check status to **Passing**.

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="How often does this check run?">
    This check runs automatically every 24 hours while the Microsoft Defender for Endpoint integration is connected. You can also trigger a manual sync from **Integrations** in the sidebar.
  </Accordion>

  <Accordion title="What happens if it keeps failing?">
    A failing check appears in your **Data Library → Tests** dashboard. Work through the steps above; once the underlying configuration is fixed, the status updates automatically on the next sync.
  </Accordion>

  <Accordion title="Can I exclude this check?">
    Yes. If it does not apply to your environment, mark it as **Not Applicable** with a justification. The exclusion is documented for auditors.
  </Accordion>

  <Accordion title="Does DSALTA change my Microsoft Defender for Endpoint configuration?">
    No. DSALTA uses **read-only API access** and never modifies, creates, or deletes resources. All remediation is performed by your team directly in Microsoft Defender for Endpoint.
  </Accordion>
</AccordionGroup>