Enforce disk encryption on Mac and Windows | deeploi

Disk encryption protects data on lost or stolen laptops. Here's how to enforce FileVault and BitLocker across your whole fleet, and prove it for audits.


A lost laptop without encryption is an open book

A login password protects the operating system session. It does not protect the data on the drive. If someone pulls the hard drive from an unencrypted laptop, or boots it from a USB stick, every file on that machine is readable: customer records, contracts, credentials, personal data. The password screen never even appears.

This is not a theoretical risk. A 2025 Kensington survey of 1,000 IT decision-makers found that 76% had been impacted by device theft in the past two years (Kensington / Vanson Bourne, 2025). Yet only 7% of security decision-makers say they're concerned about a lost device causing a breach, even though such incidents account for 17% of breaches (Forrester, 2023 State of Data Security report).

For growing SMBs, the exposure goes beyond embarrassment. Under GDPR, a single missing, unencrypted laptop containing personal data can trigger a reportable breach, and breach notifications across Europe have run into the hundreds per day in recent years (DLA Piper GDPR Data Breach Survey). Frameworks like ISO 27001 and NIS2 treat disk encryption as a baseline expectation. And increasingly, customer security questionnaires and vendor due diligence forms ask one pointed question: are all your company devices encrypted? If the answer is "we think so," that's not good enough.

This guide walks you through enforcing full-disk encryption across your Mac and Windows fleet, centrally, so every device is protected from first login and you can prove it when auditors or customers ask.

What you'll need before you start

  • Admin access to macOS (for FileVault) and Windows (for BitLocker via Intune, Group Policy, or another MDM tool)
  • An endpoint or device management solution to enforce and verify policies centrally
  • A recovery key escrow plan so encrypted devices stay recoverable if someone forgets their password or hardware changes
  • An inventory of your current fleet, including OS versions, because Windows Home editions and very old hardware can create blockers

Step 1: Understand what disk encryption actually protects

Full-disk encryption (FDE) protects data at rest. It scrambles everything on the drive so that, without the correct decryption key, the contents are meaningless. On macOS, this is handled by FileVault. On Windows, it's BitLocker.

The key distinction: a login password only blocks the OS session. It stops a casual passerby from sitting down and using the laptop. It does nothing if someone removes the drive, boots from external media, or connects the drive to another machine. Encryption closes that gap entirely. Even with physical access to the hardware, the data stays unreadable.

This matters most when devices leave the office, which is every day for remote and hybrid teams. A laptop left in a taxi, stolen from a café, or lost at an airport becomes a data breach waiting to happen without encryption. With encryption enabled, it's just a lost piece of hardware.

Step 2: Audit your current fleet for encryption gaps

Before you enforce anything, find out where you stand by checking each device's encryption status. On a Mac, run fdesetup status in Terminal. On Windows, open an elevated (administrator) command prompt and run manage-bde -status. Both will tell you plainly whether encryption is on.

Set expectations honestly: FileVault is opt-in on Mac. Users can skip it during initial setup, and many do. BitLocker is not guaranteed on unmanaged Windows machines either. Unless someone actively turned it on, or a policy forced it, you'll find gaps on both platforms.

A 2025 Kensington survey of 1,000 IT decision-makers found that 46% had experienced a data breach as a direct consequence of an unsecured or stolen device (Kensington / Vanson Bourne, 2025). The audit step is about turning assumptions into facts. Don't assume either platform is covered until you've looked.

If you're managing more than a handful of machines, checking manually is already painful. An endpoint management tool or an IT security platform can pull encryption status across your fleet in seconds.
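When you do collect fdesetup status and manage-bde -status output from more than a few machines, the raw text needs to be normalised before you can see the gaps, and the two tools report very different states. The script below is an added example, not deeploi's code or any vendor tool: it parses both outputs into one record per device and lists every machine that is not fully protected. The sample outputs are constructed to match the tools' usual format; the Windows Home case assumes the cmd.exe "is not recognized" error that appears when manage-bde is absent. Note the BitLocker state the example singles out: "Fully Encrypted" with "Protection Off" means BitLocker is suspended and the volume key is stored in the clear on disk, which a naive "is it encrypted?" check would wrongly pass.

```python
"""Normalise `fdesetup status` (macOS) and `manage-bde -status` (Windows)
output into one record per device and report the encryption gaps."""
import re
from dataclasses import dataclass

# Possible states of a device's system drive.
ENCRYPTED = "encrypted"      # fully encrypted and protection active: compliant
IN_PROGRESS = "in_progress"  # encryption started but not finished
SUSPENDED = "suspended"      # BitLocker encrypted but protection off (clear key on disk)
OFF = "off"                  # no encryption at all
UNAVAILABLE = "unavailable"  # tool missing, e.g. Windows Home has no manage-bde
UNKNOWN = "unknown"          # output did not match anything we expect


@dataclass
class DriveStatus:
    hostname: str
    platform: str
    state: str
    detail: str = ""

    @property
    def compliant(self) -> bool:
        return self.state == ENCRYPTED


def parse_fdesetup(hostname: str, output: str) -> DriveStatus:
    """Interpret `fdesetup status`: first line is 'FileVault is On.' or
    'FileVault is Off.'; a second line may report a conversion in progress."""
    if "FileVault is Off." in output:
        return DriveStatus(hostname, "macos", OFF, "FileVault disabled")
    if "FileVault is On." in output:
        m = re.search(r"(Encryption|Decryption) in progress: Percent completed = (\d+)", output)
        if m and m.group(1) == "Decryption":
            return DriveStatus(hostname, "macos", OFF, f"decrypting, {m.group(2)}% done")
        if m:
            return DriveStatus(hostname, "macos", IN_PROGRESS, f"{m.group(2)}% encrypted")
        return DriveStatus(hostname, "macos", ENCRYPTED, "FileVault on")
    first = output.strip().splitlines()[0] if output.strip() else "empty output"
    return DriveStatus(hostname, "macos", UNKNOWN, first)


def parse_manage_bde(hostname: str, output: str) -> DriveStatus:
    """Interpret `manage-bde -status` for the OS volume. Compliance needs both
    'Conversion Status: Fully Encrypted' and 'Protection Status: Protection On'."""
    if "not recognized" in output:  # assumption: cmd.exe error text when the tool is absent
        return DriveStatus(hostname, "windows", UNAVAILABLE, "manage-bde not present; Home edition?")
    # The tool lists every volume; pick the section flagged as the OS volume.
    sections = re.split(r"\n(?=Volume [A-Z]:)", output)
    section = next((s for s in sections if "[OS Volume]" in s), output)
    fields = {}
    for line in section.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s+(.+?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    conv = fields.get("Conversion Status", "")
    prot = fields.get("Protection Status", "")
    pct = fields.get("Percentage Encrypted", "?")
    if conv == "Fully Encrypted" and prot == "Protection On":
        return DriveStatus(hostname, "windows", ENCRYPTED, fields.get("Encryption Method", ""))
    if conv == "Fully Encrypted" and prot == "Protection Off":
        return DriveStatus(hostname, "windows", SUSPENDED, "protection suspended; resume BitLocker")
    if conv == "Encryption in Progress":
        return DriveStatus(hostname, "windows", IN_PROGRESS, f"{pct} encrypted")
    if conv == "Fully Decrypted":
        return DriveStatus(hostname, "windows", OFF, "BitLocker not enabled")
    return DriveStatus(hostname, "windows", UNKNOWN, f"conversion={conv!r} protection={prot!r}")


def find_gaps(statuses):
    """Every device that is not fully protected, worst state first."""
    order = {OFF: 0, UNAVAILABLE: 1, SUSPENDED: 2, IN_PROGRESS: 3, UNKNOWN: 4}
    return sorted((s for s in statuses if not s.compliant), key=lambda s: order.get(s.state, 99))


# Constructed sample outputs in the shape the two tools print.
SAMPLE_MAC_ON = "FileVault is On.\n"
SAMPLE_MAC_PROGRESS = "FileVault is On.\nEncryption in progress: Percent completed = 35\n"
SAMPLE_MAC_OFF = "FileVault is Off.\n"
SAMPLE_WIN_ON = """BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.91 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""
SAMPLE_WIN_SUSPENDED = SAMPLE_WIN_ON.replace("Protection On", "Protection Off")
SAMPLE_WIN_OFF = (SAMPLE_WIN_ON.replace("Fully Encrypted", "Fully Decrypted")
                  .replace("100.0%", "0.0%").replace("Protection On", "Protection Off"))
SAMPLE_WIN_HOME = ("'manage-bde' is not recognized as an internal or external command,\n"
                   "operable program or batch file.\n")


def fleet_report():
    """Parse the constructed sample fleet; swap in real collected output in practice."""
    return [
        parse_fdesetup("mac-01", SAMPLE_MAC_ON),
        parse_fdesetup("mac-02", SAMPLE_MAC_PROGRESS),
        parse_fdesetup("mac-03", SAMPLE_MAC_OFF),
        parse_manage_bde("win-01", SAMPLE_WIN_ON),
        parse_manage_bde("win-02", SAMPLE_WIN_SUSPENDED),
        parse_manage_bde("win-03", SAMPLE_WIN_OFF),
        parse_manage_bde("win-04", SAMPLE_WIN_HOME),
    ]


if __name__ == "__main__":
    for gap in find_gaps(fleet_report()):
        print(f"{gap.hostname:8} {gap.platform:8} {gap.state:12} {gap.detail}")
```

In practice you would feed the function the text captured from each machine by your management tool or a login script; the point of the uniform record is that "encrypted" means the same thing for a Mac and a Windows laptop, and anything else is a gap to chase.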

Step 3: Enable FileVault on macOS

On a single Mac, FileVault can be turned on in System Settings under Privacy & Security. But for a company fleet, you don't want to rely on each employee doing this themselves. The right approach is an MDM configuration profile that enforces FileVault automatically.

When deployed through MDM, the profile activates FileVault at the next user login. The user sees a prompt, enters their password, and encryption begins in the background. There's no option to skip it. That's exactly the point.

The critical detail is recovery key escrow. When FileVault activates, it generates a recovery key. This key is the only way to unlock the drive if the user forgets their password. If that key lives only on the user's machine, you have a problem when they leave the company or lock themselves out. Your MDM or IT platform must store recovery keys centrally, not on the device itself. Apple's T2 and M-series chips handle the encryption in hardware, so there's no meaningful performance impact.

Step 4: Enable BitLocker on Windows

On Windows, BitLocker can be enforced through Microsoft Intune (for cloud-managed devices) or Group Policy (for on-prem Active Directory environments). Like FileVault, the goal is a policy that activates encryption automatically, without relying on the user.

BitLocker typically relies on a Trusted Platform Module (TPM) to store its keys, and works best with TPM 2.0 on modern machines. Most business laptops manufactured in the last five years have this. Windows 11 requires TPM 2.0 as a system requirement, so if you're running Windows 11, you're covered on the hardware side.

There's one procurement pitfall that catches many SMBs: Windows Home does not support managed BitLocker or centralized MDM enforcement, only a limited automatic Device Encryption. You need Windows Pro or Enterprise. This isn't a settings problem you can fix later; it's a decision you need to make at the point of purchase. If your fleet includes Home editions, you'll need to upgrade those licenses before BitLocker enforcement is possible. When evaluating Mac vs. Windows for business, encryption manageability is worth factoring into the comparison.

As with FileVault, recovery keys must be escrowed centrally. Intune and Active Directory both support this, but it needs to be configured explicitly.

Step 5: Enforce encryption as a policy, not a request

Here's where the real work begins. Turning on encryption for a handful of devices is straightforward. Keeping it enforced across 30, 50, or 200 machines, with new hires joining every month and devices being replaced, is a different challenge entirely.

Asking employees to enable encryption themselves breaks down past about 20 devices. People skip it. New starters slip through onboarding without it. Someone reinstalls their OS and the policy doesn't reapply. You have no easy way to know who's compliant and who isn't.

The native path also gets painful at scale because you're managing two completely separate systems. FileVault policies live in your Mac MDM. BitLocker policies live in Intune or Group Policy. That's two consoles, two sets of configuration, and two places to check when something drifts. Every new device is a manual step in the right system.

A unified IT platform changes the equation. In the deeploi setup, encryption policies for both macOS and Windows are applied automatically as part of device enrollment. When a new laptop is added, encryption is on from first login, not chased afterward. One console covers both Mac and Windows, closing the gap between "we have a policy" and "the policy is actually running." This approach is built for teams without dedicated IT staff, not for people who want to spend their days in Intune.

Step 6: Verify and document encryption for audits

Enforcing encryption once is not enough. You need ongoing visibility. Devices get replaced. Operating systems get reinstalled. New machines join the fleet. Without continuous monitoring, unencrypted devices quietly appear in your environment.

For cybersecurity compliance, you need more than a policy document. You need proof that the policy is actually applied, device by device, right now. ISO 27001 auditors and enterprise customers running vendor due diligence expect evidence: a clear list of devices and the current encryption status of each one.

In the deeploi dashboard, per-device encryption status is visible in one live view. You can see which machines are encrypted and which aren't, and pull up that status the moment a customer questionnaire or auditor asks for it.
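What auditors actually want from this step is a per-device list with a defensible verdict, and the verdict has to combine the escrow requirement from Steps 3 and 4 with the freshness problem described above. The script below is an added example, not deeploi's code or dashboard logic: it joins each device's last reported encryption state with the set of hosts whose recovery key is escrowed, refuses to call a device compliant if it has not reported within a (assumed, configurable) seven-day window, and emits the evidence as CSV. The device records, escrow set and report time are constructed sample data.

```python
"""Turn device status plus recovery-key escrow records into audit evidence.
A device counts as compliant only when its drive is encrypted, its recovery
key is escrowed centrally, and its status report is recent enough to trust."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: a status older than this cannot be shown to an auditor as current.
MAX_STATUS_AGE = timedelta(days=7)


def evaluate(devices, escrowed_hosts, now, max_age=MAX_STATUS_AGE):
    """Return one evidence row per device.

    devices:        dicts with hostname, platform, encrypted (bool), last_seen (ISO 8601)
    escrowed_hosts: hostnames whose recovery key is stored centrally
    now:            timestamp the report is generated at
    """
    rows = []
    for dev in devices:
        age = now - datetime.fromisoformat(dev["last_seen"])
        escrowed = dev["hostname"] in escrowed_hosts
        if not dev["encrypted"]:
            # Last known state was bad; a stale report does not make it better.
            verdict, reason = "non-compliant", "drive not encrypted"
        elif age > max_age:
            # Encrypted at last check-in, but too long ago to present as fact.
            verdict, reason = "unknown", f"last report {age.days} days old"
        elif not escrowed:
            # Encrypted but unrecoverable: a forgotten password means data loss.
            verdict, reason = "non-compliant", "encrypted but recovery key not escrowed"
        else:
            verdict, reason = "compliant", ""
        rows.append({
            "hostname": dev["hostname"],
            "platform": dev["platform"],
            "encrypted": dev["encrypted"],
            "key_escrowed": escrowed,
            "last_seen": dev["last_seen"],
            "verdict": verdict,
            "reason": reason,
        })
    return rows


def summarize(rows):
    """Headline counts for the top of the audit pack."""
    counts = {"compliant": 0, "non-compliant": 0, "unknown": 0}
    for row in rows:
        counts[row["verdict"]] += 1
    return counts


def to_csv(rows):
    """Render the evidence rows as CSV text, one line per device."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample fleet as a management tool might export it.
REPORT_TIME = datetime(2025, 6, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    {"hostname": "mac-01", "platform": "macos", "encrypted": True, "last_seen": "2025-06-01T07:30:00+00:00"},
    {"hostname": "mac-02", "platform": "macos", "encrypted": True, "last_seen": "2025-05-10T12:00:00+00:00"},
    {"hostname": "win-01", "platform": "windows", "encrypted": True, "last_seen": "2025-05-31T18:00:00+00:00"},
    {"hostname": "win-02", "platform": "windows", "encrypted": False, "last_seen": "2025-06-01T07:00:00+00:00"},
]
SAMPLE_ESCROW = {"mac-01", "mac-02"}  # win-01 is encrypted but its key was never escrowed


def audit_report():
    return evaluate(SAMPLE_DEVICES, SAMPLE_ESCROW, REPORT_TIME)


if __name__ == "__main__":
    rows = audit_report()
    print(to_csv(rows))
    print(summarize(rows))
```

The ordering of the checks is deliberate: an unencrypted device stays non-compliant no matter how old its report is, a stale report downgrades an otherwise good device to "unknown" rather than "compliant", and an encrypted device with no escrowed key is flagged because it is one forgotten password away from data loss.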

Troubleshooting common issues

BitLocker prompts for the recovery key after a firmware update

UEFI or firmware updates can change the boot measurements that BitLocker checks on startup. When the measurements don't match, BitLocker assumes the boot process has been tampered with and asks for the recovery key. This is expected behavior, not a bug. To handle it, make sure recovery keys are escrowed centrally so IT can provide the key quickly. To prevent it, suspend BitLocker before applying firmware updates, then resume it afterward.

FileVault not activating after the policy is deployed

FileVault requires the user to log out and back in after the MDM profile is installed. If the user hasn't logged out since deployment, encryption won't start. The fix is simple: remind the user to restart their Mac. For new device enrollments, this happens naturally during setup.

Older hardware without TPM 2.0 blocking BitLocker

Machines without TPM 2.0 can't run BitLocker in its standard configuration. Windows 11 already requires TPM 2.0, so this mostly affects aging Windows 10 fleets. If you have older machines that can't be upgraded, plan to replace them. In the meantime, a comprehensive security strategy should flag these devices as higher risk.

FAQ

Is disk encryption enough to secure company endpoints?

It's one essential layer, but not the only one. Encryption protects data at rest, meaning it guards against physical theft and unauthorized drive access. A complete endpoint security approach also includes regular patching, endpoint protection software, access controls, and employee awareness training.

Does encryption slow down laptops?

On modern hardware, the performance impact is negligible. Apple's T2 and M-series chips handle encryption in dedicated hardware, and modern Windows laptops use the processor's built-in AES instructions, so users won't notice the overhead in everyday use.

What happens if an employee forgets their password on an encrypted device?

This is exactly why recovery key escrow matters. When keys are stored centrally, IT can unlock the device without data loss. Without escrowed keys, the data on that drive may be permanently inaccessible. Set up key escrow before you enforce encryption, not after.

Do I need separate tools for Mac and Windows encryption?

Not necessarily. While the underlying technologies differ (FileVault vs. BitLocker), unified IT platforms can enforce and monitor encryption across both operating systems from a single console. This is especially valuable for mixed fleets, which most SMBs run.

Conclusion and next steps

Disk encryption is a non-negotiable baseline for any company that issues laptops. It removes the single biggest risk from a lost or stolen device: exposed data. The native tools, FileVault and BitLocker, work well, but relying on employees to enable them doesn't scale, and managing two separate systems creates drift and blind spots.

The practical path is central enforcement: encryption applied automatically at device setup, verified continuously, and documented for audits. Pair it with automated patch management and endpoint monitoring, and you've covered the fundamentals of IT security without a dedicated team.

An SMB-focused IT platform like deeploi brings these pieces together: encryption enforcement across Mac and Windows, device oversight, and compliance documentation in one place. If your fleet is growing and you're still checking encryption status manually, it's time to automate it.
