A Disk Encryption policy can be assigned to devices or to device folders. A device inherits any Disk Encryption policies assigned to the folders in which the device resides. It then applies the policy that is closest to it. For example, if a policy is assigned to a device and another policy is assigned to the device’s parent folder, the device applies the policy assigned to it and ignores the folder-assigned policy. For more information, see Section 4.0, Effective Policy.
Because of the system requirements and hardware support considerations for Full Disk Encryption, we strongly recommend that folder assignments be used with caution. Before assigning a Disk Encryption policy to a folder, you should ensure that all devices within the folder (and subfolders) can support the policy. If a device cannot, you can move the device to another folder or assign an appropriate Disk Encryption policy directly to the device.
The same policy can be applied to devices with standard hard disks and devices with self-encrypting hard disks. With self-encrypting hard disks, the Full Disk Encryption Agent ignores the encryption settings and only applies the pre-boot authentication settings.