diff --git a/changes/follow-up-pr-8526-disk-encryption b/changes/follow-up-pr-8526-disk-encryption
new file mode 100644
index 0000000000..70d71009d6
--- /dev/null
+++ b/changes/follow-up-pr-8526-disk-encryption
@@ -0,0 +1 @@
+* Reduce false negatives for query used for determining encryption status on Linux systems
diff --git a/frontend/pages/policies/constants.ts b/frontend/pages/policies/constants.ts
index 7885745486..03b9ba882a 100644
--- a/frontend/pages/policies/constants.ts
+++ b/frontend/pages/policies/constants.ts
@@ -71,10 +71,10 @@ export const DEFAULT_POLICIES: IPolicyNew[] = [
 {
 key: 5,
 query:
- "SELECT 1 FROM disk_encryption WHERE encrypted=1 AND name LIKE '/dev/dm-1';",
+ "SELECT 1 FROM (SELECT encrypted, path FROM disk_encryption FULL OUTER JOIN mounts ON mounts.device_alias = disk_encryption.name) WHERE encrypted = 1 AND path = '/';",
 name: "Full disk encryption enabled (Linux)",
 description:
- "Checks if the dm-1 device is encrypted. There are many ways to encrypt Linux systems. This is the default on distributions such as Ubuntu. You may need to adapt this query, or submit an issue in the Fleet repo.",
+ "Checks if the device mounted at / is encrypted. There are many ways to encrypt Linux systems. You may need to adapt this query, or submit an issue in the Fleet repo.",
 resolution:
 "Ensure the image deployed to your Linux workstation includes full disk encryption.",
 platform: "linux",
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 32c0122032..1f8b276b68 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
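Review bot: The `FULL OUTER JOIN` in the new `query` string for key 5 is redundant with the outer `WHERE encrypted = 1 AND path = '/'`, which discards every row that lacks a match on either side, so the result is identical to a plain inner join; `"SELECT 1 FROM disk_encryption JOIN mounts ON mounts.device_alias = disk_encryption.name WHERE encrypted = 1 AND path = '/';"` states the intent directly and does not depend on the SQLite bundled with osquery supporting FULL OUTER JOIN (added upstream in SQLite 3.39), which is worth confirming for the osquery versions Fleet supports, since a dialect error would presumably surface on every host rather than only on the unencrypted ones. The same query text is repeated in the queries.go hunk for `disk_encryption_linux` and should receive the same change so the two stay in sync. The enclosing `DEFAULT_POLICIES` array starts and ends outside the hunk.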
@@ -585,7 +585,7 @@ FROM
 // osquery table on darwin and linux, it is always present.
 },
 "disk_encryption_linux": {
- Query: `SELECT 1 FROM disk_encryption WHERE encrypted = 1 AND name = '/dev/dm-1';`,
+ Query: `SELECT 1 FROM (SELECT encrypted, path FROM disk_encryption FULL OUTER JOIN mounts ON mounts.device_alias = disk_encryption.name) WHERE encrypted = 1 AND path = '/';`,
 Platforms: fleet.HostLinuxOSs,
 DirectIngestFunc: directIngestDiskEncryption,
 // the "disk_encryption" table doesn't need a Discovery query as it is an official