When we think about encryption for a Microsoft-based network, what usually first springs to mind is BitLocker, Microsoft’s native fixed-drive encryption software. But that highlights a tendency to forget that in a network there are many places where encryption decisions are made.
These decisions are important but not always obvious, especially when they’re made by application or software vendors that recommend certain settings during the software installation process. I can’t tell you how many times a vendor has recommended settings that have given me pause and even made me question their stance on security.
Modern businesses manage many types of encryption across their often vast networks. I’d argue that, on balance, cybersecurity teams do a good job managing encryption on mobile workstations. It’s relatively easy to enable BitLocker with a PIN during Autopilot deployment — in Autopilot configuration, a template can be set in Intune’s endpoint security. In addition, with Windows 11 machines that meet certain hardware configurations, such as devices that support Modern Standby or meet the Hardware Security Testability Specification (HSTI), encryption happens by default during the out-of-box experience, and encryption keys are backed up either to a Microsoft account or an Entra ID account by default.
Additional options can strengthen BitLocker encryption
If the user needs a recovery key, should it be necessary to reset a workstation back to default settings, or should a device ask for a BitLocker key during patching, the recovery key will be stored in a location that the help desk can refer them to. Autopilot allows the configuration of additional options, such as strengthening the BitLocker encryption algorithm. In the BitLocker CSP in Intune, you can specify a stronger algorithm such as XTS-AES 256-bit. You can configure this in Endpoint Security > Disk Encryption > Create Policy > Platform > Windows 10 and later, and then choose the BitLocker profile type.
Ultimately, companies will want to measure compliance with policy — to review device encryption status across a firm and the options for monitoring and reporting. In a given domain, there may be scripting or third-party management tools that can be used to identify which drives are encrypted. Where there is Intune licensing, reports can be pulled using the Intune encryption status report console.
Log in to the Intune portal, then go to Devices, then Monitor, and click on the encryption report. From there you’ll get a status report of computers: what TPM version they have, whether they’re ready for encryption and, most importantly, whether they’re encrypted. It’ll also identify which username is assigned to that computer device name, so you can identify the “owner” of the computer.
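As an added illustration (not code from the article), the following PowerShell script is the kind of scripted check mentioned above: it audits a single Windows machine’s BitLocker volumes against the policy described here (fully encrypted, XTS-AES 256, TPM+PIN protector plus a recovery password on the OS drive) and reports TPM readiness alongside. The function name and the required-protector list are assumptions; adjust them to match your own BitLocker profile.

```powershell
# Added example: local BitLocker posture check against an assumed policy.
# Requires the BitLocker and TrustedPlatformModule modules and an elevated prompt.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Assumed policy values; set these to what your Intune BitLocker profile enforces.
        [string]$RequiredMethod = 'XtsAes256',
        [string[]]$RequiredOsProtectors = @('TpmPin', 'RecoveryPassword')
    )

    $tpm     = Get-Tpm                 # TpmPresent / TpmReady, as the Intune report shows
    $osDrive = $env:SystemDrive        # e.g. "C:"

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $isOs = ($vol.MountPoint -eq $osDrive)

        # Only the OS drive must carry every required protector; data drives just
        # need to be fully encrypted with protection turned on.
        $missing = if ($isOs) { $RequiredOsProtectors | Where-Object { $_ -notin $protectorTypes } } else { @() }

        $findings = @()
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $findings += "VolumeStatus=$($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')        { $findings += 'ProtectionOff' }
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.EncryptionMethod -ne $RequiredMethod) {
            $findings += "Method=$($vol.EncryptionMethod)"   # e.g. legacy Aes128 or XtsAes128
        }
        if ($missing) { $findings += "MissingProtectors=$($missing -join ',')" }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            IsOsDrive        = $isOs
            TpmPresent       = $tpm.TpmPresent
            TpmReady         = $tpm.TpmReady
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($protectorTypes -join ',')
            Compliant        = ($findings.Count -eq 0)
            Findings         = ($findings -join '; ')
        }
    }
}

# Usage: show the per-volume report and flag any volume that misses the policy.
$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { Write-Warning 'Non-compliant BitLocker volumes found' }
```

The same function can be wrapped as an Intune remediation detection script (exit 1 when any volume is non-compliant) or run through your RMM tool to cover machines the Intune report does not.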