When we consider encryption for a Microsoft-based network, what usually first comes to mind is BitLocker, Microsoft's native fixed-drive encryption software. But that highlights a tendency to overlook that in a network there are many places where encryption decisions are made.
These decisions are critical but not always obvious, especially when they're made by application or software vendors that recommend certain settings during the software installation process. I can't tell you how many times a vendor has recommended settings that have given me pause and even made me question their stance on security.
Modern businesses manage many types of encryption across their often vast networks. I'd argue that, on balance, cybersecurity teams do a good job managing encryption on mobile workstations. It's relatively simple to enable BitLocker with a PIN during Autopilot deployment: in Autopilot configuration, a template can be set in Intune's endpoint security. In addition, with Windows 11 machines that meet certain hardware configurations, such as devices that support Modern Standby or meet the Hardware Security Testability Specification (HSTI), encryption happens by default during the out-of-box experience and encryption keys are backed up either to a Microsoft account or an Entra ID account by default.
Additional options can strengthen BitLocker encryption
If the user needs a recovery key, whether because a workstation has to be reset back to default settings or because a device asks for a BitLocker key during patching, the recovery key can be stored in a location that the help desk can refer them to. Autopilot allows the configuration of additional options, such as strengthening the BitLocker encryption algorithm. In the BitLocker CSP in Intune, you can specify a stronger algorithm such as XTS-AES 256-bit. You can configure this in Endpoint Security > Disk Encryption > Create Policy > Platform > Windows 10 and later, and then choose the BitLocker profile type.
Ultimately, companies will want to measure compliance with policy: to review device encryption status across a firm, and the options for monitoring and reporting. In a given domain, there may be scripting or third-party management tools that can be used to identify which drives are encrypted. Where there is Intune licensing, reports can be pulled using the Intune encryption status report console.
Log in to the Intune portal, then go to Devices, then Monitor, and click on the encryption report. From there you'll get a status report of computers: what TPM version they have, whether they're ready for encryption and, most importantly, whether they're encrypted. It will also identify which username is assigned to that computer device name, so you can identify the "owner" of the computer.
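For domains where the scripting route mentioned above is used instead of (or alongside) the Intune report, the following is an added example, not code from the article: a local check that reports the same fields the encryption report shows (TPM version, encryption status) and flags whether each volume meets the policy described here (XTS-AES 256, TPM+PIN on the OS drive, a recovery password available to escrow). It assumes the built-in BitLocker PowerShell module and the Win32_Tpm CIM class, and the compliance thresholds are illustrative assumptions rather than Microsoft defaults.

```powershell
# Added example (not from the article): local BitLocker compliance check.
# Assumes the built-in BitLocker module and the Win32_Tpm CIM class; run elevated.
# The compliance rules below are assumptions modelled on the article's policy.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        [string]$RequiredMethod = 'XtsAes256'   # assumption: cipher required by policy
    )
    Import-Module BitLocker -ErrorAction Stop

    # TPM spec version, the same field the Intune encryption report surfaces.
    $tpmVersion = 'Unknown'
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim() }
    } catch { }

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpmPin   = $types -contains 'TpmPin'
        $hasRecovery = $types -contains 'RecoveryPassword'
        $isOs        = $vol.VolumeType -eq 'OperatingSystem'

        # Compliant: fully encrypted, protection on, required cipher, and for the
        # OS volume a TPM+PIN protector plus a recovery password to escrow.
        $compliant = $vol.VolumeStatus -eq 'FullyEncrypted' -and
                     $vol.ProtectionStatus -eq 'On' -and
                     $vol.EncryptionMethod.ToString() -eq $RequiredMethod -and
                     (-not $isOs -or ($hasTpmPin -and $hasRecovery))

        [PSCustomObject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            TpmSpecVersion   = $tpmVersion
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ',')
            Compliant        = $compliant
        }
    }
}

# One row per volume, in a form a management tool or SIEM can collect.
Get-BitLockerComplianceReport | Export-Csv -Path "$env:TEMP\bitlocker-status.csv" -NoTypeInformation
```

A volume that shows VolumeStatus FullyEncrypted but ProtectionStatus Off (for example, a drive left suspended after an update) is reported as non-compliant, which is exactly the case a status-only check would miss.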