Once we take into consideration encryption for a Microsoft-based community, what typically first springs to thoughts is BitLocker, Microsoft’s native fixed-drive encryption software program. However that highlights an inclination to overlook that in a community there are a lot of areas the place encryption choices are made.
These choices are necessary however not at all times apparent, particularly once they’re made by utility or software program distributors that advocate sure settings in the course of the software program set up course of. I can’t let you know what number of instances a vendor has beneficial settings which have given me pause and even made me query their stance on security.
Trendy companies handle many sorts of encryption throughout their generally huge networks. I’d argue that, on steadiness, cybersecurity groups do an honest job managing encryption on cell workstations. It’s comparatively easy to allow BitLocker with a PIN throughout Autopilot deployment — in Autopilot configuration, a template may be set in Intune’s endpoint safety. As well as, with Home windows 11 machines that meet sure {hardware} configurations, reminiscent of gadgets that meet trendy standby or meet the {Hardware} Safety Testability Specification (HSTI), encryption occurs by default in the course of the out-of-box expertise and encryption keys are backed up both to a Microsoft account or an Entra ID account by default.
Extra choices can strengthen BitLocker encryption
If the person wants a restoration key, ought to or not it’s essential to reset a workstation again to default settings, or ought to a tool ask for a BitLocker key throughout patching, the restoration key will likely be saved in a location that the assistance desk can refer them to. Autopilot permits the configuration of extra choices, reminiscent of strengthening the Bitlocker encryption algorithm. On the Bitlocker CSP in Intune, you possibly can specify a stronger algorithm reminiscent of XTS-AES 256-bit. You’ll be able to configure this in Endpoint Safety > Disk Encryption > Create Coverage > Platform > Home windows 10 and later after which select the BitLocker profile kind.
In the end, firms will wish to measure compliance with coverage — to overview system encryption standing throughout a agency and choices for monitoring and reporting. In a given area, there could also be scripting or third-party administration instruments which may be used to determine these drives which might be encrypted. The place there’s Intune licensing, experiences may be pulled utilizing the Intune encryption standing report console.
Log in to the Intune portal, then go to Units, then Monitor and click on on the encryption report. From there you’ll get a standing report of computer systems, what TPM model they’ve, if they’re prepared for encryption and most significantly, if they’re encrypted. It would additionally determine who has the username assigned to that pc system identify so you possibly can determine the “proprietor” of the pc.
