Enabling and Configuring BitLocker


This step-by-step tutorial will show you how to enable and configure BitLocker disk encryption.

This is Part 4 of a 5-part series

=======================================================================

Welcome to part 4 of my five-part series of tutorials taking you step by step through configuring Microsoft Endpoint Manager / Intune, focusing on the essential security configurations.

Security Essentials - Five part series
1. Configure and apply the Security Baseline - Link 
2. Configure Windows Hello for Business - Link 
3. Configure Windows 10 Compliance Policy - Link  
4. Enabling and Configuring BitLocker - Link - This Tutorial
5. Utilize dedicated Intune admin accounts rather than Global Admin accounts - Link 

If you don't have a test environment for Intune / Endpoint Manager, just follow this guide on 
How to get a Free Developer Tenant with 25 x E5 licenses and a free Top Level domain name - Link

=========================================================================

4. Enabling and Configuring BitLocker

BitLocker Overview - Link

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

Resources - 
Overview of BitLocker Device Encryption in Windows 10 - Link 
Enable BitLocker Silently using Autopilot and Intune - Link
Video training from intune.training - Link 

=========================================================================

Pre-requisite - Enable the ESP - Enrollment Status Page - Link
As per this article - Link

=====================================================================

Enabling and Configuring BitLocker

Devices - Configuration Profiles


Create profile


Platform - Windows 10 and later
Profile type - Templates
Template Name - Endpoint Protection
Create


Basics
Name - Windows 10 - BitLocker
Next


Configuration settings
Expand Windows Encryption

Tip - Hover mouse over the info icon to get more information


Below are the recommended settings from the intune.training guys on their video (see resources at top).
Video training from intune.training - Link 

Windows Settings -


BitLocker base settings -
Enabling "Allow standard users to enable encryption during Azure AD join" is a good choice for minimising risk.

Note - encryption level - Link
If you change the encryption method for the OS drive to anything stronger than 128-bit, first understand what encryption method your hardware vendor ships devices with: this policy may force the drive to be decrypted and then re-encrypted to meet the method you have enforced.


Authentication before OS - Link (PIN needed before accessing the OS)
These TPM settings only apply to the Enterprise, Education and Mobile editions of Windows 10.


In this tutorial, I am not requiring additional authentication at start-up.
Below are screenshots of my current settings -




BitLocker fixed data-drive settings (a secondary drive, for example the D drive)
This is worth configuring in the real world to protect secondary drives from data loss.
In this tutorial I am not configuring these settings.



BitLocker removable data-drive settings -

If you are using the default Security Baseline for Endpoint Manager (December 2020), there is no need to configure this profile to block write access to removable data drives, as the Security Baseline already does that.
Setting it to Block here as well will cause a policy conflict.


Security Baseline configuration


Next -

Assignments -
Add groups - Search for and select the groups - Assign the appropriate device group(s)


Included groups will now update
Next


Applicability Rules - None
Next

Review and Create
Create


=========================================================================

End user experience

Settings - Access work or school
Click - Connected to ....
Click - Info


Here we can see all the policies being applied


After some time -
Check the C drive to see if there is a padlock symbol


Check BitLocker in Control Panel to confirm the drive is encrypting.
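The padlock icon and the Control Panel view only tell you that encryption has started. The script below is an added example (not part of the original tutorial) that checks the same things from an elevated PowerShell prompt on the device, plus the points raised earlier in this tutorial: TPM presence and version, the encryption method actually in use versus the one the profile targets, and whether a recovery password protector exists. $ExpectedMethod is an assumption; change it if you raised the encryption method in the profile.

```powershell
# Added example, not from the original tutorial. Run elevated on the Windows 10 device.
# Assumption: the OS drive is C: and the profile left the OS drive at XTS-AES 128.
$ExpectedMethod = 'XtsAes128'

# TPM state: BitLocker gives the most protection with TPM 1.2 or later.
$tpm     = Get-Tpm
$tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
[pscustomobject]@{
    TpmPresent  = $tpm.TpmPresent
    TpmReady    = $tpm.TpmReady
    SpecVersion = $tpmInfo.SpecVersion   # e.g. "2.0, 0, 1.16"
} | Format-List

# OS volume: status, method in use, and which key protectors exist.
$os = Get-BitLockerVolume -MountPoint 'C:'
$os | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod | Format-List
$os.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

# Plain-language verdict, the same thing the padlock and Control Panel are telling you.
switch ($os.VolumeStatus) {
    'EncryptionInProgress' { "C: is still encrypting ($($os.EncryptionPercentage)%), expected shortly after the policy lands." }
    'FullyEncrypted'       {
        if ($os.ProtectionStatus -eq 'On') { "C: is fully encrypted and protection is on." }
        else { "C: is encrypted but protection is Off (suspended); check for a pending reboot or firmware update." }
    }
    default { "C: is not protected (VolumeStatus=$($os.VolumeStatus)). Confirm the profile is listed under Access work or school > Info." }
}

# Encryption method: a drive already encrypted before the policy arrived (OEM image, device encryption)
# keeps its original method, and changing it means a full decrypt and re-encrypt, as noted above.
if ($os.VolumeStatus -ne 'FullyDecrypted' -and $os.EncryptionMethod -ne $ExpectedMethod) {
    "Warning: C: uses $($os.EncryptionMethod) but the profile expects $ExpectedMethod."
}

# A RecoveryPassword protector must exist for the recovery key to be backed up to Azure AD.
if (-not ($os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    "Warning: no RecoveryPassword protector on C:, so there is no recovery key to escrow."
}
```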


======================================================================

Footnote for testing on Hyper-V virtual machines - 

Enabling TPM for test labs with Hyper-V VMs.


If testing in a Hyper-V environment, you will need to change the configuration of your test VM.
Edit the VM settings as below after the machine is shut down.

Security - Under Encryption Support - Tick - Enable Trusted Platform Module


IMPORTANT - Link
If testing on a Hyper-V VM, ensure you eject the Windows 10 install disk or encryption will fail.
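The same two Hyper-V changes can be made from PowerShell on the Hyper-V host. This is an added example, not from the original tutorial; $VMName is an assumption, so set it to your test VM's name. It checks the VM is Generation 2 (a virtual TPM requires it), powers it off, enables the TPM, and ejects any attached install media before starting it again.

```powershell
# Added example, not from the original tutorial. Run on the Hyper-V host as an administrator.
# Assumption: $VMName is the Generation 2 Windows 10 test VM you are enrolling into Intune.
$VMName = 'W10-Intune-Test'

$vm = Get-VM -Name $VMName
if ($vm.Generation -ne 2) {
    throw "A virtual TPM needs a Generation 2 VM; $VMName is Generation $($vm.Generation)."
}

# Security settings can only be changed while the VM is off.
if ($vm.State -ne 'Off') { Stop-VM -Name $VMName -Force }

# The virtual TPM needs a key protector on the VM. A local key protector is enough for a lab;
# this is what Hyper-V Manager creates for you when you tick "Enable Trusted Platform Module".
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

# Eject any mounted install media: encryption fails on a VM that still has the install disk attached.
Get-VMDvdDrive -VMName $VMName | Where-Object Path | Set-VMDvdDrive -Path $null

# Show the result before powering the VM back on.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, KeyStorageDriveEnabled
Get-VMDvdDrive -VMName $VMName | Select-Object ControllerNumber, ControllerLocation, Path
Start-VM -Name $VMName
```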


======================================================================

Check out all my tutorials - Link 



Highlights include - 
13 part series on how to perform the initial Tenant and Intune Configuration - Link 

1. Configure DNS and CNAME
2. Company Branding - Self Service Password Reset (SSPR) - Enable Enterprise State Roaming
3. Enable Conditional Access and MFA (Multi factor authentication)
4. Configure Conditional Access Terms of Use
5. Company Terms and Conditions
6. User and Device Groups, and Device Categories
7. Set-up Autopilot profile and configure MAM and MDM scope for automatic enrollment
7a. More information regarding options for configuring the MDM and MAM user scopes
8. Enrollment Status Page
9. Enrollment Restrictions

10. Deploying Microsoft 365 apps (Office apps)
11. Enable Microsoft Store for Business and publish the Company Portal app
12. Assign Company Portal app
13. Test autopilot via register online

===============================================================


About the author -
Terry Munro is an IT specialist based in Brisbane, Australia.
He draws upon over 20 years' experience designing and delivering technical solutions to a variety of enterprise clients in the private, government and education sectors, to revolutionise client businesses through collaboration and getting the most value from a variety of cloud solutions.
He is passionate about learning new technologies and is a firm believer in sharing knowledge to provide a better experience for all.

You can connect with Terry
LinkedIn - https://www.linkedin.com/in/terry-munro/
Facebook - @IntuneAdmin - https://www.facebook.com/IntuneAdmin/
Facebook Community Group - https://www.facebook.com/groups/intuneadmin/ 
GitHub Repository - https://github.com/TeamTerry
