Encryption #1 – Microsoft Bitlocker, deploying via Intune, GPO or Powershell?
Introduction
Encryption is a practice that has been in use since time immemorial; the historical record shows encryption in use by the Spartans around 600 BC, as Thales introduces to us here.
The reason for encrypting is fairly self-explanatory: a message to your military leaders in 600 BC could be intercepted, and that interception would mean your army's movements were compromised. By encrypting the same military information, even if the messenger was “hijacked”, the information would remain secure without the decryption mechanism, and the worst that would happen is that a message didn’t get through – no secrets lost.
In the modern day, encryption is used for fairly similar reasons, except that what is “hijacked” is not military plans and the “hijacked” messenger is probably not going to end up dead! Today encryption is all around you, from Wi-Fi, cellular and NFC communications to the transmission of “contactless payments” and the protection of your web traffic when you use HTTPS://, as all websites should be doing today (see HTTPS for more information). The point is that encryption in today’s age is something we cannot live without; it protects our data, our in-flight communications etc. from malicious actors – not Nicolas Cage, he is just a bad actor, yet I have to watch each new movie he releases…..
Encryption for devices
Encryption can mean losing all of your data FOREVER too, so make certain that you have a backup of the encryption keys before you enable it!
In 2024, encryption must be enabled and enforced on all devices and all permitted storage, across all organisations and on all personal devices (PC or mobile), without fail. Otherwise, if a device is stolen, the data on it is easily readable by anyone who can reinstall the operating system, whether Windows, macOS, iOS or Android.
Encryption should be enabled, on:
- Windows and MacOS devices
- Mobile operating systems (enabling a PIN does this on iOS)
- Corporate-approved storage devices (the best approach is not to allow removable storage devices at all)
- All Servers including OS drives
- Network Attached Storage (NAS)
- Backups (the tapes that go offsite too)
TPM and Secure Enclaves
Trusted Platform Modules are absolutely necessary nowadays to provide a mechanism that keeps sensitive user data secure and ensures a device is secure. A TPM can also help reduce the risk from cyber attacks; it is not 100% infallible, but it is good enough for most users. If you need 100% security then Thales! can help, until they are breached.
A Trusted Platform Module, or Apple’s T1 or T2 “Secure Enclave”, is not a prerequisite for encryption but is desirable and should be included with any devices purchased for corporate use. A TPM allows for pre-boot encryption, which ensures that a device is completely (99%) secure and in most cases is not usable if stolen, except for parts.
Microsoft has further reading here about TPM and Apple has its own description here.
Encryption Management
The reason for my writing this article was in fact a partner asking last week about best practice for encryption: should they implement Intune first, or can they implement encryption regardless of Intune.
My response was that encryption is necessary on all devices. If you have a method to roll it out and manage it centrally, then that is the “best practice”; if Intune is going to be deployed shortly, then wait and deploy with Intune to simplify its management, and disable USB device access for Windows and macOS while you are at it (yes, Intune can do that).
If a management platform like Intune is still some way off, then deploy using whatever management tool you have available.
If the devices are associated with Entra ID user accounts, then by default the encryption keys will be backed up to Entra ID, giving a centralised backup.
Enabling Encryption on Windows
Rather than go through the process myself, many technologists have written about it and I will share their information to help with your deployment of BitLocker encryption. There are three main methods: PowerShell, Group Policy (not for cloud-only organisations) and Intune.
#1, PowerShell script
Starting with the least automated method, enabling BitLocker with PowerShell: my recommendation here is to manage this through an RMM or other management platform to ensure later changes are easy to roll out.
Enable BitLocker with PowerShell – 4sysops
If you are not using a TPM then you will need a separate recovery key, and pre-boot encryption is not possible either. The data stored on the device is secure providing it lives on a volume you have encrypted, though performance may be impacted.
When using BitLocker without a TPM, a recovery key must be used.
Further information on deploying BitLocker with PowerShell is here:
BitLocker overview – Windows Security | Microsoft Learn
Deploy BitLocker by script
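To make the PowerShell route concrete, here is an added example (my own, not taken from the 4sysops or Microsoft articles linked above) that enables BitLocker on the OS drive with a TPM protector, creates the recovery password first so it can never be lost, and backs it up to Entra ID as described in the Encryption Management section. It assumes the OS drive is C:, the device has a ready TPM and is Entra joined or registered, and it is run elevated.

```powershell
# Added example: enable BitLocker on the OS drive with TPM + recovery password,
# then escrow the recovery password in Entra ID. Assumes an elevated session on
# an Entra-joined Windows device whose OS drive is C:.
#Requires -RunAsAdministrator

$MountPoint = 'C:'   # assumption: the OS drive letter

# 1. Check the TPM. Without a ready TPM the TPM protector cannot be created, so stop
#    here rather than leave the volume half-configured (see the "without TPM" note).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this device; TPM-based pre-boot protection is not available."
}

# 2. Skip the enable step if the volume is already protected, so the script is safe
#    to schedule repeatedly from an RMM.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "$MountPoint is already protected ($($vol.VolumeStatus))."
}
else {
    # 3. Add the recovery password protector FIRST: this is the key that must be
    #    backed up before encryption starts, otherwise a boot problem loses the data.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 4. Turn encryption on with the TPM as the pre-boot unlock mechanism. XTS-AES 256
    #    and used-space-only encryption suit freshly imaged corporate devices.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmProtector -SkipHardwareTest | Out-Null
}

# 5. Back up every recovery password protector to Entra ID, then report the state
#    an administrator (or auditor) wants to see.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recoveryProtectors = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($kp in $recoveryProtectors) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $kp.KeyProtectorId | Out-Null
    Write-Output "Recovery protector $($kp.KeyProtectorId) backed up to Entra ID."
}

$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Confirm the escrow afterwards in the Entra ID device record (BitLocker keys) before trusting the device to a user; if the backup cmdlet fails, the recovery password still exists locally and can be retrieved with Get-BitLockerVolume while you fix the join state.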
#2, Group Policy deployment
Active Directory Group Policy deployment – still sticking to the centralised model, which is always most desirable.
Obviously this method can only work if your organisation is still utilising Microsoft Active Directory, and it discounts many small businesses that have migrated to Entra ID only. By the way, congratulations if you have no AD – you have improved your security posture by 90% (not based in fact!) by deleting Active Directory from your existence.
Here is a detailed description of deploying BitLocker by Microsoft Group Policy.
https://askme4tech.com/how-enable-bitlocker-group-policy
#3, Microsoft Intune
Microsoft Intune, previously Microsoft Endpoint Manager, and prior to that Microsoft Intune again!, is the preferred method of device management where possible in the modern “Cloud First” organisation. Intune does NOT manage servers, but for Windows, macOS, iOS, Linux and Android, Microsoft Intune is the best way to centrally deploy, update and apply configurations.
Microsoft has provided some information here:
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices
But by far the best source of information on deployment via Intune is Prajwal Desai, below:
https://www.prajwaldesai.com/enable-and-configure-bitlocker-using-intune/
Apple Mac Encryption
Apple has its own encryption support native to the platform, known as FileVault, which can be deployed via an MDM solution, including Intune, keeping all your device security configurations central.
Microsoft has some detail here:
https://learn.microsoft.com/en-us/mem/intune/protect/encrypt-devices-filevault
Further details, which include other security hardening for Apple macOS, are here:
https://hmaslowski.com/f/macos-security-hardening-with-microsoft-intune
Apple iOS encryption
Apple iOS encryption is relatively easy to deploy and should be implemented on corporate devices.
There is further detail on managing encryption via Intune here:
Microsoft also provides further information here:
https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
There is one more method – SCCM deployment, but hoping for the overdue death of SCCM means that I cannot include a summary of deploying BitLocker with SCCM.
Finally
If your business is using Intune and you are rolling out encryption, ensure that you are also leveraging a compliance policy to enforce that devices connecting to your organisation are secure. This does not just mean that encryption is enabled, but also that the operating system is up to date and all other security mechanisms are in place, such as anti-virus, Endpoint Detection and Response etc.
Summary
Encryption, when used for good, will secure your devices and ensure that your data remains “your” data, not accessible to other parties or criminals. But use it wisely: encryption needs a decryption object (PIN, password, certificate, token etc.) and if this is lost then you have no access to the data EVER AGAIN.
Ensure that all data is encrypted at “rest” and “in transit” at all times and across all your platforms, and make sure that the decryption keys are stored centrally and always accessible to an administrator in the case of a disaster.
Make sure that all corporate data is backed up, and that the offsite copy uses a different encryption mechanism which is regularly tested as a part of your Business Continuity testing.