Protecting the endpoint and protecting the data it holds are separate decisions, and both matter. Given the rising value of data and the regulatory attention it attracts, the data itself needs comprehensive protection, and encryption of data at rest remains the fundamental safeguard for enterprise devices. This document outlines best practices for deploying BitLocker encryption across network endpoints.
BitLocker encryption prerequisites are the conditions a computer must satisfy before it can be encrypted. Confirm that every prerequisite is met before planning the deployment of an encryption policy.
If a device is unencrypted, its data is exposed to anyone who gains physical access to the disk. In the event of loss, theft or compromise, sensitive information can be read straight off the drive and misused. Encrypt every device on the network, those with and those without a TPM chip alike. Refer to this page to learn more about the encryption settings in Endpoint Central.
For computers with a TPM: enable an enhanced PIN in addition to the TPM
For computers without a TPM: a passphrase is the only option
TPM plus enhanced PIN is the ideal choice for computers equipped with a TPM. Its cost is that users must type the PIN at every boot, which some find cumbersome. TPM alone is the alternative, but it is not recommended: the volume is then unlocked automatically at boot, so the protection rests entirely on the boot chain and the running operating system resisting whoever has the device in hand.
Full disk encryption encrypts every sector of the drive, including free space, where traces of deleted files remain and can otherwise be recovered. It is the safest option, but the initial encryption of the whole drive takes longer. Used Disk Space Only encrypts only the sectors currently holding data; it finishes much faster and is acceptable for a new or freshly imaged device, but on a drive that has already been in use, previously deleted data in free space stays readable. Choose Used Disk Space Only only when that trade-off is acceptable.
Refer to this page to learn more about configuring encryption policies.
Encrypt all fixed drives, not just the operating system drive. Other volumes may hold equally valuable data.
Stick with the default encryption method Microsoft recommends for your Windows version (XTS-AES 128 on Windows 10 and later). Stronger methods such as XTS-AES 256 can be set through a manual policy where compliance or audit requirements demand them, but they may reduce performance and are otherwise not recommended. Decide before encrypting: the method cannot be changed afterwards without decrypting and re-encrypting the drive. To learn more about the encryption algorithms, refer to this page.
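The rules above (prerequisites, TPM+enhanced PIN versus passphrase, full versus used-space encryption, every fixed drive, default cipher) translate into a short provisioning script. The following PowerShell is an added example and not Endpoint Central's own code; it assumes the BitLocker policy already applied to the machine (by Endpoint Central or Group Policy) permits TPM+PIN with enhanced PINs and, on machines without a TPM, a startup password. The function names and the $Secret and $UsedSpaceOnly parameters are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not Endpoint Central's own code. Assumes the deployed BitLocker
# policy permits TPM+PIN with enhanced PINs and, without a TPM, a startup
# password. Function and parameter names are mine.

function Test-BitLockerReadiness {
    # Gather the prerequisites into one object so a deployment refuses to start
    # rather than failing halfway through Enable-BitLocker.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue                 # TrustedPlatformModule module
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmPresent     = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady       = [bool]($tpm -and $tpm.TpmReady)        # enabled, activated and owned
        EnhancedPin    = ($fve.UseEnhancedPin -eq 1)             # policy allows alphanumeric PINs
        PasswordNoTpm  = ($fve.EnableBDEWithNoTPM -eq 1)         # policy allows BitLocker without a TPM
        OsVolumeStatus = $os.VolumeStatus                        # FullyDecrypted, EncryptionInProgress, ...
        OsProtection   = $os.ProtectionStatus                    # On / Off
    }
}

function Enable-EndpointBitLocker {
    param(
        # Enhanced PIN on TPM machines, passphrase on machines without one.
        [Parameter(Mandatory)] [securestring] $Secret,
        # Faster initial encryption, but previously deleted data in free space stays readable.
        [switch] $UsedSpaceOnly
    )
    $ready = Test-BitLockerReadiness
    if ($ready.OsVolumeStatus -ne 'FullyDecrypted') {
        throw "OS volume is $($ready.OsVolumeStatus); nothing to do"
    }
    if ($ready.TpmPresent -and -not $ready.TpmReady) {
        throw 'TPM is present but not ready; initialise it before deploying the policy'
    }

    # Keep Microsoft's default cipher (XTS-AES 128 on Windows 10 and later); the
    # method cannot be changed later without decrypting and re-encrypting.
    $common = @{
        MountPoint       = $env:SystemDrive
        EncryptionMethod = 'XtsAes128'
        UsedSpaceOnly    = $UsedSpaceOnly.IsPresent
        SkipHardwareTest = $true   # start now; omit on a pilot machine to let BitLocker test the boot path first
    }
    if ($ready.TpmReady) {
        if (-not $ready.EnhancedPin) { throw 'Policy does not allow enhanced PINs' }
        Enable-BitLocker @common -TpmAndPinProtector -Pin $Secret | Out-Null
    } else {
        if (-not $ready.PasswordNoTpm) { throw 'Policy does not allow BitLocker without a TPM' }
        Enable-BitLocker @common -PasswordProtector -Password $Secret | Out-Null
    }
    # The recovery password is the fallback for a forgotten PIN or a changed boot
    # environment; add it in the same run so no machine is left without one.
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null

    # Other volumes hold data too: encrypt every fixed data volume with a drive
    # letter and let the protected OS volume unlock it automatically at boot.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.VolumeStatus -eq 'FullyDecrypted' -and $_.MountPoint -match '^[A-Z]:$' } |
        Where-Object { (Get-Volume -DriveLetter $_.MountPoint[0]).DriveType -eq 'Fixed' } |
        ForEach-Object {
            Enable-BitLocker -MountPoint $_.MountPoint -EncryptionMethod XtsAes128 `
                -RecoveryPasswordProtector -UsedSpaceOnly:$UsedSpaceOnly | Out-Null
            # Auto-unlock needs a protected OS volume; skip it if the hardware test is still pending.
            if ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On') {
                Enable-BitLockerAutoUnlock -MountPoint $_.MountPoint | Out-Null
            }
        }
    # Report what was done, one line per volume.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
}

# Usage: prompt for the PIN or passphrase rather than passing it on the command line.
# Enable-EndpointBitLocker -Secret (Read-Host -AsSecureString 'Enhanced PIN or passphrase')
```

The readiness check reads the same policy values (UseEnhancedPin, EnableBDEWithNoTPM) that the deployed policy writes, so a machine that does not yet meet the prerequisites stops before any key protector is created. Leave out -UsedSpaceOnly for drives that have already been in service.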
BitLocker enters recovery mode and demands the 48-digit recovery key whenever it cannot verify the boot environment: a firmware or boot configuration change, a cleared or replaced TPM, a drive moved to another computer, too many failed PIN attempts, or simply a forgotten PIN or passphrase. Microsoft cannot recover this key if it is lost, so a secure backup is mandatory. Enable the Update recovery key to domain controller option to store it in Active Directory.
Enhance security by rotating the recovery key automatically on a periodic basis: a key that has been disclosed, for instance read out to a user during a help-desk recovery, then stops working after the next rotation. This periodic rotation can be configured in Endpoint Central when setting up BitLocker policies by enabling the periodic rotation of the recovery key option.
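The escrow and rotation described in the two paragraphs above can be checked and reproduced by hand. The following PowerShell is an added example and not Endpoint Central's own code; it assumes a domain-joined computer whose policy permits backing up recovery information to AD DS, and the verification function additionally assumes the RSAT ActiveDirectory module on the machine running it. Function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example, not Endpoint Central's own code: escrow the recovery password in
# Active Directory and rotate it without ever leaving the machine with no escrowed
# key. Assumes a domain-joined computer; Test-RecoveryPasswordEscrowed also assumes
# the RSAT ActiveDirectory module. Function names are mine.

function Get-RecoveryPasswordProtector {
    param([string] $MountPoint = $env:SystemDrive)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

function Backup-RecoveryPasswordToAd {
    # Escrow every recovery password protector on the volume, creating one if none exists.
    param([string] $MountPoint = $env:SystemDrive)
    $protectors = @(Get-RecoveryPasswordProtector $MountPoint)
    if ($protectors.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $protectors = @(Get-RecoveryPasswordProtector $MountPoint)
    }
    foreach ($p in $protectors) {
        # Creates an msFVE-RecoveryInformation object under the computer account in AD.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
    }
    $protectors.KeyProtectorId
}

function Update-RecoveryPassword {
    # Rotation by replacement: add a new protector, escrow it, and only then remove
    # the old one. Removing first would open a window with no escrowed key.
    param([string] $MountPoint = $env:SystemDrive)
    $old = @(Get-RecoveryPasswordProtector $MountPoint)
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId }
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    } catch {
        # Escrow failed (offline, missing schema, no permission): roll back so the
        # protector on disk still matches what AD holds, and keep the old one.
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        throw "AD backup failed, old recovery password kept: $_"
    }
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $new.KeyProtectorId
}

function Test-RecoveryPasswordEscrowed {
    # Confirms from the AD side that the protector currently on disk has been escrowed.
    # Run from an admin workstation with RSAT; the recovery objects are named
    # "<timestamp>{<protector GUID>}" under the computer account.
    param([string] $MountPoint = $env:SystemDrive, [string] $ComputerName = $env:COMPUTERNAME)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $escrowed = Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter 'objectClass -eq "msFVE-RecoveryInformation"' |
        ForEach-Object { if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1].ToUpper() } }
    @(Get-RecoveryPasswordProtector $MountPoint).KeyProtectorId | ForEach-Object {
        $id = $_.Trim('{}').ToUpper()
        [pscustomobject]@{ KeyProtectorId = $id; Escrowed = ($id -in $escrowed) }
    }
}

# Usage on the endpoint:  Backup-RecoveryPasswordToAd; Update-RecoveryPassword
# Usage on an admin host: Test-RecoveryPasswordEscrowed -ComputerName 'PC-0001'
```

The order in Update-RecoveryPassword is the whole point: the new password is written to AD before the old one is removed, and a failed backup rolls the change back, so the key a help-desk operator finds in AD always matches the one the machine will ask for. The recovery screen shows the first eight hex digits of the KeyProtectorId, which is what the operator searches for in Active Directory.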
BitLocker binds the encryption keys to a specific computer and its TPM, not to whoever is logged on, so associate policies with computers, not users. Also ensure that only one policy, either encryption or decryption, is deployed to each computer; the two contradict each other.