Whether to prioritize protecting the endpoint or the data it holds is a central question. Given the rising value of data and the regulatory scrutiny around it, both need protection, and encryption is the fundamental safeguard for data at rest on a device. This document outlines best practices for deploying BitLocker encryption across all network endpoints.
BitLocker encryption prerequisites are the criteria a computer must satisfy before it can be encrypted: a Windows edition that includes BitLocker, an NTFS operating system volume, a separate system partition holding the boot files, and, for TPM-based protection, a TPM 1.2 or 2.0 that is present and ready (UEFI with Secure Boot is recommended). Confirm that every prerequisite is met on each target computer before planning the deployment of an encryption policy.
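The following is an added example, not code from Endpoint Central or this page: a read-only readiness check, run as an elevated administrator on each target computer, that reports the prerequisites listed above and which protector the machine can support. The function name, the set of checks, and the reliance on Get-Partition's IsSystem flag to find the system partition are this example's own assumptions.

```powershell
# Added example (not Endpoint Central's own code): read-only prerequisite check.
# Run elevated on the target computer before a BitLocker policy is planned.
function Test-BitLockerPrerequisites {
    [CmdletBinding()]
    param([string]$OsDrive = $env:SystemDrive)   # e.g. "C:"

    $letter = $OsDrive.TrimEnd(':')
    $r = [ordered]@{}

    # BitLocker cmdlets are built into Windows client editions; on Server they are a feature.
    $r['BitLockerCmdlets'] = [bool](Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)

    # TPM state decides the protector: TPM + enhanced PIN if ready, passphrase otherwise.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $r['TpmPresent'] = [bool]$tpm.TpmPresent
        $r['TpmReady']   = [bool]$tpm.TpmReady
    } catch {
        $r['TpmPresent'] = $false
        $r['TpmReady']   = $false
    }

    # UEFI with Secure Boot is the recommended platform; Confirm-SecureBootUEFI throws on legacy BIOS.
    $r['Uefi'] = ($env:firmware_type -eq 'UEFI')
    try   { $r['SecureBoot'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r['SecureBoot'] = $false }

    # The OS volume must be NTFS and not left half-encrypted by an earlier attempt.
    $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
    $r['OsVolumeFound']  = [bool]$vol
    $r['OsVolumeStatus'] = if ($vol) { "$($vol.VolumeStatus)" } else { 'Unknown' }
    $r['Ntfs'] = ((Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).FileSystem -eq 'NTFS')

    # A separate system partition must hold the boot files, because the boot manager runs
    # before the OS volume is unlocked. Assumption: Get-Partition's IsSystem flag marks it.
    $diskNumber = (Get-Partition -DriveLetter $letter).DiskNumber
    $r['SystemPartition'] = [bool](Get-Partition -DiskNumber $diskNumber |
        Where-Object { $_.IsSystem -and "$($_.DriveLetter)" -ne $letter })

    $r['Ready'] = $r['BitLockerCmdlets'] -and $r['OsVolumeFound'] -and $r['Ntfs'] -and
                  $r['SystemPartition'] -and ($r['OsVolumeStatus'] -eq 'FullyDecrypted')
    $r['RecommendedProtector'] = if ($r['TpmReady']) { 'TpmAndPin' } else { 'Password' }

    [pscustomobject]$r
}

Test-BitLockerPrerequisites | Format-List
```

A machine that reports Ready but TpmReady false is the case the next section covers: it can be encrypted, but only with a passphrase, and the deployment plan should list such computers separately.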
An unencrypted computer on your network is an open door for any attacker: a lost or stolen device gives up its data without any exploitation. It is therefore critical to encrypt every computer in the network, both those with and those without a TPM chip. Refer to this page to learn more about the encryption settings in Endpoint Central.
For computers with a TPM - enable an enhanced PIN in addition to the TPM
For computers without a TPM - a passphrase is the only option; Windows permits this only when the BitLocker policy allows BitLocker without a compatible TPM
TPM plus enhanced PIN is the ideal choice for computers with a TPM: the TPM seals the volume key to the measured boot chain, and the PIN adds a factor the user knows, so possession of the device alone does not unlock the drive. The trade-off is that the user must enter the enhanced PIN at every boot. To reduce user friction you can opt for TPM-only protection, but this is not recommended: the drive then unlocks automatically during boot, which weakens resilience against an attacker who has the device in hand.
Full disk encryption encrypts every sector on the volume, including unused disk space. Traces of deleted confidential data can remain in the free space and be recovered, so full disk encryption is the safer choice for any drive that has already been in use. Refer to this page to learn more about configuring encryption policies.
The cost is time rather than steady-state performance: the initial encryption pass has to cover the whole volume, which takes longer on large drives, but once it completes the two modes perform the same. Choose Used Disk Space Only encryption when you want the initial pass to finish quickly, and only for drives that are new or freshly imaged and have never held sensitive data.
Other volumes besides the operating system volume also store data. Always encrypt all fixed drives rather than the OS drive alone; data drives can be set to unlock automatically once the OS drive is protected, so users see no extra prompts.
Use the default encryption method Microsoft suggests for your Windows version (XTS-AES 128 from Windows 10 version 1511 onwards). If a compliance or audit standard requires a stronger method such as XTS-AES 256, configure a policy manually to match it. Otherwise stay with the default: stronger methods add a modest performance cost, and the method cannot be changed on a volume without decrypting and re-encrypting it. To know more about the encryption algorithms, refer to this page.
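The following is an added example, not Endpoint Central's own configuration, that brings together the protector choice, the full-disk versus used-space decision, the encryption of data drives, and the encryption method discussed above. It writes the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the corresponding BitLocker Group Policy settings write, as a local stand-in for the policy Endpoint Central or a GPO would push; the value names and meanings are as this example assumes them, and the function names are its own. Run it elevated.

```powershell
# Added example, not Endpoint Central's own code. Registry values below are assumed to be
# those written by the matching BitLocker Group Policy settings.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# "Require additional authentication at startup": allow TPM+PIN, and allow BitLocker without
# a compatible TPM only because TPM-less machines in the fleet still need a passphrase.
# For the UseTPM* values: 2 = allowed, 1 = required, 0 = not allowed.
Set-ItemProperty $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
Set-ItemProperty $fve -Name UseTPM       -Value 2 -Type DWord
Set-ItemProperty $fve -Name UseTPMPIN    -Value 2 -Type DWord
Set-ItemProperty $fve -Name UseTPMKey    -Value 2 -Type DWord
Set-ItemProperty $fve -Name UseTPMKeyPIN -Value 2 -Type DWord
# "Allow enhanced PINs for startup": letters and symbols instead of digits only.
Set-ItemProperty $fve -Name UseEnhancedPin -Value 1 -Type DWord
# "Choose drive encryption method and cipher strength": 6 = XTS-AES 128 (the Windows 10
# 1511+ default); use 7 = XTS-AES 256 only where a standard demands it.
foreach ($name in 'EncryptionMethodWithXtsOs','EncryptionMethodWithXtsFdv','EncryptionMethodWithXtsRdv') {
    Set-ItemProperty $fve -Name $name -Value 6 -Type DWord
}

function Enable-OsDriveEncryption {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][SecureString]$Secret,   # enhanced PIN (TPM) or passphrase (no TPM)
        [switch]$UsedSpaceOnly                          # default here is full disk encryption
    )
    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch {}

    $common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes128'; SkipHardwareTest = $true }
    if ($UsedSpaceOnly) { $common['UsedSpaceOnly'] = $true }

    if ($tpmReady) {
        # TPM seals the volume key to the measured boot chain; the PIN adds a factor the
        # user knows, so possession of the device alone does not unlock the drive.
        Enable-BitLocker @common -TpmAndPinProtector -Pin $Secret
    } else {
        # No TPM: a passphrase is the only pre-boot protector this policy allows.
        Enable-BitLocker @common -PasswordProtector -Password $Secret
    }
}

function Enable-DataDriveEncryption {
    # Encrypt every fixed, lettered data volume too, and let the OS volume unlock them
    # automatically at boot. Run once the OS volume reports ProtectionStatus On.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.VolumeStatus -eq 'FullyDecrypted' -and
                       $_.MountPoint -match '^[A-Z]:$' -and
                       (Get-Volume -DriveLetter $_.MountPoint.TrimEnd(':')).DriveType -eq 'Fixed' } |
        ForEach-Object {
            Enable-BitLocker -MountPoint $_.MountPoint -EncryptionMethod XtsAes128 -RecoveryPasswordProtector | Out-Null
            Enable-BitLockerAutoUnlock -MountPoint $_.MountPoint | Out-Null
        }
}

# Usage: the initial pass runs in the background; the OS protector is tested at the next boot.
$secret = Read-Host -AsSecureString 'Enhanced PIN (TPM machines) or passphrase (no TPM)'
Enable-OsDriveEncryption -Secret $secret            # add -UsedSpaceOnly for a freshly imaged drive
Enable-DataDriveEncryption
Get-BitLockerVolume | Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus
```

The final Get-BitLockerVolume call is the check worth keeping in any rollout report: every fixed volume should show the expected EncryptionMethod, VolumeStatus of FullyEncrypted once the pass completes, and ProtectionStatus On.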
BitLocker enters recovery mode and demands the recovery key whenever it detects a change that could indicate tampering: a change to the boot configuration, firmware, or hardware measured by the TPM, or too many failed PIN attempts. If the recovery key is lost, Microsoft cannot retrieve or recreate it, so it is important to keep a backup in a secure place. Enable the Update recovery key to domain controller option to archive the recovery key in Active Directory.
The recovery key is archived to the domain controller by enabling this option in Endpoint Central while creating the BitLocker policy.
Besides archiving the recovery key in AD, you can take a stronger approach: automatically change the recovery key on a schedule by enabling the periodic rotation of the recovery key option. Rotation limits how long a recovery key that has been viewed or disclosed, for example one read out to a user by the help desk, remains usable.
Periodic rotation of the recovery key is enabled through the Endpoint Central console while configuring the BitLocker policy.
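The following is an added example, not the Endpoint Central option itself, showing the Windows mechanism that AD archiving and recovery key rotation rest on. It assumes a domain-joined computer whose domain schema holds BitLocker recovery objects (ms-FVE-RecoveryInformation, present since Windows Server 2008), that the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are those written by the policy "Choose how BitLocker-protected operating system drives can be recovered", and a hypothetical script path for the scheduled task. Run it elevated.

```powershell
# Added example, not Endpoint Central's own code. Assumes domain-joined computer and the
# FVE registry value names below; C:\Scripts\Rotate-BitLockerRecoveryPassword.ps1 is hypothetical.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty $fve -Name OSRecovery                     -Value 1 -Type DWord  # policy enabled
Set-ItemProperty $fve -Name OSRecoveryPassword             -Value 2 -Type DWord  # allow 48-digit password
Set-ItemProperty $fve -Name OSActiveDirectoryBackup        -Value 1 -Type DWord  # escrow to AD DS
Set-ItemProperty $fve -Name OSRequireActiveDirectoryBackup -Value 1 -Type DWord  # no AD, no BitLocker
Set-ItemProperty $fve -Name OSActiveDirectoryInfoToStore   -Value 1 -Type DWord  # passwords + key packages

function Rotate-BitLockerRecoveryPassword {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Add the new recovery password first, so the volume is never without one.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId }

    # 2. Escrow it in AD, and only then retire the old ones. If the backup fails (no DC
    #    reachable, schema missing), the new protector is removed and the old key stays
    #    both on the volume and in AD, so recovery is never silently broken.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        throw "AD backup failed, rotation aborted: $($_.Exception.Message)"
    }
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Return protector ids only; the 48-digit password itself must never be logged.
    [pscustomobject]@{
        MountPoint             = $MountPoint
        NewRecoveryProtectorId = $new.KeyProtectorId
        RetiredProtectorIds    = @($old.KeyProtectorId)
    }
}

# One-off rotation now, then every 90 days as SYSTEM via a scheduled task that runs the
# same function from a script file (path is an assumption of this example).
Rotate-BitLockerRecoveryPassword
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Rotate-BitLockerRecoveryPassword.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -DaysInterval 90 -At 3am
Register-ScheduledTask -TaskName 'BitLocker recovery password rotation' -Action $action -Trigger $trigger `
           -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest | Out-Null
```

The ordering in the rotation function is the point: add, escrow, verify, then remove. Reversing it, or removing the old protector before the AD write is confirmed, is how fleets end up with drives whose only recovery password exists nowhere but on the drive itself.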
BitLocker protects a specific drive on a specific computer, and the TPM it relies on is hardware bound to that machine. It is therefore sensible to associate a BitLocker policy with a computer rather than with a user. Also, deploy either an encryption policy or a decryption policy to a given computer, never both, so that the two policies cannot conflict.