
Bitlocker encryption using AAD/MDM for Cloud Data Security


With Windows 10's new features, the productivity of users has increased by leaps and bounds. That's because Windows 10 introduced its 'Mobile first, Cloud first' approach, which is nothing but the integration of mobile devices with cloud technology. Windows 10 delivers modern management of data using cloud-based device management solutions such as Microsoft Enterprise Mobility Suite (EMS). With this, users can access their data from anywhere and at any time. However, this kind of data also needs good security, which is possible with BitLocker.


BitLocker encryption for cloud data security

BitLocker encryption configuration is already available on Windows 10 mobile devices. However, these devices needed to have InstantGo capability to automate the configuration. With InstantGo, the user could automate the configuration on the device as well as back up the recovery key to the user's Azure AD account.

But now the devices will not require the InstantGo capability anymore. With Windows 10 Creators Update, all Windows 10 devices will have a wizard where users are prompted to start BitLocker encryption regardless of the hardware used. This was mainly the result of users' feedback about the configuration, where they wished to have this encryption automated without having the users do anything. Thus, BitLocker encryption has now become automatic and hardware independent.

How does BitLocker encryption work

When the end-user enrolls the device and is a local admin, the TriggerBitlocker MSI does the following:

  • Deploys 3 files into C:\Program Files (x86)\BitLockerTrigger\
  • Imports a new scheduled task based on the included Enable_Bitlocker.xml

The scheduled task will run every day at 2 PM and will do the following:

  • Run Enable_Bitlocker.vbs, whose main role is to call Enable_BitLocker.ps1 and make sure it runs minimized.
  • In its turn, Enable_BitLocker.ps1 will encrypt the local drive and store the recovery key in Azure AD and OneDrive for Business (if configured)
    • The recovery key is only stored when either changed or not present
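The following is an added example sketching the Enable_BitLocker.ps1 flow described above; it is not the script shipped in the TriggerBitlocker MSI. It assumes Windows 10 with the BitLocker PowerShell module, an Azure AD-joined device, and that the OneDrive for Business sync root is available in `$env:OneDriveCommercial` (an assumption); the file name format for the escrowed key is also an assumption.

```powershell
# Added example (not the MSI's own script): encrypt the system drive, escrow the
# recovery password to Azure AD, and copy it to OneDrive for Business only when
# no copy exists or the stored value differs.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = $env:SystemDrive,
    # Assumption: OneDrive client exposes the business sync root in this variable.
    [string]$RecoveryFolder = (Join-Path $env:OneDriveCommercial 'recovery')
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# 1. Encrypt the OS volume if it is still unprotected; the TPM unlocks it at boot.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest -EncryptionMethod XtsAes256
}

# 2. Make sure a recovery password protector exists; add one if it is missing.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# 3. Escrow the recovery password to the device's Azure AD object.
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 4. Write a copy to the OneDrive for Business recovery folder only when it is
#    not present yet or its content differs from the current recovery password.
if ($env:OneDriveCommercial) {
    if (-not (Test-Path $RecoveryFolder)) {
        New-Item -ItemType Directory -Path $RecoveryFolder | Out-Null
    }
    # Assumption: one file per protector, named after the protector GUID.
    $file = Join-Path $RecoveryFolder ("BitLocker-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    $stored = if (Test-Path $file) { (Get-Content -Path $file -Raw).Trim() } else { $null }
    if ($stored -ne $rp.RecoveryPassword) {
        Set-Content -Path $file -Value $rp.RecoveryPassword -Encoding ASCII
    }
}
```

Run it from the scheduled task in an elevated context; if the device has no TPM, step 1 fails and the script stops before any key is escrowed, which is the safe outcome.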

Users who are not part of the local admin group need to follow a different procedure. By default, the first user that joins a device to Azure AD is a member of the local admin group. If a second user, who is part of the same AAD tenant, logs on to the device, it will be a standard user.

This bifurcation is necessary when a Device Enrollment Manager account takes care of the Azure AD join before handing over the device to the end-user. For such users, a modified MSI (TriggerBitlockerUser) has been provided by the Windows team. It is slightly different from the one for local admin users:

The BitlockerTrigger scheduled task will run in the System context and will:

  • Copy the recovery key to the Azure AD account of the user who joined the device to AAD.
  • Copy the recovery key to Systemdrive\temp (typically C:\Temp) temporarily.

A new script, MoveKeyToOD4B.ps1, is introduced and runs daily via a scheduled task called MoveKeyToOD4B. This scheduled task runs in the user's context. The recovery key will be moved from systemdrive\temp to the OneDrive for Business\recovery folder.

For the non-local admin scenarios, users need to deploy the TriggerBitlockerUser file via Intune to the group of end-users. This is not deployed to the Device Enrollment Manager group/account used to join the device to Azure AD.

To get access to the recovery key, users need to go to either of the following locations:

  • Azure AD account
  • A recovery folder in OneDrive for Business (if configured).

Users are advised to retrieve the recovery key via http://myapps.microsoft.com by navigating to their profile, or from their OneDrive for Business\recovery folder.

For more information on how to enable BitLocker encryption, read the complete blog post on Microsoft TechNet.


Source: https://www.thewindowsclub.com/