Get more device control flexibility with BitLocker settings in Defender for Endpoint
With hybrid work here to stay and data-centric cyberattacks on the rise, safeguarding sensitive information is critical to every security strategy. While data loss prevention (DLP) is often considered for cloud storage locations, the management of removable storage devices such as USBs is equally important, to help ensure that data at rest is encrypted and that the integrity and confidentiality of sensitive information are maintained.
We’re excited to announce that Defender for Endpoint device control support for BitLocker is now in public preview. This new feature provides security admins with more granular control through policy exceptions for BitLocker encrypted devices.
Comprehensive management of removable storage devices
BitLocker encryption has long been recognized for its ability to protect data on devices by encrypting the entire drive, ensuring that data remains inaccessible to unauthorized users. With the integration of BitLocker device control, organizations can now seamlessly integrate their Defender for Endpoint policies with BitLocker’s best-in-class encryption for a comprehensive method to manage access to removable storage based on the BitLocker encryption state.
This flexibility allows administrators to require BitLocker encryption, and then manage exceptions for other trusted devices and users.
Figure 1 shows device control with a new descriptor ID, DeviceEncryptionStateId, that includes or excludes devices in rules by encryption state (BitlockerEncrypted or Plain). This descriptor ID can be added to groups that are managed via Intune (OMA-URI) or Group Policy.
Setting up device control
Device control with an approved list can be configured with three rules:
Allow unencrypted removable media devices read-only access – applies to all removable media devices except BitLocker encrypted devices and the unencrypted devices that are specifically added as exceptions
Allow unencrypted removable media devices with an exception full access – applies to the specifically allowed unencrypted devices
Allow BitLocker encrypted removable media full device access – applies to all BitLocker encrypted devices
The policy can be tested by using three different removable media devices:
Green USB (BitLocker encrypted)
Blue USB (unencrypted, but granted full access)
Red USB (read-only)
Figures 3 and 4 show that when device control blocks access and an audit rule is defined, a ReusableStorageAcessTrigger event is created, which is visible in Advanced Hunting.
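As an added illustration (not part of the original post or a Microsoft-published sample), here are the three rules above expressed in the device control policy XML shape used for Group Policy deployment, with the Green/Blue/Red USB scenario mapped onto groups; the AuditDenied entry in rule 1 is what produces the audit event described above. The GUIDs, the placeholder serial number for the trusted "blue" USB, and the AccessMask values (1 = read, 6 = write+execute, 7 = all three) are assumptions to verify against the product documentation before deployment.

```xml
<Groups>
  <!-- Every removable media device (PrimaryId descriptor) -->
  <Group Id="{ALL-REMOVABLE-GUID}" Type="Device">
    <Name>All removable media</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
  </Group>
  <!-- Removable media whose BitLocker state is encrypted (the "green" USB) -->
  <Group Id="{ENCRYPTED-GUID}" Type="Device">
    <Name>BitLocker encrypted removable media</Name>
    <MatchType>MatchAll</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
      <DeviceEncryptionStateId>BitlockerEncrypted</DeviceEncryptionStateId>
    </DescriptorIdList>
  </Group>
  <!-- Unencrypted device explicitly trusted (the "blue" USB); serial is a placeholder -->
  <Group Id="{EXCEPTION-GUID}" Type="Device">
    <Name>Trusted unencrypted exceptions</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList><SerialNumberId>PLACEHOLDER-SERIAL</SerialNumberId></DescriptorIdList>
  </Group>
</Groups>
<PolicyRules>
  <!-- Rule 1: everything not excluded (the "red" USB) is read-only; write/execute denied and audited -->
  <PolicyRule Id="{RULE1-GUID}">
    <Name>Unencrypted removable media: read only</Name>
    <IncludedIdList><GroupId>{ALL-REMOVABLE-GUID}</GroupId></IncludedIdList>
    <ExcludedIdList>
      <GroupId>{ENCRYPTED-GUID}</GroupId>
      <GroupId>{EXCEPTION-GUID}</GroupId>
    </ExcludedIdList>
    <Entry Id="{E1-GUID}"><Type>Allow</Type><Options>0</Options><AccessMask>1</AccessMask></Entry>
    <Entry Id="{E2-GUID}"><Type>Deny</Type><Options>0</Options><AccessMask>6</AccessMask></Entry>
    <Entry Id="{E3-GUID}"><Type>AuditDenied</Type><Options>3</Options><AccessMask>6</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 2: the explicitly trusted unencrypted device gets full access -->
  <PolicyRule Id="{RULE2-GUID}">
    <Name>Trusted unencrypted exception: full access</Name>
    <IncludedIdList><GroupId>{EXCEPTION-GUID}</GroupId></IncludedIdList>
    <Entry Id="{E4-GUID}"><Type>Allow</Type><Options>0</Options><AccessMask>7</AccessMask></Entry>
  </PolicyRule>
  <!-- Rule 3: BitLocker encrypted removable media gets full access -->
  <PolicyRule Id="{RULE3-GUID}">
    <Name>BitLocker encrypted removable media: full access</Name>
    <IncludedIdList><GroupId>{ENCRYPTED-GUID}</GroupId></IncludedIdList>
    <Entry Id="{E5-GUID}"><Type>Allow</Type><Options>0</Options><AccessMask>7</AccessMask></Entry>
  </PolicyRule>
</PolicyRules>
```

For Intune (OMA-URI) deployment each Group and PolicyRule is typically delivered as its own payload rather than in one file, so split the listing accordingly.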
End user experience
A notification is also sent to the end-user to provide awareness.
Comprehensive endpoint security
The release of BitLocker device control combines the policy enforcement capabilities of Defender for Endpoint with the robust encryption of BitLocker and gives admins new flexibility in device control to use BitLocker encrypted devices at scale.
Get more information:
Check out the documentation here.
Learn more about
Not a Defender for Endpoint customer? Start a free trial today.