Encryption keys supplied by customers do not get escrowed with Nasuni, nor do they leave the Filer in any way. Whether the key comes from the user or is generated by the Filer the key is never stored in the cloud, with the cloud storage provider (so they can not decrypt your data), or anywhere near your data.
-->
The Microsoft Intune encryption report is a centralized location to view details about a device’s encryption status and find options to manage device recovery keys. The recovery key options that are available depend on the type of device you're viewing.
To find the report, Sign in to the Microsoft Endpoint Manager admin center. Select Devices > Monitor, and then under Configuration, select Encryption report.
View encryption details
The encryption report shows common details across the supported devices you manage. The following sections provide details about the information that Intune presents in the report.
PrerequisitesRe-issue Recovery Key Generated Not Escrowed Working
The encryption report supports reporting on devices that run the following operating system versions:
Report details
The Encryption report pane displays a list of the devices you manage with high-level details about those devices. You can select a device from the list to drill-in and view additional details from the devices Device encryption status pane.
Device encryption status
When you select a device from the Encryption report, Intune displays the Device encryption status pane. This pane provides the following details:
Re-issue Recovery Key Generated Not Escrowed OneExport report details
While viewing the Encryption report pane, you can select Export to create a .csv file download of the report details. This report includes the high-level details from the Encryption report pane and Device encryption status details for each device you manage.
This report can be of use in identifying problems for groups of devices. For example, you might use the report to identify a list of macOS devices that all report FileVault is already enabled by the user, which indicates devices that must be manually decrypted before Intune can manage their FileVault settings.
FileVault recovery keys
When Intune first encrypts a macOS device with FileVault, a personal recovery key is created. Upon encryption, the device displays the personal key a single time to the end-user.
For managed devices, Intune can escrow a copy of the personal recovery key. Escrow of keys enables Intune administrators to rotate keys to help protect devices, and users to recover a lost or rotated personal recovery key.
Intune supports multiple options to rotate and recover personal recovery keys. One reason to rotate a key is if the current personal key is lost or thought to be at risk.
Important
Devices that are encrypted by users, and not by Intune, cannot be managed by Intune. This means that Intune can't escrow the personal recovery of these devices, nor manage the rotation of the recovery key. Before Intune can manage FileVault and recovery keys for the device, the user must decrypt their device, and then let Intune encrypt the device.
Rotate recovery keys
Recover recovery keys
BitLocker recovery keys
Intune provides access to the Azure AD blade for BitLocker so you can view BitLocker Key IDs and recovery keys for your Windows 10 devices, from within the Intune portal. To be accessible, the device must have its keys escrowed to Azure AD.
Information for BitLocker is obtained using the BitLocker configuration service provider (CSP). BitLocker CSP is supported on Windows 10 version 1703 and later, and for Windows 10 Pro version 1809 and later.
Next steps
Create a device compliance policy.
-->
Use Intune to manage a devices built-in disk or drive encryption to protect data on your devices.
Configure disk encryption as part of a device configuration profile for endpoint protection. The following platforms and encryption technologies are supported by Intune:
Intune also provides a built-in encryption report that presents details about the encryption status of devices, across all your managed devices.
FileVault encryption for macOS
Use Intune to configure FileVault disk encryption on devices that run macOS. Then, use the Intune encryption report to view encryption details for those devices and to manage recovery keys for FileVault encrypted devices.
User-approved device enrollment is required for FileVault to work on the device. The user must manually approve of the management profile from system preferences for enrollment to be considered user-approved.
FileVault is a whole-disk encryption program that is included with macOS. You can use Intune to configure FileVault on devices that run macOS 10.13 or later.
To configure FileVault, create a device configuration profile for endpoint protection for the macOS platform. FileVault settings are one of the available settings categories for macOS endpoint protection.
After you create a policy to encrypt devices with FileVault, the policy is applied to devices in two stages. First, the device is prepared to enable Intune to retrieve and back up the recovery key. This action is referred to as escrow. After the key is escrowed, the disk encryption can start.
For details about the FileVault setting you can manage with Intune, see FileVault in the Intune article for macOS endpoint protection settings.
Permissions to manage FileVault
To manage FileVault in Intune, your account must have the applicable Intune role-based access control (RBAC) permissions.
Following are the FileVault permissions, which are part of the Remote tasks category, and the built-in RBAC roles that grant the permission:
How to configure macOS FileVault
Manage FileVault
After Intune encrypts a macOS device with FileVault, you can view and manage the FileVault recovery keys when you view the Intune encryption report.
After Intune encrypts a macOS device with FileVault, you can view that device's personal recovery key from the web Company Portal on any device. Once in the web Company Portal, choose the encrypted macOS device, and then choose to 'Get recovery key' as a remote device action.
Retrieve personal recovery key from MEM encrypted macOS devices
End users can retrieve their personal recovery key (FileVault key) using the iOS Company Portal app, the Android Company Portal app, or through the Android Intune app. The device that has the personal recovery key must be enrolled with Intune and encrypted with FileVault through Intune. Using the iOS Company Portal app, Android Company Portal app, the Android Intune app, or the Company Portal website, the end-user can see the FileVault recovery key needed to access their Mac devices. End-users can select Devices > the encrypted and enrolled macOS device > Get recovery key. The browser will show the Web Company Portal and display the recovery key.
BitLocker encryption for Windows 10
Use Intune to configure BitLocker Drive Encryption on devices that run Windows 10. Then, use the Intune encryption report to view encryption details for those devices. You can also access important information for BitLocker from your devices, as found in Azure Active Directory (Azure AD).
BitLocker is available on devices that run Windows 10 or later.
Configure BitLocker when you create a device configuration profile for endpoint protection for the Windows 10 or later platform. BitLocker settings are in the Windows Encryption settings category for Windows 10 endpoint protection.
How to configure Windows 10 BitLockerRe-issue Recovery Key Generated Not Escrowed Form
Silently enable BitLocker on devices
You can configure a BitLocker policy that automatically and silently enables BitLocker on a device. That means that BitLocker enables successfully without presenting any UI to the end user, even when that user isn't a local Administrator on the device.
Device Prerequisites:
A device must meet the following conditions to be eligible for silently enabling BitLocker:
BitLocker policy configuration:
The following two settings for BitLocker base settings must be configured in the BitLocker policy:
The BitLocker policy must not require use of a startup PIN or startup key. When a TPM startup PIN or startup key is required, BitLocker cannot silently enable and requires interaction from the end user. This requirement is met through the following three BitLocker OS drive settings in the same policy:
Manage BitLocker
After Intune encrypts a Windows 10 device with BitLocker, you can view and retrieve BitLocker recovery keys when you view the Intune encryption report.
Rotate BitLocker recovery keys
You can use an Intune device action to remotely rotate the BitLocker recovery key of a device that runs Windows 10 version 1909 or later.
Prerequisites
Devices must meet the following prerequisites to support rotation of the BitLocker recovery key:
To rotate the BitLocker recovery key
Next steps
Create a device compliance policy.
Use the encryption report, to manage:
Review the encryption settings you can configure with Intune for:
Comments are closed.
|
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |