Best Practices for Microsoft Defender Antivirus & BitLocker Management
Many companies have transitioned their employees to mobile and home office workstations over the past year. Companies gain the advantage of being able to respond quickly to change and users for the most part enjoy the flexibility to work from anywhere.
However, this presents new challenges for IT security and IT managers who are responsible for protecting devices against viruses and physical loss outside the company building. Microsoft Defender Antivirus and BitLocker hard drive encryption in Windows 10 are the go-to tools for this purpose.
BitLocker encryption in particular is essential for preventing data theft. BitLocker also operates transparently in the background so users typically aren’t even aware it’s enabled. If a device is lost or stolen, the data is inaccessible without a password. However, comprehensive and consistent protection is only possible if administrators can centrally manage and monitor BitLocker status on each mobile endpoint.
To do that effectively you need to consider the following essential points, all of which you can handle using baramundi Management Suite:
1. Encryption of Windows clients (TPM)
The switch to mobile working had to happen quickly. Many admins were faced with the challenge of quickly finding out whether and to what extent BitLocker was enabled on each system. That required a comprehensive overview of mobile endpoint security status and settings. But where to start?
Step one was device hardware and identifying which systems have a Trusted Platform Module (TPM) 1.2 or higher. This is the basic prerequisite for using BitLocker.
2. Central activation of encryption during OS installation
Employees today expect their systems to be deployed quickly and ready to use. One way to save time is to have the hardware shipped directly to the employee by the vendor. Enrollment of the device can be done directly via Microsoft Autopilot. But even with such an arrangement, you also have to configure security -- including enabling hard disk encryption -- from the start.
3. Integration in baramundi (when you need to pause BitLocker for software distribution)
But just when you think you’ve got system encryption fully configured and user-ready, you run into your first case of having to remotely deploy software that can't work with BitLocker or that requires a system reboot for installation. This presents another hurdle for IT admins, because the time-saving automation you created to install the software on each endpoint will hang as the system waits for the BitLocker PIN. To keep everything running smoothly you have to pause -- and then resume -- BitLocker. You need the right tools to make that happen without introducing additional steps or security exposures.
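The pause-and-resume pattern described above, as an added example rather than baramundi's own code: BitLocker is suspended for exactly one reboot so the installer's restart does not stop at the pre-boot PIN prompt, and protection is resumed immediately when no reboot turns out to be needed. It assumes an elevated PowerShell session on Windows 10 with the BitLocker module; the installer path and its /quiet /norestart switches are placeholders.

```powershell
# Added example, not baramundi code: suspend BitLocker on the OS drive for
# exactly one reboot so an automated installer can restart the machine without
# stopping at the pre-boot PIN prompt, and resume protection right away if no
# reboot is needed. Assumes an elevated PowerShell on Windows 10; the installer
# path and its /quiet /norestart switches are placeholders.
param(
    [string]$MountPoint    = $env:SystemDrive,
    [string]$InstallerPath = 'C:\Deploy\setup.exe'   # placeholder
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $MountPoint (status: $($vol.ProtectionStatus))"
}

# -RebootCount 1: Windows re-enables the protectors automatically on the next
# boot, so a forgotten Resume-BitLocker cannot leave the drive unprotected.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/quiet', '/norestart' -Wait -PassThru

switch ($proc.ExitCode) {
    3010 {
        # Reboot required: the suspension covers exactly this restart.
        Restart-Computer -Force
    }
    0 {
        # No reboot needed: do not leave the drive suspended until the next restart.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    default {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        throw "Installer failed with exit code $($proc.ExitCode); BitLocker resumed"
    }
}
```

While suspended, the volume stays encrypted but its key is stored in the clear so the drive unlocks without the PIN, which is why the reboot count, not a later manual step, should be what ends the suspension.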
4. Network unlock for BitLocker (2-factor authentication with PIN)
With hybrid work the new normal, most employees will head into the office at least semi-regularly. However, BitLocker PIN or password entry at startup needed for remote work becomes rather annoying without adding any real value when users are on the secure company network. Microsoft therefore provides the option of booting the system automatically without requiring a BitLocker PIN when it’s on a secure network. That’s good, but it also means that IT admins have to set that feature on each system.
5. Central storage location for recovery keys
Whether it’s because of changes in hardware or vacation-induced password amnesia, users at one point or another will not be able to unlock their system and will ask IT to come to the rescue. BitLocker recovery keys can quickly give an employee access again, provided that IT admins can readily locate and access those special keys. The bottom line is that an IT department that requires encryption on company devices needs to keep these keys in a central location that is both safely secured and ready for authorized staff to use.
6. Keep an eye on client encryption
What you can enable, you can usually disable. In fact, you’ll have to pause or disable encryption for various reasons from time to time. That’s fine so long as you remember to resume or re-enable it. But we’re all human, so sometimes you may forget and leave a system unsecured. That's why it helps to have the right tool and a dashboard view to help helpdesk and IT staff stay on top of things. In practice, encryption management is condition-based and uses warning levels to immediately identify which devices are "out of line." This allows corrective intervention before any damage is done.
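The per-device check behind such a dashboard, as an added example that is not baramundi's code: it covers TPM readiness and spec version (point 1), whether the OS drive is encrypted and protected with TPM plus PIN (point 4), whether a recovery password protector exists and can be escrowed centrally (point 5), and a warning level for the "out of line" view (point 6). It assumes an elevated PowerShell session on a domain-joined Windows 10 endpoint; the warning level names and thresholds are this example's own choices.

```powershell
# Added example, not baramundi code. Assumes elevated PowerShell on Windows 10;
# the warning levels below are illustrative choices, not a product setting.
function Get-EndpointEncryptionStatus {
    param([string]$MountPoint = $env:SystemDrive)

    $tpm   = Get-Tpm
    # SpecVersion reads like "2.0, 0, 1.16"; the leading number is the TPM spec level (1.2 or higher needed)
    $spec  = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    $status = [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        TpmPresent       = $tpm.TpmPresent
        TpmSpecVersion   = $spec
        VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus    # Off = paused or never enabled
        TpmPinProtector  = ($types -contains 'TpmPin')
        RecoveryPassword = ($types -contains 'RecoveryPassword')
        Warning          = 'OK'
    }

    # Warning levels, highest first, so a dashboard can sort devices that are "out of line"
    if (-not $tpm.TpmPresent)                        { $status.Warning = 'CRITICAL: no TPM, BitLocker prerequisite missing' }
    elseif ($vol.VolumeStatus -eq 'FullyDecrypted')  { $status.Warning = 'CRITICAL: drive not encrypted' }
    elseif ($vol.ProtectionStatus -eq 'Off')         { $status.Warning = 'HIGH: protectors suspended, drive unlocks without PIN' }
    elseif (-not $status.RecoveryPassword)           { $status.Warning = 'HIGH: no recovery password protector' }
    elseif (-not $status.TpmPinProtector)            { $status.Warning = 'MEDIUM: TPM only, no startup PIN' }
    return $status
}

# Escrow each recovery password to Active Directory so it lives in a central store
# rather than only on the device; the AD backup Group Policy must already be enabled.
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-EndpointEncryptionStatus | Format-List
```

Running the first function on a schedule and collecting the objects centrally gives the condition-based view the text describes; any device whose Warning is not OK is the one to fix before it leaves the building.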
In addition to the physical loss of mobile devices and laptops, the danger of malware and cyberattacks is constant and continuously evolving. Nearly all systems are online nearly all of the time, and remote devices are online more often and longer than ever. Microsoft offers a cybersecurity solution natively from within the operating system. Initially considered inadequate, Microsoft Defender is now a real and strong competitor to other established antivirus programs.
Defender is active from the first time the computer starts up to protect against online threats. It’s also much more than a "virus scanner." Defender tamper protection includes behavior monitoring to detect suspicious or malicious system processes, IOAV to detect suspicious files from the internet, real-time anti-malware scanning, and continuous cloud-based updates to detect and stop new threats.
BitLocker and Defender are essential options for system protection. baramundi helps you get the most from them by providing a central overview of the security status of all protected devices and efficient ways to manage them. Incorrect settings and potential and active threats can be displayed so IT admins can respond quickly, including initiating automated or manual scans as needed. The combination of Microsoft’s tools and baramundi UEM gives you and your company a major advantage in the fight against continuously evolving and increasingly sophisticated threats from "Team Red."