In order to meet EPS control 10.1.7 on Windows-based devices, the OIT Managed Desktop Service (OIT-MDS) plans to utilize NCSU’s existing BitLocker infrastructure.
Full Disk Encryption. Prevents access to data stored on endpoint devices without approved credentials. Full disk encryption is not intended to supersede any data classification-specific security standards, as authorization from a Data Steward remains a requirement for storage of sensitive data on endpoint devices. Protection and escrow of encryption keys must be addressed appropriately.
Background
NCSU currently maintains an MBAM infrastructure that allows various IT groups to manage full disk encryption on Windows endpoints. It is documented at https://activedirectory.ncsu.edu. There are opt-in groups in Wolftech AD for IT departments to use, which place machines in scope for GPOs and an SCCM application deployment (the MBAM client). Once the changes hit the endpoint and a user has been logged in locally for 15 minutes, disk encryption will start. It uses AES-256 encryption and requires that the device contain a TPM for automatic disk unlocking.
The recovery key is stored in Wolftech AD and with MBAM. There is another group in AD for “high” settings that requires a PIN at boot for unlocking. There are currently plans to move this functionality away from dedicated MBAM servers and integrate it into SCCM. Once complete, rather than GPOs, this would be controlled via SCCM Client Settings. It is assumed that this will utilize the existing opt-in groups, but this is not yet in place.
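Added example (not part of this OIT-MDS document or the MBAM service): a PowerShell check, run from an elevated prompt on a managed endpoint, that verifies the OS volume matches the configuration described above: AES-256, a TPM (or TPM+PIN for the “high” group) protector for automatic unlock, a recovery password protector available for escrow, and a ready TPM. It assumes only the built-in BitLocker and TrustedPlatformModule cmdlets.

```powershell
# Added example: verify an endpoint against the documented BitLocker configuration.
# Uses the built-in Get-BitLockerVolume and Get-Tpm cmdlets; run elevated.

$osDrive = $env:SystemDrive          # normally "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive
$tpm = Get-Tpm

$findings = @()

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "OS volume is $($vol.VolumeStatus), not FullyEncrypted"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "Protection is $($vol.ProtectionStatus) (suspended or off)"
}
# The document specifies AES-256; accept either the CBC or XTS variant.
if ($vol.EncryptionMethod -notin @('Aes256', 'XtsAes256')) {
    $findings += "Encryption method is $($vol.EncryptionMethod), not AES-256"
}

$types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
# Standard group: TPM protector; "high" group: TPM+PIN protector.
if (-not ($types -contains 'Tpm' -or $types -contains 'TpmPin')) {
    $findings += "No TPM or TPM+PIN key protector; automatic unlock is not possible"
}
# The recovery password is the protector that gets escrowed to Wolftech AD / MBAM.
if ($types -notcontains 'RecoveryPassword') {
    $findings += "No recovery password protector; nothing to escrow to AD/MBAM"
}
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    $findings += "TPM not present/ready (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
}

if ($findings.Count -eq 0) {
    Write-Output "$osDrive compliant with the documented BitLocker configuration"
} else {
    Write-Output "$osDrive NOT compliant:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

If the recovery password protector exists but was never escrowed (for example the machine was encrypted before it joined the opt-in group), the built-in `Backup-BitLockerKeyProtector` cmdlet can push that protector's ID to AD DS.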
Implementation
The OIT Managed Desktop Service will utilize the service as specified on https://activedirectory.ncsu.edu for all compatible endpoints. If the OIT-MDS decides that it is in its interest to use custom client settings deployments rather than AD groups (this avoids edge cases where a machine misses the group assignment), then we will request that capability from the SCCM Core Team.
Any questions on the process or content contained in this document should be escalated through the NCSU Help Desk and have an incident assigned to the OIT_DESKTOP_SUPPORT team.
https://policies.ncsu.edu/rule/rul-08-00-18/#security_controls
https://activedirectory.ncsu.edu
Title: Windows Full Disk Encryption Policy and Process for the OIT Managed Desktop Service
Service: Security Policy & Compliance
Template if applicable: NA
Assignment Group(s): OIT_DESKTOP_SUPPORT
Document Owner: OIT_DESKTOP_SUPPORT
Available Priorities: Critical, High, Medium, Low
Keywords: encrypt, windows, full disk encryption, bitlocker, bit locker, bit, fde, eps, endpoint protection standard, MBAM, SCCM, GPO, OIT Managed Desktop Service, macos, macOS, eps, security, compliance, endpoint protection standard, OIT Managed Desktop Service, how do I comply with the eps endpoint protection standard, am I compliant with the endpoint protection standard, EPS, how do I become compliant with the endpoint protection standard, how do I get compliant with the endpoint protection standard, how do I meet the EPS controls, EPS Controls, what does EPS mean, what is the endpoint protection standard, Endpoint Protection Standard Compliance and Guidance