Implement endpoint protection for all supported device platforms – Manage, maintain, and protect devices

Windows 11 contains a number of built-in features that are part of the Microsoft Defender suite of security apps. It’s important that you are familiar with each of these: you should be able to determine what they do, know how they can help secure your organization’s devices, and know how to enable and configure them. You must also understand how to implement, configure, and manage these security features by using Microsoft Intune.

This skill covers how to:

Create and manage configuration policies for Endpoint security

In this section, you’ll learn how to secure your Windows 11 devices. You’ll also learn about the various security features in Windows 11.

Implement enterprise-level disk encryption

It’s important to be able to protect your computers against data loss and data leakage. One way in which you can do this is to enable disk encryption. Windows 11 supports BitLocker.

BitLocker enables you to encrypt an entire hard disk, including the operating system drive. BitLocker is available in Windows 11 Pro, Enterprise, and Education editions.

With BitLocker enabled, the data on the drive is protected against theft. On a system that is not encrypted, simply removing the drive from the PC and attaching it as a secondary drive to another PC allows the data to be read, bypassing all NTFS security.

Trusted Platform Modules

Most modern computers contain a security component known as a Trusted Platform Module (TPM). This component securely stores cryptographic information, such as BitLocker’s encryption keys.

BitLocker supports versions 1.2 and 2.0 of the TPM specification, and keys held in the TPM are better protected against external software attacks and physical theft than keys stored elsewhere on the device.

If the device has been tampered with, for example by removing the hard drive from the original computer, BitLocker prevents the drive from being unlocked. Instead, BitLocker enters recovery mode and requires the user to enter a 48-digit recovery key before the drive can be accessed.

While a TPM is the most secure option, BitLocker can also be used on devices without a TPM. To enable this capability, you must configure the appropriate settings in Intune, and we’ll discuss those shortly.
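As an added example (not from the original page or from Microsoft), the following read-only PowerShell check reports the TPM and BitLocker posture described above for one Windows 11 device: whether a TPM is present and ready, which specification family it reports, whether each volume is protected, whether its protectors are TPM-bound, and whether a 48-digit recovery password protector exists. It assumes an elevated session and the BitLocker and TrustedPlatformModule modules that ship with Windows; the Get-BitLockerPosture function name is my own.

```powershell
# Added example, not page code. Run from an elevated PowerShell session.
# Uses Get-Tpm, Get-CimInstance (Win32_Tpm) and Get-BitLockerVolume; makes no changes.
function Get-BitLockerPosture {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the family.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $family = if ($tpmWmi) { ($tpmWmi.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmUsable = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
    $tpmSupported = $family -in @('1.2', '2.0')   # versions the page says BitLocker supports

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound = [bool]($types | Where-Object { $_ -like 'Tpm*' })   # Tpm, TpmPin, ...
        $hasRecovery = $types -contains 'RecoveryPassword'
        $isOs = $vol.VolumeType -eq 'OperatingSystem'

        # Findings are written from a defender's viewpoint: what to fix, not how to bypass.
        $findings = @()
        if ($isOs -and $vol.ProtectionStatus -eq 'Off') {
            $findings += 'OS drive is not protected; a removed disk is readable'
        }
        if ($isOs -and -not $tpmBound -and $tpmUsable -and $tpmSupported) {
            $findings += 'TPM is available but the OS drive is not TPM-bound'
        }
        if ($isOs -and -not $tpmUsable) {
            $findings += 'No usable TPM; BitLocker needs the no-TPM policy setting'
        }
        if ($vol.ProtectionStatus -eq 'On' -and -not $hasRecovery) {
            $findings += 'No recovery password protector; recovery mode cannot be satisfied'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            Protection       = $vol.ProtectionStatus   # On / Off
            Status           = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
            Method           = $vol.EncryptionMethod
            TpmFamily        = $family
            TpmReady         = $tpmUsable
            TpmBound         = $tpmBound
            RecoveryPassword = $hasRecovery
            Findings         = ($findings -join '; ')
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

Escrowing the recovery password (for example to Microsoft Entra ID through an Intune policy) is a separate step that this check only reports on indirectly by confirming the protector exists.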
