BitLocker disk encryption is MANDATORY - data-at-rest encryption (if a device is stolen or lost, the data stays protected).
Recommendation
IMPLEMENT IMMEDIATELY
Risk without implementation
Critical
Risk Score
10/10
Implementation
10h (tech: 5h)
Applies to:
Windows 10, Windows 11
BitLocker is a device theft defense: laptop stolen → disk removed → mounted in the attacker's system. Without BitLocker all data is readable (documents, credentials, browser passwords); with BitLocker the data is encrypted (AES-256) and unreadable without the recovery key. Compliance: AVG Art. 32 (data protection), BIO 10.01 (encryption).
Implementation
BitLocker enforcement via Intune policy: Require encryption (compliance), TPM required (hardware root of trust), recovery key escrowed to Azure AD (admin recovery), compliance: a device that is not encrypted is marked non-compliant → access blocked.
Requirements
Windows 10 Pro/Enterprise
TPM 2.0
Intune enrollment
Azure AD
Implementation
Use the PowerShell script bitlocker-encryption-enabled.ps1 (function Invoke-Implementation) → Implement.
Intune: Endpoint Security → Disk encryption → Create policy → Require encryption: Yes → Assign to: all Windows devices. Compliance: Device Compliance → Windows → Encryption: Required.
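The policy above enforces three things on the device: a TPM, an encrypted OS volume, and a recovery password that Intune can escrow to Azure AD. The following check verifies each of them locally on a Windows 10/11 device; it is an added example, not part of the baseline's own script, and assumes the built-in BitLocker and TrustedPlatformModule modules (Get-BitLockerVolume, Get-Tpm) and an elevated session.

```powershell
# Added example: local verification of what the Intune BitLocker policy requires.
# Requires Windows 10/11 and an elevated PowerShell session.
function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # XtsAes256 is the method Windows 10/11 uses for "AES-256" on fixed drives.
        [string]$ExpectedMethod = 'XtsAes256'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Hardware root of trust: a TPM must be present and ready for use.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { $findings.Add('TPM not present') }
    elseif (-not $tpm.TpmReady) { $findings.Add('TPM present but not ready') }

    # 2. The OS volume must be fully encrypted with protection turned on.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os) {
        $findings.Add('BitLocker reports no operating system volume')
    }
    else {
        if ($os.ProtectionStatus -ne 'On') {
            $findings.Add("Protection status is $($os.ProtectionStatus)")
        }
        if ($os.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("Volume status is $($os.VolumeStatus) ($($os.EncryptionPercentage)% encrypted)")
        }
        if ($os.EncryptionMethod -ne $ExpectedMethod) {
            $findings.Add("Encryption method is $($os.EncryptionMethod), expected $ExpectedMethod")
        }

        # 3. Key protectors: a TPM protector unlocks the disk at boot; the
        #    RecoveryPassword protector is the one Intune escrows to Azure AD.
        #    Whether the escrow actually succeeded is not visible here.
        $types = $os.KeyProtector | ForEach-Object KeyProtectorType
        if ($types -notcontains 'Tpm' -and $types -notcontains 'TpmPin') {
            $findings.Add('No TPM-based key protector')
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings.Add('No recovery password protector to escrow')
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-BitLockerCompliance | Format-List
```

A device that passes this check still needs the recovery key confirmed in Azure AD, since a protector can exist locally without having been backed up.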
Compliance
AVG Art. 32, BIO 10.01.01, ISO 27001 A.10.1.1, CIS Windows Benchmark L1, NIST SC-28.
Monitoring
Use the PowerShell script bitlocker-encryption-enabled.ps1 (function Invoke-Monitoring) → Check.
Remediation
Use the PowerShell script bitlocker-encryption-enabled.ps1 (function Invoke-Remediation) → Remediate.
Compliance & Frameworks
CIS M365: Control Windows - BitLocker (L1)
BIO: 10.01.01
ISO 27001:2022: A.10.1.1
Automation
Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (Invoke-Monitoring) and remediation (Invoke-Remediation).
PowerShell
<#
================================================================================
POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    Intune: enforce BitLocker encryption
.DESCRIPTION
    Implements, monitors and remediates: Intune: enforce BitLocker encryption
.NOTES
    Filename: bitlocker-encryption-enabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Workload: intune
    Category: device-health
#>
#Requires -Version 5.1
[CmdletBinding()]
param()

$ErrorActionPreference = 'Stop'

function Invoke-Implementation {
    <#
    .SYNOPSIS
        Implements the configuration
    #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Invoke-Implementation - Intune: dwing af BitLocker versleuteling" -ForegroundColor Cyan
    # Implementation delegates to remediation, which brings the device into the desired state.
    Invoke-Remediation
}

function Invoke-Monitoring {
    <#
    .SYNOPSIS
        Checks the current configuration state
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "Intune: dwing af BitLocker versleuteling - Monitoring" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        # TODO: implement the monitoring logic for Intune: enforce BitLocker encryption
        Write-Host "[INFO] Monitoring check voor Intune: dwing af BitLocker versleuteling" -ForegroundColor Yellow
        Write-Host "[OK] Monitoring check completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Monitoring failed: $_"
        throw
    }
}

function Invoke-Remediation {
    <#
    .SYNOPSIS
        Restores the configuration to the desired state
    #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "Intune: dwing af BitLocker versleuteling - Remediation" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        # TODO: implement the remediation logic for Intune: enforce BitLocker encryption
        Write-Host "[INFO] Remediation voor Intune: dwing af BitLocker versleuteling" -ForegroundColor Yellow
        Write-Host "[OK] Remediation completed" -ForegroundColor Green
    }
    catch {
        Write-Error "Remediation failed: $_"
        throw
    }
}
Risk without implementation
Critical: CRITICAL: if a device is stolen, all data on it is readable (AVG data breach).
Management Summary
Enforce BitLocker on ALL Windows devices. Data-at-rest encryption. Device theft protection. Implementation: 5-10 hours.