Understand the importance of device encryption for compliance and security

In this unit, you will learn why device encryption is a foundational element of your organization's security strategy, how it reduces the risk of data exposure when a device is lost or stolen, and its role within a Zero Trust architecture.

The vulnerability of data at rest

A common misconception in endpoint management is that a strong Windows or macOS login password fully protects the data on the local hard drive. In reality, a lock screen only protects the running operating system.

If an unencrypted laptop is lost or stolen, a malicious actor does not need to guess the user's password. They can simply remove the solid-state drive (SSD), connect it to a different computer, and directly read every file, cached email, and saved credential. Alternatively, they can boot the laptop from a USB drive and bypass the native operating system entirely.

Full-Disk Encryption (FDE)—such as BitLocker for Windows or FileVault for macOS—mitigates this risk by cryptographically scrambling the data on the drive. Without the correct decryption key (which is tied to the user's secure login and the device's Trusted Platform Module or TPM), the data remains completely unreadable.

How encryption changes the impact of a lost or stolen device

Many organizations are required to protect personal and sensitive business data and to notify affected parties when that data is exposed. Whether a lost or stolen device triggers those obligations often depends on whether the data on the device was readable to an unauthorized person.

Consider the following scenarios:

  • Unencrypted scenario: An employee leaves an unencrypted corporate laptop in a public space. The laptop contains sensitive customer data. Because the data on the drive can be read by anyone with physical access, the organization must treat this as a potential data exposure and follow its incident-response and notification processes.
  • Encrypted scenario: An employee leaves an encrypted corporate laptop in a public space. Because the data on the drive is cryptographically protected and cannot be read without the decryption key, the technical risk of data exposure is dramatically reduced. The organization can focus on recovering or remotely wiping the hardware rather than responding to an exposure of the data itself.

Your legal, privacy, and compliance teams determine which obligations apply to your organization and when notifications are required. Device encryption is one of the technical controls that helps reduce the risk of data exposure in scenarios like these.

Note

Device encryption secures data at rest. It does not protect data in transit (which relies on protocols like HTTPS/TLS) or data in use (which relies on memory protection and application security).

Device encryption in a Zero Trust architecture

In a Zero Trust security model, no device is implicitly trusted, regardless of whether it is connected to the corporate network. Every time a device attempts to access organizational resources, it must prove it is healthy and secure. Device encryption is a baseline requirement for this health evaluation.

  1. Evaluation: Microsoft Intune Compliance Policies query the device hardware to verify that BitLocker or FileVault is actively running.
  2. Enforcement: If a user intentionally disables encryption, or if a malware infection corrupts the encryption state, Intune immediately flags the device as Noncompliant.
  3. Action: Microsoft Entra Conditional Access reads this noncompliant signal and automatically revokes the device's access to corporate resources (such as Microsoft 365 or VPNs) until the drive is re-encrypted.

Modern key management

Historically, managing recovery keys was a significant administrative burden. If an encryption key was lost, the data was unrecoverable.

Modern endpoint management resolves this through automated key escrow:

  • Intune deploys an Endpoint Security profile that silently enables encryption without requiring end-user interaction.
  • The device generates a unique recovery key.
  • The device securely transmits that key directly to its device object record in Microsoft Entra ID.
  • If a user is locked out, helpdesk administrators can retrieve the recovery key from the Microsoft Entra admin center, or users can securely access it themselves via the MyAccount self-service portal.
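The checks in the Zero Trust evaluation steps above, together with the recovery-key escrow described in this section, can be reproduced locally on a Windows endpoint. The following PowerShell script is an added example written for this page, not Intune's own compliance logic or the module's code; it assumes Windows 10 or later with the BitLocker and TrustedPlatformModule modules, administrator rights, and a device that is joined to Microsoft Entra ID (otherwise the escrow step fails). The function name Test-DeviceEncryptionBaseline is this example's own.

```powershell
# Added example (not Intune's compliance engine): audit the OS volume the way a
# BitLocker compliance check would, then escrow the recovery password to Entra ID.
# Assumes Windows 10+, the BitLocker and TrustedPlatformModule modules, admin rights.
function Test-DeviceEncryptionBaseline {
    param([string]$MountPoint = $env:SystemDrive)   # e.g. "C:"
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Evaluation: the drive must be fully encrypted with its protectors enforced.
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("Volume status is $($vol.VolumeStatus), expected FullyEncrypted")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add('Protection is off or suspended; key protectors are not enforced')
    }
    # XTS-AES is the Windows 10+ default; a CBC mode means the volume predates current settings.
    if ($vol.EncryptionMethod -notmatch '^XtsAes') {
        $findings.Add("Encryption method $($vol.EncryptionMethod) is not XTS-AES")
    }
    # The unlock key must be sealed by the TPM so a removed drive cannot be read elsewhere.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
        $findings.Add('TPM is absent or not ready')
    }
    if (@($types -match '^Tpm').Count -eq 0) {
        $findings.Add('No TPM-based key protector; unlock is not hardware-bound')
    }
    # Key escrow needs a recovery password protector; without one there is nothing to back up.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        $findings.Add('No recovery password protector; nothing can be escrowed to Entra ID')
    }
    # Findings is empty when the device would pass an encryption compliance evaluation.
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings
        RecoveryProtector = $recovery | Select-Object -First 1
    }
}

# Usage: audit the OS drive, then escrow the recovery password to the device's Entra ID object,
# where helpdesk staff (admin center) or the user (self-service portal) can later retrieve it.
$result = Test-DeviceEncryptionBaseline
$result | Format-List MountPoint, Compliant, Findings
if ($result.RecoveryProtector) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $result.MountPoint `
        -KeyProtectorId $result.RecoveryProtector.KeyProtectorId
}
```

A device that reports Compliant = False here is the same device that an Intune compliance policy would mark Noncompliant, which in turn is the signal Conditional Access uses to block access until the drive is re-encrypted.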