Bitlocker
I'm thinking of deploying BitLocker MBAM more, but I have some questions:
Can you prevent BitLocker from being disabled, even for administrator users? How?
Can you configure BitLocker with TPM to ask for a password when the computer is turned on?
What is the process for recovering the disk when the hardware is lost but not the HD?
September 28th, 2012 8:06pm
I'm thinking of deploying BitLocker MBAM more, but I have some questions:
Can you prevent BitLocker from being disabled, even for administrator users? How?
I don't believe you can block disabling it for Admins unless maybe you use a policy or AppLocker. What I did was install the MBAM agent and remove the Add/Remove Programs option. A user can disable the encryption, but they will then show up as Non-Compliant in the console, so it's easy to find who the user is and what machine, etc.
Can you configure BitLocker with TPM to ask for a password when the computer is turned on?
Yes, and you can choose the complexity, etc.
What is the process for recovering the disk when the hardware is lost but not the HD?
On your MBAM server you will have different AD groups. There's one for Help Desk which allows them access to get to the user's recovery key if they get locked out. You can also customize the message for when they are locked out, telling them to call the helpdesk.
The recovery key is quite long and annoying, but hey, that means it's more secure. It's 48 digits. That restricts them from access to certain features of the console.
PLEASE MARK ANY ANSWERS TO HELP OTHERS
Blog: rorymon.com Twitter: @Rorymon
September 29th, 2012 3:15pm
OK, but how does the recovery process work if I lose the hardware that has the TPM but not the HD? Or rather, can I retrieve the HD on another desktop, given that I would no longer have the original TPM?
October 1st, 2012 10:05am
You will get prompted to provide your recovery key. You can then decrypt the drive and then encrypt it again on the machine you want to use so it gets a new recovery key based on that machine's TPM.
PLEASE MARK ANY ANSWERS TO HELP OTHERS
Blog: rorymon.com Twitter: @Rorymon
October 1st, 2012 10:50am
Sorry, I did not understand. You mean I can take a disk that was attached to a TPM with a problem and insert it into another machine with another TPM? That is, simply enter the old TPM password on the new hardware?
October 1st, 2012 8:23pm
When you originally encrypted the drive you would have had an option to save your recovery key. If you saved it, get that key, because you will be prompted to enter it once you try to put the drive in a machine without the correct TPM.
If you are using MBAM you will see the recovery key in AD. If not, you likely saved it onto the drive, or possibly in a home drive or onto a USB, etc.
PLEASE MARK ANY ANSWERS TO HELP OTHERS
Blog: rorymon.com Twitter: @Rorymon
October 2nd, 2012 12:35pm
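The moved-drive scenario discussed in the two answers above, as an added example (not code from this thread or from MBAM): after the volume has been unlocked with its 48-digit recovery password, it replaces the old machine's TPM protector with one for the new TPM (optionally TPM + startup PIN, the "password at power-on" case) and rotates the recovery password, escrowing the new one in AD DS. It goes beyond the poster's decrypt/re-encrypt route by rekeying the protectors in place, which is sufficient because the TPM only protects the volume master key, not the data encryption itself. It assumes the BitLocker and TrustedPlatformModule PowerShell modules (Windows 8 / Server 2012 or later; on Windows 7 the equivalent steps are done with manage-bde.exe) and an initialised TPM; the function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Rebind-BitLockerToNewTpm {
    param(
        [string]$MountPoint = 'C:',
        # Needed only if the volume is still locked (a data drive); an OS drive is
        # already unlocked once Windows has booted through the recovery screen.
        [string]$RecoveryPassword,
        # Supply a pre-boot PIN to require it together with the TPM at power-on.
        [securestring]$StartupPin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        if (-not $RecoveryPassword) { throw 'Volume is locked; supply the 48-digit recovery password.' }
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is not present or not ready on this machine.' }

    # Remove every protector bound to the old TPM. The recovery password still
    # protects the volume, so the drive is never left unprotected.
    $tpmTypes = 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -in $tpmTypes } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    if ($StartupPin) { Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $StartupPin | Out-Null }
    else             { Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null }

    # Rotate the recovery password: the old one was typed on another machine's
    # screen, so treat it as spent. Escrow the new one in AD DS before retiring the old.
    $oldIds = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object KeyProtectorId)
    $after  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $newId  = ($after.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $oldIds }).KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $newId | Out-Null
    foreach ($id in $oldIds) { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null }

    # Make sure protection is active (it is suspended, i.e. 'Off', after some moves).
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -eq 'Off') { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, @{n='Protectors'; e={ $_.KeyProtector.KeyProtectorType -join ',' }}
}

# Constructed usage: rebind C: on the new machine and require a startup PIN as well.
Rebind-BitLockerToNewTpm -MountPoint 'C:' -StartupPin (Read-Host -AsSecureString 'New startup PIN')
```

An MBAM client on the new machine will report the rekeyed volume as compliant once it has re-escrowed the protectors, so check the console after the reboot rather than before.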