Bitlocker
I'm thinking of deploying BitLocker MBAM more widely, but I have some questions: Can you block disabling BitLocker, even for administrator users? How? Can you configure BitLocker with TPM to ask for a password when the computer is turned on? What is the process for recovering the disk when the hardware is lost but not the HD?
September 28th, 2012 8:06pm

I'm thinking of deploying BitLocker MBAM more widely, but I have some questions: Can you block disabling BitLocker, even for administrator users? How?

I don't believe you can block disabling it for admins unless maybe you use a policy or AppLocker. What I did was install the MBAM agent and remove the Add/Remove Programs options. A user can disable the encryption, but they will then show up as Non-Compliant in the console, so it's easy to find who the user is and what machine, etc.

Can you configure BitLocker with TPM to ask for a password when the computer is turned on?

Yes, and you can choose the complexity, etc.

What is the process for recovering the disk when the hardware is lost but not the HD?

On your MBAM server you will have different AD groups. There's one for Help Desk which allows them access to get to the user's recovery key if they get locked out. You can also customize the message for when they are locked out, telling them to call the help desk. The recovery key is quite long and annoying, but hey, that means it's more secure. It's 48 digits. That restricts them from access to certain features of the console.

PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
September 29th, 2012 3:15pm

OK, but what is the recovery process if I lose the hardware that has the TPM but not the HD? Or rather, can I retrieve the HD on another desktop, and how would that be done, given that I would no longer have the original TPM?
October 1st, 2012 10:05am

You will get prompted to provide your recovery key. You can then decrypt the drive and then encrypt it again on the machine you want to use, so it gets a new recovery key based on that machine's TPM.

PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
October 1st, 2012 10:50am

Sorry, I did not understand. You mean I can take a disk that was attached to a machine with a problem TPM and insert it into another machine with another TPM? That is, simply enter the old TPM password on the new hardware?
October 1st, 2012 8:23pm

When you originally encrypted the drive you would have had an option to save your recovery key. If you saved it, get that key, because you will be prompted to enter it once you try to put the drive in a machine without the correct TPM. If you are using MBAM you will see the recovery key in AD. If not, you likely saved it onto the drive, or possibly in a home drive or onto a USB, etc.

PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
October 2nd, 2012 12:35pm
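As an added example (not from this thread or from MBAM), the following PowerShell script audits the points discussed above on a standalone machine using the built-in BitLocker module (Windows 8 / Server 2012 and later): whether protection is still on, whether a TPM+PIN protector enforces a prompt at power-on, whether a 48-digit recovery password exists, and it escrows that password to the computer object in AD DS so a help desk can retrieve it. The format check relies on the documented structure of BitLocker recovery passwords (eight six-digit groups, each divisible by 11 and below 720896); the mount point defaulting to the system drive is an assumption.

```powershell
# Added example: audit BitLocker protectors on the OS volume and escrow the
# recovery password to AD DS. Uses the built-in BitLocker module, not MBAM.

function Test-RecoveryPasswordFormat {
    # A BitLocker recovery password is 8 groups of 6 digits; every group is a
    # multiple of 11 and below 720896. Useful when a key is read out over the phone.
    param([Parameter(Mandatory)][string]$RecoveryPassword)
    $groups = $RecoveryPassword -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if ($n % 11 -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Get-OsVolumeCompliance {
    # Assumption: the OS volume is the system drive (normally C:).
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $vol.KeyProtector.KeyProtectorType
    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        ProtectionOn   = ($vol.ProtectionStatus -eq 'On')    # Off = suspended or disabled by a user
        HasTpmPin      = ($types -contains 'TpmPin')         # PIN prompt at power-on
        HasRecoveryPwd = ($types -contains 'RecoveryPassword')
    }
}

$state = Get-OsVolumeCompliance
$state | Format-List

if (-not $state.HasRecoveryPwd) {
    # Without a recovery password the drive cannot be opened on replacement hardware.
    Add-BitLockerKeyProtector -MountPoint $state.MountPoint -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password to the computer object in AD DS. Requires the
# "Store BitLocker recovery information in AD DS" group policy to be enabled.
$vol = Get-BitLockerVolume -MountPoint $state.MountPoint
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    if (-not (Test-RecoveryPasswordFormat $kp.RecoveryPassword)) {
        throw "Unexpected recovery password format on $($vol.MountPoint)"
    }
    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
}
```

Run it elevated; a volume reporting ProtectionOn = False is the standalone equivalent of the Non-Compliant state the MBAM console shows.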