Bitlocker
-
Saturday, September 29, 2012 12:06 AM
I'm thinking of deploying BitLocker (MBAM) more widely, but I have some questions:
Can you block users from disabling BitLocker, even administrator users? How?
Can you configure BitLocker with a TPM so that it asks for a password when the computer is turned on?
How does the disk recovery process work if the hardware is lost, but not the HD?
All Replies
-
Saturday, September 29, 2012 7:15 PM
I'm thinking of deploying BitLocker (MBAM) more widely, but I have some questions:
Can you block users from disabling BitLocker, even administrator users? How?
I don't believe you can block disabling it for admins unless maybe you use a policy or AppLocker. What I did was install the MBAM agent and remove the Add/Remove Programs options. A user can disable the encryption, but they will then show up as Non-Compliant in the console, so it's easy to find who the user is, what machine, etc.
Can you configure BitLocker with a TPM so that it asks for a password when the computer is turned on?
Yes, and you can choose the complexity, etc.
How does the disk recovery process work if the hardware is lost, but not the HD?
On your MBAM server you will have different AD groups. There's one for Help Desk which allows them access to get to the user's recovery key if they get locked out. You can also customize the message shown when they are locked out, telling them to call the help desk. The recovery key is quite long and annoying, but hey, that means it's more secure. It's 48 digits. That restricts them from access to certain features of the console.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
- Proposed As Answer by Rorymon Monday, October 01, 2012 2:47 PM
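The two things this reply covers, a TPM+PIN prompt at startup with a complexity requirement and finding machines where someone has switched protection off, as an added PowerShell example. This is not code from the thread or from MBAM. It assumes Windows 8 / Server 2012 or later (for the BitLocker module), an elevated session, and an OS drive that is already encrypted with a TPM-only protector. The registry values mirror the "Require additional authentication at startup" and "Configure minimum PIN length" Group Policy settings; in a domain you would set them through a GPO rather than writing the keys directly, and the MinimumPIN of 8 is an assumed value.

```powershell
# Added example (not from the thread): require TPM+PIN at startup, set PIN rules,
# escrow the recovery password to AD, then audit volumes whose protection was turned off.
# Run elevated. These registry writes mirror the GPO under
# Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives; use the GPO in a domain.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null

# "Require additional authentication at startup": 1 = Require, 2 = Allow, 0 = Do not allow
$policy = @{
    UseAdvancedStartup = 1   # policy enabled
    UseTPM             = 0   # TPM-only (no PIN) not allowed
    UseTPMPIN          = 1   # TPM + PIN required
    UseTPMKey          = 0   # TPM + startup key not allowed
    UseTPMKeyPIN       = 0   # TPM + startup key + PIN not allowed
    UseEnhancedPin     = 1   # "Allow enhanced PINs": letters and symbols, not only digits
    MinimumPIN         = 8   # assumed value; the policy default is 6
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

$os = 'C:'

# Add a 48-digit recovery password first, so the volume never has zero protectors,
# and back it up to the computer object in AD DS (needs the BitLocker schema extensions).
$before = (Get-BitLockerVolume -MountPoint $os).KeyProtector.KeyProtectorId
$rp = (Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before }
Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId | Out-Null

# Replace the TPM-only protector with TPM+PIN. The PIN is read as a SecureString,
# never passed on the command line (it would land in transcript/history otherwise).
(Get-BitLockerVolume -MountPoint $os).KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm' |
    ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $_.KeyProtectorId | Out-Null }
$pin = Read-Host -AsSecureString -Prompt 'New pre-boot PIN'
Add-BitLockerKeyProtector -MountPoint $os -TpmAndPinProtector -Pin $pin | Out-Null

# Compliance check. A local admin can run "manage-bde -protectors -disable C:" or
# Suspend-BitLocker, which leaves the data encrypted but stores the key in the clear
# (ProtectionStatus 'Off'). MBAM reports that as Non-Compliant; this is the local
# equivalent for a logon script or RMM tool.
function Get-BitLockerNonCompliant {
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and (
            $_.ProtectionStatus -ne 'On' -or
            $_.VolumeStatus -ne 'FullyEncrypted' -or
            -not ($_.KeyProtector.KeyProtectorType -contains 'TpmPin')
        )
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' }}
}
Get-BitLockerNonCompliant
```

Removing the Add/Remove Programs entry, as the reply describes, hides the MBAM agent but does not stop an administrator from suspending protection with manage-bde; the check at the end is what catches that case.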
-
Monday, October 01, 2012 2:02 PM
Ok, but what is the recovery process if I lose the hardware that has the TPM, but not the HD? Or rather, can I recover the HD on another desktop, given that I would no longer have the original TPM?
-
Monday, October 01, 2012 2:47 PM
You will get prompted to provide your recovery key. You can then decrypt the drive and then encrypt it again on the machine you want to use, so it gets a new recovery key based on that machine's TPM.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
- Proposed As Answer by Rorymon Monday, October 01, 2012 2:47 PM
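The recovery this reply describes, as an added PowerShell example; it is not the poster's code and not part of MBAM. At the pre-boot screen the 48-digit recovery password is typed by hand; the script covers the case where the disk from the dead machine is attached to another Windows box as a data volume, and the re-protect step once an OS drive has been booted through recovery in the new chassis. It also shows the alternative to a full decrypt and re-encrypt: the TPM protector only seals the volume master key, so you can drop the protector bound to the missing TPM and add one for the new machine's TPM without touching the data. The recovery password is a separate protector and is not derived from the TPM; a drive whose TPM protector is sealed to a TPM that no longer exists asks for recovery on every boot until that protector is replaced. The drive letter and the recovery password value below are constructed placeholders.

```powershell
# Added example (not from the thread). Scenario: the disk from a dead machine (TPM gone)
# is attached to another Windows box as D:, or the OS drive has just booted after the
# recovery password was typed at the pre-boot prompt.
# $RecoveryPassword is a constructed placeholder; the real one is 48 digits in 8 groups.

$Drive = 'D:'
$RecoveryPassword = '111111-222222-333333-444444-555555-666666-777777-888888'  # placeholder

# 1. Inspect state. A moved, protected drive shows LockStatus 'Locked'; its protectors are
#    still listed, so the key ID shown at the recovery prompt can be matched here.
$vol = Get-BitLockerVolume -MountPoint $Drive
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# 2. Unlock with the recovery password. It is checked against the RecoveryPassword
#    protector only; this machine's TPM is not involved, which is why it works on foreign hardware.
if ($vol.LockStatus -eq 'Locked') {
    Unlock-BitLocker -MountPoint $Drive -RecoveryPassword $RecoveryPassword | Out-Null
}

# 3. Re-protect without decrypting: remove the TPM protector sealed to the old machine and
#    add one sealed to this machine's TPM. Only meaningful for an OS drive booted in the new
#    chassis; a data drive you only need to read can stay as it is.
function Reset-TpmProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    if ($v.VolumeType -ne 'OperatingSystem') { return "$MountPoint is not an OS volume; nothing to reseal" }
    if (-not ($v.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw 'Add a recovery password protector before removing the TPM protector'
    }
    $v.KeyProtector |
        Where-Object { $_.KeyProtectorType -in 'Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null   # or -TpmAndPinProtector -Pin <SecureString>
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus,
        @{n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' }}
}

# 4. Rotate the recovery password that was just used (it has been read out and written down),
#    escrow the new one to AD, and only then remove the old one.
function Update-RecoveryPassword {
    param([Parameter(Mandatory)][string]$MountPoint)
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $new = (Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId }
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
    $old | ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    $new.KeyProtectorId   # returns the ID of the new protector; the password itself stays in AD
}

# After booting the OS drive in the new machine via recovery:
# Reset-TpmProtector -MountPoint 'C:'
# Update-RecoveryPassword -MountPoint 'C:'
```

Decrypting and re-encrypting, as the reply suggests, also works; it just rewrites every sector and leaves the data unprotected in between, whereas swapping the protector takes seconds.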
-
Tuesday, October 02, 2012 12:20 AM
Sorry, I did not understand.
You mean I can take a disk that was attached to a machine with a TPM problem and insert it into another machine with another TPM?
That is, simply enter the old TPM password on the new hardware?
-
Tuesday, October 02, 2012 4:32 PM
When you originally encrypted the drive, you would have had an option to save your recovery key. If you saved it, get that key, because you will be prompted to enter it once you try to put the drive in a machine without the correct TPM.
If you are using MBAM, you will see the recovery key in AD. If not, you likely saved it onto the drive, or possibly in a home drive or onto a USB stick, etc.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
- Proposed As Answer by Rorymon Tuesday, October 02, 2012 4:32 PM
- Marked As Answer by Marcelo Cabra Tuesday, October 02, 2012 8:27 PM
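For the "recovery key in AD" case, an added example of how a help-desk operator finds the right password. When the AD backup policy is on, BitLocker itself (without MBAM, which keeps its keys in its own SQL database and exposes them through its portals) writes each recovery password as an msFVE-RecoveryInformation child object of the computer account; the object is named with a timestamp and the protector GUID, and the pre-boot recovery screen shows the first 8 hex digits of that GUID. This is not the poster's code. It assumes the ActiveDirectory module from RSAT and read access to the msFVE-RecoveryPassword attribute, which is marked confidential in the schema and is normally delegated to a help-desk group, much like the MBAM Help Desk role in the first reply. The key ID in the usage line is a constructed placeholder.

```powershell
# Added example (not from the thread): find a BitLocker recovery password escrowed to
# AD DS from the 8-character key ID shown on the pre-boot recovery screen.
# Requires the ActiveDirectory module (RSAT) and read rights on msFVE-RecoveryPassword.

Import-Module ActiveDirectory

function Get-BitLockerRecoveryFromAD {
    param(
        [Parameter(Mandatory)][string]$KeyIdPrefix,   # first 8 hex chars of the protector GUID
        [string]$ComputerName                          # optional: limit the search to one computer object
    )
    if ($KeyIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') { throw 'Key ID prefix must be 8 hex characters' }

    $searchBase = if ($ComputerName) { (Get-ADComputer -Identity $ComputerName).DistinguishedName }
                  else { (Get-ADDomain).DistinguishedName }

    # Object name format: "<ISO timestamp>{<protector GUID>}", for example
    # "2012-10-02T16:32:00-07:00{12345678-ABCD-...}", so match on the GUID prefix after the brace.
    Get-ADObject -SearchBase $searchBase -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{$KeyIdPrefix*))" `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'whenCreated' |
    ForEach-Object {
        [pscustomobject]@{
            # parent DN is the computer object; pull its CN
            Computer         = (($_.DistinguishedName -split ',', 2)[1]) -replace '^CN=([^,]+).*', '$1'
            Created          = $_.whenCreated
            KeyProtectorId   = ([guid][byte[]]$_.'msFVE-RecoveryGuid').Guid
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            ObjectDN         = $_.DistinguishedName
        }
    }
}

# Usage (placeholder key ID):
# Get-BitLockerRecoveryFromAD -KeyIdPrefix '1A2B3C4D' | Format-List
# More than one object can match a prefix (re-escrows, a reimaged machine with the same
# name), so confirm Computer and Created against the machine in front of you, and treat
# a read-out password as burned: replace the protector after the user is back in.
```

Reading this attribute is a privileged action; audit access to it (or the equivalent MBAM portal) the same way you would audit a password reset, since whoever can read it can unlock the drive on any hardware.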