Sign in
 
HomeWindows 8Windows 7Windows VistaWindows XPMDOPWindows IntuneLibraryForums
Windows Client >
Manage bitlocker with AD or MBAM

回答済み Manage bitlocker with AD or MBAM

  • Sunday, November 18, 2012 11:39 AM
     
     
    Sign In to Vote
    0

    Hello,

    I would like to know, what is the best way to manage bitlocker.

    AD or MBAM?

    The difference between both (+ and - )

    Thx for you help.

     

All Replies

  • Sunday, November 18, 2012 5:55 PM
     
     Answered
    Sign In to Vote
    1

    Your question is kind of misguided I think or not posed correctly.

    MBAM is what actually allows you to save the recovery keys into AD. MBAM provides you with a client to install on all users machines, you then use Group Policy (A Group Policy template is provided with MBAM) to control the different settings for your environment such as what level of encryption to use, what kind of drives to encrypt and where to store the recovery keys.

    I personally prefer to save the recovery keys into AD. That way you can be sure the keys will not get removed by anybody. They are completely centrally managed. If you were to allow users to save the key to say their home drive, that key would then live out on a share somewhere and they would easily be able to delete it. Then you are in a bad position. If they file has been removed by the user, you cannot recover the drive if something happens.

    Or you could save to a different non-user share but again. If somebody deletes the files or maybe if the drive completely fails you are screwed. AD at least has the redundancy built in by replicating through your DC's and is completely centrally managed so your help desk or whoever is required to provide the recovery key can do so. Hope that helps

    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

    • Proposed As Answer by Rorymon Sunday, November 18, 2012 5:55 PM
    • Marked As Answer by Cephasim Sunday, November 18, 2012 9:58 PM
    •  
     
  • Sunday, November 18, 2012 9:58 PM
     
     
    Sign In to Vote
    0

    Sorry for my last question.

    Actually we hesitate to use MBAM to manage bitlocker. Is it possible to save the recovery key into AD and used MBAM Helpdesk Group  to recovery the key?

    I have to find advantage or no to use MBAM for my chiefs.

    What is the avantages to use MBAM ? Are they complementary or different?

    Why use MBAM if with the active D. we can do the same things?

     
  • Monday, November 19, 2012 6:57 PM
     
     
    Sign In to Vote
    0

    If you are not using MBAM, what method will you use to save the key into Active Directory?

    Have you tested both because I think you may be a little confused. It is by using the MBAM setup that gives you the option to store the recovery key in AD and grant Helpdesk Users to retrieve this...

    PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon

     
  • Monday, November 19, 2012 10:05 PM
     
     
    Sign In to Vote
    0

    If i have understood correctly, i can store recovery key into AD and use MBAM interface to help users who cannot unlock their computer (lost Pin, TPM reset,....).

    MBAM can go into AD to get recovery key?