Sunday, November 18, 2012 11:39 AM
I would like to know what is the best way to manage BitLocker.
AD or MBAM?
The difference between both (+ and -).
Thanks for your help.
Sunday, November 18, 2012 5:55 PM
Your question is kind of misguided, I think, or not posed correctly.
MBAM is what actually allows you to save the recovery keys into AD. MBAM provides you with a client to install on all users' machines; you then use Group Policy (a Group Policy template is provided with MBAM) to control the different settings for your environment, such as what level of encryption to use, what kind of drives to encrypt and where to store the recovery keys.
I personally prefer to save the recovery keys into AD. That way you can be sure the keys will not get removed by anybody. They are completely centrally managed. If you were to allow users to save the key to, say, their home drive, that key would then live out on a share somewhere and they would easily be able to delete it. Then you are in a bad position. If the file has been removed by the user, you cannot recover the drive if something happens.
Or you could save to a different, non-user share, but again, if somebody deletes the files, or maybe the drive completely fails, you are screwed. AD at least has the redundancy built in by replicating through your DCs and is completely centrally managed, so your help desk or whoever is required to provide the recovery key can do so. Hope that helps.
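As an added illustration of the two halves described in this answer (escrowing recovery passwords to AD and a help desk reading them back), here is example PowerShell that is not from the thread or from MBAM itself. It assumes the BitLocker and ActiveDirectory modules (Windows 8 / Server 2012 or later with RSAT), a domain-joined client, and Group Policy that allows BitLocker recovery information to be backed up to AD DS; the function names are my own.

```powershell
# Added example, not from the original thread. Assumes the BitLocker and
# ActiveDirectory modules and a GPO that permits AD DS backup of recovery info.

# --- Client side: make sure every recovery password protector is in AD ---
function Backup-RecoveryPasswordsToAD {
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            # No numerical recovery password exists yet; add one so it can be escrowed.
            Write-Warning "$($vol.MountPoint): no recovery password protector; adding one"
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                  Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }
        foreach ($p in $rp) {
            # Writes an msFVE-RecoveryInformation child object under this computer's AD account.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
        }
    }
}

# --- Help-desk side: look up the escrowed password for a computer ---
function Get-ADRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [string] $PasswordIdPrefix   # first characters of the Password ID shown on the recovery screen
    )
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects are children of the computer object; their name contains {PasswordID}.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        Where-Object { -not $PasswordIdPrefix -or $_.Name -like "*{$PasswordIdPrefix*" } |
        Select-Object Name, whenCreated, 'msFVE-RecoveryPassword'
}
```

The help-desk function only returns what the caller is already allowed to read, so delegating read access to the msFVE-RecoveryInformation objects (rather than to the whole computer object) is the part that decides who can see the keys.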
Sunday, November 18, 2012 9:58 PM
Sorry for my last question.
Actually, we hesitate to use MBAM to manage BitLocker. Is it possible to save the recovery key into AD and use the MBAM Helpdesk group to recover the key?
I have to find out, for my chiefs, whether or not there is an advantage to using MBAM.
What are the advantages of using MBAM? Are they complementary or different?
Why use MBAM if we can do the same things with Active Directory?
Monday, November 19, 2012 6:57 PM
If you are not using MBAM, what method will you use to save the key into Active Directory?
Have you tested both? Because I think you may be a little confused. It is the MBAM setup that gives you the option to store the recovery key in AD and to grant Helpdesk users the right to retrieve this...
Monday, November 19, 2012 10:05 PM
If I have understood correctly, I can store the recovery key in AD and use the MBAM interface to help users who cannot unlock their computer (lost PIN, TPM reset, ...).
Can MBAM go into AD to get the recovery key?