Bitlocker and password policy for laptops

    Question

  • Hi,

    Hope you are well. 

    We are a small start-up that has a highly distributed team.  I am exploring using Windows Intune to manage the team's devices.

    Two quick questions from me:

    1. Can I set a password policy for PC machines that are under Intune's management?
    2. Can I see which PC machines have enabled BitLocker?  We'd like to ensure that everyone has.  Bonus points if I can also manage the BitLocker recovery keys through Intune as well.

    Thanks in advance for the answers.

    Simon.

    Sunday, May 4, 2014, 3:54 PM

Answer

  • 1. No. That's what Active Directory and Group Policy typically do.

    2. No. That's where MBAM could come in though. By default, recovery keys are stored in AD and with MBAM they can also be stored in an encrypted SQL DB.


    Jason | http://blog.configmgrftw.com

    Sunday, May 4, 2014, 11:14 PM

All replies

  • Great, thanks Jason for the quick response.

    My follow-up questions are straying off Intune a wee bit, so I'd be happy to redirect them to another forum if better...

    We are Office 365 users and right now don't have a domain controller / any other IT infrastructure in place (we don't have an office, as everyone is working from home on company-supplied laptops).  In order to implement AD + group policies + MBAM as you outlined above, would you recommend setting up an Azure-hosted VM server to act as a domain controller for our company?  I am guessing that O365 already has an AD for my org and perhaps I can access that in some way?

    Cheers,

    Simon.

    Monday, May 5, 2014, 12:05 PM
  • That's become a very interesting question, Simon; that said, you might get a more detailed answer in the Azure forums. Here's one relevant thread from Jan 2013 that I just posted on asking for an update. There could well be better threads there; that's just the first I found.

    I guess it depends on your current rate of growth, but you might not need the domain at all.  Perhaps the easiest answer is just to implement a manual process for backing up BitLocker recovery keys (making sure to avoid common BIOS config mistakes), and then be sure to have a reliable online backup of each machine.

    I haven't heard of anyone having a cloud-only AD infrastructure.  AFAIK, you would need to have a local DC.  And of course, no one wants to have a domain with just one DC, so you would set up a second too.

    Your roaming clients would be joined to the domain (without having to be physically connected to your DC) using this method.

    If you really need Group Policy, the approach I would take would be

    (1) Set up domain, with second DC

    (2) DirSync to Office 365, clear up any glitches there, make sure all is smooth. Manage updates/endpoint protection with Intune

    (3) Set up DirectAccess

    (4) Offline domain join your workstations

    (5) Implement BitLocker group policies which store the recovery keys in AD, and the desired password policies

    (6) Since you will have purchased the Enterprise OS, you'll also have access to AppLocker, which I'd roll out at this point for protection against most malware.

    I wouldn't be an expert on this at all and I'd like to learn more.  If you get a more authoritative answer, please drop me a line to let me know.


    • Edited by Eoin Ryan on Tuesday, May 13, 2014, 1:20 PM
    Tuesday, May 13, 2014, 1:19 PM
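The two practical pieces of the thread, finding out which machines actually have BitLocker protection on (Simon's question 2) and escrowing recovery keys in AD once the domain and group policies from step (5) exist, can be checked from an admin workstation with the BitLocker PowerShell module. The script below is an added example and is not from the original thread or any of its posters. It assumes the targets run Windows 8 / Server 2012 or later (where the BitLocker module ships), that WinRM is enabled and the caller is a local administrator on each machine (workgroup machines additionally need TrustedHosts configured on the admin host), and that the host names and the export directory are placeholders. For domain-joined machines it backs the recovery password up to the computer object in AD; for machines without a domain it falls back to the manual escrow Eoin suggests by returning the recovery password to the admin host, which writes it to a directory that should be restricted to administrators.

```powershell
# Added example (not from the original thread): inventory BitLocker status across
# a set of laptops and escrow the OS volume's recovery password, either in AD
# (domain-joined) or to a restricted directory on the admin host (workgroup).
#Requires -RunAsAdministrator

$Computers  = @('LAPTOP-01', 'LAPTOP-02')   # hypothetical host names
$ExportPath = 'C:\Secure\BitLockerKeys'      # hypothetical; lock the ACL down to admins

$ScriptBlock = {
    $osDrive = $env:SystemDrive              # normally C:
    $vol     = Get-BitLockerVolume -MountPoint $osDrive

    # Backup-BitLockerKeyProtector writes to AD, so it only applies to domain members.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $result = [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MountPoint       = $osDrive
        ProtectionStatus = $vol.ProtectionStatus   # On / Off / Unknown
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        EncryptionMethod = $vol.EncryptionMethod
        RecoveryBackup   = 'NotAttempted'
        RecoveryPassword = $null                   # only populated for workgroup machines
    }

    if ($vol.ProtectionStatus -ne 'On') {
        # Not protected: report it so it shows up in the follow-up list, nothing to escrow.
        $result.RecoveryBackup = 'SkippedNotProtected'
        return $result
    }

    # Only numeric recovery password protectors can be escrowed; TPM protectors cannot.
    $recoveryProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recoveryProtectors) {
        # A TPM-only volume has no recovery password at all; add one so it can be backed up.
        Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
        $recoveryProtectors = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    if ($domainJoined) {
        # Escrow each recovery password in the computer's msFVE-RecoveryInformation objects.
        foreach ($kp in $recoveryProtectors) {
            Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        $result.RecoveryBackup = 'BackedUpToAD'
    } else {
        # Manual fallback (no domain): hand the password back to the admin host over WinRM.
        $result.RecoveryPassword = ($recoveryProtectors |
            ForEach-Object { "$($_.KeyProtectorId) $($_.RecoveryPassword)" }) -join '; '
        $result.RecoveryBackup = 'ReturnedForManualEscrow'
    }
    return $result
}

# Run the check on every machine; unreachable hosts produce an error but do not stop the run.
$report = Invoke-Command -ComputerName $Computers -ScriptBlock $ScriptBlock -ErrorAction Continue

# Machines that still need attention (question 2 of the thread).
$report | Where-Object { $_.ProtectionStatus -ne 'On' } |
    Format-Table ComputerName, ProtectionStatus, VolumeStatus -AutoSize

# Manual escrow for workgroup machines: one file per machine, written only on the admin host.
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
foreach ($r in ($report | Where-Object { $_.RecoveryPassword })) {
    "$($r.ComputerName) $($r.RecoveryPassword)" |
        Set-Content -Path (Join-Path $ExportPath "$($r.ComputerName).txt")
}

# Status inventory without the passwords, suitable for sharing or tracking over time.
$report |
    Select-Object ComputerName, ProtectionStatus, VolumeStatus, EncryptionMethod, RecoveryBackup |
    Export-Csv -Path (Join-Path $ExportPath 'bitlocker-status.csv') -NoTypeInformation
```

Two caveats worth keeping in mind. The CSV deliberately omits the recovery passwords, so it can be circulated; the per-machine text files are the sensitive part and belong wherever the "reliable online backup" from Eoin's post lives, not on a laptop. And once group policy from step (5) is in place with "Store BitLocker recovery information in AD DS" enabled, new recovery protectors are escrowed automatically, so the explicit Backup-BitLockerKeyProtector call is mainly for machines encrypted before the policy applied.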