BITLOCKER with TPM Only

    Question

  • Hello,

    We have been asked to prevent the booting of workstations (desktops specifically) when any external media is connected to the machine. We already have BitLocker drive encryption enabled in our estate and hence we decided to use the TPM only option (we do not want to enable the TPM with PIN option) so that the BIOS settings are validated before the OS boots up.

    1. We have enabled the TPM at BIOS level

    2. Initialized the TPM using tpm.msc (set the recovery PIN as well)

    Even after doing the above settings, upon connecting a pen drive to the machine and rebooting, the OS still loads. My intention is to prevent this!

    Please let me know if the TPM is capable of achieving the desired results as mentioned above, or whether there is any other feature in Windows 7 or a GPO to get this accomplished.

    Thanks in Advance!



    Sharath Attur Prakash|Microsoft Practices

    Thursday, December 12, 2013 11:53 AM

All replies

  • Hi,

    no, BitLocker cannot help here. I have never seen a BIOS option preventing the boot if an external media device is attached. You can prevent booting from those devices at the BIOS level.

    What is the background of your question? Why is this a requirement for you? Even if you could boot from a DVD or USB flash drive, you cannot access the encrypted disk.

    Regards,

    Lutz

    Friday, December 13, 2013 2:46 AM
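The reply above says a TPM-only protector validates the boot chain but does not stop the firmware from starting another OS from a USB stick. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits the TPM state and the BitLocker key protectors on the OS volume using the WMI classes that exist on Windows 7 (Win32_Tpm and Win32_EncryptableVolume), so an administrator can see exactly which protector type is in force. It must run elevated; the computer name and drive letter are assumptions.

```powershell
# Added example (not from the thread): audit the TPM and the BitLocker protectors on the
# OS volume with the WMI classes that exist on Windows 7 (PowerShell 2.0 compatible).
# Run elevated. The computer name and drive letter are assumptions.

function Get-BitLockerTpmAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # assumed target: local machine
        [string]$DriveLetter  = 'C:'                # assumed OS volume
    )

    # Names for the KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType
    $protectorNames = @{
        0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password (recovery)'
        4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
        7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CNG protector'
    }
    $protectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

    # TPM state: the same facts tpm.msc shows
    $tpm = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
    if (-not $tpm) { throw "No TPM visible to Windows on $ComputerName" }

    # The OS volume as seen by the BitLocker WMI provider
    $vol = Get-WmiObject -ComputerName $ComputerName `
        -Namespace 'root\cimv2\security\microsoftvolumeencryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "Volume $DriveLetter not found on $ComputerName" }

    # Enumerate every key protector (type 0 = all) and resolve its type name
    $protectors = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        $protectors += New-Object PSObject -Property @{
            Id   = $id
            Type = $protectorNames[[int]$type]
        }
    }

    $tpmTypes = 'TPM', 'TPM and PIN', 'TPM and startup key', 'TPM, PIN and startup key'
    $tpmBound = @($protectors | Where-Object { $tpmTypes -contains $_.Type }).Count -gt 0
    $tpmOnly  = @($protectors | Where-Object { $_.Type -eq 'TPM' }).Count -gt 0

    New-Object PSObject -Property @{
        ComputerName     = $ComputerName
        TpmEnabled       = $tpm.IsEnabled().IsEnabled
        TpmActivated     = $tpm.IsActivated().IsActivated
        TpmOwned         = $tpm.IsOwned().IsOwned
        Protection       = $protectionNames[[int]$vol.GetProtectionStatus().ProtectionStatus]
        EncryptedPercent = $vol.GetConversionStatus().EncryptionPercentage
        Protectors       = ($protectors | ForEach-Object { $_.Type }) -join ', '
        TpmBound         = $tpmBound
        # TPM-only: the volume key is unsealed silently at boot when the measured
        # boot chain matches; nobody is asked for anything and no boot device is refused.
        TpmOnly          = $tpmOnly
        # TPM+PIN or TPM+startup key: the user must supply something before Windows starts.
        RequiresUserInput = ($tpmBound -and -not $tpmOnly)
    }
}

Get-BitLockerTpmAudit | Format-List
```

A result of `Protectors : TPM, Numerical password (recovery)` with `TpmOnly : True` is exactly the configuration described in the question. What that protector enforces is that the volume key is only released when the measured boot components match; if the firmware is told to boot a USB stick instead, the measurement never happens, the foreign OS starts, and it simply cannot read the encrypted volume. Refusing to boot from USB at all is a firmware boot-order/boot-device setting, which this script cannot see or change. `manage-bde -status C:` gives the same protector list from the command line if you want a cross-check.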
  • Hello Lutz,

    Thanks for your inputs!

    We have had unauthorised access reported on our network. The hacker had loaded a different OS on one of the machines using an external drive. Hence we want to prevent this from happening.

    We cannot block the usage of external media as the users will need it for daily activities. We have prevented execution of any ".exe" files from external media using the GPO.

    Hope this helps!

    Thanks!


    Sharath Attur Prakash|Microsoft Practices

    Friday, December 13, 2013 7:58 AM
    Because your attacker could bring his own laptop or a tiny Raspberry Pi, you should better protect your network port, e.g. using 802.1X authentication (http://technet.microsoft.com/en-us/network/bb545365.aspx). 802.1X auth must be supported on the network switches. Not all devices can handle 802.1X authentication, so you can put them in a screened/locked-down VLAN.

    And of course double check the physical security of your company, who can get in and out of the building.

    Hope that helps,

    Lutz

    Friday, December 13, 2013 7:35 PM
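The last reply moves the control from the workstation to the network port: with 802.1X enforced on the switch, a foreign OS booted from USB (or a Raspberry Pi plugged into the wall socket) has no machine credential and lands in the quarantine VLAN. The switch and RADIUS side is outside this thread; the PowerShell below is an added example, not the thread's or Microsoft's own code, showing the workstation side on Windows 7: enabling the Wired AutoConfig client, importing a wired profile captured on a reference machine, and parsing `netsh lan show interfaces` so the authentication state can be collected across the estate. The interface name and profile path are assumptions, and the profile export step is assumed to have been run beforehand.

```powershell
# Added example (not part of the thread): enable the wired 802.1X supplicant on a
# Windows 7 workstation and report the port's authentication state (PowerShell 2.0 compatible).
# Run elevated. The interface name and profile path are assumptions; the switch port
# and the RADIUS/NPS backend must already be configured for 802.1X.

param(
    [string]$InterfaceName = 'Local Area Connection',    # assumed friendly name of the wired NIC
    [string]$ProfilePath   = 'C:\Deploy\wired-8021x.xml'  # assumed profile exported from a reference machine
)

# 1. The Wired AutoConfig service (dot3svc) is stopped and set to Manual by default;
#    without it running, the machine never answers the switch's EAP requests.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# 2. Import the wired profile. It is assumed to have been captured on a configured reference
#    machine with:  netsh lan export profile folder=C:\Deploy interface="Local Area Connection"
if (Test-Path $ProfilePath) {
    netsh lan add profile filename="$ProfilePath" interface="$InterfaceName"
} else {
    Write-Warning "Profile $ProfilePath not found; only the service was enabled."
}

# 3. Turn the text output of "netsh lan show interfaces" into objects, one per wired adapter,
#    so the State field can be collected and filtered centrally.
function Get-WiredAuthState {
    $lines   = netsh lan show interfaces
    $current = $null
    $result  = @()
    foreach ($line in $lines) {
        if ($line -match '^\s*Name\s*:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Name = $Matches[1].Trim(); State = $null }
            $result += $current
        }
        elseif ($current -ne $null -and $line -match '^\s*State\s*:\s*(.+)$') {
            $current.State = $Matches[1].Trim()
        }
    }
    $result
}

# Ports whose State still reads "Connected. Network does not support authentication."
# are switch ports on which 802.1X is not being enforced, i.e. the hole the attacker used.
Get-WiredAuthState | Format-Table -AutoSize
```

Run the audit part (`Get-WiredAuthState`) on its own after the switches are configured: any adapter still reporting "Network does not support authentication" marks a port where the policy has not taken effect, which is the state to hunt for rather than trusting that every switch was done.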