Windows 7: Deploying BitLocker on an enterprise environment?

14 Feb 2012   #1

Win7
 
 

Does anyone have any experience deploying BitLocker in an enterprise environment?
I've been doing some research, but wanted to hear from your past experience for any pros vs. cons. Things to be aware of, sample scripts to kick it off. Any advice will help.

This is on a Win 7 front end, with a mix of Server 2003, 2008, Exchange 2010.

Thanks.


17 Feb 2012   #2
NFX

Windows 7 Enterprise
 
 

The only thing I've run into since we deployed it 3 months ago - if you run it on machines that don't have TPM and need a USB start-up key, certain brands of USB flash drives will not work (I'm looking at you, Verbatim). Not sure if it's the manufacturer of the flash chips or the brand's software (Store 'n Go, in this case) that Bitlocker won't work with - but we've had no problems since switching to Kingston USB drives.
19 Feb 2012   #3

Windows Server 2008 R2
 
 

One other thing to be aware of, is that some enterprises want to have up-to-date information and control on which machines are encrypted, which portable drives are encrypted (if forcing Bitlocker to go on USB devices), allow help-desk or admin staff to be able to access and provide recovery keys in the event of someone forgetting their TPM PIN or of disk failure, and more targeted enforcement. To give Bitlocker real enterprise-grade manageability and address these issues (and more), you also want to think about adding MBAM as your management and key escrow (in addition to AD) location. However, as you can see, MBAM requires access to MDOP, access to which you may or may not have already acquired from Microsoft as part of your volume licensing agreement and software assurance. Bitlocker + MBAM is really powerful though (and scales to tens or even hundreds of thousands of endpoints quite well), so it is worth it.

Also, one other security caveat is that you generally want to force TPM + PIN (or at least USB key if a v1.2 TPM isn't available), as well as disabling hybrid sleep. Bitlocker only protects data at rest, so if the machine is sleeping (and not hibernated or off), the security keys used to unlock the volume that are stored in RAM can be brute-forced if given enough physical time with the machine in a powered-on (sleep) state as RAM is not cleared (for obvious reasons - it's sleep!). This is true of any volume or disk encryption software, but it still bears repeating as some admins forget about disabling hybrid sleep when they start encrypting volumes.
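The settings recommended in the post above (pre-boot authentication with TPM + PIN or a USB startup key, a recovery password to fall back on, hybrid sleep off), checked on one client as an added example that is not part of the original thread. It assumes an elevated PowerShell 2.0 session on Windows 7 and uses the built-in `Win32_EncryptableVolume` WMI class; the `Compliant` rule is this example's own definition, not a Microsoft one.

```powershell
# Added example, not from the thread. Run elevated on the Windows 7 client.
$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
         -Filter "DriveLetter='$env:SystemDrive'"
if (-not $vol) { throw "BitLocker WMI provider returned no volume for $env:SystemDrive" }

# KeyProtectorType values defined for Win32_EncryptableVolume.GetKeyProtectors
$typeNames = @{
    1 = 'TPM only';  2 = 'External (USB) key';  3 = 'Recovery password'
    4 = 'TPM+PIN';   5 = 'TPM+startup key';     6 = 'TPM+PIN+startup key'
}

# Collect every protector type that has at least one protector on the volume
$present = @()
foreach ($t in ($typeNames.Keys | Sort-Object)) {
    $r = $vol.GetKeyProtectors([uint32]$t)
    if ($r.ReturnValue -eq 0 -and $r.VolumeKeyProtectorID) { $present += $t }
}

$protectionOn   = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 1 = protection on
$fullyEncrypted = ($vol.GetConversionStatus().ConversionStatus -eq 1)   # 1 = fully encrypted
# Pre-boot authentication as recommended above: TPM+PIN, or a USB key where no TPM exists
$preBootAuth    = @($present | Where-Object { 2,4,5,6 -contains $_ }).Count -gt 0
$hasRecovery    = $present -contains 3

$report = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    Volume         = $vol.DriveLetter
    ProtectionOn   = $protectionOn
    FullyEncrypted = $fullyEncrypted
    Protectors     = ($present | ForEach-Object { $typeNames[$_] }) -join ', '
    PreBootAuth    = $preBootAuth
    RecoveryPwd    = $hasRecovery
    # Example rule (assumption): all four conditions must hold
    Compliant      = ($protectionOn -and $fullyEncrypted -and $preBootAuth -and $hasRecovery)
}
$report | Format-List

# This part changes configuration: turn hybrid sleep off on AC and battery
# for the active power plan, then re-apply the plan so the change takes effect.
powercfg -setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg -setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
powercfg -setactive SCHEME_CURRENT
```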


26 Dec 2013   #4

Windows 7 64 Bit Enterprise
 
 

I've gone through a couple of installations of BitLocker on a Windows 7 64-bit Enterprise OS.

I had to meet these criteria:
  • Ensure TPM is turned on in BIOS
  • Ensure your Network Domain computer account is made and active but don't log in to the network yet.
  • Must join your computer name to the network. After joining domain, restart computer.
  • Log in as Local Administrator on laptop, Control Panel, BitLocker, Turn on BitLocker
  • Save a recovery key on a network or external device, type in a startup key PIN that is universal to your organization
  • Run BitLocker system check (checkmark it)
  • Restart when told to restart
  • Log in as Local Administrator again, at desktop BitLocker will begin to encrypt automatically.

If you need to re-image the laptop hard drive because...
  • You're locked out of Windows 7, due to forgotten password... remember you can't crack the Windows password with a bootable CD like Knoppix because the partitions where your password is kept are encrypted.
  • You then need to re-image your hard drive, enter in your BitLocker recovery key.
  • Plug your hard drive into an eSATA reader hooked up to another computer with Windows 7 64-bit. Access Control Panel, Manage BitLocker, Turn off BitLocker, Decrypt drive.
  • Remove hard drive, put back into original laptop.
  • Create a new Windows 7 image or blow a new image from Norton Ghost onto the computer, or perform a new Windows 7 installation from the CD.

If you lost your BitLocker recovery key, you can still image over the encryption but all data will be lost, effectively destroying the encryption, correct me if I'm wrong please. Hope this helps someone.
30 Dec 2013   #5

Windows Server 2008 R2
 
 

1. Bitlocker encryption can be disabled, you do not need to decrypt the drive.
2. A Windows PE environment that matches the installed version of Windows (if built from real WinPE source, and not using something from non-MS sources) can mount and access bitlocker-encrypted volumes on boot. This allows password recovery tools to work (see MSDaRT as an example).

Getting locked-out of a bitlocker-encrypted drive does not require decryption or paving of the disk to regain access.