Deploying BitLocker on an enterprise environment?


  1. Posts : 11
    Win7
       #1

    Does anyone have any experience deploying BitLocker in an enterprise environment?
    I've been doing some research, but wanted to hear from your past experience about any pros vs. cons. Things to be aware of, sample scripts to kick it off. Any advice will help.

    This is on a Win 7 front end, with a mix of Server 2003/2008 and Exchange 2010.

    Thanks.


  2. NFX
    Posts : 1
    Windows 7 Enterprise
       #2

    The only thing I've run into since we deployed it 3 months ago: if you run it on machines that don't have a TPM and need a USB start-up key, certain brands of USB flash drives will not work (I'm looking at you, Verbatim). Not sure if it's the manufacturer of the flash chips or the brand's software (Store 'n Go, in this case) that BitLocker won't work with, but we've had no problems since switching to Kingston USB drives.


  3. Posts : 2,528
    Windows 10 Pro x64
       #3

    One other thing to be aware of is that some enterprises want to have up-to-date information and control on which machines are encrypted, which portable drives are encrypted (if forcing BitLocker to go on USB devices), allow help-desk or admin staff to be able to access and provide recovery keys in the event of someone forgetting their TPM PIN or of disk failure, and more targeted enforcement. To give BitLocker real enterprise-grade manageability and address these issues (and more), you also want to think about adding MBAM as your management and key escrow location (in addition to AD). However, as you can see, MBAM requires access to MDOP, which you may or may not have already acquired from Microsoft as part of your volume licensing agreement and software assurance. BitLocker + MBAM is really powerful though (and scales to tens or even hundreds of thousands of endpoints quite well), so it is worth it.

    Also, one other security caveat is that you generally want to force TPM + PIN (or at least a USB key if a v1.2 TPM isn't available), as well as disabling hybrid sleep. BitLocker only protects data at rest, so if the machine is sleeping (and not hibernated or off), the security keys used to unlock the volume that are stored in RAM can be brute-forced if given enough physical time with the machine in a powered-on (sleep) state, as RAM is not cleared (for obvious reasons - it's sleep! :)). This is true of any volume or disk encryption software, but it still bears repeating, as some admins forget about disabling hybrid sleep when they start encrypting volumes.
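A way to check a Windows 7 machine against the two points in the post above (TPM + PIN on the OS drive, hybrid sleep off), as an added example and not something posted in this thread. It wraps the manage-bde.exe and powercfg.exe tools that ship with Windows 7 (there are no BitLocker PowerShell cmdlets on Windows 7), parses their text output, and optionally turns hybrid sleep off when run with a `fix` argument. The script name, the output wording and the reliance on the `HYBRIDSLEEP` / `SUB_SLEEP` / `SCHEME_CURRENT` aliases that powercfg accepts are this example's own choices; run it from an elevated prompt.

```powershell
# Check-BitLockerPosture.ps1  (added example; PowerShell 2.0 compatible)
# Audits the OS drive for a TPM+PIN protector and a recovery password, and
# checks whether hybrid sleep is enabled on the active power plan.
# Usage:  .\Check-BitLockerPosture.ps1        -> report only
#         .\Check-BitLockerPosture.ps1 fix    -> also disable hybrid sleep

$osDrive = $env:SystemDrive          # normally "C:"
$mode = if ($args.Count -gt 0) { $args[0] } else { 'report' }

function Get-OsDriveProtectorTypes {
    # "manage-bde -protectors -get C:" prints one indented header line per
    # protector, e.g. "    TPM And PIN:" or "    Numerical Password:".
    $lines = & manage-bde.exe -protectors -get $osDrive 2>&1
    $types = @()
    foreach ($line in $lines) {
        if ($line -match '^\s+(TPM And PIN|TPM And Startup Key|TPM|Numerical Password|External Key|Password):?\s*$') {
            $types += $matches[1]
        }
    }
    return $types
}

function Get-HybridSleepAcIndex {
    # "powercfg /query ..." prints "Current AC Power Setting Index: 0x00000001"
    # (1 = hybrid sleep on, 0 = off) for the queried setting.
    $out = & powercfg.exe /query SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 2>&1
    foreach ($line in $out) {
        if ($line -match 'Current AC Power Setting Index:\s*0x([0-9A-Fa-f]+)') {
            return [Convert]::ToInt32($matches[1], 16)
        }
    }
    return $null                     # setting not readable: report as unknown
}

function Disable-HybridSleep {
    # Turn hybrid sleep off for the active plan on AC and battery, then
    # re-apply the plan so the change takes effect immediately.
    & powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0 | Out-Null
    & powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0 | Out-Null
    & powercfg.exe /setactive SCHEME_CURRENT | Out-Null
}

$findings = @()

$protectors = Get-OsDriveProtectorTypes
if ($protectors -notcontains 'TPM And PIN') {
    $findings += "$osDrive is not protected by TPM+PIN (protectors found: $($protectors -join ', '))"
}
if ($protectors -notcontains 'Numerical Password') {
    $findings += "$osDrive has no 48-digit recovery password, so there is nothing to escrow in AD or MBAM"
}

$hybrid = Get-HybridSleepAcIndex
if ($hybrid -eq $null) {
    $findings += "Could not read the hybrid sleep setting from powercfg"
} elseif ($hybrid -ne 0) {
    if ($mode -eq 'fix') {
        Disable-HybridSleep
        Write-Output "FIXED: hybrid sleep disabled on $env:COMPUTERNAME"
    } else {
        $findings += "Hybrid sleep is enabled on AC power; volume keys stay in RAM while the machine sleeps"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: $env:COMPUTERNAME"
    exit 0
}
foreach ($f in $findings) { Write-Output "NONCOMPLIANT: $env:COMPUTERNAME - $f" }
exit 1
```

The exit code (0 compliant, 1 otherwise) lets the script run as a logon or SCCM compliance item and roll the result up per machine; a reporting layer such as MBAM replaces this kind of ad hoc check once it is in place.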


  4. Posts : 1
    Windows 7 64 Bit Enterprise
       #4

    I've gone through a couple of installations of BitLocker on a Windows 7 64-bit Enterprise OS.

    I had to meet these criteria:
    • Ensure TPM is turned on in the BIOS.
    • Ensure your network domain computer account is made and active, but don't log in to the network yet.
    • Must join your computer name to the network. After joining the domain, restart the computer.
    • Log in as Local Administrator on the laptop: Control Panel, BitLocker, Turn on BitLocker.
    • Save a recovery key on a network or external device, and type in a startup key PIN that is universal to your organization.
    • Run the BitLocker system check (check-mark it).
    • Restart when told to restart.
    • Log in as Local Administrator again; at the desktop BitLocker will begin to encrypt automatically.


    If you need to re-image the laptop hard drive because...
    • You're locked out of Windows 7 due to a forgotten password... remember you can't crack the Windows password with a bootable CD like Knoppix because the partitions where your password is kept are encrypted.
    • You then need to re-image your hard drive; enter your BitLocker recovery key.
    • Plug your hard drive into an eSATA reader hooked up to another computer with Windows 7 64-bit. Access Control Panel, Manage BitLocker, Turn off BitLocker, Decrypt drive.
    • Remove the hard drive and put it back into the original laptop.
    • Create a new Windows 7 image, blow a new image from Norton Ghost onto the computer, or perform a new Windows 7 installation from the CD.


    If you lost your BitLocker recovery key, you can still image over the encryption, but all data will be lost, effectively destroying the encryption; correct me if I'm wrong please. Hope this helps someone.


  5. Posts : 2,528
    Windows 10 Pro x64
       #5

    1. BitLocker encryption can be disabled; you do not need to decrypt the drive.
    2. A Windows PE environment that matches the installed version of Windows (if built from real WinPE source, and not using something from non-MS sources) can mount and access BitLocker-encrypted volumes on boot. This allows password recovery tools to work (see MSDaRT as an example).

    Getting locked out of a BitLocker-encrypted drive does not require decryption or paving of the disk to regain access.
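The enable procedure in post #4 and the "disable, don't decrypt" point in post #5, scripted with the manage-bde.exe tool that ships with Windows 7; this is an added example, not code from anyone in this thread. It turns BitLocker on with a TPM + PIN protector and a 48-digit recovery password, backs that password up to Active Directory, and exposes the suspend/resume/decrypt maintenance actions as separate modes. It assumes the TPM is enabled in the BIOS, the machine is already domain-joined, and Group Policy already allows a startup PIN with the TPM and AD DS backup of recovery information (otherwise manage-bde refuses the protector or the `-adbackup` step); the script name and mode names are this example's own.

```powershell
# Deploy-BitLocker.ps1  (added example; PowerShell 2.0 compatible, run elevated)
# Usage:  .\Deploy-BitLocker.ps1 enable   -> encrypt OS drive, escrow recovery password to AD
#         .\Deploy-BitLocker.ps1 suspend  -> clear-key the drive for re-imaging / firmware updates
#         .\Deploy-BitLocker.ps1 resume   -> re-arm the protectors after maintenance
#         .\Deploy-BitLocker.ps1 decrypt  -> fully remove BitLocker (slow; rarely needed)

$drive = $env:SystemDrive                  # normally "C:"
$action = if ($args.Count -gt 0) { $args[0] } else { 'enable' }

function Invoke-ManageBde {
    # Run manage-bde with the given argument list and fail loudly on a non-zero exit code,
    # so a half-finished enablement is never reported as success.
    param([string[]]$ArgList)
    $out = & manage-bde.exe $ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed with code $LASTEXITCODE`n$($out -join "`n")"
    }
    return $out
}

function Get-RecoveryPasswordId {
    # The numerical (48-digit) password protector is the one AD stores; -adbackup needs its {GUID}.
    $out = Invoke-ManageBde @('-protectors', '-get', $drive, '-type', 'RecoveryPassword')
    foreach ($line in $out) {
        if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { return $matches[1] }
    }
    throw "No recovery password protector found on $drive"
}

switch ($action) {
    'enable' {
        # Step 1: encrypt with TPM+PIN plus a recovery password. On Windows 7 manage-bde
        # prompts for the PIN interactively, and because -SkipHardwareTest is NOT given it
        # schedules the BitLocker system check and asks for a restart, after which encryption
        # starts in the background (matching the checklist in post #4).
        Invoke-ManageBde @('-on', $drive, '-RecoveryPassword', '-TPMAndPIN') | Out-Null

        # Step 2: escrow the recovery password in AD DS under the computer object.
        $id = Get-RecoveryPasswordId
        Invoke-ManageBde @('-protectors', '-adbackup', $drive, '-id', $id) | Out-Null
        Write-Output "BitLocker enabled on $drive; recovery password $id backed up to AD. Restart to run the system check."
    }
    'suspend' {
        # Post #5, point 1: protectors are disabled (the volume key is stored in the clear),
        # nothing is decrypted, and the drive stays encrypted on disk.
        Invoke-ManageBde @('-protectors', '-disable', $drive) | Out-Null
        Write-Output "Protection suspended on $drive; run 'resume' when maintenance is done."
    }
    'resume' {
        Invoke-ManageBde @('-protectors', '-enable', $drive) | Out-Null
        Write-Output "Protection resumed on $drive."
    }
    'decrypt' {
        # Only when the drive must genuinely leave BitLocker; this rewrites every sector.
        Invoke-ManageBde @('-off', $drive) | Out-Null
        Write-Output "Decryption started on $drive; watch progress with: manage-bde -status $drive"
    }
    default { throw "usage: Deploy-BitLocker.ps1 enable|suspend|resume|decrypt" }
}
```

The `suspend` mode is what you want before re-imaging, BIOS/firmware updates or boot-configuration changes: the TPM would otherwise see changed measurements and drop into recovery, and a suspended drive is unlockable without a key until `resume` is run, so keep that window short.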


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.