FriendlyIT asked:

Bitlocker Step by Step guide

Hi,

Can anyone point me in the direction of a good Bitlocker rollout guide?

We are a Server 2012 domain with mainly Windows 7 clients (and a handful of Windows 8) and mainly TPM hardware (but a few that aren't).

We want to use Bitlocker solely for drive encryption on client devices that are going out of the building and running Direct Access.

We have manually encrypted a few and stored the keys but we want to do this automatically and I am really struggling to find some good documentation about the process.  There seem to be a lot of pages on the Microsoft site, but a lot of the advice seems to be conflicting so I am really looking for a good step-by-step guide about how to roll Bitlocker out across the domain and automatically store the encryption keys in Active Directory.

I found this:-

https://www.microsoft.com/en-us/download/details.aspx?id=13432

However, it seems to be quite dated (talks about Windows Longhorn) and so I am not convinced it is particularly current.

I have also found these sections:-

https://technet.microsoft.com/en-us/library/hh831713.aspx (seems to only apply to Windows 8 and not Windows 7)

https://technet.microsoft.com/en-us/library/dd875547(v=ws.10).aspx (seems to only apply to Server 2008 and not Server 2012)

Can anyone point me in the direction of any more relevant documentation than this?

Surely I can't be the only person trying to do this with Windows 7 and Server 2012?

Any pointers or clearer documentation would be appreciated!


Jon
jcimarron

FriendlyIT--
You seem to be using Win 7.  Bit Locker is available only for Windows 7 Ultimate or 7 Enterprise (and higher versions of Windows (like Win 8.1)).
Here is a tutorial for Bit Locker, but it will only be useful if you are running these versions of Win7.
http://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/
McKnife
This solution is only available to members.
FriendlyIT (ASKER)

Thanks for the responses everyone.  So we are going to manually encrypt the drives when we image them, but need to store the decryption data in AD automatically.  We want things to automatically get written to AD when we encrypt the system drive on these devices.  This is the step that I am not clear on.

jcimarron - yes we are using Windows 7 Enterprise - as I mentioned, we have already encrypted some manually which we wouldn't have been able to do if we didn't have a compatible OS.
Thanks for the link but it largely tells me the bit I already know about.

mcknife - thanks for all the questions back - I think we know a lot of this already, but I will have a look down the list.  Are you asking me to give you answers to all of these?  I am not clear on how we get access to MBAM as our environment is IaaS - any guidance?

btan - thanks for flagging that as the most relevant link I posted, however, I still can't see where the information about setting up the AD stuff I mentioned at the top is?
This solution is only available to members.
We do not use SCCM so that isn't relevant.

I'm still trying to understand if we qualify for MBAM or not?  We have SA on the desktops.  Servers are all VMs in an IaaS environment.  In other words we only have control from the OS up.  They look after the licensing at a server level as it is on their hardware platform.
This solution is only available to members.
Thanks.  Does look like we have access to MDOP.  I think there is enough information here to be getting on with and I'll open a new question if anything particular crops up that we get stuck with.
btan

Thanks for sharing.

So after posting another question about this - here is the step-by-step guide we ended up with:-

https://www.experts-exchange.com/questions/28831039/How-to-store-bitlocker-recovery-information-in-AD-DS.html?anchorAnswerId=41276084#a41276084

This is the full working solution.