mrnine exx asked:
Enterprise-level password-free encryption solution

Hi
I need an encryption solution for my company, and we need some password-free encryption for our users. I found a great article about the perfect solution for our problem in this https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html article. I was wondering, do we need the MBAM tool to manage the encryption process if we follow the process described in the article, or do we need third-party software for that? Can we restrict users from getting access to the public key as well? Thanks in advance for your help.
SOLUTION
McKnife
mrnine exx (ASKER):
Thank you for your reply. Currently we are planning to encrypt our laptops and removable devices. Our laptops have a TPM built in. If we want to encrypt our removable drives with a SID protector and restrict users from accessing the public key for that encrypted drive, is it possible? The thing is, we just don't want to give our users access to any unlocking options.
SOLUTION
How do we restrict them from accessing the public key when they are accessing the device on domain computers? I noticed that when the device is unlocked on domain computers, users can simply right-click on the device and print or copy the public key from there. Also, do we need MBAM to implement it smoothly at enterprise level? Or how else could we manage everything centrally? And is there any way to assign a SID protector for a device which is not part of the domain for some reason, and give those devices access to the encrypted drive? Thanks a lot for your help.
SOLUTION
Can you please point me to how I can use external key files instead of recovery keys? I followed all the steps from your article; in which step should I make the change to add external key files? Thanks.
Also, I would be grateful if you could point me to any documentation for SID protectors for BitLocker, as I couldn't find anything useful in my search. Thanks a lot for your help.
SOLUTION
I get this:

Volume F: [WOW]
[Data Volume]
Key Protectors Added:

ERROR: There was an error while trying to save the key to disk.

when I run 'manage-bde -on f: -used -sk \\server\SecuredShare\ -sid "DOMAIN\domain users"'
What should I say... make sure you know what you are writing to.
-> Did you create a share?
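The error above comes from the key file not being writable to the share. As an added example (not code from the thread or its author), this PowerShell script checks that the share is reachable and writable before running the same manage-bde command, then lists the resulting protectors; the UNC path and group name are placeholders taken from the thread.

```powershell
# Added example, not from the thread. Assumed placeholder values from the thread:
param(
    [string]$Volume    = 'F:',
    [string]$KeyShare  = '\\server\SecuredShare\',
    [string]$Principal = 'DOMAIN\domain users'
)

# 1. The "error while trying to save the key to disk" seen in the thread is what
#    manage-bde reports when the key share does not exist or cannot be written.
#    Verify reachability and write access with a throw-away probe file first.
if (-not (Test-Path -LiteralPath $KeyShare)) {
    throw "Key share $KeyShare is not reachable. Create and share it before enabling BitLocker."
}
$probe = Join-Path $KeyShare ("probe-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
    Remove-Item -LiteralPath $probe -ErrorAction Stop
} catch {
    throw "Key share $KeyShare is not writable by this account: $($_.Exception.Message)"
}

# 2. Enable BitLocker exactly as in the thread: used-space-only encryption, the
#    external key file saved to the share, and a SID protector for the group.
& manage-bde.exe -on $Volume -used -sk $KeyShare -sid $Principal
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde failed with exit code $LASTEXITCODE"
}

# 3. Confirm both protectors (External Key and SID) are present on the volume.
#    The .BEK file on the share is the administrator's unlock path
#    (manage-bde -unlock <volume> -rk <path>), so the share's NTFS and share
#    permissions should grant access only to the administrators who recover drives.
& manage-bde.exe -protectors -get $Volume
```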
Sorry for asking the dumb question. It worked. I was wondering, since no public key is being used, how exactly can an admin recover the drives?
ASKER CERTIFIED SOLUTION
SOLUTION
Thanks a lot. That's very helpful.
Fine.

So is this answered, then?
Yes. One last question: is it possible to add multiple domains while encrypting a drive?
You mean, add SID-protectors for users of multiple domains? That should be possible, but I haven't tried yet.

However, the SID-protector will need to be written to the device while connected to the respective domain, so you would connect the stick to a member PC of domain-A to write a SID-protector domain-A\someuser and connect it to another PC that is a member of domain-B to write the SID-protector domain-B\someotheruser.
Yes, that's what I want. So I have to write the SID on both the A and B domains? Is there any way to replicate the SID of domain A to B so I don't have to plug the device into PCs of both domains to add the SID?
SOLUTION
Thanks a lot for your help.