BitLocker planning questions


Max Coder

Apr 30, 2024, 2:55:30 PM
to ntsysadmin
Hi,

I have been tasked with implementing BitLocker on our machine fleet (about 4000+ laptops). Has anyone undertaken this before? I am pretty clueless about how to go about this and am honestly pretty confused about how BitLocker/TPM works. Just looking for any kind of game plan to work with. I figured we should get all our BIOS settings in order first so that we can make sure TPM is enabled with the correct options, and then start testing a BitLocker deployment in SCCM. I have tried encrypting some drives and then swapping them into a different machine, but have had differing results.

Also, we are not using Intune; we have already synced AD objects via AAD Connect. We are not using a Task Sequence for OS deployment.


My questions are:

1 - Our AD domain controllers are running on hosts without TPM chips installed. Will this affect our configuration when we set up AD to store recovery keys?
2 - Do we need to go to each DC server and add the "BitLocker Drive Encryption" feature?
3 - After adding the feature to the DCs, the DC servers will not be encrypted, correct?
4 - What do you recommend as the encryption method? AES-256 or XTS-AES 128-bit?
5 - Is there any negative impact on SSD drives?
6 - Encrypting only used space negates a lot of the benefit of BitLocker, unless you can guarantee that it'll only be used on brand new, blank drives.
    I will use full encryption. Correct?

7 - The GPO will not start encryption, correct?

8 - There is a policy called "Allow network unlock at startup". What's this? I am using 802.1X in our company environment. I don't have any WDS/DHCP machine. Is it necessary to activate this setting?

9 - What happens during the disk encryption process? Users may sleep/hibernate their machine instead of shutting it down.

10 - Is there any automatic rotation for the BitLocker recovery key? This automatic rotation will refresh only the recovery password which was used to unlock during BitLocker recovery. Correct?
11 - AFAIK, AD will store multiple keys in a big list under the BitLocker Recovery tab for the computer object. Now, there's one recovery key on the list. If I back up the recovery key every day, will this list swell, or is it overwritten because it is the same recovery key?

12 - If the computer has a pending reboot, will it have a negative impact?


thanks,

Michael B. Smith

Apr 30, 2024, 2:59:22 PM
to ntsys...@googlegroups.com

Talk about a question being all black and white!

(Or is it just me and other people see words here?)

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/3e793243-4d47-4e97-ad47-9d9250fb0bb8n%40googlegroups.com.

Mike Leone

Apr 30, 2024, 3:01:48 PM
to ntsys...@googlegroups.com
I see words .... specifically: (Max Coder's full question, re-pasted here as plain text; it is identical to the original post above)

(it looks fine in my Gmail, but copy/paste was all black. So I just did it to a text file, then copied from there)




--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Heaton, Joseph@Wildlife

Apr 30, 2024, 3:36:55 PM
to ntsys...@googlegroups.com

I only see redaction here, same as you.

Kurt Buff

Apr 30, 2024, 4:19:10 PM
to ntsys...@googlegroups.com
That's weird.

It displays just fine in gmail.

Kurt

Henry Awad

Apr 30, 2024, 4:19:50 PM
to ntsys...@googlegroups.com
You might want to start reading this deployment guide first, then ask any questions that this article didn't answer.

I would recommend storing the BitLocker passwords in Configuration Manager (MECM aka SCCM) in order to encrypt them.

The project will require a bit of legwork in order to figure out which devices can be encrypted, as well as enabling (if not enabled by default) and configuring the TPM chip. A lot of that can be done through MECM, which can get you reports on device readiness. I would also recommend updating the computer BIOS and firmware before enabling BitLocker to avoid any issues. If you use mainly one or two manufacturers for your hardware then it could be doable, since they usually have tools to do so, or you can do it using MECM (but I don't know how easy it is as I haven't done it).

You should definitely use full disk encryption, since the overhead is only the first time you enable it, as it has to encrypt all the existing data. After that, there's no impact on drive performance.

I would also recommend reading any information from your antivirus/anti-malware vendor for any exclusions that you might have to put in place if you're not using Windows Defender.

Hope this answers your questions.

Glen Johnson

Apr 30, 2024, 4:25:00 PM
to ntsys...@googlegroups.com
Fine in Outlook on Android.

Ken Dibble

May 1, 2024, 11:15:10 AM
to ntsys...@googlegroups.com
In Eudora everything appears redacted, but when I selected (highlighted) the text I was able to read it as white text against a blue background.

Ken Dibble
Conklin NY



Brian Illner

May 1, 2024, 11:15:56 AM
to ntsys...@googlegroups.com

It's there. Not sure what happened, but if you switch to or forward as plain text, you can read his questions.

BRIAN ILLNER
Senior Systems Administrator
864.250.9227 Office
864.679.2537 Fax
Canal Insurance Company
101 N. Main Street, Suite 400
Greenville, SC 29601

Logsdon, Eric

May 1, 2024, 11:15:59 AM
to ntsys...@googlegroups.com

Not just you. Must be top secret redacted.

--
Eric Logsdon
Product Manager
Cooperative Technologies, Inc.
(404) 315-4450 x110
ELog...@CooperativeTechnologies.com
http://CooperativeTechnologies.com
Mike Leone

May 1, 2024, 11:49:34 AM
to ntsys...@googlegroups.com
On Wed, May 1, 2024 at 11:15 AM Ken Dibble <krdi...@stny.rr.com> wrote:
In Eudora everything appears redacted, but when I selected (highlighted) the text I was able to read it as white text against a blue background.

Eudora email! I haven't heard of that in a long time. I used to use that, back in the day. Along with Pegasus email, when we were still using Novell Networks ...

Good times ...

Ken Dibble

May 2, 2024, 7:54:28 AM
to ntsys...@googlegroups.com
I've used Eudora consistently throughout my professional and personal life. There are options to upgrade it to use modern TLS encryption. It doesn't handle UTF-8 or Unicode character sets, and the result is the odd characters that you'll see here and there in the text below. It uses the mshtml.dll in Windows to display HTML, with considerable success, though it's not perfect.

Qualcomm released the source code to the public domain several years ago, and there is now an effort to modernize that code and release it on a shareware basis as a product called "Hermes Aurora". It's currently in alpha testing, and I can report that the UTF-8 and Unicode issues have largely been corrected. The plan is eventually to add an independent HTML engine, freeing it from the MS dll, but that will have to wait a while. A Mac version is also under development.

The development and testing process is very slow, owing to limited donated financial support. But Eudora's search features are still the best of any email client anywhere, and it's worth supporting.

(Note, I'm not part of the development project and am not formally participating in testing, but I have donated to the project.)

Ken Dibble
Conklin NY



Markus Klocker

May 6, 2024, 1:33:06 AM
to ntsys...@googlegroups.com
Hardest in our case:
- make the client BitLocker compatible (BIOS ... most are).
- make sure no hardware encryption is used (or has that one been fixed yet?)
- store the recovery key somewhere safe (AD, Entra ID...)
- make sure the recovery key gets to the laptop user if it is needed
- make sure WinRE is fixed or disabled
- think about a complex startup PIN (this can bite you in automation though)

most important: testing :)

hth
    Markus
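Putting Henry Awad's readiness/MECM advice and Markus Klocker's checklist (TPM, no hardware encryption, AD escrow, WinRE, startup PIN) together, here is an added example in PowerShell of what the per-machine side of that plan looks like. It also covers questions 4, 6, 7, 10 and 12 from the original post: full-disk software XTS-AES-256, a numerical recovery password escrowed to AD DS, the fact that policy alone never starts encryption (something has to call Enable-BitLocker), a manual recovery-password rotation, and the one restart the TPM hardware test needs. This is not code from the thread, from Microsoft or from any product; the function names are my own. It assumes a domain-joined Windows 10/11 machine run elevated, the built-in BitLocker and TrustedPlatformModule modules, a GPO that turns on backing up OS-drive recovery information to AD DS, and, for the last function only, the RSAT ActiveDirectory module on the admin workstation it is run from.

```powershell
# Added example, not code from the thread. Assumptions are those stated in the lead-in;
# every function name below is mine. Run on a pilot machine before any fleet rollout.
#Requires -RunAsAdministrator

function Test-BitLockerReadiness {
    # One object per machine: the facts a readiness report needs before policy is pushed.
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    # reagentc prints a line "Windows RE status: Enabled|Disabled"; recovery must still
    # work once the OS drive is encrypted, so a disabled WinRE is a finding, not a detail.
    $winRe = [bool]((reagentc /info) -match 'Windows RE status:\s+Enabled')
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady           # $false: fix firmware settings/ownership first
        FirmwareType      = $env:firmware_type      # 'UEFI' or 'Legacy'
        WinReEnabled      = $winRe
        VolumeStatus      = $os.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        EncryptionMethod  = $os.EncryptionMethod    # 'Hardware' = the self-encrypting drive holds the key, not BitLocker
        ProtectionStatus  = $os.ProtectionStatus    # Off until the protectors are enforced
        KeyProtectorTypes = ($os.KeyProtector.KeyProtectorType -join ',')
    }
}

function Enable-OsDriveBitLocker {
    # Full-disk, software XTS-AES-256, TPM (or TPM+PIN) protector, numerical recovery
    # password escrowed to AD DS. The GPO sets the rules; this call is what starts encryption.
    param([securestring]$Pin)
    $mount = $env:SystemDrive
    $r = Test-BitLockerReadiness
    if (-not ($r.TpmPresent -and $r.TpmReady)) { throw "TPM not present/ready on $($r.ComputerName)" }
    if ($r.EncryptionMethod -eq 'Hardware')    { throw "Drive is in self-encrypting-drive mode; decrypt and re-encrypt in software" }
    if ($r.VolumeStatus -ne 'FullyDecrypted')  { Write-Warning "Volume is already $($r.VolumeStatus); nothing to do"; return }

    # Recovery password first, so the escrow exists before the drive can ever be locked.
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId

    # No -UsedSpaceOnly => full encryption. Without -SkipHardwareTest, BitLocker runs a
    # hardware test at the next restart and only then starts encrypting, so one reboot is
    # required either way; a reboot that is already pending just brings that forward.
    if ($Pin) {
        Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $Pin
    } else {
        Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -TpmProtector
    }
}

function Update-BitLockerRecoveryPassword {
    # Manual rotation: add a fresh numerical password, escrow it, then remove the old
    # ones from the volume. Each new password becomes its own msFVE-RecoveryInformation
    # object under the computer account; removing a protector locally does not delete its
    # AD object, so the list in the "BitLocker Recovery" tab grows by one per rotation.
    $mount = $env:SystemDrive
    $old = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old.KeyProtectorId
    }
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $new.KeyProtectorId
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
    }
    $new.KeyProtectorId
}

function Get-EscrowedRecoveryPassword {
    # Admin-workstation check of what AD actually holds for a computer (RSAT needed).
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn `
                 -Properties whenCreated, 'msFVE-RecoveryPassword' |
        Sort-Object whenCreated |
        Select-Object whenCreated, Name, 'msFVE-RecoveryPassword'
}

# Typical pilot run on one laptop, then restart it:
# Test-BitLockerReadiness | Format-List
# Enable-OsDriveBitLocker            # or: Enable-OsDriveBitLocker -Pin (Read-Host -AsSecureString 'Startup PIN')
# Restart-Computer
```

Run Test-BitLockerReadiness across a pilot group first (via Invoke-Command or as a Configuration Manager script) and fix the TPM, firmware, WinRE or SED-mode findings before calling Enable-OsDriveBitLocker. After the restart the conversion runs in the background and is resumable, so a sleep, hibernate or shutdown in the middle only pauses it. Verify the escrow from the admin side with Get-EscrowedRecoveryPassword before you let any machine leave the building, because a recovery password that never reached AD is the failure you cannot fix later.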