Windows Vista/7 - Ultimate and Enterprise
Windows 8/8.1 and Server 2008 or later - Professional and Enterprise (on the server editions BitLocker is installed as a feature)
BitLocker uses AES (128- or 256-bit keys) and can be run in a FIPS 140-2 compliant configuration.
Now, having recently gone through this in my own company, I can say it was MUCH less painful than I ever thought it could have been. First off, make sure your forest schema is at least at the Windows Server 2008 level, which already contains the BitLocker and TPM recovery attributes. If you are still on a 2003 schema you will need to extend it with the BitLocker/TPM schema extensions. I did not have to, so you'd need to Google-Fu the procedure for doing that.
Now one of the first things I did was go here:
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
I used the Add-TPMSelfWriteACE.vbs script to add the access control entry that lets each computer (the SELF principal) write its own TPM owner information (ms-TPM-OwnerInformation) to its computer object in AD. It changes the ACL at the domain level, so run it as a domain admin.
- Download and review Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133) from the download page.
- Modify Add-TPMSelfWriteACE.vbs as appropriate for your environment.
- Type the following at a command prompt, and then press ENTER:
  cscript Add-TPMSelfWriteACE.vbs
Then I created the GPO that requires the recovery key to be stored in AD. The settings live under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > "Choose how BitLocker-protected operating system drives can be recovered": enable it and tick "Save BitLocker recovery information to AD DS for operating system drives" and "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives". The matching TPM setting, which the ACE script above exists for, is System > Trusted Platform Module Services > "Turn on TPM backup to Active Directory Domain Services". Note that the "Do not enable BitLocker until..." option means encryption will refuse to start on a laptop that cannot reach a domain controller at that moment.
Now, quite honestly, once those were done I took a test laptop and enabled the TPM in the BIOS. I enabled BitLocker and let it run the hardware check. It rebooted once, came back up, and proceeded to encrypt the drive, which took about 6 hours for a 500 GB drive.
Once complete, I verified the recovery key was stored in AD under the computer object.
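The same enable-and-escrow flow as a script, so it can be repeated on more than one laptop and checked from the AD side. This is an added example, not the post's own method (the post used the BitLocker control panel and Active Directory Users and Computers). It assumes Windows 8 / Server 2012 or later, where the BitLocker and TrustedPlatformModule PowerShell modules exist, RSAT with the ActiveDirectory module on the admin workstation, and that the GPO above already applies to the computer. The two function names and their parameters are this example's own.

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (BitLocker and TrustedPlatformModule modules), RSAT ActiveDirectory module on the
# admin box, and the "save recovery information to AD DS" GPO already applied.
# Function names and parameters are this example's own.

function Enable-BitLockerWithAdEscrow {
    # Run elevated on the client being encrypted.
    param([string]$MountPoint = 'C:')

    # 1. The TPM has to be present and ready (enabled/activated in firmware) before a
    #    TPM protector can be added; fail early instead of ending up with no TPM binding.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not ready on $env:COMPUTERNAME (Present=$($tpm.TpmPresent), Ready=$($tpm.TpmReady))"
    }

    # 2. Create the 48-digit recovery password protector first. With the "do not enable
    #    BitLocker until recovery information is stored" policy, a recovery password must
    #    exist when encryption is turned on.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # 3. Escrow it to the computer object now. The GPO does this on enable, but an explicit
    #    backup also covers volumes encrypted before the GPO applied or while the laptop
    #    was off the corporate network (same as "manage-bde -protectors -adbackup C: -id {ID}").
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # 4. Seal the volume to the TPM and start encrypting. -SkipHardwareTest avoids the
    #    test reboot the post describes; -UsedSpaceOnly is much faster on a freshly imaged
    #    drive, omit it for a full-disk pass.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 `
        -UsedSpaceOnly -SkipHardwareTest

    # Return the recovery password ID so it can be matched against AD.
    return $rp.KeyProtectorId
}

function Test-BitLockerKeyEscrow {
    # Run on an admin workstation by an account allowed to read msFVE-RecoveryPassword
    # (domain admins by default; delegate that attribute for helpdesk, never to users).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$KeyProtectorId     # optional: the ID returned by the function above
    )
    Import-Module ActiveDirectory

    # Recovery information is stored as msFVE-RecoveryInformation child objects of the
    # computer account; each object's CN is "<whenCreated>{<recovery password ID>}".
    $computerDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $escrowed = Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'

    if (-not $escrowed) { throw "No BitLocker recovery information under $computerDn" }

    if ($KeyProtectorId) {
        $id = $KeyProtectorId -replace '[{}]', ''
        $escrowed = $escrowed | Where-Object { $_.Name -like "*$id*" }
        if (-not $escrowed) { throw "Escrowed objects exist but none match protector $KeyProtectorId" }
    }

    # Do not echo the password itself into logs; report only that it is present and when.
    $escrowed | ForEach-Object {
        [pscustomobject]@{
            Computer    = $ComputerName
            Object      = $_.Name
            Escrowed    = $_.whenCreated
            HasPassword = -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword')
        }
    }
}

# Usage:
#   $id = Enable-BitLockerWithAdEscrow -MountPoint 'C:'                    # on the laptop
#   Test-BitLockerKeyEscrow -ComputerName 'LAPTOP01' -KeyProtectorId $id   # from an admin box
```

Two practical notes. The "BitLocker Recovery" tab in Active Directory Users and Computers only appears once the BitLocker Recovery Password Viewer RSAT feature is installed, which is why a script-based check like the one above is handy on a bare admin box. And Windows 7 has no BitLocker PowerShell module; there the same sequence is manage-bde -protectors -add C: -recoverypassword, manage-bde -protectors -adbackup C: -id {ID}, then manage-bde -on C:.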
Boom, done. I didn't really notice any performance hit after the encryption process completed; however, admittedly this is not my main machine, so I need to use it for a while to better gauge that.