We use BitLocker here at our ORG and it is pretty easy to implement.  
Definitely look into MDOP to get MBAM to help your HDesk get the key or you can 
simply use AD to hold the key for you.  If you do decide to use BitLocker, 
keep in mind the following steps.


1)      Use a solution provided by your OEM to automate the BIOS steps needed.  
Dell and HP have this currently but Panasonic does not.
        Set a BIOS Password
        Turn on TPM
        Activate TPM

2)      OWN TPM

3)      Turn on BitLocker

Good to go.

If your OEM for your workstations does not have a solution to change BIOS 
parameters then Step 1 in the above example requires the technician or someone 
else to manually access the BIOS and set these manually which becomes a 
question of risk vs reward.
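
Steps 2 and 3 of the list above as a script, with the recovery key escrowed to AD before encryption starts; this is an added example, not part of the original message. It assumes Windows 8 / Server 2012 or later (where the TrustedPlatformModule and BitLocker PowerShell modules exist), an elevated session on a domain-joined machine, Group Policy that permits AD backup of recovery information, and that step 1 was already done in the BIOS.

```powershell
# Added example: own the TPM, escrow the recovery key to AD, then turn on BitLocker.
# Run elevated. Any failure stops the script before the disk is encrypted.
$ErrorActionPreference = 'Stop'
$drive = $env:SystemDrive

# Step 1 is firmware work (BIOS password, TPM on, TPM activated); only verify it here.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'No TPM visible to Windows: turn it on and activate it in the BIOS first.'
}

# Step 2: take ownership (provision) if the TPM is not ready yet.
if (-not $tpm.TpmReady) {
    $init = Initialize-Tpm
    if (-not $init.TpmReady) {
        throw ("TPM not ready. Restart required: {0}; physical presence required: {1}" -f
            $init.RestartRequired, $init.PhysicalPresenceRequired)
    }
}

# Step 3: skip machines that are already encrypted or mid-encryption.
$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Output "$drive is already $($vol.VolumeStatus); nothing to do."
    return
}

# Create the recovery password first. The cmdlet echoes the password on the
# warning stream, so silence it to keep the key out of deployment logs.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector `
    -WarningAction SilentlyContinue | Out-Null

# Escrow the recovery password in AD. If the backup is refused, the script
# stops here and no data has been encrypted with an unrecoverable key.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $drive `
    -KeyProtectorId $recovery.KeyProtectorId | Out-Null

# Bind the volume key to the TPM and start encryption. By default a hardware
# test runs first, so encryption begins after the next restart.
Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -TpmProtector `
    -WarningAction SilentlyContinue | Out-Null

# Report the resulting state for the deployment log (no key material included).
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

On Windows 7, which lacks these cmdlets, the same sequence is done with `manage-bde` (`-tpm -takeownership`, `-protectors -add`, `-protectors -adbackup`, `-on`).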


From: Linkey, Mike
Sent: Tuesday, June 18, 2013 7:55 AM
Subject: [mssms] RE: Disk Encryption

We do exactly that.  We use BitLocker and MBAM 2.0.  If a user messes up their 
PC, the Help Desk can get the key for them.

From: Kevin Johnston
Sent: Monday, June 17, 2013 9:32 PM
Subject: [mssms] RE: Disk Encryption

Actually we do have SA. It just took them this long to realize that they need 
to encrypt data. We currently use WDS/MDT to do our images.
I never understood why they went with Win 7 Pro and not Enterprise on the 
machines (done before my time). Mistakes made by the past affect the future, 
right :)

But if going to Ent is a possible solution (only currently encrypting laptops) 
then they may still decide to do that.

I figured BitLocker would be a suggestion, I just don't know how reliable and 
manageable it is. Also it is possible we will be going to Win 8 at some point 
too (I don't make any decisions, I don't wear a suit).


From: Jason Sandys
Sent: Monday, June 17, 2013 9:37 PM
Subject: [mssms] RE: Disk Encryption

Good luck with that. The only full-disk encryption that plays well with OSD and 
MDT is ... surprise, BitLocker - which of course your org cannot use because 
(being blunt here) your org was too cheap to actually buy SA and is now ending 
up paying even more in the long run because it saved them money in the short 
run. Sorry, more of a rant not directed at you personally, just to short-sighted 
(worthless) MBAs.

J

From: Kevin Johnston
Sent: Monday, June 17, 2013 4:36 PM
Subject: [mssms] Disk Encryption

Was wondering if anyone deploys disk encryption along with their deployments?

We are looking into this, and just getting a feel for some of the players. 
Needs to be manageable and I would like to see something that is easy to 
deploy, maybe something that allows us to encrypt after an image (I guess kinda 
like BitLocker) but I am not sure how powerful it is. Our machines are solely 
Windows 7 Pro x64 machines.

Anyone have any recommendations or suggestions?

Thanks,

Kevin Johnston
