Is my plan for Bitlocker deployment missing anything?Moving BitLocker startup key from flash memory to USB key?Windows Active Directory Bitlocker deploymentHow to enable BitLocker with no prompts to the end userBitLocker - No TPM & No Flash DriveBitLocker Group Policy RequirementsCan I recover a bitlocker encrypted drive offline?Bitlocker on Hyper-V serverBitlocker not auto-unlocking C: drive on server 2008 R2Checking which PCR triggered for BitLocker recoveryCannot save BitLocker keys to ADDS for certain machines
Can compressed videos be decoded back to their uncompresed original format?
Where would I need my direct neural interface to be implanted?
How obscure is the use of 令 in 令和?
Finitely generated matrix groups whose eigenvalues are all algebraic
Avoiding the "not like other girls" trope?
How do conventional missiles fly?
Why didn't Boeing produce its own regional jet?
Sums of two squares in arithmetic progressions
Is it a bad idea to plug the other end of ESD strap to wall ground?
What is a Samsaran Word™?
Pact of Blade Warlock with Dancing Blade
How seriously should I take size and weight limits of hand luggage?
Forgetting the musical notes while performing in concert
Does the Idaho Potato Commission associate potato skins with healthy eating?
How dangerous is XSS
Obtaining database information and values in extended properties
Implication of namely
How to travel to Japan while expressing milk?
What are the G forces leaving Earth orbit?
Why was the shrink from 8″ made only to 5.25″ and not smaller (4″ or less)
Notepad++ delete until colon for every line with replace all
How can a day be of 24 hours?
Knowledge-based authentication using Domain-driven Design in C#
Why were 5.25" floppy drives cheaper than 8"?
Is my plan for Bitlocker deployment missing anything?
Moving BitLocker startup key from flash memory to USB key?Windows Active Directory Bitlocker deploymentHow to enable BitLocker with no prompts to the end userBitLocker - No TPM & No Flash DriveBitLocker Group Policy RequirementsCan I recover a bitlocker encrypted drive offline?Bitlocker on Hyper-V serverBitlocker not auto-unlocking C: drive on server 2008 R2Checking which PCR triggered for BitLocker recoveryCannot save BitLocker keys to ADDS for certain machines
1.) Confirm that TPM is activated in the BIOS of all workstations.
- All of these workstations are using Windows 10 Pro, which I believe automatically activates the TPM chip when the OS is installed right? I read that here https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-orga...
2.) Create GPO for Bitlocker settings and apply it to test OU
- I created a GPO that sets the drive encryption method and cipher strength (AES 256-bits) and makes AD store the recovery password as an attribute of the Computer object.
3.) Apply GPO to my test OU made up of three Windows 10 test machines I've set up.
- From my understanding so far, the GPO only contains the settings that should be applied once Bitlocker is enabled right? It doesn't enable Bitlocker encryption itself, so I can push a Powershell script to the three test machines and enable the encryption.
4.) Confirm that Bitlocker has been enabled on the test machines and that the keys are being stored properly in AD
5.) Continue deployment to live workstations in small groups to make it easy to troubleshoot problems.
This is the plan I've drawn up so far. I'm interested to know if I'm overlooking anything major? The goal is to have Bitlocker full drive encryption deployed to our workstations and store the recovery keys in AD. I also intend for this to be as no-touch as possible by using the GPOs and powershell scripts pushed by a remote management agent.
windows active-directory bitlocker
New contributor
add a comment |
1.) Confirm that TPM is activated in the BIOS of all workstations.
- All of these workstations are using Windows 10 Pro, which I believe automatically activates the TPM chip when the OS is installed right? I read that here https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-orga...
2.) Create GPO for Bitlocker settings and apply it to test OU
- I created a GPO that sets the drive encryption method and cipher strength (AES 256-bits) and makes AD store the recovery password as an attribute of the Computer object.
3.) Apply GPO to my test OU made up of three Windows 10 test machines I've set up.
- From my understanding so far, the GPO only contains the settings that should be applied once Bitlocker is enabled right? It doesn't enable Bitlocker encryption itself, so I can push a Powershell script to the three test machines and enable the encryption.
4.) Confirm that Bitlocker has been enabled on the test machines and that the keys are being stored properly in AD
5.) Continue deployment to live workstations in small groups to make it easy to troubleshoot problems.
This is the plan I've drawn up so far. I'm interested to know if I'm overlooking anything major? The goal is to have Bitlocker full drive encryption deployed to our workstations and store the recovery keys in AD. I also intend for this to be as no-touch as possible by using the GPOs and powershell scripts pushed by a remote management agent.
windows active-directory bitlocker
New contributor
add a comment |
1.) Confirm that TPM is activated in the BIOS of all workstations.
- All of these workstations are using Windows 10 Pro, which I believe automatically activates the TPM chip when the OS is installed right? I read that here https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-orga...
2.) Create GPO for Bitlocker settings and apply it to test OU
- I created a GPO that sets the drive encryption method and cipher strength (AES 256-bits) and makes AD store the recovery password as an attribute of the Computer object.
3.) Apply GPO to my test OU made up of three Windows 10 test machines I've set up.
- From my understanding so far, the GPO only contains the settings that should be applied once Bitlocker is enabled right? It doesn't enable Bitlocker encryption itself, so I can push a Powershell script to the three test machines and enable the encryption.
4.) Confirm that Bitlocker has been enabled on the test machines and that the keys are being stored properly in AD
5.) Continue deployment to live workstations in small groups to make it easy to troubleshoot problems.
This is the plan I've drawn up so far. I'm interested to know if I'm overlooking anything major? The goal is to have Bitlocker full drive encryption deployed to our workstations and store the recovery keys in AD. I also intend for this to be as no-touch as possible by using the GPOs and powershell scripts pushed by a remote management agent.
windows active-directory bitlocker
New contributor
1.) Confirm that TPM is activated in the BIOS of all workstations.
- All of these workstations are using Windows 10 Pro, which I believe automatically activates the TPM chip when the OS is installed right? I read that here https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-orga...
2.) Create GPO for Bitlocker settings and apply it to test OU
- I created a GPO that sets the drive encryption method and cipher strength (AES 256-bits) and makes AD store the recovery password as an attribute of the Computer object.
3.) Apply GPO to my test OU made up of three Windows 10 test machines I've set up.
- From my understanding so far, the GPO only contains the settings that should be applied once Bitlocker is enabled right? It doesn't enable Bitlocker encryption itself, so I can push a Powershell script to the three test machines and enable the encryption.
4.) Confirm that Bitlocker has been enabled on the test machines and that the keys are being stored properly in AD
5.) Continue deployment to live workstations in small groups to make it easy to troubleshoot problems.
This is the plan I've drawn up so far. I'm interested to know if I'm overlooking anything major? The goal is to have Bitlocker full drive encryption deployed to our workstations and store the recovery keys in AD. I also intend for this to be as no-touch as possible by using the GPOs and powershell scripts pushed by a remote management agent.
windows active-directory bitlocker
windows active-directory bitlocker
New contributor
New contributor
New contributor
asked yesterday
destinyunbound3destinyunbound3
91
91
New contributor
New contributor
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
destinyunbound3 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960874%2fis-my-plan-for-bitlocker-deployment-missing-anything%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
destinyunbound3 is a new contributor. Be nice, and check out our Code of Conduct.
destinyunbound3 is a new contributor. Be nice, and check out our Code of Conduct.
destinyunbound3 is a new contributor. Be nice, and check out our Code of Conduct.
destinyunbound3 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f960874%2fis-my-plan-for-bitlocker-deployment-missing-anything%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown