Well, the first few have to go out by Friday, so I'll revisit the thread in a few months and report back on how long they last.
Some interesting info comparing the pros and cons of EFS vs BitLocker here...
Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker | TechRepublic
That 1.5GB partition is only the little 100MB hidden one in 7, so I'm not too worried about that.
Indeed, very glad we have Campus license here
Would be ideal to use BitLocker To Go to secure any transfers, but our desktops are all XP so that might still be an issue there. Won't be for much longer though, as I'm planning to move them to 7 in the next year or so. In the meantime a couple of encrypted USB sticks from Integral or suchlike will probably suffice to ease my paranoia, along with this GPO...
Last edited by gshaw; 7th February 2011 at 05:00 PM.
By the way, if you turn on BitLocker before joining a computer to your domain, you may want to read the following article to ensure the recovery keys get stored in AD...

"The 100 MB system partition is used primarily as the BitLocker partition for BitLocker encryption. Additionally, it also holds the Windows Recovery Environment (WinRE) and boot files with the boot manager for booting up the computer for troubleshooting when there is no Windows 7 installation DVD on hand." (Source)
Thanks for the link, another one saved to the Bookmark list!
I'm in two minds about whether to join these machines to the domain, as they'll never be connected to it. I guess for the first-time sync of policies (e.g. BitLocker and maybe USB device restriction) it could be handy, but apart from that I'm not sure if there's any benefit?
I've recently enabled BitLocker on some of our staff laptops. I thought this could only be enabled on machines that have a TPM? I attempted enabling it on non-TPM laptops and didn't get anywhere with it.
What I found while going through the BitLocker setup wizard is that it creates the necessary partitioning and information required. We're not currently implementing storing the recovery information in AD, so I simply stored the recovery key to a file on a protected network share.
I'd be interested to know if you get anywhere enabling it without the need for a TPM.
We have added ours to the domain so they do get a policy. It was necessary for us to allow control over turning proxy settings on/off (the default for our workstations is that settings are locked) and to add a logon information box after the Ctrl+Alt+Del screen to inform them of how to log on locally.
Last edited by DannyG555; 10th February 2011 at 11:15 AM.
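The two questions in this exchange (can BitLocker be turned on without a TPM, and how do you make sure the recovery password actually ends up in AD rather than only in a file on a share) can both be checked from a script. The following is an added example, not code from anyone in this thread: it reports whether a TPM is present, checks the registry values the BitLocker (FVE) policy template writes when "Allow BitLocker without a compatible TPM" is enabled, then lists the drive's numerical-password protectors and pushes each one into Active Directory with manage-bde. It assumes Windows 7 with manage-bde.exe and PowerShell 2.0 or later, an elevated prompt, the English manage-bde output layout, and a domain-joined machine for the AD step; the value names under the FVE policy key and the share path for the file fallback are assumptions to confirm against your own templates and environment.

```powershell
# Added example, not part of the original thread.
# Assumes: Windows 7, manage-bde.exe, PowerShell 2.0+, run as Administrator.
$Drive     = 'C:'
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where the BitLocker ADMX writes its values
$FallbackShare = '\\FILESERVER\BitLockerKeys$'           # placeholder: a share locked down to IT staff only

function Test-TpmPresent {
    # Win32_Tpm is only instantiated when a TPM exists; no object means no TPM.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy key or value has never been written.
    $item = Get-ItemProperty -Path $FvePolicy -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Get-RecoveryPasswordIds([string]$Drive) {
    # Scrape "manage-bde -protectors -get" for the IDs of Numerical Password
    # protectors. Assumes the English Windows 7 output layout.
    $ids = @()
    $inNumerical = $false
    foreach ($line in (& manage-bde -protectors -get $Drive)) {
        if ($line -match 'Numerical Password:') { $inNumerical = $true; continue }
        if ($inNumerical -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
            $ids += $matches[1]
            $inNumerical = $false
        }
    }
    return ,$ids
}

# 1. TPM check and the "no TPM" policy values (UseAdvancedStartup=1 and
#    EnableBDEWithNoTPM=1 are what the FVE template writes for that setting).
if (Test-TpmPresent) {
    Write-Host 'TPM present, enabled and activated.'
} else {
    Write-Host 'No usable TPM found.'
    if ((Get-PolicyValue 'UseAdvancedStartup') -ne 1 -or (Get-PolicyValue 'EnableBDEWithNoTPM') -ne 1) {
        Write-Warning 'Policy does not allow BitLocker without a TPM; the wizard will refuse to continue.'
    } else {
        Write-Host 'Policy allows BitLocker without a TPM (startup key on USB will be required).'
    }
}

# 2. Make sure the drive has a recovery password protector, creating one if needed.
$ids = @(Get-RecoveryPasswordIds $Drive)
if ($ids.Count -eq 0) {
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    $ids = @(Get-RecoveryPasswordIds $Drive)
}

# 3. Escrow each recovery password in AD (msFVE-RecoveryInformation under the
#    computer object). Fails on a machine that is not domain-joined or where the
#    computer account lacks the BitLocker schema/permissions, so check the exit code.
$escrowed = 0
foreach ($id in $ids) {
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -eq 0) { $escrowed++ } else { Write-Warning "AD backup failed for protector $id" }
}

# 4. Fallback for machines that will never see the domain: keep the recovery
#    information on a tightly ACL'd share. Weaker than AD escrow (the file is a
#    bearer credential for the whole disk), so only use it where AD is not an option.
if ($escrowed -lt $ids.Count -and (Test-Path $FallbackShare)) {
    $outFile = Join-Path $FallbackShare ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmm'))
    & manage-bde -protectors -get $Drive | Out-File -FilePath $outFile -Encoding ASCII
    Write-Host "Recovery information written to $outFile"
}
Write-Host ("{0} of {1} recovery password(s) escrowed in AD." -f $escrowed, $ids.Count)
```

Run it once after the wizard finishes (or from a post-install task) and the final line tells you whether the machine's recovery information is actually recoverable from AD; a count of 0 on a machine you believe is domain-joined usually means the policy that turns on AD backup was never applied, which is the situation the article above warns about.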
Thanks guys. I think having to use a USB key to get their laptop booted is going to cause more issues for us than it's worth! Had a teacher the other day that didn't know what a USB key was lol. I didn't think it was possible not to, but there you go.
You might want to go and take a look on my blog. I've just finished a three-post series on how we deploy Windows 7 with BitLocker on all our staff laptops. Works a dream. We use SCCM to manage the process, but in case you don't have it (and you should get it, by the way!!), you can do all the same stuff with MDT as well. I will be posting an app up too shortly for changing PIN codes, which normally needs you to be an Admin user.