Microsoft BitLocker: our five tips
Tip one: make sure you have all the ingredients for a proper BitLocker deployment
Microsoft BitLocker doesn’t manage itself, so you’ll need to have the right support. Subscribing to the Microsoft Desktop Optimization Pack (MDOP) is a no-brainer, because it includes Microsoft BitLocker Administration and Monitoring (MBAM). MBAM is an essential solution for managing BitLocker deployments: it ties BitLocker use to individual users and their roles.
Microsoft BitLocker doesn’t include an automated self-service portal for password resets – and the manual reset method itself introduces a security risk. The ideal deployment relies on a SQL Server instance to store the BitLocker recovery keys – but it’s not the easiest route. WinMagic’s encryption management solutions dramatically reduce the cost of password resets, with multiple password reset and recovery options available right at pre-boot.
Tip three: be prepared for TPM chip resets
The ultimate failsafe for forgotten BitLocker passwords is to reset a user’s TPM chip, and IT pros should familiarize themselves with the process for a TPM reset.
Beyond password concerns, TPM chips can sometimes lock out, or the recovery information used in conjunction with the chip can become corrupted. In certain cases, this renders the machine inaccessible. Resetting a TPM chip obviously means either accessing the end-user’s machine or removing the user from the TPM and re-adding them (or both). SecureDoc doesn’t require a TPM, but it will use one if it’s available, so you can automate the TPM provisioning process.
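The two failure modes above (a locked-out TPM, and recovery data that is missing or corrupted) are both cheaper to catch before a user is stranded at the recovery screen. The following PowerShell is an added example, not code from the original post or from WinMagic or Microsoft: it reports TPM lockout state and makes sure each BitLocker volume has a numeric recovery password that is escrowed to the computer object in AD DS (the escrow target a SQL-backed MBAM or an AD-based deployment would rely on). It assumes an elevated session on a domain-joined Windows client and that the OS volume is `$env:SystemDrive`.

```powershell
# Added example (not from the original post, WinMagic or Microsoft):
# audit TPM health and recovery-password escrow so a TPM lockout or
# corrupted recovery data does not leave a machine unrecoverable.
# Assumes an elevated session on a domain-joined client.

function Get-TpmHealth {
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut      # true means the chip is in lockout
        LockoutCount = $tpm.LockoutCount   # failed-auth count so far
        LockoutMax   = $tpm.LockoutMax     # threshold that triggers lockout
    }
}

function Test-BitLockerRecoveryEscrow {
    param([string]$MountPoint = $env:SystemDrive)   # assumption: OS volume

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

    if ($recovery.Count -eq 0) {
        # No numeric recovery password at all: a TPM lockout or corrupted
        # recovery data would leave this volume with no way back in.
        Write-Warning "$MountPoint has no RecoveryPassword protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }

    # Escrow every recovery password to the computer object in AD DS so the
    # help desk can retrieve it without touching the end user's machine.
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }

    [pscustomobject]@{
        MountPoint         = $MountPoint
        ProtectionStatus   = $vol.ProtectionStatus   # 'On' is the healthy state
        RecoveryProtectors = $recovery.Count
    }
}

Get-TpmHealth
Test-BitLockerRecoveryEscrow
```

A `LockedOut` of true or a `ProtectionStatus` other than `On` is the condition to alert on; the escrow step only succeeds if the computer can reach a domain controller, so run it while on the corporate network.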
Tip four: hire an expert to help install and configure MBAM
Many IT pros bemoan the lack of support material for MBAM installation. Microsoft TechNet provides online documentation for the brave-at-heart and the seasoned administrator, but step-by-step instructions are hard to find.
Deploying MBAM and enabling BitLocker management is not easy. For that reason, it is highly recommended that companies hire a third-party consultant to manage the deployment and the needed configuration of MBAM. SecureDoc enables simplified deployment and management, with a dedicated support team of encryption experts at the ready.
Tip five: brush up on your full Microsoft Windows IT Pro skill set
Deploying Microsoft BitLocker requires a significant understanding of a machine’s hardware and its specific configuration, plus a better-than-basic comprehension of a mix of Microsoft products, including SQL Server, SCCM (System Center Configuration Manager), AD (Active Directory), GPOs (Group Policy Objects) and IIS (Internet Information Services). Since each of these components aids or complements MBAM, each is a possible point of failure.
An appropriately deployed and managed FDE solution is not free. It requires learning new IT skills, considering software and hardware requirements for a given FDE approach, and deploying new processes to address the end-user impact. Most IT pros say they wish they’d known about the challenges and hidden costs ahead of the BitLocker deployment process.
Microsoft BitLocker and WinMagic – better together
WinMagic’s encryption management solution, SecureDoc Enterprise Server (SES), greatly reduces the cost and hassle of managing BitLocker. With SES, organizations can take advantage of the native OS encryption provided by BitLocker while gaining increased security through improved authentication and boosting ROI. WinMagic’s solutions also manage other encryption methods, such as those provided by other OS environments and emerging hardware-based approaches like self-encrypting drives and the TPM. And, as more enterprises move to the cloud, the single-pane-of-glass management console of WinMagic’s SecureDoc Enterprise Server will simplify encryption management across the board.