Sacred Cow
Aug 13, 2007


Caf posted:

If you're licensed for it, take a look at MBAM (https://docs.microsoft.com/en-us/mi...n-pack/mbam-v25).

It requires an agent but allows you to easily manage encryption for secondary or removable drives.

edit - Misread the requirement. You can enforce the encryption type but not force the fixed drive to encrypt. Yeah, you need MBAM to enforce any kind of encryption compliance. I use it in my environment and it's nice to have if only to show our legal/compliance team that yes, all laptops are encrypted. If you have an EA/SA or use Windows Enterprise editions then you are licensed for MBAM. All of MDOP used to be its own license but they wrapped it all up into the Enterprise OS licensing.


wolrah
May 8, 2006
what?


MF_James posted:

We threw in the towel attempting to encrypt secondary drives via bitlocker and just use stuff like this: https://www.amazon.com/Apricorn-Har...CS9WXKN65KC23QB

Bitlocker works great for drives that are permanent/semi-permanent, but once you have drives that are extremely mobile it becomes a pain.

This was about a year ago maybe a little longer that we tried it, things might have gotten better, I'm not sure.

A lot of my customers use these, they seem pretty nice.

Of course half of the things have the PIN on a label attached to the device.

The Fool
Oct 16, 2003



Sacred Cow posted:

edit - Misread the requirement. You can enforce the encryption type but not force the fixed drive to encrypt. Yeah, you need MBAM to enforce any kind of encryption compliance. I use it in my environment and it's nice to have if only to show our legal/compliance team that yes, all laptops are encrypted. If you have an EA/SA or use Windows Enterprise editions then you are licensed for MBAM. All of MDOP used to be its own license but they wrapped it all up into the Enterprise OS licensing.

Last I looked you needed an SQL server to throw MBAM on too.

Sacred Cow
Aug 13, 2007


The Fool posted:

Last I looked you needed an SQL server to throw MBAM on too.

If you have SCCM in your environment (which sounds like the case for peak debt) you can just throw it on the same SQL server. MBAM is covered in your System Center SQL license. If you're not integrating with SCCM, then yes you will need a SQL server.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles



BitLocker To Go does all the work for you. Non-encrypted drives lock as read-only and you have to encrypt them to make them writable, enforceable with GPOs. The iffy part in my experience is encrypting non-boot fixed data drives.

peak debt
Mar 10, 2001
b& :(

Nap Ghost

We already have third-party encrypted USB drives (Kingston DT4000s) so this is specifically only for fixed drives. I'll have a look at MBAM, thanks!

lol internet.
Sep 4, 2007
the internet makes you stupid

peak debt posted:

I'm trying to set up Bitlocker encryption in our domain.

So far we have encrypted all our OS drives straight out of the SCCM task sequence where everything is working exactly as it should. All computers are getting encrypted and the recovery keys are making their way into AD as they should.

But now I have gotten the task to make sure that all secondary drives (d:\ etc) are also encrypted. I tried looking at group policy to do this, and here is where my questions start. Am I right in that there is in fact no "encrypt this drive" GPO? I found lots of GPOs that set how an encryption is supposed to happen but none that actually trigger it.

If so, is it the usual procedure to just use a PowerShell script or something similar to actually trigger the encryption myself?

As things look, how I am planning to do this is to use a script like the following:
code:
# Stage the recovery password protector first so it can be escrowed in AD.
Add-BitLockerKeyProtector -MountPoint "D:" -RecoveryPasswordProtector

# Back up the (only) key protector on D: to Active Directory.
$x = Get-BitLockerVolume -MountPoint "D:"
Backup-BitLockerKeyProtector -MountPoint "D:" -KeyProtectorId $x.KeyProtector[0].KeyProtectorId

# $somerandom20letterstring is assumed to hold a generated 20-character password.
$pw = ConvertTo-SecureString -String $somerandom20letterstring -AsPlainText -Force

# -PasswordProtector is a switch; the SecureString itself goes in -Password.
Enable-BitLocker -MountPoint "D:" -PasswordProtector -Password $pw

# Let the (already encrypted) OS drive unlock D: automatically at boot.
Enable-BitLockerAutoUnlock -MountPoint "D:"
This _should_ work, but I am absolutely not sure if that's best practice since I've never done anything like this.

Windows 10 actually enables BitLocker by default if you have a GPO to store the keys in AD.

I actually have a task sequence command to add a registry key so it doesn't enable by default. When I was looking into enabling BitLocker I could have sworn a GPO covers the extra drives.

lol internet. fucked around with this message at Jul 4, 2018 around 17:56
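The quoted script handles one drive by hand. The following is an added example (not from the thread or any poster) of the same procedure generalised to every fixed data volume and made safe to re-run from a scheduled task or SCCM package: it enables BitLocker only where needed, escrows the recovery password in AD, and uses auto-unlock instead of a password protector. It assumes an elevated session on Windows 10 / Server 2012 R2 or later, an OS drive that is already encrypted, and that the encryption method and AD backup requirement come from Group Policy.

```powershell
# Added example: idempotent BitLocker enforcement for fixed data volumes.
# Assumes: elevated session, OS drive already encrypted (auto-unlock depends
# on it), encryption method and AD DS backup policy set by GPO.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Only lettered, fixed (non-removable) data volumes; removable media is
# BitLocker To Go's job and volumes mounted by GUID path are skipped.
$targets = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.MountPoint -match '^[A-Z]:$' } |
    Where-Object {
        (Get-Volume -DriveLetter $_.MountPoint.TrimEnd(':')).DriveType -eq 'Fixed'
    }

foreach ($vol in $targets) {
    $mp = $vol.MountPoint

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Enable-BitLocker needs at least one protector; a recovery password is
        # the only protector AD DS can escrow, so it is the one created here.
        Write-Output "$mp is not encrypted; enabling BitLocker"
        Enable-BitLocker -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    }

    # Re-read state, then back up every recovery password protector to AD.
    # Backup-BitLockerKeyProtector is harmless to repeat on escrowed keys.
    $vol = Get-BitLockerVolume -MountPoint $mp
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    # Auto-unlock stores an external key on the encrypted OS volume, so no
    # password protector (and no password to lose) is needed on the data drive.
    if (-not $vol.AutoUnlockEnabled) {
        Enable-BitLockerAutoUnlock -MountPoint $mp | Out-Null
    }
}

# Compliance view: the per-drive state a legal/audit team asks for.
Get-BitLockerVolume |
    Where-Object { $_.MountPoint -in @($targets.MountPoint) } |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, AutoUnlockEnabled |
    Format-Table -AutoSize
```

ProtectionStatus stays Off until encryption finishes, so a drive reported as EncryptionInProgress is expected on the first run and should show On on the next.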

The Fool
Oct 16, 2003



lol internet. posted:

Windows 10 actually enables BitLocker by default if you have a GPO to store the keys in AD.

This hasn't been my experience, do you have a link?

lol internet.
Sep 4, 2007
the internet makes you stupid

The Fool posted:

This hasn't been my experience, do you have a link?

https://docs.microsoft.com/en-us/wi...file-encryption

My OSD task sequence adds this registry key step; otherwise BitLocker was enabled when I logged in. I had to dig a bit to find out what was going on. My image is 1709 if that matters.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Value: PreventDeviceEncryption equal to True (1)

Type: REG_DWORD



Off topic, but is there any way to have users automatically log in to the Windows Store? There doesn't appear to be a GPO for it.

lol internet. fucked around with this message at Jul 5, 2018 around 08:41

Caf
May 21, 2004

I'm King James! The Lion King!

lol internet. posted:

https://docs.microsoft.com/en-us/wi...file-encryption

My OSD task sequence adds this registry key step; otherwise BitLocker was enabled when I logged in. I had to dig a bit to find out what was going on. My image is 1709 if that matters.

Subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker

Value: PreventDeviceEncryption equal to True (1)

Type: REG_DWORD



Off topic, but is there any way to have users automatically log in to the Windows Store? There doesn't appear to be a GPO for it.

I have never seen that happen before on any computer and we definitely enforce the recovery backup to AD in group policy.

RE: Your Windows Store question - I don't think that's possible unless your login is a Microsoft account, in which case it should happen automatically. If you're using domain accounts then that's why Windows Store for Business exists.

Caf fucked around with this message at Jul 6, 2018 around 17:47

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern


Ultra Carp

Not sure if this is a thread for here, the VM thread, or some unknown third option but does anyone know what stopping a VM inside Azure does? I get that you can power off the machine and de-allocate resources, but does it initiate a graceful shutdown first? Or am I better off shutting down the VM from within the OS, and then stopping it? This has been surprisingly hard to google.


The Fool
Oct 16, 2003



snackcakes posted:

Not sure if this is a thread for here, the VM thread, or some unknown third option but does anyone know what stopping a VM inside Azure does? I get that you can power off the machine and de-allocate resources, but does it initiate a graceful shutdown first? Or am I better off shutting down the VM from within the OS, and then stopping it? This has been surprisingly hard to google.

I believe I read that it attempts a graceful shutdown and will force it to stop after a timeout. However I'm not able to find any source for this and could easily be wrong.

E: https://azure.microsoft.com/en-us/b...ul-shutdowns-2/ describes a shutdown request with a 5-minute timeout. Should also apply to Windows VMs.

The Fool fucked around with this message at Jul 14, 2018 around 16:48
