Questions on File and Disk Encryption
-
Hi,
At the end of the show you implemented a GPO that pushed the Network Unlock feature to the clients, including the self-signed certificate for authentication with the WDS server.
What about the clients? Will all the clients that have BitLocker enabled copy the BitLocker recovery keys from the thumb drive to the WDS server? What about clients that have no BitLocker encryption in place? I guess I would create an additional GPO to tell all my servers to encrypt all the drives, and they would use the WDS as recovery key storage due to the policy you created in the show.
At 56:10 you mention "Windows Server 2012 R2 Enterprise". I guess this is wrong, because there are just Standard and Datacenter (and the two smaller brothers, Foundation and Essentials) with the same feature set; they just differ in the licensing.
Sven,
Sorry about the delay in answering, we've been a little busy, but I think I understand what it is you're asking. Please let me know if I'm not answering the question you're asking... I can... I have done that in the past, so let me know.
The Network Unlock policy enables the client itself to create and implement Network Key Protectors, as long as your client is TPM enabled, to automatically unlock the OS hard drive when you boot the system. Clients using the policy will get the pushed Network Unlock certificate, and that client will CREATE and use the Network Key Protectors. The pushed certificate is used to create the Network Key Protectors that will then unlock the system itself. I emphasize the client-side generation of things because you had mentioned pushing the recovery keys to the WDS server, and this isn't necessary, since everything really revolves around the client getting the cert and doing its own generation to perform the network unlock.
Everything works fairly well on TPM-based systems, but what about systems without it? Well, they cannot create these Key Protectors.
I would also assume that computers that do not have BitLocker enabled will not be affected by the policy itself. So I believe you would need some method, regardless of whether it is Group Policy or a manual configuration, to enable BitLocker first before applying the unlock policy.
I believe you're correct and the hosts just forgot. Most of us got our start with Server 2000, 2003 and 2008; it's in the 2008 environment we saw the Enterprise Editions, so it's easy to forget. I will see if I can get some show errata in place on the episode about this.
Cordially,
Ronnie Wong
Host, ITProTV
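The answer above describes the order of operations a client has to go through: it needs a TPM, BitLocker has to be enabled first, and only then does the Network Unlock GPO cause the client to generate its own Network Key Protector from the pushed certificate. The PowerShell below is an added example written for this page, not code from the show or from ITProTV; it walks one domain-joined client through that sequence and verifies the result. It assumes the OS volume is C:, that the Network Unlock GPO from the show is already linked to the computer's OU, and that Get-BitLockerVolume reports the Network Unlock protector with the KeyProtectorType name "TpmNetworkKey" (that name is an assumption to confirm on your own build). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original thread). Enables BitLocker with a TPM protector,
# refreshes Group Policy, and checks that the Network Unlock protector was created locally.
# Assumptions: OS volume is C:, the Network Unlock GPO is already linked, and the protector
# type is reported as 'TpmNetworkKey' (assumed name; verify against your own client).

$OsDrive = 'C:'

function Test-NetworkUnlockPrereqs {
    # Network Unlock needs a ready TPM; a client without one cannot create the protector.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning 'No ready TPM on this host. Network Unlock cannot be used here;'
        Write-Warning 'use a startup key or PIN based policy for this machine instead.'
        return $false
    }
    return $true
}

function Enable-OsDriveBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "BitLocker already on for $MountPoint; nothing to do."
        return
    }
    # Enable BitLocker first, exactly as the answer says: the unlock policy only acts
    # on volumes that are already protected. TPM protector seals the VMK to the platform.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -UsedSpaceOnly -SkipHardwareTest
    # Add a recovery password so the drive is still recoverable if Network Unlock is
    # unavailable (laptop off the wired LAN, WDS down) or the TPM measurements change.
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    # Escrow the recovery password in AD DS; this is the normal home for recovery data,
    # not the WDS server (which only answers Network Unlock requests).
    $rpId = ($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rpId
}

function Get-NetworkUnlockProtector {
    param([string]$MountPoint)
    # The client generates the Network Key Protector itself once the GPO-delivered
    # certificate is present; nothing is copied from a thumb drive to WDS.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    return $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmNetworkKey'
}

if (-not (Test-NetworkUnlockPrereqs)) { return }

Enable-OsDriveBitLocker -MountPoint $OsDrive

# Pull the Network Unlock policy and certificate now rather than waiting for the next refresh.
gpupdate /target:computer /force | Out-Null

$nk = Get-NetworkUnlockProtector -MountPoint $OsDrive
if ($nk) {
    Write-Host "Network Unlock protector present on ${OsDrive}: $($nk.KeyProtectorId)"
} else {
    Write-Warning "No Network Unlock protector yet on $OsDrive."
    Write-Warning 'Confirm the GPO applied (gpresult /r), that the certificate reached the'
    Write-Warning 'client, and reboot once; the protector may only appear after a restart.'
}
```

Treat the final check as the thing you actually care about. The GPO can apply cleanly and BitLocker can be on, yet the protector will still be missing on a machine whose TPM is not ready, which is precisely the non-TPM case the answer calls out; the prerequisite check at the top catches that before you spend time on the policy side.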