What is most valuable?
- Integration with System Center Configuration Manager (C: and D: logical drives are encrypted before installing Windows via SCCM).
- Use of the computer's TPM, so the user does not have to be prompted for a PIN.
- In Windows 10 (1511) the TPM supports the XTS-AES encryption algorithm.
How has it helped my organization?
Before BitLocker we used the DELL disk protection through the BIOS. This protection is not very efficient and the user needs a PIN to unlock the computer. With BitLocker I guarantee the protection of the disk and the configuration is transparent to the user.
What needs improvement?
The implementation of BitLocker is not simple. There are many prerequisites and hours of study and testing. We have had some communication problems between Windows 10 and the TPM and, in some cases, the computer does not work and we need to generate a new key in MBAM.
For how long have I used the solution?
We tested the solution for four months on all computer models we have before placing it in the production environment.
What do I think about the stability of the solution?
Yes. We had communication problems between the OS and TPM 1.2 of the computer. It is best to use computers with TPM 2.0.
What do I think about the scalability of the solution?
No. We have 1200 computers and the environment, with one MBAM server and one SQL, is supporting the environment. I do not know how well it scales when using Active Directory to store the encryption keys.
How is customer service and technical support?
There is a lot of documentation in English and Brazilian Portuguese. To date, we have not needed Microsoft technical support.
Which solutions did we use previously?
No. Symantec, Dell and McAfee solutions for disk encryption are expensive and some of them use BitLocker behind the solution, but are very expensive.
How was the initial setup?
The initial setup is simple. You have the task of turning on the TPM of all computers before attempting to use BitLocker. When using MBAM + SCCM + SQL it is important to have a root CA in your environment to issue the digital certificate to MBAM.
What's my experience with pricing, setup cost, and licensing?
BitLocker is already in Windows 10 and its price has already been "paid". To use another disk encryption solution, you have to carefully analyze the needs of each company and how much data is critical to the business.
Which other solutions did I evaluate?
I evaluated solutions from DELL, Symantec and McAfee. Among all, Symantec has a good solution, but it is very expensive.
What other advice do I have?
We are using BitLocker for Windows 10 (which depends on TPM 1.2 or greater), managed by MBAM 2.5 with a SQL Server database to store the encryption keys. BitLocker is configured to use Active Directory or SQL to store the encryption keys. When using AD, the keys are stored in an unprotected directory. When using SQL, the keys are stored in an encrypted database.
I recommend that you study many hours before you start testing. Take the MBAM test at Microsoft's website.
Study TPM 1.2 and 2.0.
Use SQL to store the encryption keys and not Active Directory, so you leave AD free of high processing and add a layer of protection with the encryption of the database.
It is important to test on ALL models of computers; there is always a model that will not work.
Disclosure: My company has a business relationship with this vendor other than being a customer: Microsoft Partner.
Sep 28 2017