- Integration with System Center Configuration Manager (C: and D: logical drives are encrypted before installing Windows via SCCM).
- Use of the computer's TPM to not have to request a PIN from the user.
- In Windows 10 (1511) the TPM supports the XTS-AES encryption algorithm.
Improvements to My Organization
Before BitLocker we used the DELL disk protection through the BIOS. This protection is not very efficient and the user needs a PIN to unlock the computer. With BitLocker I guarantee the protection of the disk and the configuration is transparent to the user.
Room for Improvement
The implementation of BitLocker is not simple. There are many prerequisites and hours of study and testing. We have had some communication problems between Windows 10 and the TPM and, in some cases, the computer does not work and we need to generate a new key in MBAM.
Use of Solution
We tested the solution for four months on all computer models we have before placing it in the production environment.
Yes. We had communication problems between the OS and TPM 1.2 of the computer. It is best to use computers with TPM 2.0.
No. We have 1200 computers and the environment, with one MBAM server and one SQL, is supporting the environment. I do not know how scalability is using Active Directory to store the encryption keys.
Customer Service and Technical Support
There is a lot of documentation in English and Brazilian Portuguese. To date, we have not needed Microsoft technical support.
No. Symantec, Dell and McAfee solutions for disk encryption are expensive and some of them use BitLocker behind the solution, but are very expensive.
The initial setup is simple. You have the task of turning on the TPM of all computers before attempting to use BitLocker. When using MBAM + SCCM + SQL it is important to have a root CA in your environment to issue the digital certificate to the MBAM server.
Pricing, Setup Cost and Licensing
BitLocker is already in Windows 10 and its price has already been "paid". To use another disk encryption solution you have to analyze carefully the needs of each company and how much data is critical to the business.
Other Solutions Considered
I evaluated solutions from DELL, Symantec and McAfee. Among all, Symantec has a good solution, but very expensive.
We are using BitLocker for Windows 10 (which depends on TPM 1.2 or greater) managed by MBAM 2.5 with a SQL Server database to store the encryption keys. BitLocker is configured to use Active Directory or SQL to store the encryption keys. When using AD, the keys are stored in an unprotected directory. When using SQL, the keys are stored in an encrypted database.
I recommend that you study many hours before you start testing. Take the MBAM test at Microsoft's website.
Study TPM 1.2 and 2.0.
Use SQL to store the encryption keys and not Active Directory, so you keep AD free of the extra processing load and add a layer of protection with the encryption of the database.
It is important to test on ALL models of computers; there is always a model that will not work.
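The pre-flight checks this advice implies (TPM turned on and ready, TPM 1.2 vs 2.0, a Windows build new enough for XTS-AES, and a recovery password protector that MBAM or AD can escrow) can be collected per machine before enrolment. The script below is an added example, not the reviewer's or Microsoft's code; it assumes an elevated PowerShell session on Windows 10 with the built-in BitLocker and TrustedPlatformModule modules, and the function name Get-BitLockerReadiness is my own.

```powershell
# Added example: per-machine BitLocker/MBAM readiness report (run elevated on Windows 10).
function Get-BitLockerReadiness {
    # TPM presence and readiness from the built-in TrustedPlatformModule module
    $tpm = Get-Tpm
    # Spec version ("1.2, ..." or "2.0, ...") comes from the Win32_Tpm WMI class
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $specVersion = if ($wmiTpm) { ($wmiTpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # Build 10586 is Windows 10 1511, the release the review names for XTS-AES
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $_.EncryptionMethod
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ',')   # e.g. Tpm,RecoveryPassword
            HasRecoveryKey   = [bool]($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Model         = (Get-CimInstance -ClassName Win32_ComputerSystem).Model   # test every model
        TpmPresent    = $tpm.TpmPresent
        TpmReady      = $tpm.TpmReady
        TpmSpec       = $specVersion
        TpmIs20       = $specVersion -like '2.0*'
        XtsAesCapable = [int]$os.BuildNumber -ge 10586
        Volumes       = $volumes
    }
}

$report = Get-BitLockerReadiness
$report | Format-List ComputerName, Model, TpmPresent, TpmReady, TpmSpec, TpmIs20, XtsAesCapable
$report.Volumes | Format-Table -AutoSize

# Flag the conditions the review calls out
if (-not $report.TpmPresent -or -not $report.TpmReady) {
    Write-Warning 'TPM not present or not ready: enable it in firmware before enabling BitLocker.'
}
if (-not $report.TpmIs20) {
    Write-Warning 'TPM 1.2 detected: the OS/TPM communication problems described are more likely; prefer TPM 2.0.'
}
foreach ($v in $report.Volumes) {
    if ($v.VolumeStatus -eq 'FullyEncrypted' -and -not $v.HasRecoveryKey) {
        Write-Warning "$($v.MountPoint): no RecoveryPassword protector, so there is no key to escrow to MBAM or AD."
    }
}
```

Running it across the pilot fleet gives a per-model inventory of which machines still need the TPM turned on or a recovery protector added before the MBAM client can escrow keys.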
Disclosure: My company has a business relationship with this vendor other than being a customer: Microsoft Partner.
Sep 28 2017