
I have a Windows Server 2012 R2 LAN that is working great. I recently have been given the task to encrypt the data at rest. I would like to use BitLocker, but all the documentation is for hyperglobalmegaplex-level business.

My server doesn't have TPM, so I think a safety key (USB stick) would work, but for the clients... would I use a safety key there? Is it possible to force all external media to be encrypted via AD keys?

mfinni

2 Answers


Do your clients have TPM? You haven't said.

That's also not required, you can use a startup password.

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview

What documentation are you looking at, that you think it doesn't apply to your environment?

mfinni
  • I currently have no TPM-enabled equipment. I am not interested in a startup password, just the ability to tick a box on my compliance requirements for data at rest. The documentation that you linked to refers to several enterprise products that a small 5-person firm would never use (Intune, System Center). This would be a single-server AD with less than a dozen workstations that are a hodgepodge of hardware. – dotdawtdaught Jan 25 '20 at 05:47
  • `Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM. Both options do not provide the pre-startup system integrity verification offered by BitLocker with a TPM.` This answers your question. You can use Bitlocker on your endpoints, even without TPM. If you don't want to use a startup password or a USB key, and don't have TPM on the endpoints, you can't use Bitlocker. Pretty clearly explained. – mfinni Jan 27 '20 at 03:17
  • The document I linked to doesn't even contain "InTune" or "System Center" in the text. – mfinni Jan 27 '20 at 03:19
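For anyone landing here with the same small-shop setup, here is an added worked example of what the answer describes (this is my own example, not code from mfinni or the asker, and not from the linked Microsoft page). It uses the built-in BitLocker PowerShell cmdlets that ship with Windows 8 / Server 2012 and later. Assumptions: you run it as a local administrator on each machine, the "Store BitLocker recovery information in Active Directory Domain Services" GPO is already applied so the recovery password escrow to AD succeeds, and the drive letters `C:` and `E:` are placeholders for your OS volume and the USB stick.

```powershell
# Added example: enable BitLocker on the OS drive of a machine with no TPM,
# using either a USB startup key (what the question proposes for the server)
# or a startup password (what the answer suggests for endpoints).
# Not from the original post; drive letters are placeholders.

# Step 0 (Server 2012 R2 only): the BitLocker feature is not installed by default.
# On client Windows this line is not needed.
# Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart

# Step 1: allow BitLocker without a compatible TPM. In a domain you would set this through
# GPO: Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives >
# "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked.
# The same policy, written to the local policy registry hive for a stand-alone test:
function Enable-BitLockerWithoutTpmPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
}

# Step 2: turn on BitLocker for the OS volume with one of the two non-TPM protectors.
# A volume gets exactly one startup protector here; pick the mode per machine.
function Enable-OsDriveBitLocker {
    param(
        [ValidateSet('StartupKey', 'Password')] [string] $Mode,
        [string] $OsDrive = 'C:',
        [string] $UsbDrive = 'E:'   # placeholder: the USB stick that will hold the .BEK startup key
    )

    # AES-256 is available on 2012 R2 / 8.1; XTS modes only exist on newer builds.
    $common = @{ MountPoint = $OsDrive; EncryptionMethod = 'Aes256'; SkipHardwareTest = $true }

    if ($Mode -eq 'StartupKey') {
        # Writes a .BEK file to the USB stick; the stick must be present at every boot.
        Enable-BitLocker @common -StartupKeyProtector -StartupKeyPath $UsbDrive
    }
    else {
        # Prompts for the pre-boot password instead of needing a USB stick.
        $pw = Read-Host -AsSecureString 'Enter BitLocker startup password'
        Enable-BitLocker @common -PasswordProtector -Password $pw
    }

    # Step 3: add a recovery password and escrow it in AD, so a lost USB stick or a
    # forgotten password does not turn "data at rest is encrypted" into "data is gone".
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
}

# Step 4: what an auditor will ask you to show. Once encryption finishes,
# VolumeStatus should be FullyEncrypted and ProtectionStatus should be On.
function Get-BitLockerComplianceSummary {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
                      EncryptionPercentage,
                      @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

# Usage on the server (USB startup key):
#   Enable-BitLockerWithoutTpmPolicy
#   Enable-OsDriveBitLocker -Mode StartupKey -UsbDrive 'E:'
# Usage on a workstation (startup password):
#   Enable-BitLockerWithoutTpmPolicy
#   Enable-OsDriveBitLocker -Mode Password
# Then on any machine:
#   Get-BitLockerComplianceSummary
```

A couple of practical notes. The registry writes in step 1 only matter for a machine you are testing outside the domain; once the GPO above applies, it writes the same values and you should not hand-edit them. Verify the escrow worked by checking the computer object's `msFVE-RecoveryInformation` child in Active Directory Users and Computers (the BitLocker Recovery tab appears once the RSAT BitLocker feature is installed) before you rely on it. For the removable-media part of the question, the matching policy lives under the same GPO node, in Removable Data Drives, as "Deny write access to removable drives not protected by BitLocker"; it makes users encrypt a USB stick (BitLocker To Go) before Windows will let them write to it, which is the usual way to satisfy a data-at-rest requirement for external media without any TPM involvement.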