I don't agree with the group policy method for troubleshooting. I believe that a TPM (Trusted Platform Module) Log should be report back or log to a centralised database (Microsoft BitLocker Administration tool?). We really need to have the ability to report on what is causes BitLocker recovery key requests. Having to turn off individual PCR's (Platform Configuration Registers) in GPO is is a very slow and painful process to determine what is causing the lockout especially if we are trying to determine a RCA (Root Cause Analysis) after a lockout event.
The below blog post from blogs.technet.com explains a bit about Bitlocker. The author uses many abbreviations without explaining the abbreviation. This makes the document hard to read especially since the document is meant to be a "starter" type introduction to BitLocker.
Starter for someone who is not familiar with bitlocker part III - Digging in - Site Home - TechNet Blogs: "Now there is a way how we can configure TPM platform validation profile or in simple words asking TPM to measure what and what not before releasing secret (not recommended though) we have a group policy"
'via Blog this'
If you find this article useful please leave me a comment or click on an ad to show your support.
No comments :
Post a Comment