1 {{aagon.priorisierung}}
2 160
3 {{/aagon.priorisierung}}
4
5 {{aagon.floatingbox/}}
6
7 ACMP BitLocker Management helps you centrally manage your operating system and hard disk encryption for added protection against external threats. BitLocker is a Microsoft security feature that allows you to encrypt your hard drives. This helps protect your data by preventing unauthorised reading or theft of sensitive information.
8
9 [[Configuration Profiles>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome]] allow you to make settings directly on the client and apply them using a [[container>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome||anchor="HVerhaltenimContainer"]] or [[query action>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome||anchor="HKonfigurationsprofileanClientszuweisen"]].
10
11 {{aagon.versionierungsbox}}
12 BitLocker Management is available in ACMP version 6.4 and above.
13 {{/aagon.versionierungsbox}}
14
15 = System requirements for BitLocker =
16
17 * ACMP agent (not OSC or other)
18 * Operating system Windows 10 (Pro or higher) version 1511 or Windows Server 2016 version 10.0.10586
19 * TPM version 2.0 must be enabled
20 * UEFI mode must be available
21 * Execution of PowerShell scripts must be permitted
22 * The Client ID must be unique in ACMP.
23
24 {{aagon.infobox}}
25 If ACMP detects a duplicate Client ID, no BitLocker Configuration Profile can be assigned to the Client. For this reason, the Client ID must be unique.
26 {{/aagon.infobox}}
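
A local pre-flight check for the requirements listed above, given as an added example that is not part of Aagon's documentation or tooling. The function name is hypothetical, and the uniqueness of the Client ID can only be verified in ACMP itself, not on the Client.

```powershell
# Added example (not Aagon code). Run elevated in Windows PowerShell 5.1 on the Client.
function Test-BitLockerPrerequisite {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Windows 10 version 1511 and the listed Server 2016 version are both 10.0.10586.
    $osOk = [version]$os.Version -ge [version]'10.0.10586'

    # EditionID values beginning with "Core" are the Home editions, i.e. below Pro.
    $editionOk = $cv.EditionID -notlike 'Core*'

    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpmOk = [bool]$tpm -and $tpmVersion -eq '2.0' -and [bool]$tpm.IsEnabled_InitialValue

    # BiosFirmwareType is 'Uefi' on UEFI systems and 'Bios' on legacy boot.
    $firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    $uefiOk = "$firmware" -eq 'Uefi'

    # 'Restricted' blocks every script file; report the effective policy either way.
    $policy = Get-ExecutionPolicy
    $policyOk = "$policy" -ne 'Restricted'

    $rows = @(
        @('OS version >= 10.0.10586',   $os.Version,   $osOk),
        @('Edition is Pro or higher',   $cv.EditionID, $editionOk),
        @('TPM 2.0 present and enabled', $tpmVersion,  $tpmOk),
        @('Firmware boots in UEFI mode', "$firmware",  $uefiOk),
        @('Script execution permitted',  "$policy",    $policyOk)
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Check = $r[0]; Value = $r[1]; Passed = $r[2] }
    }
}

Test-BitLockerPrerequisite | Format-Table -AutoSize
```

Without elevation the TPM query returns nothing, so the TPM row fails even on a machine that has a TPM.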
27
28 = Allow the logged-in user to change the password =
29
30 {{aagon.infobox}}
31 In the following section, we define both the system start PIN and the password.
32 The system start PIN is queried when the computer is booted and is only valid for the operating system drive. This PIN can be restricted to either alphanumeric or numeric only.
33 The password can only be limited in minimum length and must always be alphanumeric. It is used for all other fixed data drives except the operating system drive.
34 {{/aagon.infobox}}
35
36 There are two ways to allow users to change a password at the Client.
37 Either you make the password change available to the user via the ACMP Kiosk, or you run a query action that displays a dialogue to the user at the Client, where a new password can be assigned.
38
39 == Changing the BitLocker password using ACMP Kiosk ==
40
41 If you want to allow your users to change their BitLocker password at any time, follow these steps:
42 First navigate to the [[ACMP Kiosk>>doc:ACMP.64.ACMP-Solutions.Client-Management.ACMP Kiosk.WebHome]] (//Client Management// > //ACMP Kiosk//). Then click on //Add// Items and select //System Jobs//. A menu will open where you can select the option //Change BitLocker password//. Confirm the selection and a wizard will start to guide you through the process. Enter all the required information and exit the wizard.
43
44 {{figure}}
45 (% style="text-align:center" %)
46 [[image:64_BitLocker Management_ACMP Kiosk_815.png]]
47
48 {{figureCaption}}
49 Change BitLocker password via ACMP Kiosk
50 {{/figureCaption}}
51 {{/figure}}
52
53 The user at the Client to whom the password change has been made available can now access the shortcut via the ACMP Kiosk. After opening the Kiosk, the user has to click on //Execute//, which opens a dialogue on the Client. This dialogue allows the user to change the password. Under Drives, the user can select the drive for which the password is to be changed.
54
55 {{aagon.infobox}}
56 The Drives field lists all drives that are BitLocker-encrypted and have a startup PIN or password.
57 {{/aagon.infobox}}
58
59 If the drive is currently locked, the user will also need to enter the old password.
60
61 {{aagon.infobox}}
62 If the password is no longer known, the password change must be executed via the query action.
63 {{/aagon.infobox}}
64
65 {{figure}}
66 (% style="text-align:center" %)
67 [[image:64_BitLocker Management_Passwort ändern_448.png]]
68
69 {{figureCaption}}
70 Change BitLocker password
71 {{/figureCaption}}
72 {{/figure}}
73
74 == Change BitLocker password via query action ==
75
76 If you do not want users to be able to change the password at any time without asking you again, you can make the changes by using a query action. This option can be started on demand.
77 To do this, open a query and select the client on which you want the user to change the password. Then click the //BitLocker Management// button and select //Change BitLocker drive passwords//. Confirm the action by clicking //Execute//.
78
79 {{figure}}
80 (% style="text-align:center" %)
81 [[image:64_BitLocker Management_Passwort ändern_Query Action_448.png]]
82
83 {{figureCaption}}
84 Dialogue window for changing the BitLocker password via the query action
85 {{/figureCaption}}
86 {{/figure}}
87
88 A dialogue box opens on the user's Client, allowing the user to change the password of a drive. The user can select the required drive, enter the new password and confirm. Click the //Change Password// button to save the changes. If the passwords of several drives are to be changed, the process must be repeated for each drive before the dialogue is finally closed with //Close//.
89
90 {{aagon.infobox}}
91 When changing the password using the query action, it is not necessary to enter the old password for a locked drive, as the recovery password is used.
92 {{/aagon.infobox}}
93
94 = Disable BitLocker =
95
96 If you want to disable BitLocker on one of your Clients, the only way to do this is through a Query Action. You will need to select all the Clients you want to disable BitLocker on. Then click the //BitLocker Management// button and select //Disable BitLocker//. You can choose to disable BitLocker on the operating system hard disk and/or fixed data drives. For the fixed data drive, you can choose to decrypt the entire drive or only selected partitions. If you choose the latter option, you will need to manually select the drives from the list.
97 Once you have started the job, the selected disks will be decrypted on the relevant Clients.
98
99 {{aagon.infobox}}
100 If a Configuration Profile is still assigned to the Client, the drives will be reencrypted according to the settings in the Configuration Profile. This ensures that the disks that the Configuration Profile settings specify will always be encrypted for those Clients.
101 {{/aagon.infobox}}
102
103 {{figure}}
104 (% style="text-align:center" %)
105 [[image:64_BitLocker Management_Deaktivieren.png]]
106
107 {{figureCaption}}
108 Disable BitLocker via a query action
109 {{/figureCaption}}
110 {{/figure}}
111
112 = Stop and continue BitLocker protection (system jobs) =
113
114 If you have a Client where the operating system drive is encrypted, you can optionally require a system start PIN when the system boots. This means that the Client's operating system will not continue until the user has successfully entered the PIN. For example, if you run a Client command or job on the Client that requires a reboot, the job may not continue until the user has entered the PIN. To work around this, you can temporarily disable the protection so that the PIN is no longer requested. This can be done, for example, by running a system job in a [[Job Collection>>doc:ACMP.64.ACMP-Solutions.Jobs.Job Collections.WebHome||anchor="HJobCollectionhinzufFCgen"]], thus temporarily suspending the system start PIN entry.
115
116 {{aagon.infobox}}
117 System jobs can be retrieved wherever you can run a job.
118 {{/aagon.infobox}}
119
120 (% class="wikigeneratedid" %)
121 Navigate to the [[Job Collection>>doc:ACMP.64.ACMP-Solutions.Jobs.Job Collections.WebHome]] (//Jobs// > //Job Collection//) and select the appropriate Collection that you want to use to pause BitLocker protection. The BitLocker-specific jobs can be found in the //System Jobs// drop-down box. If you have a Client Command or Job that may require a restart, you can create a Job Collection for it using the //Stop BitLocker protection// job. To do this, first add the system job //Stop BitLocker protection// to the collection, and then add the job or command in question.
122
123 {{figure}}
124 (% style="text-align:center" %)
125 [[image:64_BitLocker Management_Job Collections.png]]
126
127 {{figureCaption}}
128 Stop and enable BitLocker protection
129 {{/figureCaption}}
130 {{/figure}}
131
132 If the command or job does not require a restart, and the Client is therefore not restarted, BitLocker protection may remain stopped. However, you can play it safe and ensure that protection is always re-enabled by using the //Turn on BitLocker protection// system job. To do this, place the system job for resuming BitLocker protection after the job or Client Command. This enables the protection again.
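
To confirm on the Client that no drive was left with protection stopped after such a collection has run, the following added example (not part of ACMP or Aagon's documentation) classifies every BitLocker volume with the Windows `Get-BitLockerVolume` cmdlet. The function name and the state labels are hypothetical.

```powershell
# Added example (not Aagon code). Run elevated; needs the Windows BitLocker module.
function Get-BitLockerProtectionState {
    Get-BitLockerVolume | ForEach-Object {
        # A fully encrypted volume with ProtectionStatus 'Off' has its key
        # protectors disabled: the data is encrypted, but the key is exposed
        # and no PIN or TPM check takes place at boot.
        $state = if ($_.VolumeStatus -eq 'FullyDecrypted') { 'NotEncrypted' }
        elseif ($_.ProtectionStatus -eq 'On') { 'Protected' }
        elseif ($_.VolumeStatus -eq 'FullyEncrypted') { 'Suspended' }
        else { 'InTransition' }   # encryption or decryption still in progress

        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeType    = $_.VolumeType
            State         = $state
            EncryptedPct  = $_.EncryptionPercentage
            KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

$volumes = Get-BitLockerProtectionState
$volumes | Format-Table -AutoSize

# Flag every volume that is encrypted but currently unprotected.
$suspended = @($volumes | Where-Object State -eq 'Suspended')
if ($suspended.Count -gt 0) {
    Write-Warning "Protection is still off on: $($suspended.MountPoint -join ', ')"
}
```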
133
134 = Managing BitLocker in Client Details =
135
136 You can view the details of the BitLocker settings from the Client Details (//Software// > //Security// > //BitLocker// //Management//). All drives of the selected Client are listed.
137
138 {{figure}}
139 (% style="text-align:center" %)
140 [[image:64_BitLocker Management_Client Detqails_840.png]]
141
142 {{figureCaption}}
143 BitLocker Management in the Client Details
144 {{/figureCaption}}
145 {{/figure}}
146
147 The //General// tab allows you to view the general status, the protection status of the drives on the Client and which key protectors are being used. Further details are stored and displayed for each drive. For example, you can see at a glance the encryption method, hard drive size and encryption status.
148
149 {{aagon.infobox}}
150 If you want to view the properties for BitLocker management, you can explicitly select fields that you can use for queries, filters, reports etc.
151 {{/aagon.infobox}}
152
153 With the appropriate permissions, you can also view the recovery password in the Detail View. To do this, click the //Show recovery password// button and copy the password if necessary. If you have selected an automatically generated password for the key protectors of the hard disks, you can view it by clicking //Show automatically generated password//.
154
155 {{aagon.warnungsbox}}
156 The user-defined passwords and system start PINs are not stored in ACMP!
157 {{/aagon.warnungsbox}}
158
159 (% class="wikigeneratedid" %)
160 The Configuration Profiles tab shows which profile has been assigned to the Client. It can be identified by the name and the type of assignment (manual assignment or via a container). You cannot make any direct changes here; to do so, you have to go back to the [[Configuration Profiles>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome]].
161
162
163 = Next recommended steps: =
164
165 * [[Create Configuration Profiles>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome]]
166 * [[Assign Configuration Profiles to Clients>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.WebHome||anchor="HKonfigurationsprofileanClientszuweisen"]]
167 * [[Configure the Configuration Profile settings (operating system drives, fixed data drives and removable media)>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Konfigurationsprofile.Konfigurationsprofil-Einstellungen.WebHome]]
168 * [[Make CI adjustments for the BitLocker windows>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.BitLocker Management CI Anpassungen.WebHome]]
169 * [[Use Case: Migration of existing BitLocker encryptions>>doc:ACMP.64.ACMP-Solutions.Security.BitLocker Management.Use Case für BitLocker Management.Migration von bestehenden BitLocker Verschlüsselungen.WebHome]]


© Aagon GmbH 2024