We're starting to deploy SafeBoot Device Encryption on just our laptop users. We have 8 loan laptops and 12 AV laptops. There seems to be a lot of new admin work for laptops if we have to add/remove users for every loan. Unfortunately, there's no chance we can use generic login accounts either.
I'd just like to know how you have configured your loan laptops with SafeBoot?
Indeed it will. You don't have many options then. Either use a shared account, or provision the laptop for the user as/when they need it with a unique user/password.
You're going to either have to fix the user list and password for each loan, or at least the password. You can do that all via a script of course if that's easier, but some (existing) user will need to boot the machine.
Do you have a checkout/check-in process, or is it just ad hoc (user just picks it off the shelf)?
Do you do anything to clean the machine between loans?
If you have a dedicated laptop check-out admin, they could have a permanent account on the laptops. The laptop admin would then add/remove and synch. Also, if a person ever logs into SafeBoot, then uses it again in 6 months, it will still remember their password from 6 months ago. Otherwise the laptop admin would need to reset the password of the user, possibly leading to issues if the laptop check-out admin is not specifically designated as a password reset authority.
One thing you could try is to have a shared account for those laptops that is only for SafeBoot. You could have a scheduled server job that resets that password the first of every month at 1:00am and e-mails it to a list of people. If you uncheck the right machine settings (require SB login, attempt Windows login, etc.), this would make the password only for SafeBoot access and not linked to Windows/Domain access. Perhaps you could get your management to approve that method. If you elect to do this, I would suggest a word list for the reset script to pick from; that way users would be less likely to write it down (Horse26 vs qw$09&8syx).
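A PowerShell sketch of the reset script's password-generation half, added here as an example (it is not from this thread or from SafeBoot). It picks words from a list in the "Horse26" style using the .NET cryptographic RNG instead of Get-Random, and reports how much guessing resistance the scheme gives. The word list is a constructed sample; the SafeBoot reset command and the e-mail step are product- and site-specific and are deliberately left out.

```powershell
# Added example (not from the thread): generate a SafeBoot-only shared password
# in the memorable "Horse26" style. Uses the .NET cryptographic RNG rather than
# Get-Random (which is not a CSPRNG in Windows PowerShell 5.1). The word list
# below is a constructed sample; a real job would load a few thousand words
# from a file. The SafeBoot reset call and e-mail distribution are left out.

function Get-SecureRandomInt {
    # Unbiased integer in 0..($Max-1) from a cryptographic RNG (rejection sampling).
    param([Parameter(Mandatory)][int]$Max)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    $limit = 4294967296 - (4294967296 % $Max)   # largest multiple of $Max at or below 2^32
    do {
        $rng.GetBytes($buf)
        $n = [BitConverter]::ToUInt32($buf, 0)
    } while ($n -ge $limit)
    return [int]($n % $Max)
}

function New-WordListPassword {
    # $WordCount capitalised words from $Words followed by $Digits decimal digits, e.g. Horse26.
    param(
        [Parameter(Mandatory)][string[]]$Words,
        [int]$WordCount = 1,
        [int]$Digits = 2
    )
    $parts = for ($i = 0; $i -lt $WordCount; $i++) {
        $w = $Words[(Get-SecureRandomInt -Max $Words.Count)]
        $w.Substring(0, 1).ToUpper() + $w.Substring(1).ToLower()
    }
    $num = -join (1..$Digits | ForEach-Object { Get-SecureRandomInt -Max 10 })
    return (-join $parts) + $num
}

function Get-PasswordEntropyBits {
    # log2(listSize^WordCount * 10^Digits): the guessing resistance of the scheme.
    param([int]$WordListSize, [int]$WordCount = 1, [int]$Digits = 2)
    $bits = $WordCount * [Math]::Log($WordListSize, 2) + $Digits * [Math]::Log(10, 2)
    return [Math]::Round($bits, 1)
}

# Constructed sample list; a real list should be far larger.
$sampleWords = 'horse','anchor','river','maple','copper','lantern','meadow','falcon','harbor','velvet'

$pw = New-WordListPassword -Words $sampleWords -WordCount 2 -Digits 2
$bitsSample = Get-PasswordEntropyBits -WordListSize $sampleWords.Count -WordCount 2
$bits2000   = Get-PasswordEntropyBits -WordListSize 2000 -WordCount 2
"Monthly SafeBoot password: $pw"
"Entropy with this list: $bitsSample bits; with a 2000-word list: $bits2000 bits"
```

One word plus two digits from a 2000-word list is only about 17.6 bits, so two words (about 28.6 bits) is the least I would use; the monthly rotation and the fact that the password unlocks nothing but pre-boot are what make the memorable style tolerable at all.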
Do your AV machines and Loaner Laptops need encryption? This is an evaluation we did before deciding who to encrypt, and AV systems were excluded since they were a) locked down (physically) and b) wiped very regularly. Loaner laptops are a different battle.
You could absolutely disable the pre-boot authentication and rely solely on Windows authentication; what you want to do is set up the AutoBoot account (see your documentation), and then I'd probably suggest creating a group for these systems and managing it at the group level. Keep in mind that you almost may as well be disabling encryption by enabling AutoBoot - you're allowing easier decryption of the device. If there could be information on the device worth protecting, definitely think this one out!
I'll assume that you have someone responsible for assigning out the laptops when users need them, correct? What about a setup like this:
1. User requests laptop.
2. IT logs into laptop (with SafeBoot enabled & no autoboot) with user present.
3. IT runs provisioning script on laptop (see below).
4. IT reboots and verifies user can log in to laptop through SafeBoot.
The provisioning script would be pretty simple, just:
1. Prompt for admin user name and admin SB password.
2. Prompt for client's user name and client's Windows password.
3. Issue a SETUSER to connect the user to the device.
4. Issue a ResetPassword that changes the user's SB password to the password obtained in step #2.
You'll of course need to be there so that the script can prompt you for your password as a SB admin with rights to do those two things, and then the user will be there to enter their current Windows password. Depending on where the script lives and how secure it is, I suppose the username/password could be embedded within it if the person loaning laptops shouldn't be resetting passwords on their own outside of the script, but those are security things you'll need to think about.
The end result is that the user is attached to the laptop and that their passwords are in synch with limited trouble. You may want to take the script even further to create the account if it doesn't exist, or to remove all users from the laptop that aren't using it any longer.
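The four-step provisioning script above, written out in PowerShell as an added example (not the poster's script and not SafeBoot's own tooling). It assumes the SafeBoot command-line admin tool is SbAdmCl.exe at the path in $SbAdmCl, and the switch spellings in $setUserArgs and $resetPwdArgs are assumptions to be checked against your SafeBoot scripting guide. It also writes an audit line (no secrets) for each provisioning so the laptop check-out admin's actions can be reviewed later.

```powershell
# Added example (not from the thread): PowerShell wrapper for the four-step
# provisioning script. Assumptions: the SafeBoot admin command-line tool is
# SbAdmCl.exe at $SbAdmCl, and the switch spellings in $setUserArgs /
# $resetPwdArgs match your SafeBoot scripting guide. Verify both before use.
param(
    [Parameter(Mandatory)][string]$MachineName,                   # SafeBoot machine object for this loaner
    [string]$SbAdmCl = 'C:\Program Files\SafeBoot\SbAdmCl.exe',   # assumed install path
    [string]$LogPath = 'C:\ProgramData\LoanerProvision.log'       # audit trail; never contains passwords
)

function ConvertFrom-SecureToPlain {
    # Expose a SecureString as plain text only for the duration of the CLI call.
    param([System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Invoke-SbAdmin {
    # Run the admin tool and fail loudly on a non-zero exit code, so a failed
    # SETUSER never silently proceeds to the password reset.
    param([string[]]$Arguments, [string]$Description)
    & $SbAdmCl @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Description failed with exit code $LASTEXITCODE"
    }
    $line = "{0:u} {1} by {2} on {3}" -f (Get-Date), $Description, $adminUser, $MachineName
    Add-Content -Path $LogPath -Value $line
}

# Step 1: the SB admin doing the hand-out authenticates.
$adminUser = Read-Host 'SafeBoot admin user name'
$adminPwd  = Read-Host 'SafeBoot admin password' -AsSecureString

# Step 2: the borrower types their own current Windows password.
$clientUser = Read-Host 'Borrower user name'
$clientPwd  = Read-Host 'Borrower Windows password' -AsSecureString

$adminPlain  = ConvertFrom-SecureToPlain $adminPwd
$clientPlain = ConvertFrom-SecureToPlain $clientPwd
try {
    # Step 3: SETUSER attaches the borrower to this machine (switch names assumed).
    $setUserArgs = @("-AdminUser:$adminUser", "-AdminPwd:$adminPlain",
                     "-Command:SetUser", "-User:$clientUser", "-Machine:$MachineName")
    Invoke-SbAdmin -Arguments $setUserArgs -Description "SetUser $clientUser"

    # Step 4: ResetPassword sets the SB password to the Windows password from
    # step 2 so the two stay in sync for the user (switch names assumed).
    $resetPwdArgs = @("-AdminUser:$adminUser", "-AdminPwd:$adminPlain",
                      "-Command:ResetPassword", "-User:$clientUser", "-Password:$clientPlain")
    Invoke-SbAdmin -Arguments $resetPwdArgs -Description "ResetPassword $clientUser"

    Write-Host "Provisioned $clientUser on $MachineName. Reboot and have the user log in through SafeBoot to verify."
}
finally {
    # Drop the plain-text copies as soon as the tool calls are done.
    $adminPlain = $null; $clientPlain = $null
}
```

Both passwords are passed to the tool on its command line, which any process-listing user on the machine can see for the moment the tool runs; that is the trade-off the post alludes to when it says it depends on where the script lives and how secure it is, and it is one reason to keep the admin credential prompted rather than embedded.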
Remember, if you use any kind of "autoboot" mode, regardless of product, be it BitLocker, McAfee EEPC, etc., you are storing the encryption key along with the data in an unprotected way (otherwise how would it boot on its own?).
This would probably mean you won't be compliant with many of the PII disclosure laws, so check with your legal team to make sure you are not opening your employer, or yourself, up to legal shenanigans.