I am looking for ideas on how to manage the users and user assignments for MDE. Currently we are using $autoboot$ with a HD password. We want to move to pre-boot authentication with either BitLocker or MDE and get rid of the HD password. The only thing I like about BitLocker is that you don't have to manage user keys - you can just use a PIN (no user ID), which would be acceptable for us (a password would be better). For MDE we need user-to-machine assignments. Ideally, if we could just have a managed password for each machine, that would be great (already passed that idea/suggestion to McAfee). An idea I was thinking of... During MDE installation, automate an MDE user to be created unique to the machine (maybe serial #?), assign the user to the machine... the user uses the serial number for PBA. Of course this isn't perfect because of other use cases... like shared laptops, but it would work with the vast majority of our laptop use cases.
Just curious if anyone else is doing anything creative with the MDE user and machine assignments that you could share.
All the security best practices advise against device-based/common passwords, and steer people towards personal authentication. Device passwords are invariably shared, sharing means you can't attribute actions to a person, and no attribution means you can't identify people-related problems.
I agree it's a "cheap" solution, but it's very much suboptimal.