Implementing encryption on clients laptops
Posted by bigredsun@reddit | sysadmin | 22 comments
I have a client that runs a small firm (him + 4 remote employees) using Google Workspace as their main resource-sharing platform (Excel and Word files). He has a local folder that syncs with Workspace and the other 4 employees work from those folders in file stream mode, so no local copies on their laptops.
A few days ago he was mugged and beaten. His iPhone got stolen and, even though he had Face ID active for everything, a few moments after the phone was stolen they managed to make 3 money transfers from his bank app.
Over the years he has been very reluctant to use Windows with a password lock screen because it was a hassle to type a password every time he leaves his laptop for 20 min / 1 hr. I always said it's better safe than sorry but he never minded much. Now, given current events, he is in full paranoid mode with PTSD, which I get, and wants me to lock everything under 20 locks and vaults.
I was thinking of implementing BitLocker and calling it a day, but the more I read about it the more I feel it's just an update away from blowing up or having some weird issue.
I thought about cryptomator, for him it would work, I don't know if it will work with his employees since they have to access through filestream the same files he has on his Google Drive.
Then it got me: ok, work files are safe, but what about his Chrome/Edge/browser credentials and other assorted files that can be around on a non-encrypted OS?
Work files were already backed up, encrypted on a local mini pc server he has, a local server I have and a copy on B2 so that's not a problem.
I said to him my job is to get you up and working again in as little time as possible; whatever happens, it's better to cry about having to pay for another laptop or phone than about losing months/years of work.
Can you help me with this? Is there any alternative I'm missing?
RichPractice420@reddit
We push BitLocker via security baselines in Intune and it works like absolute ass. Machines constantly suspending BitLocker and requiring manual re-enabling while not being compliant.
I can't even figure out a way to fix it via remediation script. It's just awful and we can't figure it out.
MNmetalhead@reddit
You’re doing something very, very wrong.
That, and/or there is something wrong with the TPM storing the key.
RichPractice420@reddit
I'm open to advice. We push it via the Defender security baseline with standard settings. There's no other configuration policy or conflicting baseline. It shows it applies successfully.
Then seemingly randomly we'll see the device non-compliant one day and bitlocker has been suspended. This is across many different models of laptops with no rhyme or reason that we've been able to establish. Our best guess is something with windows update at the moment.
MNmetalhead@reddit
If I remember correctly, there is a scheduled task that re-enables BitLocker when the device starts up.
Windows Updates, and some driver/firmware updates, can momentarily suspend BitLocker to prevent it from tripping when they install. The Scheduled Task turns it back on.
Also, if you’re using a vendor tool, like Dell Command Update, it can also suspend BitLocker for various reasons.
BitLocker doesn’t just suspend on its own, something tells it to.
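A check that follows from this, as an added example and not code from the thread: on a Windows 11 laptop it lists volumes whose protection is suspended, resumes them, shows the tasks in the BitLocker scheduled-task folder, and pulls recent suspend/resume events so you can see what triggered the suspension. The event-log name and the "suspend/resum" message match are assumptions about the log wording.

```powershell
# Added example (not from the thread): audit BitLocker state on a Windows 11
# laptop and resume protection where it was left suspended.
# Assumes the built-in BitLocker PowerShell module and an elevated session.
#Requires -RunAsAdministrator

function Get-SuspendedBitLockerVolume {
    # A "suspended" volume is one that is (fully or partly) encrypted but whose
    # key protectors are disabled: VolumeStatus != FullyDecrypted, ProtectionStatus = Off.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -ne 'FullyDecrypted' -and $_.ProtectionStatus -eq 'Off'
    }
}

function Get-BitLockerSuspensionEvidence {
    param([int]$Days = 7)
    # BitLocker management events land in this operational log (assumed log name);
    # we filter on the message text for suspend/resume operations (assumed wording).
    $log = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'suspend|resum' } |
        Select-Object TimeCreated, Id, Message
}

# Resume protection on anything that was left suspended (e.g. by an update or vendor tool).
foreach ($vol in (Get-SuspendedBitLockerVolume)) {
    Write-Warning "BitLocker protection suspended on $($vol.MountPoint); resuming."
    Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
}

# The built-in tasks under this folder include the one that re-enables protection after updates.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\BitLocker\' | Select-Object TaskName, State

# Evidence of who/what suspended it in the last week.
Get-BitLockerSuspensionEvidence | Format-Table -AutoSize
```

Run it remotely through whatever remote-management channel you already have; a volume that keeps coming back suspended with a matching event from a vendor updater points at the updater, not at BitLocker.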
cheesycheesehead@reddit
have thousands of devices and zero issues, would recommend looking up best practices.
bigredsun@reddit (OP)
That's a big problem. Do you have physical access to those devices in case you need to service them? I don't; some of the employees live on the other side of the city.
RichPractice420@reddit
BitLocker doesn't lock them out; the protection just gets suspended and the device is no longer compliant or protected.
Reo_Strong@reddit
It's very, very likely that having the laptop BitLocker encrypted would have changed anything in the presented scenario.
What are you being asked to do? (and thus, are asking for help with)
bigredsun@reddit (OP)
He wants me to lock everything up and prevent any kind of compromise if he or his employees get mugged or someone breaks in and steals their laptops.
Reo_Strong@reddit
Okay, then in reality it's the bog-standard stuff like ensuring that passwords and MFA are in use. Then you can ratchet it up with things like auto-locking, location-based policies and some registry keys to help make sure that the policies are protected and always in place.
In reality, you aren't protecting against state-sponsored folks, so basic security functions are the right ones to look at.
BitLocker is only really helpful if they acquiesce to the PIN-to-boot configuration and then you set up an auto-off, or they commit to shutting down when traveling with the machine.
bigredsun@reddit (OP)
Yeah, 2FA is implemented for the Workspace suite (Gmail/Drive), Bitwarden for passwords (paid tier), and encrypted backups were already in place, 1 local, 2 offsite. Not a state-sponsored attack, of course, but the more I can keep prying eyes away from the files, the better.
I don't get why the downvotes, but anyway.
canadian_sysadmin@reddit
I've never heard of an update crashing BitLocker. Follow best practices with saving the recovery keys and you should be fine. Plus, any important data should be backed up somewhere anyway, so even if the drive somehow crashes, it should only represent a minor inconvenience.
Use Windows Hello, it's plenty secure.
Add in physical Yubikeys for an extra physical security layer.
Install Prey if you want some extra bells and whistles for stolen laptops.
But don't overthink this and keep it as simple as possible.
bigredsun@reddit (OP)
Passwords are managed with Bitwarden and I have an instance of vaultwarden just in case, already backed up that too.
These are the kind of things that give me some concerns about BitLocker, but I agree about following best practices.
https://www.windowslatest.com/2025/05/17/microsoft-confirms-kb5058379-bitlocker-bug-crashes-windows-10-wants-recovery-key/
https://www.windowscentral.com/microsoft/windows/windows-bitlocker-bug-recovery-workaround
canadian_sysadmin@reddit
Keep the recovery key safe with the underlying data backed up somewhere and you'll be fine.
Full drive encryption is pretty much the standard on every OS anyway.
thanitos1@reddit
Some hardware vendors (HP/Dell) offer BIOS-level tracking, wiping and so on. May be worth a look.
bigredsun@reddit (OP)
They are all ThinkPad T14 Gen 3; I will look into that.
ghostnodesec@reddit
If you're a Windows shop with a domain or M365 type setup (Intune, for example): BitLocker. Just make sure you have a method for the recovery keys, which you don't need often, but if you do something like swap out a hard drive you will. One key thing here, depending on how you set it up: remind people to actually shut their machines down when travelling. If you're logged in, the key is in memory, by design.
bigredsun@reddit (OP)
No M365, just Windows 11 and Office 2019 + Google Workspace business subscription.
Yes, having them shut down their laptops is one of the things I've asked them to do. I gave them a few 20 min Zoom briefings about their equipment, do's/don'ts, passwords, the whole speech.
protogenxl@reddit
Print out the BitLocker recovery keys and they get filed away by accounting. Digital copies on a thumb drive, also secured.
As for the hassle of entering passwords: get laptops that have fingerprint readers. Any of the business-class models should have it as an add-on for a nominal fee.
bigredsun@reddit (OP)
He has a T14 Gen 3 with fingerprint, but you know some people are just immune to good advice. I hope after this he starts using it.
CoolNefariousness668@reddit
BitLocker, it's an extremely quick win.
estritt_91@reddit
Definitely BitLocker - store the keys yourself in a secure vault somewhere. For bonus points you can set a boot password in most BIOSes so it will be required every time they start their laptops.
User account passwords are a must - if typing them in is too much hassle (what??), set up Windows Hello.
Also, 2FA set up for everything that can use it. Preferably Yubikeys, but a phone app will do too. Just don't let them do SMS/voice - not safe.
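The "PIN to boot" setup from Reo_Strong's comment plus the "print the recovery key and file it" advice from protogenxl and estritt_91, as an added example and not code from anyone in the thread. It assumes a stand-alone Windows 11 Pro laptop with a TPM and no GPO/Intune policy, so the local FVE policy values are set to allow a TPM+PIN protector; the export directory is an assumed path for a USB stick that goes in the safe.

```powershell
# Added example (not from the thread): turn on BitLocker with a startup PIN,
# make sure a numerical recovery password exists, and write it to a file for printing.
# Assumes a stand-alone Windows 11 Pro laptop with TPM and no GPO/Intune policy.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint = 'C:',
    [string]$ExportDir  = 'D:\bitlocker-keys'   # assumed path: USB stick kept in the safe
)

# Allow (not require) a startup PIN alongside the TPM. Without these local policy
# values a TPM+PIN protector is refused on an unmanaged machine. 1 = allowed.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord

$pin = Read-Host -Prompt 'Startup PIN (6+ digits)' -AsSecureString

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # XTS-AES-256; used-space-only is fine for a fresh machine, drop it for a reused disk.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $pin | Out-Null
} elseif (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')) {
    # Already encrypted (e.g. TPM-only device encryption): add the PIN protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

# The 48-digit recovery password is what accounting files away; create one if missing.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$outFile = Join-Path $ExportDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, (Get-Date -Format yyyyMMdd))
@"
Computer:      $env:COMPUTERNAME
Volume:        $MountPoint
Protector ID:  $($rp.KeyProtectorId)
Recovery key:  $($rp.RecoveryPassword)
"@ | Set-Content -Path $outFile -Encoding UTF8
Write-Host "Recovery password written to $outFile - print it, file it, then wipe the stick."
```

The Protector ID is what the recovery screen shows, so keep it on the printout next to the key; a machine with several protectors is otherwise a guessing game at 2 a.m.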