@Paul Bergson; Great article, my organization has moved to using Intune
for BitLocker management and reporting, and it works spectacularly well.
However, one thing your article leaves out that we had to learn the hard
way: as a Hybrid-Join tenant, BitLocker will only escrow the BitLocker
key to AD O...
@Alan La Pietra @ChadWst Thank you for all the additional information
and links. Just flagging up that I've tried changing the "Domain
controller: LDAP server signing requirements" setting in the DDCP from
None to Required, and this changed the ldapserverintegrity registry entry
from 1 to 2 (below
HKLM\...
Adding some other information. Important to point out: LDAP over TLS/SSL
communication is already signed, as TLS would detect any modification of
the payload since it can't be decrypted. The behavior for LDAP simple binds
and LDAP simple binds through SSL is as follows: LDAP simple binds are
rejected I...
@Alan La Pietra -- Another follow-up to your response. Up until this point
I have considered LDAP signing and LDAP CBT mutually exclusive. Is this
accurate? For example, could we disable LDAP signing=REQUIRED and move
forward with CBT = 1? These changes don't have to be done together, right?
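As an added example (not posted by any commenter, and not taken from the article), a PowerShell check that reads the two domain-controller registry values the thread discusses: the LDAPServerIntegrity entry that the signing policy changed from 1 to 2, and the LdapEnforceChannelBinding entry that holds the CBT level. It assumes it is run on the DC itself with rights to read HKLM; the registry path and the meaning of the values (1 = None / 2 = Required for signing; 0 = Never / 1 = When supported / 2 = Always for channel binding) are Microsoft's documented ones, not something stated in the thread.

```powershell
# Added example: audit a DC's LDAP signing and channel-binding (CBT) settings.
# Assumption: run locally on the domain controller with read access to HKLM.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    param([string]$Path = $NtdsParams)

    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # LDAPServerIntegrity: 1 = None, 2 = Require signing.
    # A missing value behaves as the default of 1 (None).
    $signing = if ($null -ne $props.LDAPServerIntegrity) { [int]$props.LDAPServerIntegrity } else { 1 }

    # LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
    # A missing value means the setting has never been configured on this DC.
    $cbt = if ($null -ne $props.LdapEnforceChannelBinding) { [int]$props.LdapEnforceChannelBinding } else { $null }

    $cbtState = switch ($cbt) {
        0       { 'Never' }
        1       { 'WhenSupported' }
        2       { 'Always' }
        default { 'NotConfigured' }
    }

    # The two settings are independent registry values, so each is reported on its own.
    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        LDAPServerIntegrity       = $signing
        SigningRequired           = ($signing -eq 2)
        LdapEnforceChannelBinding = $cbt
        ChannelBindingState       = $cbtState
    }
}

Get-LdapHardeningState | Format-List
```

Run it on each DC (or wrap it in Invoke-Command) to confirm the policy change actually landed on every server, not just the one where it was first tested.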
Most Enterprise Architecture doesn't even know half of these things, and
yet they often agreed to onboard SaaS-based applications and let the BAU
guys figure things out. Excellent post!