
BitLocker

Frequently Asked Questions

What do I need in order to implement BitLocker?

At the minimum you need:

  • A laptop that supports USB drive access at boot-up time. Most new laptops do, but enter the laptop's setup mode and check whether USB drives are an option in the boot sequence. BitLocker doesn't actually boot from a USB drive, but that will tell you whether the laptop can read USB drives at the point where BitLocker needs it.

Or

  • A laptop that has a built-in TPM version 1.2 and a BIOS that supports it, AND a Vista driver for the TPM from the laptop manufacturer. As of January 2007 these are in short supply!

For Microsoft's detailed requirements click here.

Any caveats to be aware of?

  • Keep a secure copy of the recovery key for each laptop! Otherwise a number of events could render the data on a laptop inaccessible.
  • When you install Windows, leave at least 1.5 megabytes unallocated or in a separate partition. BitLocker requires this as a tiny bootstrap volume.
  • BitLocker is the total solution to protecting laptop data. See the more detailed FAQ.
  • You need to train your help desk on how to help remote users recover laptops when there's a problem with BitLocker.

Randy's BitLocker Resources: FAQs, Decision Trees, BitLocker Utilities, Good Links

Which laptops support TPM for BitLocker?

I haven't identified a single one yet that has a BIOS updated with a Vista driver. I'll update this Q&A as I learn of ones that do. Please keep me informed!

What happens if we lose the startup key or the TPM breaks?

You will only be able to recover the data if you can locate a copy of the recovery key. BitLocker allows you to save and/or print the recovery key at the time you set up BitLocker. You can also configure Vista to automatically save the recovery key to Active Directory. For more help see my decision tree.

What’s the best way to manage recovery keys?

  • If you are a relatively small shop, you could simply keep a USB drive around expressly for the purpose of storing recovery keys. BitLocker creates a unique file name for each recovery key, which means you can store them all in the same place. Of course, you need to keep the recovery key USB drive secure and maintain a backup of it off-site. The easiest way to do this might be to back it up to a secure folder on any server that is regularly backed up to off-site storage.
  • You can also save recovery keys to a shared folder on a file server. You could set up the permissions on the folder to allow everyone List and Create but limit Read access to administrators. That way you could save recovery keys to the folder as any user, but users wouldn't be able to access each other's keys. BitLocker creates a unique file name for each recovery key and displays this when you try to recover a PC. That makes it easy to locate the correct file.
  • If you are a larger shop, consider using the store-to-Active-Directory feature. In fact, group policy allows you to require a successful save to Active Directory before enabling BitLocker.
  • For more help see my decision tree.
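The shared-folder option above, as an added PowerShell example that is not part of this page: it builds the NTFS ACL for a recovery-key "drop folder" (users may list and create, only administrators may read) and then checks that no non-administrator ACE reaching files carries Read Data. The folder path is a placeholder, the script assumes an elevated session on the file server, and it uses Authenticated Users rather than Everyone as the user group.

```powershell
# Added example, not from the original page. Path below is a placeholder to adjust.
$KeyFolder = 'D:\BitLockerKeys'

function Set-RecoveryKeyFolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent so nothing above the folder grants Read to users.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    $both = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none = [System.Security.AccessControl.PropagationFlags]::None
    # Administrators and SYSTEM: full control on the folder and every key file dropped into it.
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', $both, $none, 'Allow'))
    }
    # Users: List folder + Create files on this folder only (no inheritance), so anyone
    # can save a key file but cannot read, replace or delete other users' key files.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\Authenticated Users', 'ListDirectory, CreateFiles, Synchronize',
        [System.Security.AccessControl.InheritanceFlags]::None, $none, 'Allow'))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-RecoveryKeyFolderAcl {
    # Returns $true when no identity other than Administrators/SYSTEM holds an Allow ACE
    # that is inherited by files (ObjectInherit) and includes the Read Data right.
    param([Parameter(Mandatory)][string]$Path)
    $admins   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $objInh   = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $leaks = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $admins -notcontains $_.IdentityReference.Value -and
        (([int]$_.InheritanceFlags) -band $objInh) -ne 0 -and
        (([int]$_.FileSystemRights) -band $readData) -ne 0
    }
    return (@($leaks).Count -eq 0)
}

Set-RecoveryKeyFolderAcl -Path $KeyFolder
Test-RecoveryKeyFolderAcl -Path $KeyFolder
```

The SMB share permissions are separate from this NTFS ACL and must still grant users Change so the save can write a file; the NTFS ACL is what keeps other users' key files unreadable.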

What does it take to keep recovery keys in Active Directory?

You have to update the AD schema before Vista can store recovery keys in AD. Click here for more information.

But wait!

How do you access the recovery key from AD once you need it? Until recently there was no easy-to-use tool available for accessing those backed up keys once you need them.

We have the solution for you in 2 editions
