Bitlocker revisited


A while ago I wrote a blog post on BitLocker Drive Encryption and why I thought it wasn’t ready for prime time yet. While reading up on BitLocker I found out two of my eight reasons are history or will be history in the near future.


BitLocker Drive Encryption Central Management

Steve Lamb wrote a blog post a couple of weeks ago on centrally managing BitLocker Drive Encryption using System Center Configuration Manager (SCCM) 2007. Since SCCM 2007 reached Release to Manufacturing (RTM) status on August 27, 2007, this is now a viable alternative to the previous approach: manage-bde.wsf, Active Directory, a handful of group policies, some sample scripts and the BitLocker Recovery Password Viewer tool, combined with a startup or login script to prepare the system before actually rolling out BitLocker Drive Encryption…


Encrypting volumes other than the system volume

I found a second piece of news in the Windows Vista Service Pack 1 Beta Whitepaper, which states:


BitLocker Drive Encryption encrypts extra local volumes. For example, instead of encrypting only drive C, customers can also encrypt drive D, E and so on.


Wow! Using Manage-BDE.wsf you could already do this, but it wasn’t supported or possible using the built-in graphical tools. With Service Pack 1 it’s apparently going to be supported, as it already is on Windows Server 2008.


Multiple Factor Authentication

The Windows Vista Service Pack 1 Beta Whitepaper also reveals another new BitLocker feature, which I found rather interesting:

Enhances BitLocker Drive Encryption (BDE) to offer an additional multifactor authentication method that combines a key protected by the Trusted Platform Module (TPM) with a Startup key stored on a USB storage device and a user-generated personal identification number (PIN).


Well, that certainly makes for a new and interesting BitLocker Drive Encryption deployment scenario: something you have, combined with another thing you have and something you know. To my disappointment there’s still no deployment scenario demanding “something you are”, unless you use a biometrically secured USB device to store the Startup key.

Adding a scenario with a second “something you have” has its advantages, but things you have or know can still be transferred to (or obtained by) other persons.
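The two capabilities discussed above (encrypting an extra local volume, and protecting the operating-system volume with TPM, PIN and a USB startup key) can be set up and, more importantly, verified from the command line. The script below is an added example, not code from the original post or from Microsoft; it uses the syntax of the later built-in manage-bde.exe (Windows 7 and up) rather than the Vista-era manage-bde.wsf script, and the drive letters, the USB path and the protector names it matches in the command output are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumed drive letters and USB path:
$OsVolume   = 'C:'      # assumed operating-system volume
$DataVolume = 'D:'      # assumed extra local volume to encrypt
$UsbPath    = 'F:\'     # assumed removable drive that will hold the .BEK startup key

# 1. OS volume: add the three-factor protector (TPM + PIN + startup key).
#    manage-bde prompts for the PIN and writes the startup key file to $UsbPath.
manage-bde -protectors -add $OsVolume -TPMAndPINAndStartupKey $UsbPath

# 2. Extra local volume: add a recovery password protector, then turn encryption on.
manage-bde -protectors -add $DataVolume -RecoveryPassword
manage-bde -on $DataVolume

# 3. Let the data volume unlock automatically once the OS volume is unlocked,
#    so it does not need its own unlock step at every boot.
manage-bde -autounlock -enable $DataVolume

# 4. Verify before trusting the configuration: list the protectors on each volume
#    and warn when the expected one is missing. The protector labels matched here
#    are assumed to be the English-locale names manage-bde prints.
$osProtectors   = manage-bde -protectors -get $OsVolume   | Out-String
$dataProtectors = manage-bde -protectors -get $DataVolume | Out-String

if ($osProtectors -notmatch 'TPM And PIN And Startup Key') {
    Write-Warning "$OsVolume does not have the TPM+PIN+startup key protector"
}
if ($dataProtectors -notmatch 'Numerical Password') {
    Write-Warning "$DataVolume has no recovery password protector; back it up to Active Directory before relying on it"
}

# 5. Overall status: conversion progress and protection state for every volume.
manage-bde -status
```

The verification step matters more than the setup: a volume that reports "Fully Encrypted" but has no recovery password protector cannot be recovered when the TPM, PIN or USB key is lost, which is exactly the gap central management (through SCCM or Active Directory backup of recovery information) is meant to close.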



BitLocker got more enterprise-ready with System Center Configuration Manager (SCCM) 2007 last month and the features we might expect with Windows Vista Service Pack 1 sure sound promising!

Unfortunately I still feel the people behind the BitLocker functionality have a long road ahead of them before they have a product that can compete with products from PointSec, Credant, Utimaco and SafeBoot.

Further reading

Windows Vista Service Pack 1 Beta Overview
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and TPM Recovery Information
Enabling BitLocker on Removable Drives (USB Flash drives, USB Hard Drives)
Vista's BitLocker Encryption: All It's Cracked Up to Be?
Windows BitLocker Drive Encryption Design and Deployment Guides
Keys to Protecting Data with BitLocker Drive Encryption
BitLocker and disk decommissioning
SCCM Config mgr 2007 is RTM
Using BitLocker, even without a TPM
Manage BitLocker Via The CLI
BitLocker GPO settings
