Features introduced in Vista RTM:
- Supports TPM, TPM+USB, TPM+PIN, or USB to unlock a protected drive.
- Provides a unique recovery key for each protected volume
- Supports encrytion of only the Windows Partition
- Supports the backup of BitLocker and TPM recovery information to Active Directory
- Needs an additional partition to be created by the BitLocker Drive Preparation Tool
Features introduced in Vista SP1:
- Introduce support for Unified Extensible Firmware Interface (UEFI) systems
- Supports encryption of any partition on fixed disks
- Supports TPM+USB+PIN to unlock a protected drive
Features introduced in Windows 7 RTM:
- Supports encryption of partitions on fixed and removable disks
- Unlocks an encrypted drive by right-clicking on it in Windows Explorer
- Supports enforcement of minimum PIN length
- Supports association of a unique organizational identifier with each BitLocker volume.
- Supports recovery of all protected volumes by a single Data Recovery Agent (DRA)
- Windows Setup automatically creates system partitions for BitLocker
- Enables BitLocker on a drive by right-clicking it in Windows Explorer
- Has BitLocker Recovery password in Microsoft Remote Server Administration Tools (RSAT)
For bitlocker to work it needs to create a small seperate partition for boot information. The windows boot loader NTLDR (short for NT Loader) cannot exist on an encrypted partition because how will the system read it to load windows? Instead bitlocker puts the enhanced version NTLDR capable of reading the encrypted partitions on a seperate small little boot partition.
When installing windows vista if you wanted to use bitlocker you would have to use the "Bitlocker Drive Preparation Tool" to seperate the NTLDR boot loader from the main system partition to its own little boot partition before enabling bitlocker.
With Windows 7 everytime you install windows it automatically puts NTLDR on a seperate partition. This allows you to easily enable bitlocker by simply right clicking a partition and clicking "Turn on Bitlocker".
Also Windows 7 has a new feature called "Bitlocker To Go" which enables you to bitlock removable devices such as USB flash keys. You can unlock a removable drive by the following methods:
- Password or Passphrase
- Smart card
- Automatic unlocking (basically it remembers the password just for that 1 computer)
Bitlocker can be managed in 2 ways:
- Group Policy (so many policies around bitlocker to go)
- Windows User Interface
If all client workstations in your company are running windows 7, one policy I recommend implementing is "Deny write access to removal drives not protected by bitlocker"
This will force all users to right click the removable drive and "Turn on bitlocker" to continue using it. This means if any USB keys are lost and people outside the company get a hold of them, they will not be able to read company confidential data.
When this policy is enabled when a user puts a key into the computer they will automatically get presented with:
No comments:
Post a Comment