We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Windows Vista Ultimate - BitLocker FAQ

How BitLocker secures Ultimate laptops

On a system without TPM, no additional hardware required: You can opt to have users enter a 48-digit PIN number at boot time, though they may find that process cumbersome and slow. Because this is difficult to memorise, most people will be inclined to write it down - another security breach waiting to happen. In light of all this, it's clear that adding BitLocker to an existing system, with the possible risks of USB drive loss or the inconvenience of a 48-digit PIN, is inferior to using a TPM-enabled system from the outset. Running BitLocker transparently over TPM is the best option but also the most costly to implement, since in many instances it entails buying a new computer.

Whatever method you choose, when setting up BitLocker policies, be sure to enable encryption key recovery through Active Directory. When a BitLocker computer is configured, the administrator can (and should) make a backup of the encryption key into an AD repository. This way, if the key is lost but the data itself is not - for instance, if you're using a USB drive and it goes missing - any needed data can be recovered from the system without declaring the whole thing scorched earth.

Scope of Protection

So, how well does BitLocker succeed in its stated goal of functioning as a 'seamless, secure and easily manageable data protection solution'? It all hinges on the scope of the protection it provides.

On the plus side, BitLocker thoroughly encrypts something that has traditionally not been encryptable in Windows without the aid of third-party software: the operating system itself. An encrypted drive will remain unreadable even if mounted in another computer. This is crucially important with laptops, since it's trivially easy for an attacker to gain physical access to a system and remove the hard drive.

However, BitLocker doesn't by default encrypt anything other than the boot drive. It is possible to encrypt drives other than the boot drive with BitLocker, but this is not something that can be done automatically through BitLocker's configuration GUI (at least not yet). Microsoft does not yet support encrypting data volumes with BitLocker either.


Encryption is difficult to implement properly, no matter what the product, and Microsoft deserves kudos for making it possible to do this in such a tightly integrated way in Windows Vista.

There's no question that when properly implemented and deployed, BitLocker can add a considerable layer of security to a computer. Just be aware that this security comes at a cost - including the price of an edition of Windows Vista that supports BitLocker, the proper hardware to fully implement it, and, most important, the effort on the part of both IT and the end user to ensure that it has all been implemented correctly.

IDG UK Sites

Android M Developer Preview announced at Google I/O: Android M UK release date and new features. Wh?......

IDG UK Sites

Why I think the Apple Watch sucks and you'd be mad to buy it

IDG UK Sites

Ben & Holly's Game of Thrones titles spoof is delightfully silly

IDG UK Sites

Mac OS X 10.11 release date rumours: all the new features expected in Yosemite successor