Windows 7 Forums

Windows 7: Deploying BitLocker on an enterprise environment?

14 Feb 2012   #1

Deploying BitLocker on an enterprise environment?

Does anyone have any experience deploying BitLocker in an enterprise environment?
I've been doing some research, but wanted to hear from your past experience for any pros vs. cons: things to be aware of, sample scripts to kick it off. Any advice will help.

This is on a Win 7 front end, with a mix of Server 2003/2008 and Exchange 2010.


17 Feb 2012   #2

Windows 7 Enterprise

The only thing I've run into since we deployed it 3 months ago - if you run it on machines that don't have TPM and need a USB start-up key, certain brands of USB flash drives will not work (I'm looking at you, Verbatim). Not sure if it's the manufacturer of the flash chips or the brand's software (Store 'n Go, in this case) that Bitlocker won't work with - but we've had no problems since switching to Kingston USB drives.
19 Feb 2012   #3

Windows 10 Pro x64

One other thing to be aware of, is that some enterprises want to have up-to-date information and control on which machines are encrypted, which portable drives are encrypted (if forcing Bitlocker to go on USB devices), allow help-desk or admin staff to be able to access and provide recovery keys in the event of someone forgetting their TPM PIN or of disk failure, and more targeted enforcement. To give Bitlocker real enterprise-grade manageability and address these issues (and more), you also want to think about adding MBAM as your management and key escrow (in addition to AD) location. However, as you can see, MBAM requires access to MDOP, access to which you may or may not have already acquired from Microsoft as part of your volume licensing agreement and software assurance. Bitlocker + MBAM is really powerful though (and scales to tens or even hundreds of thousands of endpoints quite well), so it is worth it.

Also, one other security caveat is that you generally want to force TPM + PIN (or at least USB key if a v1.2 TPM isn't available), as well as disabling hybrid sleep. Bitlocker only protects data at rest, so if the machine is sleeping (and not hibernated or off), the security keys used to unlock the volume that are stored in RAM can be brute-forced if given enough physical time with the machine in a powered-on (sleep) state as RAM is not cleared (for obvious reasons - it's sleep! :)). This is true of any volume or disk encryption software, but it still bears repeating as some admins forget about disabling hybrid sleep when they start encrypting volumes.

26 Dec 2013   #4

Windows 7 64 Bit Enterprise

I've gone through a couple of installations of BitLocker on a Windows 7 64-bit Enterprise OS.

I had to meet these criteria:
  • Ensure TPM is turned on in BIOS
  • Ensure your network domain computer account is made and active, but don't log in to the network yet.
  • Must join your computer name to the network. After joining domain, restart computer.
  • Log in as Local Administrator on the laptop: Control Panel, BitLocker, Turn on BitLocker.
  • Save a recovery key on a network or external device, and type in a startup key PIN that is universal to your organization.
  • Run bitlocker system check (Checkmark it)
  • Restart when told to restart
  • Log in as Local Administrator again; at the desktop, BitLocker will begin to encrypt automatically.

If you need to re-image the laptop hard drive because...
  • You're locked out of Windows 7 due to a forgotten password... remember you can't crack the Windows password with a bootable CD like Knoppix, because the partition where your password is kept is encrypted.
  • You then need to re-image your hard drive: enter your BitLocker recovery key.
  • Plug your hard drive into an eSATA reader hooked up to another computer with Windows 7 64-bit. Access Control Panel, Manage BitLocker, Turn off BitLocker, Decrypt drive.
  • Remove the hard drive and put it back into the original laptop.
  • Create a new Windows 7 image or blow a new image from Norton Ghost onto the computer, or perform a new Windows 7 installation from the CD.

If you lost your BitLocker recovery key, you can still image over the encryption, but all data will be lost, effectively destroying the encryption; correct me if I'm wrong please. Hope this helps someone.
30 Dec 2013   #5

Windows 10 Pro x64

1. Bitlocker encryption can be disabled, you do not need to decrypt the drive.
2. A Windows PE environment that matches the installed version of Windows (if built from real WinPE source, and not using something from non-MS sources) can mount and access bitlocker-encrypted volumes on boot. This allows password recovery tools to work (see MSDaRT as an example).

Getting locked out of a BitLocker-encrypted drive does not require decryption or paving of the disk to regain access.
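The original question asked for sample scripts, and posts #3, #4 and #5 together describe what an enterprise enablement should look like: TPM + PIN rather than TPM alone, hybrid sleep disabled, a recovery password escrowed to AD, and suspending protectors instead of decrypting when you need to service the machine. The following PowerShell 2.0 script is an added example written for this page; it is not code from the thread, from Microsoft, or from MBAM. It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows 7 (the BitLocker PowerShell cmdlets did not exist until Windows 8). The drive letter, the PIN source and the "Recovery password"/"TPM and PIN" friendly names are assumptions; the script must run elevated, and the TPM+PIN and AD-backup steps only succeed if the matching Group Policy settings ("Require additional authentication at startup" allowing a PIN, and "Store BitLocker recovery information in Active Directory Domain Services") are in place.

```powershell
# Added example for this thread (not code from any post or vendor).
# Run elevated on Windows 7. ASSUMPTION: C: is the OS volume.
$OsDrive = "C:"
$FveNs   = "root\cimv2\Security\MicrosoftVolumeEncryption"

function Get-OsVolume {
    # Win32_EncryptableVolume is the WMI provider behind manage-bde.exe.
    Get-WmiObject -Namespace $FveNs -Class Win32_EncryptableVolume `
        -Filter "DriveLetter='$OsDrive'"
}

function Test-TpmReady {
    # Win32_Tpm exposes IsEnabled/IsActivated/IsOwned as methods whose result
    # objects carry a property of the same name. Post #3 asks for a v1.2 TPM.
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { Write-Warning "No TPM visible to Windows (check BIOS)"; return $false }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Host ("TPM spec {0}: enabled={1} activated={2}" -f $tpm.SpecVersion, $enabled, $activated)
    return ($enabled -and $activated)
}

function Disable-HybridSleep {
    # Post #3's caveat: volume keys stay in RAM while the machine sleeps.
    # HYBRIDSLEEP is powercfg's alias for "Allow hybrid sleep" under the
    # Sleep subgroup; set it for both AC and DC on the active scheme.
    & powercfg -setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
    & powercfg -setdcvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0
    & powercfg -setactive SCHEME_CURRENT
}

function Enable-OsBitLocker {
    param([Parameter(Mandatory=$true)][string]$Pin)   # ASSUMPTION: supplied by your provisioning process
    $vol = Get-OsVolume
    if (-not $vol) { throw "No encryptable volume found for $OsDrive" }

    # 1. TPM + PIN protector. $null = default platform validation profile (PCRs).
    #    Fails with an FVE policy error unless Group Policy allows a startup PIN.
    $r = $vol.ProtectKeyWithTPMAndPIN("TPM and PIN", $null, $Pin)
    if ($r.ReturnValue -ne 0) { throw ("ProtectKeyWithTPMAndPIN failed: 0x{0:X8}" -f $r.ReturnValue) }

    # 2. 48-digit numerical recovery password; passing $null lets BitLocker generate it.
    $r = $vol.ProtectKeyWithNumericalPassword("Recovery password", $null)
    if ($r.ReturnValue -ne 0) { throw ("ProtectKeyWithNumericalPassword failed: 0x{0:X8}" -f $r.ReturnValue) }
    $recoveryId = $r.VolumeKeyProtectorID

    # 3. Escrow the recovery password to AD DS (post #3's "in addition to AD").
    #    Needs the AD backup GPO and the BitLocker schema extensions on the domain.
    $r = $vol.BackupRecoveryInformationToActiveDirectory($recoveryId)
    if ($r.ReturnValue -ne 0) {
        Write-Warning ("AD backup failed: 0x{0:X8}. Do NOT leave this endpoint unescrowed." -f $r.ReturnValue)
    }

    # 4. Start encryption. 1 = AES-128 with diffuser, the Windows 7 default.
    $r = $vol.Encrypt(1)
    if ($r.ReturnValue -ne 0) { throw ("Encrypt failed: 0x{0:X8}" -f $r.ReturnValue) }
    return $recoveryId
}

function Get-EncryptionProgress {
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting, 4/5 paused.
    $s = (Get-OsVolume).GetConversionStatus()
    "{0}% encrypted (conversion status {1})" -f $s.EncryptionPercentage, $s.ConversionStatus
}

function Suspend-OsProtectors {
    # Post #5's point: for a BIOS flash or re-image you suspend protectors
    # (the volume stays encrypted, the key is stored in the clear until
    # EnableKeyProtectors is called) rather than decrypting the whole disk.
    $r = (Get-OsVolume).DisableKeyProtectors()
    return ($r.ReturnValue -eq 0)
}

# Example run: stop early if the TPM is not usable (a USB startup key is the fallback).
if (Test-TpmReady) {
    Disable-HybridSleep
    $id = Enable-OsBitLocker -Pin (Read-Host "Startup PIN")
    Write-Host "Recovery password protector $id added; AD backup attempted."
    Write-Host (Get-EncryptionProgress)
}
```

The return codes are HRESULTs, which is why they are printed in hex; `manage-bde -status C:` and `manage-bde -protectors -get C:` show the same state the WMI calls change, so both can be used to verify a run. Treat a failed AD backup as a deployment failure rather than a warning to ignore: an encrypted endpoint with no escrowed recovery password is exactly the situation post #4 describes as total data loss.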