Bitlocker Features Questions
Hi, I'm looking into getting some more details on BitLocker's feature set to compare against some alternate 3rd party products for encryption. I've read details available on TechNet and some other sources but wanted to verify the following:

1. Boot up login is only supported through TPM+PIN and/or USB. CAC cards and PIV cards aren't supported for boot up login.
2. Only 1 PIN can be assigned per workstation, and it can only be set using the F1-F12 keys. If it's a kiosk or multiuser machine, all users will share the same PIN.
3. Only USB removable media can be encrypted. Optical discs, floppy disks, and other media are not yet recognized by BitLocker to Go.
4. Decrypting removable media requires the original password; users in the same domain cannot be granted automatic decrypt rights to that media (it means users passing USB flash drives around will need to expose the password to the recipient instead of letting their domain credentials be enough to view and modify contents).
5. BitLocker to Go challenge/recovery passwords are 48 characters long. Can they be cut/pasted from BitLocker Recovery Password Viewer into an email to an end user and then copied into the recovery dialog box on their system? Otherwise, reading back and confirming a 48-character key over the phone won't work.

Some other questions:
Does it support bypassing on Wake-On-LAN (to allow for installation of patches and service packs through SCCM) on systems that are turned off at the end of the day?
Does it support Rights Management (rights which are still tied to the device even if it can't communicate back to the original encrypting domain)?

Thanks!
rpc180
July 27th, 2010 10:41pm

Thank you for posting in TechNet. Here are the answers for your questions.

1. Boot up login is only supported through TPM+PIN and/or USB. CAC cards and PIV cards aren't supported for boot up login.
Not sure. You should get information from the CAC/PIV manufacturer.

2. Only 1 PIN can be assigned per workstation, and it can only be set using the F1-F12 keys. If it's a kiosk or multiuser machine, all users will share the same PIN.
Only 1 PIN can be assigned per workstation, but it does not have to be set using only the F1-F12 keys. All users share the same PIN.

3. Only USB removable media can be encrypted. Optical discs, floppy disks, and other media are not yet recognized by BitLocker to Go.
It can encrypt hard drives, USB flash drives and external hard drives. I guess the thing you misunderstand is that BitLocker to Go can store keys on a flash drive, not only with TPM.

4. Decrypting removable media requires the original password; users in the same domain cannot be granted automatic decrypt rights to that media (it means users passing USB flash drives around will need to expose the password to the recipient instead of letting their domain credentials be enough to view and modify contents).
Yes.

5. BitLocker to Go challenge/recovery passwords are 48 characters long. Can they be cut/pasted from BitLocker Recovery Password Viewer into an email to an end user and then copied into the recovery dialog box on their system? Otherwise, reading back and confirming a 48-character key over the phone won't work.
Cannot copy and paste. Additionally, the following article will be helpful: How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1 - Windows Live

Some other questions:
Does it support bypassing on Wake-On-LAN (to allow for installation of patches and service packs through SCCM) on systems that are turned off at the end of the day?
Yes. You may refer to: What Should You Consider in Your BitLocker Deployment Plan

Does it support Rights Management (rights which are still tied to the device even if it can't communicate back to the original encrypting domain)?
Yes.

Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 28th, 2010 12:39pm
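The 48-digit recovery password discussed above has a per-group check that a helpdesk can apply while a user reads it back over the phone, which is the part of the workflow the thread says cannot be replaced by copy and paste. This is an added example, not code from the thread or from Microsoft; it assumes only the documented format (eight 6-digit groups, each a multiple of 11 and below 720896), and the little-endian byte order of the decoded 16-bit words follows third-party BitLocker implementations and is treated here as an assumption.

```python
import re

GROUPS = 8
GROUP_DIGITS = 6
GROUP_LIMIT = 720896  # 11 * 2**16: each group is a 16-bit value times 11

# Constructed sample password (not a real key): every group is a multiple
# of 11 and below 720896, so it passes the format check.
SAMPLE = "000011-000022-123453-720885-000000-111111-555555-654313"


def split_groups(text):
    """Normalize a password as typed or read aloud: keep only digits and
    split into eight 6-digit groups. Hyphens and spaces are ignored."""
    digits = re.sub(r"\D", "", text)
    expected = GROUPS * GROUP_DIGITS
    if len(digits) != expected:
        raise ValueError(f"expected {expected} digits, got {len(digits)}")
    return [int(digits[i:i + GROUP_DIGITS])
            for i in range(0, expected, GROUP_DIGITS)]


def check_groups(groups):
    """Return the 1-based indices of groups failing the built-in check.
    Because 10 is congruent to -1 mod 11, any single misheard digit and any
    adjacent transposition breaks the multiple-of-11 property, so the bad
    group can be identified and re-read before the whole password is retried."""
    return [i + 1 for i, g in enumerate(groups)
            if g % 11 != 0 or g >= GROUP_LIMIT]


def recovery_key_bytes(groups):
    """Convert a validated password to the 16 bytes it encodes: each group
    divided by 11 is one 16-bit word (little-endian, assumed)."""
    bad = check_groups(groups)
    if bad:
        raise ValueError(f"invalid groups: {bad}")
    return b"".join((g // 11).to_bytes(2, "little") for g in groups)


if __name__ == "__main__":
    groups = split_groups(SAMPLE)
    print("bad groups:", check_groups(groups))
    print("key bytes:", recovery_key_bytes(groups).hex())
```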

Thanks for the very quick response Arthur,

While reading through, I think what I was referring to in scenario 1 pertained to multifactor authentication at system boot. From what I'm reading it supports the following authentication methods:
TPM + Enhanced PIN (more characters than just F1-F12)
TPM + keys stored on USB flash drive
TPM + keys stored on USB flash drive + Enhanced PIN

So "CAC/PIV & Enhanced PIN" isn't yet supported as a multifactor authentication method at system boot? And also, for BitLocker-to-Go compatible media: can floppy disks or CD/DVDs be encrypted?

-Romel
July 29th, 2010 4:21pm

Here is an example, from the instructions for the DoD CAC/PIV Card. Boot up is supported: IT Security, DOD CAC Card & PIV Card

Important Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information. You need to read the instructions from the card manufacturers to confirm whether boot up is supported.

Removable devices that BitLocker to Go can encrypt are USB flash drives and external hard drives. Floppy disks or CD/DVDs are not supported.

Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
August 2nd, 2010 10:36am
