+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 28
Windows 7 Thread, BitLocker on laptops in Technical; Just wondering if anyone has used BitLocker on staff-issued laptops? We're going to encrypt all of ours and just ordered ...
  1. #1
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,690
    Thank Post
    171
    Thanked 222 Times in 205 Posts
    Rep Power
    68

    BitLocker on laptops

    Just wondering if anyone has used BitLocker on staff-issued laptops? We're going to encrypt all of ours and just ordered some cheap USB sticks to hold the encryption key as I somehow doubt they have TPM onboard

    Would be interested to know how much of a hit it has on performance and if there's any compatibility issues anyone's encountered?

  2. #2

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,206
    Thank Post
    286
    Thanked 777 Times in 587 Posts
    Rep Power
    336
    Works very well apart from staff losing the USB keys
    Make sure you keep a copy of the backup key from the usb key and also check that the recovery key is being stored in active directory.
    You need to have some firm policies in place, such as not keeping the usb key in the laptop bag. Also, when (not if) a memeber of staff loses their usb key you really need to be re-encrypting the hard drive with a new encryption key. If they just break their key then just copy the encryption key onto a new usb stick.

  3. #3
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,690
    Thank Post
    171
    Thanked 222 Times in 205 Posts
    Rep Power
    68
    These laptops aren't part of the domain (issued for home use and never see the network) so we're going to keep records of the keys for each laptop on record (file stored on the network and paper documentation).

    Yup we'll be making it part of the loan scheme that the USB key is never stored with the laptop, will try and get them to put the USB on their main keys when booking out to make sure

  4. #4

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,206
    Thank Post
    286
    Thanked 777 Times in 587 Posts
    Rep Power
    336
    How are they going to back up any work on them and how are you going to ensure the backup is encrypted?

  5. #5
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,690
    Thank Post
    171
    Thanked 222 Times in 205 Posts
    Rep Power
    68
    Tbh I don't think many have ever been backed up but you make a good point about the use of USB sticks etc. Would be easy enough to control on network managed machines but not so sure about these ones. I think the next stage is encrypted USB sticks but haven't got those yet...

  6. #6
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    75
    Thank Post
    5
    Thanked 13 Times in 12 Posts
    Rep Power
    12
    Have the laptops already been partitioned accordingly, i.e. with the 1.5Gb system partition? If not then you're going to have to format as you may already know.

    Also, my understanding of BitLocker is that it will hit the performance but if the laptops aren't used for anything that rely on fast performance I can't see it being an issue. Could be worth looking into EFS for folder encryption if there's only a select few files that really need encrypting. Unless you're worried about the pagefile and whatnot.

  7. #7
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,690
    Thank Post
    171
    Thanked 222 Times in 205 Posts
    Rep Power
    68
    Yup they need to be completely reformatted anyway, the plus point of doing it with BitLocker is that it doesn't rely on people storing files in the right place... anywhere on the HD will be encrypted... can't get much easier than that

  8. #8
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    75
    Thank Post
    5
    Thanked 13 Times in 12 Posts
    Rep Power
    12
    Quote Originally Posted by gshaw View Post
    Yup they need to be completely reformatted anyway, the plus point of doing it with BitLocker is that it doesn't rely on people storing files in the right place... anywhere on the HD will be encrypted... can't get much easier than that
    That's true but on the other hand they don't have to rely on a USB to do any work at all, if they lose it on a weekend and can't see you for a day or two it's pretty much a brick in the meantime. It's one of those pros vs cons things isn't it. Ideally I'd love to BitLocker all our laptops here but I know without a doubt that USBs would be constantly lost or left with the laptop itself out of convenience. Either way it's a headache we could do without though I appreciate that sometimes you really do need this level of security.

  9. #9


    Join Date
    Mar 2009
    Location
    Leeds
    Posts
    6,792
    Thank Post
    231
    Thanked 882 Times in 758 Posts
    Rep Power
    300
    isnt that why when installing win7 it leaves a blank partition so you dont need to do that?

  10. #10

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,206
    Thank Post
    286
    Thanked 777 Times in 587 Posts
    Rep Power
    336
    Quote Originally Posted by Killer_Bot View Post
    That's true but on the other hand they don't have to rely on a USB to do any work at all, if they lose it on a weekend and can't see you for a day or two it's pretty much a brick in the meantime. It's one of those pros vs cons things isn't it. Ideally I'd love to BitLocker all our laptops here but I know without a doubt that USBs would be constantly lost or left with the laptop itself out of convenience. Either way it's a headache we could do without though I appreciate that sometimes you really do need this level of security.
    It's an even bigger headache for the school when a laptop gets stolen and has confidential data in an unencrypted part of the drive, think it's up to a £500k fine now.

  11. #11


    Join Date
    Feb 2007
    Location
    51.403651, -0.515458
    Posts
    9,354
    Thank Post
    241
    Thanked 2,808 Times in 2,073 Posts
    Rep Power
    812
    Quote Originally Posted by sted View Post
    Isn't that why when installing win7 it leaves a blank partition so you don't need to do that?
    That's correct. In addition to BitLocker, the 100MB partition is also used for other things (it's not completely blank).

  12. #12
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    75
    Thank Post
    5
    Thanked 13 Times in 12 Posts
    Rep Power
    12
    Quote Originally Posted by teejay View Post
    It's an even bigger headache for the school when a laptop gets stolen and has confidential data in an unencrypted part of the drive, think it's up to a £500k fine now.
    Luckily that's not my decision to make, I just do as I'm told by my boss BitLocker is by no means fully secure either, especially if it's set for the USB keys. Granted, it's much more secure than an unencrypted drive but requires far more staff training RE things like storage, social engineering, passwords, etc.

    Just to be clear I'm not against BitLocker, I just don't think it's something to take on lightly when EFS and training with it can do almost the same thing.

  13. #13
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,690
    Thank Post
    171
    Thanked 222 Times in 205 Posts
    Rep Power
    68
    Quote Originally Posted by Arthur View Post
    That's correct. In addition to BitLocker, the 100MB partition is also used for other things (it's not completely blank).
    Isn't that 100MB partition hidden anyway?

    Tbh once we get our 2008 servers in the whole argument becomes moot anyway as it'll all be done via Terminal Services \ VDI so will only need an Internet connection and no files will be moving between locations. In the meantime it's really just a case of providing an additional computing resource with Office etc installed for staff that don't have dedicated PCs at home. As it stands I'd rather have them encrypted and take a few groans than the other option as mentioned above.

    Just considering if it's worth locking the USB ports as well, although that might push people over the edge :P

    Quick qu just thinking about it, if set to encrypt the boot drive am I right in thinking it won't auto encrypt USB sticks by default? Not sure I want it doing that until we've decided on a strategy there...
    Last edited by gshaw; 7th February 2011 at 03:43 PM.

  14. #14
    Killer_Bot's Avatar
    Join Date
    Dec 2009
    Location
    Great Britain
    Posts
    75
    Thank Post
    5
    Thanked 13 Times in 12 Posts
    Rep Power
    12
    It's another layer of protection so why not. As you say it's only temporary. Otherwise could a user not "accidentally" copy some contents onto there unencrypted stick? Not sure if it works like EFS where it unencrypts before copying? You could maybe set up BitLocker ToGo though and insist sticks be protected with that?

  15. #15

    teejay's Avatar
    Join Date
    Apr 2008
    Posts
    3,206
    Thank Post
    286
    Thanked 777 Times in 587 Posts
    Rep Power
    336
    Quote Originally Posted by gshaw View Post
    Just considering if it's worth locking the USB ports as well, although that might push people over the edge :P
    They'll all be broken in a few weeks from having the usb encryption key rammed in the wrong way round anyway

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. [SCCM 2007] Deploying Windows 7 and BitLocker
    By Ric_ in forum O/S Deployment
    Replies: 4
    Last Post: 23rd June 2010, 07:52 PM
  2. Replies: 1
    Last Post: 5th December 2009, 09:52 AM
  3. HP Laptops
    By laserblazer in forum Hardware
    Replies: 13
    Last Post: 30th November 2007, 06:49 PM
  4. Replies: 1
    Last Post: 24th July 2007, 08:10 PM
  5. Vista Bitlocker
    By Nij.UK in forum Windows Vista
    Replies: 0
    Last Post: 6th June 2007, 08:11 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •