BitLocker in an enterprise environment

Every system administrator knows the problem: every day users lose notebooks or mobile devices. The financial loss is one thing, but losing the data, and losing control over who has access to that data, is a disaster for many companies.

To protect your data against loss, various vendors offer backup solutions. Equally important is encrypting your data securely, so that nobody outside your organisation can access sensitive data.

The following points should be noted:

  • The data should be available to all users who can authenticate themselves to the encryption mechanism.
  • Because a lot of data is stored on the Windows system partition, that partition should be encrypted as well.
  • All data should be accessible or recoverable by an administrator team.

As a solution to this problem, Microsoft offers BitLocker on Windows Vista and higher to encrypt your partitions. In this and subsequent articles I consider only BitLocker on Windows 7 and Windows 2008 R2 Server, as Vista and Windows 2008 Server are not in use in my environment.


To activate BitLocker, you will need:

  • Windows Vista or Windows 7, Ultimate or Enterprise Edition
  • Windows 2008 or Windows 2008 R2
  • Local admin rights on your notebook / mobile Windows device.
  • The disk to be encrypted must be a basic disk (not a dynamic disk).
  • To encrypt your disk, the notebook must be running on mains power, not on battery.

Additional prerequisites are optional but recommended:

  • TPM 1.2
  • Recovery key backup to Active Directory
  • Membership in a Windows domain
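The prerequisites above can be checked before a rollout rather than discovered one notebook at a time. The script below is an added example (it is not from the original article and not Microsoft code); it audits each point using only WMI classes, so it runs on Windows 7 and Windows 2008 R2 without the BitLocker PowerShell module that first shipped with Windows 8. The drive letter `C:` and the string match on the `Win32_DiskPartition.Type` value for dynamic disks are assumptions; adjust them for your environment.

```powershell
# Added example: audit BitLocker prerequisites on Windows 7 / Server 2008 R2.
# Run in an elevated PowerShell session. WMI only, so PowerShell 2.0 is enough.

function New-CheckResult {
    param([string]$Check, [bool]$Ok, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail } |
        Select-Object Check, Ok, Detail
}

function Test-BitLockerPrerequisites {
    param(
        # Volume you intend to encrypt (assumption: the system drive C:)
        [string]$DriveLetter = 'C:'
    )
    $results = @()

    # 1. OS edition: Ultimate/Enterprise on clients, any Windows Server 2008 (R2) edition
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $editionOk = [bool]($os.Caption -match 'Ultimate|Enterprise|Server 2008')
    $results += New-CheckResult 'OS edition' $editionOk $os.Caption

    # 2. Local admin rights for the current session
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += New-CheckResult 'Local admin' $isAdmin $identity.Name

    # 3. Basic disk: assumption - dynamic disks report a partition Type containing
    #    "Logical Disk Manager"; basic partitions do not.
    $partition = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$DriveLetter'} " +
                                       "WHERE AssocClass=Win32_LogicalDiskToPartition")
    $basicDisk = [bool]($partition -and ($partition.Type -notmatch 'Logical Disk Manager'))
    $results += New-CheckResult 'Basic disk' $basicDisk ([string]$partition.Type)

    # 4. Mains power: Win32_Battery.BatteryStatus 2 = "AC power"; no battery object = desktop/server
    $battery = Get-WmiObject -Class Win32_Battery
    $onMains = [bool]((-not $battery) -or ($battery.BatteryStatus -eq 2))
    $powerDetail = if ($battery) { "BatteryStatus=$($battery.BatteryStatus)" } else { 'no battery' }
    $results += New-CheckResult 'Mains power' $onMains $powerDetail

    # 5. TPM 1.2 present, enabled and activated (optional, but recommended)
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
                         -ErrorAction SilentlyContinue
    $tpmOk = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and
                    ($tpm.SpecVersion -like '1.2*'))
    $tpmDetail = if ($tpm) { "SpecVersion=$($tpm.SpecVersion)" } else { 'no TPM found' }
    $results += New-CheckResult 'TPM 1.2 ready' $tpmOk $tpmDetail

    # 6. Domain membership (optional; required for recovery key backup to AD)
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $results += New-CheckResult 'Domain member' ([bool]$cs.PartOfDomain) $cs.Domain

    return $results
}

Test-BitLockerPrerequisites | Format-Table -AutoSize
```

Any row with `Ok = False` in the first four checks blocks encryption outright; a failed TPM or domain check only means you lose the recommended protector and the central key escrow described in the next section.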


Back up your recovery keys to Active Directory

Normally every user with local admin rights can encrypt his partitions whenever he wants. Sometimes the recovery key that was created gets lost, and when a system recovery becomes necessary he loses access to his data. This is the reason why I don't recommend BitLocker or any other encryption technology to home users.

To prevent the recovery key from getting lost, you can define via group policy that users cannot encrypt any drive unless the recovery key is saved to Active Directory. To do so, create a group policy with the following settings:
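Whatever the exact policy settings look like, an administrator will want a way to confirm on a given machine that the policy has arrived and that every recovery password is actually in Active Directory, for example for notebooks that were encrypted before the policy was rolled out. The script below is an added example (not from the original article, not Microsoft code); it uses the `Win32_EncryptableVolume` WMI provider available on Windows 7 and Windows 2008 R2. The registry value names `OSActiveDirectoryBackup` and `OSRequireActiveDirectoryBackup` under the `FVE` policy key are my assumption for what the operating-system-drive recovery policy writes; verify them against the ADMX in your environment.

```powershell
# Added example: report the BitLocker AD-backup policy state and push every
# numerical recovery password on this machine into Active Directory.
# Run elevated on a domain-joined Windows 7 / Server 2008 R2 machine.

$BitLockerNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerAdBackupPolicy {
    # Assumption: value names written by the OS-drive recovery GPO. Returns $null
    # when no BitLocker policy has been applied to this computer at all.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        BackupToAd    = [bool]$p.OSActiveDirectoryBackup
        RequireBackup = [bool]$p.OSRequireActiveDirectoryBackup
    } | Select-Object BackupToAd, RequireBackup
}

function New-BackupReportRow {
    param([string]$Volume, [string]$ProtectorId, [string]$Result)
    New-Object PSObject -Property @{ Volume = $Volume; ProtectorId = $ProtectorId; Result = $Result } |
        Select-Object Volume, ProtectorId, Result
}

function Backup-RecoveryPasswordsToAd {
    $report  = @()
    $volumes = Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        # GetProtectionStatus: 0 = protection off, 1 = on, 2 = unknown
        $status = $vol.GetProtectionStatus().ProtectionStatus
        if ($status -ne 1) {
            $report += New-BackupReportRow $vol.DriveLetter '-' 'not protected, nothing to back up'
            continue
        }
        # Key protector type 3 = numerical (48-digit) recovery password, the only
        # protector type the AD backup stores
        $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
        if (-not $ids) {
            $report += New-BackupReportRow $vol.DriveLetter '-' 'no recovery password protector'
            continue
        }
        foreach ($id in $ids) {
            # ReturnValue 0 = success; anything else is a Win32/HRESULT error code
            $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            $result = if ($rc -eq 0) { 'backed up to AD' } else { 'failed (0x{0:X8})' -f $rc }
            $report += New-BackupReportRow $vol.DriveLetter $id $result
        }
    }
    return $report
}

$policy = Get-BitLockerAdBackupPolicy
if ($policy) { $policy | Format-List } else { Write-Warning 'No BitLocker policy found under HKLM\SOFTWARE\Policies\Microsoft\FVE' }
Backup-RecoveryPasswordsToAd | Format-Table -AutoSize
```

The WMI call does the same thing as `manage-bde -protectors -adbackup C: -id {protector-id}`. A non-zero return value usually means the computer is not domain-joined, the domain controller is unreachable, or the computer object lacks write permission to its `msFVE-RecoveryInformation` child objects; the backed-up passwords then show up on the computer object's BitLocker Recovery tab in Active Directory Users and Computers once the BitLocker Recovery Password Viewer feature is installed.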

You can download a detailed configuration guide here:

Document: Drive encryption with Microsoft BitLocker