This portion of the BitLocker guide deals with controlling BitLocker behaviors using key management. Channel professionals will learn what BitLocker can and can't do in this tip, from SearchWindowsSecurity.com.
In order for a system to use BitLocker, the two partitions described above have to be prepared before the initial installation. BitLocker itself is turned on (and the main drive encrypted) after Vista has been installed, and it can be managed remotely through WMI so that it can be administratively set up.
Therefore, if you plan to use BitLocker on multiple systems that are set up through cloning, you'll need to enable BitLocker after the cloning process so that each machine's key will be distinct and will be for that machine only. Microsoft has a quick walkthrough of the setup process for BitLocker for an individual machine; most of the partition preparation work could be done once for a machine image.
Note that once a set of keys is issued for a volume, the keys cannot be revoked or changed. The only way to do that is to shut off BitLocker and re-enable it. It is possible, however, to create a new PIN (not the recovery password) for a volume protected by TPM.
Right now, support for third-party multifactor authentication (i.e., smart cards or fingerprint readers) isn't actively available, but BitLocker was designed to allow the eventual inclusion of such trust mechanisms. A smart-card reader, for instance, could work at boot time as long as the device drivers are available to access the device (and at this point in Windows's evolution, it's a fairly trivial add-on).
You can use Group Policy to control BitLocker behaviors. For instance, you can back up BitLocker and TPM recovery data to Active Directory if needed, and many common BitLocker behaviors can be constrained if needed (such as issuing a new PIN).
BitLocker demystified: End-to-end encryption for Vista
About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This tip originally appeared on SearchWindowsSecurity.com.
This was first published in January 2007