Question about Bitlocker in Windows 7
TPM essentially marries the BitLocker drive to the specific computer where the drive is encrypted. If you were to remove this drive from the computer and put it into a different one with a different TPM chip, the drive would ask for the BitLocker Recovery Key to unlock the drive.
When using TPM in conjunction with BitLocker (and not using a USB stick to hold the recovery key), you essentially give a "transparent" look to having an encrypted system.
We currently have this setup at United on our Windows 7 deployed laptops. It makes it easier on the user not to have to have a separate USB key or PIN to boot the system.
Now... if the user writes down their domain credentials and plasters them to the computer... when the thief boots it... there is nothing preventing them from getting into the system.
Hope this helps,
john

John Wildes | Senior Enterprise Architect | United Airlines | Desktop Engineering
February 22nd, 2011 12:35pm
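Added example, not from John's post or from Microsoft's documentation: the two setups the post contrasts (TPM-only "transparent" unlock versus TPM plus a pre-boot PIN) as the manage-bde.exe commands an administrator would run on Windows 7. It assumes an elevated prompt, a TPM that is already enabled and owned (tpm.msc), C: as the system drive, and that Group Policy does not forbid startup PINs; the drive letter and the PIN policy are the only things to adjust.

```powershell
# Added example, not from the original post. Windows 7 ships manage-bde.exe;
# the BitLocker PowerShell module only arrived with Windows 8, so the commands
# below are the Windows 7 way and run unchanged from an elevated PowerShell or
# cmd prompt. Assumptions: TPM enabled and owned, C: is the system drive.

$Drive = "C:"

# 1. What state is the drive in, and which key protectors does it have?
manage-bde -status $Drive
manage-bde -protectors -get $Drive

# 2. "Transparent" setup: TPM-only protector plus a 48-digit recovery password.
#    The TPM unseals the volume key by itself at every boot that measures the
#    same as the one BitLocker was enabled on, so the user sees no prompt.
#    The recovery password is what gets asked for when the disk meets a
#    different TPM or the boot path changes.
manage-bde -protectors -add $Drive -TPM
manage-bde -protectors -add $Drive -RecoveryPassword
manage-bde -on $Drive

# 3. Alternative for the stolen-laptop case: TPM + PIN. The TPM still checks
#    the platform, but will not release the key until the pre-boot PIN is
#    entered, so a thief with the whole laptop (TPM included) never reaches the
#    Windows logon screen where a written-down domain password would work.
#    -TPMAndPIN prompts interactively for the PIN. The protectors can be
#    swapped on an already-encrypted drive without re-encrypting it:
# manage-bde -protectors -delete $Drive -Type TPM
# manage-bde -protectors -add $Drive -TPMAndPIN

# 4. Record the recovery password somewhere the help desk can retrieve it
#    (AD DS backup via Group Policy, or at least a printout). With a TPM-only
#    protector a motherboard swap or a BIOS update can be a recovery event.
manage-bde -protectors -get $Drive -Type RecoveryPassword
```

Step 2 is the configuration John describes; step 3 is the one that closes the gap he points out at the end of his post, at the cost of the user typing a PIN before Windows starts.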
All
I am learning about BitLocker, as we are thinking of implementing BitLocker in our enterprise.
I am just wondering: if the whole laptop gets stolen along with the TPM chip present inside, what is the security provided by TPM and BitLocker in this case?
Because the person who stole the laptop can boot up the OS without requiring any authentication, since the TPM chip is present inside.
My question is: when exactly to use TPM and BitLocker?
February 22nd, 2011 1:51pm
TPM is, from BitLocker's point of view, a secure key storage. Each TPM module is unique. If you separate a BitLocker-encrypted Win7 from its original TPM, you can't start Win7 without the recovery key.
Regarding the fact that a TPM-BitLockered laptop is stolen: yes, it can be booted.
If the thief is interested in the data on the disk, there is only one way to get at them: using a username/password and logging in to Windows.
Attaching the disk to another PC won't help, as its content is encrypted.
Without BitLocker a thief has another way: booting an alternative OS via USB/CD and accessing the filesystem. But if the system drive is BitLocker-encrypted, there's no offline access to the disk content.
Strong passwords for the accounts and TPM-BitLocker offer quite good security for the data on the protected disks.
BitLocker is also an integrity test of the hardware/BIOS (settings)/core operating system. If you enable BitLocker, the system is measured on certain levels (determined in the TPM platform validation profile). The result of the measurement is stored in PCRs inside the TPM. So if somebody manipulates the system, like adding hardware or wanting to boot from another device (depending on how tightly you set up the TPM platform validation profile), the measurement differs from the original value and this prevents the system from unlocking. This helps you to detect manipulation of the system on a broad level.
We implemented TPM-based BitLocker on over 1100 PCs.
February 22nd, 2011 7:22pm
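Added example, not part of Th0U's post: a toy model of the measurement Th0U describes, showing why a changed boot component ends in a recovery prompt and why the result depends on how tight the validation profile is. It models only the TPM 1.2 extend rule (PCR' = SHA1(PCR || SHA1(component)), 20-byte registers) and a seal/unseal that releases the key only on an exact PCR match; the boot-stage strings, the volume key and the function names are constructed for illustration, and the PCR numbers follow the Windows 7 BIOS default profile (PCRs 0, 2, 4, 5, 8, 9, 10 and 11). Nothing here talks to a real TPM.

```powershell
# Added example, not from the thread. Simulates TPM 1.2 measured boot and the
# BitLocker seal/unseal decision. All component strings are constructed.

$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Get-HexString ([byte[]]$Bytes) {
    ($Bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

# One TPM extend: a PCR never accepts a value, it only hashes its old value
# together with the new measurement, so content and order of every stage
# end up folded into the final 20-byte register.
function Invoke-PcrExtend ([byte[]]$Pcr, [string]$Component) {
    $measurement = $sha1.ComputeHash([Text.Encoding]::ASCII.GetBytes($Component))
    $sha1.ComputeHash([byte[]]($Pcr + $measurement))
}

# Run a boot chain through the registers. Each stage is @{ Pcr = n; Data = "..." }.
function Measure-Boot ([object[]]$BootChain) {
    $pcrs = @{}
    foreach ($i in 0..23) { $pcrs[$i] = New-Object byte[] 20 }   # all-zero at power-on
    foreach ($stage in $BootChain) {
        $pcrs[$stage.Pcr] = Invoke-PcrExtend $pcrs[$stage.Pcr] $stage.Data
    }
    return $pcrs
}

# "Seal": remember the PCR values named in the validation profile.
function Protect-VolumeKey ($Pcrs, [int[]]$Profile, [string]$VolumeKey) {
    $expected = @{}
    foreach ($i in $Profile) { $expected[$i] = Get-HexString $Pcrs[$i] }
    return @{ Profile = $Profile; Expected = $expected; VolumeKey = $VolumeKey }
}

# "Unseal": the key comes out only if every selected PCR matches exactly.
function Unprotect-VolumeKey ($Sealed, $Pcrs) {
    foreach ($i in $Sealed.Profile) {
        if ((Get-HexString $Pcrs[$i]) -ne $Sealed.Expected[$i]) {
            return $null        # mismatch: BitLocker would ask for the recovery key
        }
    }
    return $Sealed.VolumeKey
}

# Constructed "golden" boot chain, as measured when BitLocker was turned on.
$golden = @(
    @{ Pcr = 0;  Data = "BIOS code v1.07" },
    @{ Pcr = 1;  Data = "BIOS settings: boot order HDD,USB" },
    @{ Pcr = 2;  Data = "option ROM: NIC PXE" },
    @{ Pcr = 4;  Data = "MBR code from internal disk" },
    @{ Pcr = 8;  Data = "NTFS boot sector" },
    @{ Pcr = 9;  Data = "NTFS boot block" },
    @{ Pcr = 10; Data = "bootmgr" },
    @{ Pcr = 11; Data = "BitLocker access control" }
)
$defaultProfile = 0, 2, 4, 5, 8, 9, 10, 11      # Windows 7 BIOS default; PCR 1 not included
$vmk = "VMK-example-0123"                       # constructed stand-in for the volume master key

$sealed = Protect-VolumeKey (Measure-Boot $golden) $defaultProfile $vmk

# Case 1: identical boot -> key released with no user interaction (the "transparent" case).
$r1 = Unprotect-VolumeKey $sealed (Measure-Boot $golden)

# Case 2: boot from a USB stick -> a different MBR lands in PCR 4 -> recovery.
$usbBoot = $golden | ForEach-Object {
    if ($_.Pcr -eq 4) { @{ Pcr = 4; Data = "MBR code from USB stick" } } else { $_ } }
$r2 = Unprotect-VolumeKey $sealed (Measure-Boot $usbBoot)

# Case 3: only a BIOS setting changes (PCR 1), which the default profile ignores -> still unlocks.
$biosChange = $golden | ForEach-Object {
    if ($_.Pcr -eq 1) { @{ Pcr = 1; Data = "BIOS settings: boot order USB,HDD" } } else { $_ } }
$r3 = Unprotect-VolumeKey $sealed (Measure-Boot $biosChange)

# Case 4: tighten the profile to include PCR 1; the same BIOS change now forces recovery.
$tight = Protect-VolumeKey (Measure-Boot $golden) (@(1) + $defaultProfile) $vmk
$r4 = Unprotect-VolumeKey $tight (Measure-Boot $biosChange)

"same boot chain, default profile      -> unlocked: $($null -ne $r1)"   # True
"USB boot (PCR 4 differs)              -> unlocked: $($null -ne $r2)"   # False
"BIOS setting change, default profile  -> unlocked: $($null -ne $r3)"   # True
"BIOS setting change, PCR 1 in profile -> unlocked: $($null -ne $r4)"   # False
```

Case 3 versus case 4 is the "depends on how tightly you set up the profile" point: a PCR that is not in the profile can change freely, one that is in it turns every legitimate change (BIOS update, docking station, boot-order edit) into a recovery-key prompt, so a tighter profile buys tamper detection at the price of more help-desk calls.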
Thanks Th0U and Johnwildes.
It is clear now.
February 22nd, 2011 7:27pm