BitLocker is included in Windows Vista and later client operating systems. Include planning decisions for BitLocker in your environment. One BitLocker decision you must make is the storage of the recovery keys. You can store BitLocker recovery keys in:

·     A local folder. Select this option to store the recovery key on UFDs, which each user manages.

·     A network folder. Select this option to centrally store the recovery keys in a network shared folder, which network administrators manage.

·     Active Directory® Domain Services (AD DS). Select this option to store the recovery keys in AD DS, which Active Directory administrators manage.

Also, elect the methods users will employ to start their computers after BitLocker is enabled. Users can start their computers using one of the following methods:

·     Trusted Platform Module (TPM) version 1.2 or later. TPM is a cryptographic hardware chip installed on the target computer. If the target computer does not support TPM, a UFD or PIN must be used to start the computer. This is the preferred method if the target computer supports TPM.

Note   You can provide a PIN that users can enter in conjunction with TPM, or you can use a UFD to strengthen the security when starting a computer.

·     UFD. In this method, the required encryption keys are stored on a UFD, which must be present in the computer when the computer starts. This is the preferred method if the target computer does not support TPM.

For more information on BitLocker, see BitLocker Drive Encryption Overview.

Related Topics

Planning MDT Deployments