Many people (outside Microsoft) have cited concerns over how to manage Windows Vista's BitLocker encryption feature set for large groups of machines. The native Active Directory functionality works pretty well and covers the automatic publication of the recovery keys so that you can both meet corporate governance requirements (including the Regulation of Investigatory Powers Act (RIPA) in the UK) and provide the means to help users "whose dog has eaten their encryption key" via the help desk.
System Center Configuration Manager (SCCM) enables you to automatically partition the hard disk as required by BitLocker, configure the Trusted Platform Module (TPM) (if present), automatically configure BitLocker to encrypt the hard disk, specify the appropriate authentication mechanism (TPM, PIN, USB device) and publish the keys to Active Directory.
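The two halves of the workflow described above, escrowing the recovery password into Active Directory from the client and retrieving it at the help desk, as an added PowerShell example that is not from the original post or from SCCM. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later rather than the Vista-era manage-bde script) on the client, the ActiveDirectory RSAT module at the help desk, an AD schema that already contains the msFVE-RecoveryInformation class, and that the computer account is permitted to write its own recovery objects. The function names and the `$KeyIdPrefix` parameter are this example's own.

```powershell
# Added example (not the post's or SCCM's own code). Assumes the BitLocker module on the
# client and the ActiveDirectory module at the help desk; see the lead-in for assumptions.

# --- Client side: make sure every BitLocker volume has a numerical recovery password and
# --- that each one has been written to Active Directory.
Import-Module BitLocker

function Confirm-RecoveryKeyEscrow {
    [CmdletBinding()]
    param()
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $recovery) {
            # A TPM-only volume has nothing the help desk can hand out; add a recovery password first.
            Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
            $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        }
        foreach ($kp in $recovery) {
            # Creates (or refreshes) an msFVE-RecoveryInformation child object under the computer
            # account. Group Policy normally has to allow AD DS backup of recovery information.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            [pscustomobject]@{
                MountPoint           = $vol.MountPoint
                ProtectorId          = $kp.KeyProtectorId
                ProtectionStatus     = $vol.ProtectionStatus
                EncryptionPercentage = $vol.EncryptionPercentage
            }
        }
    }
}

# --- Help-desk side: look up the recovery password for a computer from the key ID the user
# --- reads off the BitLocker recovery screen (the first 8 hex characters of the protector GUID).
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$KeyIdPrefix   # e.g. '1A2B3C4D' as shown on the recovery screen
    )
    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery objects are children of the computer object; their name is the creation
    # timestamp followed by the full recovery GUID in braces, so the prefix can be matched there.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
        Where-Object { $_.Name -like "*{$KeyIdPrefix*" } |
        Select-Object @{ n = 'Computer';         e = { $ComputerName } },
                      @{ n = 'KeyId';            e = { [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').Guid } },
                      whenCreated,
                      @{ n = 'RecoveryPassword'; e = { $_.'msFVE-RecoveryPassword' } }
}

# Usage (run the first on the client, the second at the help desk):
#   Confirm-RecoveryKeyEscrow | Format-Table
#   Get-BitLockerRecoveryPassword -ComputerName 'LAPTOP01' -KeyIdPrefix '1A2B3C4D'
```

Reading msFVE-RecoveryPassword requires a delegated right on the recovery objects, so the second function only works for accounts the domain has granted that access; that delegation, plus the timestamp in `whenCreated`, is what lets the help desk answer a recovery call while every read stays auditable in AD.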
There is no corporate governance requirement to ensure decryption keys are recoverable under RIPA. There was a fuss about this in 2000, under the rubric of "key-escrow by intimidation", and the bill was amended so as not to place corporate officers in any legal jeopardy for failing to ensure keys were recoverable (see http://www.cyber-rights.org/documents/hc-rip.htm).
Of course there are other reasons why assuring key recovery is a good idea, but RIPA compliance is not one of them.
Hi, for those of you who are wondering a little about what is new in SCCM, this might be a good one to keep in mind;
A while ago I wrote a blog post on BitLocker Drive Encryption and why I thought it wasn’t ready for prime