I first deployed Bitlocker and AD integration with Windows 7 Enterprise back before it was publicly released (that window in which it had been released to Volume Licence customers but not to the public). It wasn’t easy, and I had to use some interesting hacks and self-discovered kludges gleaned from old Vista documentation, as the Win 7 documentation hadn’t been released by Microsoft at the time. I had meant to document and release it as a quick-fix blog entry, but time passed and everything can be done properly now.
Since deployment, Bitlocker has been fantastic. The only issue we’ve had with Bitlocker since we deployed it is that of ensuring that end-users don’t suspend it or disable it, and that we most definitely have a good backup of the recovery key.
Effectively, without a management tool, you fly a bit blind until a problem comes up, or a Bitlockered laptop ends up in your lap with it disabled. Ignorance shouldn’t be bliss when it comes to full disk encryption and protecting your company’s data.
The AD backup of keys is a particular pain, as we’ve found that sometimes, Bitlocker just forgets to back itself up to AD when it’s enabled. To mitigate this, we’ve just instructed Bitlocker to also copy the key to a secure fileshare when it’s enabled during the MDT task, as well as backing it up to AD.
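As an added example (not the script from the original deployment), here is how that belt-and-braces step can be done with manage-bde, which ships with Windows 7, and then checked: force the AD backup of every numerical recovery password on the OS volume, write a copy to a restricted share, and query AD afterwards to confirm the msFVE-RecoveryInformation object actually exists. The share path \\fileserver\BitLockerKeys$ and the use of C: as the OS volume are assumptions; the AD check needs to run as an account that has been delegated read access on the recovery objects under the computer account.

```powershell
# Added example, not from the original post. Assumes: OS volume is C:, the share
# \\fileserver\BitLockerKeys$ exists and is writable only by the MDT service account
# and readable only by the helpdesk group, and the "Store BitLocker recovery
# information in AD DS" policy plus the ms-FVE schema extensions are in place.
# Written to run on Windows 7 / PowerShell 2.0, hence manage-bde rather than the
# Windows 8+ BitLocker cmdlets.

$Volume   = 'C:'
$KeyShare = '\\fileserver\BitLockerKeys$'   # assumed, hypothetical path

# Parse "manage-bde -protectors -get" for every Numerical Password protector.
# Output looks like:
#     Numerical Password:
#       ID: {GUID}
#       Password:
#         123456-123456-...
function Get-RecoveryPasswordProtectors {
    param([string]$MountPoint)
    $lines  = @(& manage-bde -protectors -get $MountPoint 2>&1)
    $result = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ("$($lines[$i])" -match '^\s*Numerical Password:') {
            $id = ("$($lines[$i+1])" -replace '.*ID:\s*', '').Trim()
            $pw = "$($lines[$i+3])".Trim()
            $result += New-Object PSObject -Property @{ Id = $id; Password = $pw }
        }
    }
    return $result
}

# Look for the recovery object under this computer's AD account. Its CN is the
# backup timestamp followed by the protector GUID, so matching on the GUID is enough.
function Test-AdRecoveryBackup {
    param([string]$ProtectorId)
    $computerSearch = New-Object DirectoryServices.DirectorySearcher
    $computerSearch.Filter = "(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $computer = $computerSearch.FindOne()
    if (-not $computer) { return $false }
    $keySearch = New-Object DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $keySearch.Filter      = '(objectClass=msFVE-RecoveryInformation)'
    $keySearch.SearchScope = 'OneLevel'
    foreach ($r in $keySearch.FindAll()) {
        if ($r.Properties['cn'][0] -like "*$ProtectorId*") { return $true }
    }
    return $false
}

$protectors = Get-RecoveryPasswordProtectors -MountPoint $Volume
if (-not $protectors) {
    throw "No numerical password protector on $Volume. Add one first: manage-bde -protectors -add $Volume -RecoveryPassword"
}

foreach ($p in $protectors) {
    # 1. Explicit AD backup. A non-zero exit code means the write did not happen,
    #    which is exactly the silent failure this step is meant to catch.
    & manage-bde -protectors -adbackup $Volume -id $p.Id | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "AD backup of protector $($p.Id) on $Volume failed (exit code $LASTEXITCODE)"
    }

    # 2. Copy to the restricted share, one file per computer and protector.
    $file = Join-Path $KeyShare ("{0}_{1}.txt" -f $env:COMPUTERNAME, ($p.Id -replace '[{}]', ''))
    @(
        "Computer:          $env:COMPUTERNAME",
        "Volume:            $Volume",
        "Protector ID:      $($p.Id)",
        "Recovery Password: $($p.Password)"
    ) | Set-Content -Path $file

    # 3. Confirm the object really landed in AD before the task sequence moves on.
    if (Test-AdRecoveryBackup -ProtectorId $p.Id) {
        Write-Host "Protector $($p.Id): AD backup verified, share copy written to $file"
    } else {
        Write-Warning "Protector $($p.Id): no msFVE-RecoveryInformation object found in AD yet"
    }
}
```

Two things to keep in mind when running this from an MDT task: the AD check can lag if the write went to a distant domain controller and replication has not caught up, so a warning there is a prompt to re-run the backup rather than proof it failed; and the share now holds plaintext recovery passwords for the whole fleet, so its ACL and auditing deserve the same care as the AD permissions on the msFVE objects.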
Fortunately, Microsoft have started to build a Bitlocker management tool called Microsoft BitLocker Administration and Monitoring (MBAM). You can read more about it on the Windows Team Blog.
It’s still in Beta, but I’m looking forward to trying this out!