Just before going on tour for our Technical (TechNet) Roadshow I received a shiney new laptop and promptly trashed the incumbunt O/S (XP) and replaced it with 64 bit Vista. All was good. I was in a hurry and therefore simply booted from the network and accepted the Microsoft IT Dept’s corporate build. If was good. My machine worked perfectly and happily ran multiple virtual machines together with Office et al whilst I was on the road.
During my only day in the office last week I finally got around to copying all of my data onto my second hard disk (inserted in the internal bay), reformatting the main drive and rebuilding from scratch. I’ll share the details of how I rebuilt in a follow up post as it may be interesting to those of you who are planning to deploy BitLocker – it was a good experience though there were a couple of twists along the way.
I’ve used BitLocker on several other laptops from early builds of Vista to the released product and had a good experience. What made this system interesting/different was that it’s the first machine to have a Trusted Platform Module (TPM) v1.2 meaning that I could take advantage of the additional BitLocker features – namely to generate and store the root keys in hardware and to ensure the pre-O/S boot integrity too.
Upon power up my machine prompts me to either enter my BitLocker PIN (10 digits in my case) OR insert a USB token containing the key. After unlocking BitLocker the boot loader menu came up and I was able to boot into 64 bit Vista or 32 bit XP. XP’s only there as I have a single device that doesn’t have Vista drivers – it’s a 3G data card and as such isn’t critical but is rather handy hence I’m trying to encourage the vendor to produce an updated driver.
With minimal effort I setup BitLocker to use the TPM and off I went into my weekend. Being a geek I took my laptop with me when visiting some (geeky) friends for the weekend and sure enough out it came for a few of hours of surfing and movie watching. Part way through I shut the lid of my machine (for lunch) and it duely suspended as I’d configured it to do. Upon returning to my machine I wondered whether BitLocker’s PIN protection would be triggered as the machine came back up. I wasn’t unduely surprised to find that there wasn’t any additional interaction (from BitLocker), I just logged back into the O/S as normal.
As Michael Howard points out in his A real-World Windows Vista BitLocker Tip if someone knows your O/S sign in credentials then you have a much bigger problem. The “spooky coincidence” is that Michael wrote his post at about the same time as I experienced the behaviour! Michael goes on to recommend a way to ensure that BitLocker does also request a PIN at resume time – choose to hibernate the machine (data gets flushed to disk) instead of put it to sleep (data stays in RAM).