Bitlocker: what happens if someone leaves the company or locks themselves out?

Many of the questions I've been asked recently regarding BitLocker are covered on the excellent Windows BitLocker Drive Encryption Frequently Asked Questions.

For me the most important thing to consider is how on Earth to deal with the "the dog ate the USB key used to unlock Bitlocker" or "I can't remember for the life of me what my BitLocker PIN is" user scenarios. Planning is the way to make sure you can solve these problems quickly and easily.

The best way to deal with key recovery is to ensure that each of the client machines is a domain member - if you do this then via Group Policy you can configure the clients to automatically publish their recovery keys securely into Active Directory - that way the help desk can get your users back in following successful out-of-band authentication.

If the client machines are not domain joined then I'd strongly recommend they publish the recovery key for each machine securely to the Internet via the Windows Vista Ultimate Extra. In the absolute worst case, make sure you write down the key and store it somewhere physically secure.
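To verify that the domain-joined approach above has actually taken effect on a client, here is an added example (not from the original post) that uses the BitLocker PowerShell module, which shipped after the Vista-era tooling discussed here, to confirm each protected volume has a recovery password protector and escrow it to AD DS. The module's cmdlets, and the assumption that the machine is domain joined with an AD schema that accepts BitLocker recovery objects, are not from the page.

```powershell
# Added example (not from the original post): make sure every protected volume
# has a numerical recovery password protector and that it is escrowed to AD DS.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later)
# and a domain-joined machine whose AD schema accepts BitLocker recovery objects.

$results = foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        # Unencrypted or suspended volumes have nothing to escrow yet.
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $null; Status = 'NotProtected' }
        continue
    }

    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        # A TPM-only or USB-key-only volume gives the help desk no recovery path;
        # add a 48-digit recovery password so there is something to escrow.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        try {
            # Stores the recovery password under this computer's object in AD DS.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
            $status = 'EscrowedToAD'
        } catch {
            # Typical causes: not domain joined, schema not extended, or no DC reachable.
            $status = "EscrowFailed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; ProtectorId = $p.KeyProtectorId; Status = $status }
    }
}

# Report per volume; the key material itself is never written to the console.
$results | Format-Table -AutoSize
```

Run it elevated; any volume reported as EscrowFailed is one the help desk cannot yet recover from Active Directory, which is exactly the gap that will surface when a user forgets a PIN or loses a USB key.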

The following image shows the options presented by the Bitlocker control panel applet for duplicating the keys per volume - if you look closely you'll see that I have multiple volumes - some are Bitlocker encrypted, others are in the clear: