What Threats Does BitLocker Protect Against?

Applies To: Windows 7, Windows Server 2008 R2

BitLocker helps protect against unauthorized access to data stored on drives in the event that the drives are lost or stolen. BitLocker can be used to protect operating system drives, fixed data drives, and removable data drives.

For example, many organizations have configured their computers to require that users provide their domain credentials to access information stored on the computer. If a portable computer has been configured for this form of authentication and is lost or stolen, without BitLocker protection the content on the operating system drive could easily be obtained by a malicious user. BitLocker addresses this threat by encrypting the entire drive and using the Trusted Platform Module (TPM) to verify the integrity of early boot components before starting the operating system and allowing any associated fixed or removable data drives to be unlocked. If the TPM detects any changes to the system configuration, it starts the user in "recovery mode," which requires that the user be able to provide a recovery key (which can be either a password or a file) before they can access the operating system drive.

Because data is not always stored on operating system drives, you can use BitLocker with a computer running Windows 7 or Windows Server 2008 R2 to protect fixed and removable data drives. This means that if a computer has additional internal drives, they can also be protected with BitLocker to help prevent unauthorized access if the computer or drive is lost or stolen. Data on removable drives, such as USB flash drives or external hard disk drives, can also be protected. BitLocker-protected removable drives can be unlocked on any version of Windows 7 or Windows Server 2008 R2, and if the removable drives are formatted by using the FAT16, FAT32, or exFAT file system, they can be unlocked with read-only access on computers running Windows XP or Windows Vista by using the BitLocker To Go Reader.

Note: The BitLocker To Go Reader is not supported for use on Windows Server 2003 or Windows Server 2008.

When a data drive is encrypted with BitLocker, a user must unlock the drive by providing a password or smart card credential, or the drive can be automatically unlocked along with the operating system. If an unlock method is unsuccessful, a recovery key can be used to gain access to the drive.
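The unlock and recovery methods described above, as an added PowerShell example that is not part of the original page; it drives the built-in manage-bde tool of Windows 7 and Windows Server 2008 R2 from an elevated prompt, and the drive letter D:, the key backup share and the placeholder recovery values are assumptions.

```powershell
# Added example (not from the original page): protect a fixed data drive with a
# password protector plus recovery protectors, then show the recovery path.
# Assumptions: elevated session, data drive D:, a reachable backup share.
$Drive          = "D:"
$RecoveryKeyDir = "\\fileserver\bitlocker-keys\"   # assumed backup location

# 1. Encrypt the data drive; -pw adds a password protector and prompts for it.
manage-bde -on $Drive -pw

# 2. Add recovery protectors so a forgotten password is not data loss:
#    a 48-digit numerical recovery password and a recovery key file (.BEK)
#    written to the backup directory.
manage-bde -protectors -add $Drive -RecoveryPassword
manage-bde -protectors -add $Drive -RecoveryKey $RecoveryKeyDir

# 3. Verify the protectors exist before relying on the drive in production.
manage-bde -protectors -get $Drive

# 4. Optional: let this operating system unlock the drive automatically at boot.
#    Auto-unlock requires the operating system drive itself to be BitLocker-protected.
manage-bde -autounlock -enable $Drive

# Recovery path, used when the password or auto-unlock method fails:
# unlock with the numerical recovery password (placeholder value) ...
manage-bde -unlock $Drive -RecoveryPassword "111111-222222-333333-444444-555555-666666-777777-888888"
# ... or with the recovery key file saved in step 2 (placeholder file name).
manage-bde -unlock $Drive -RecoveryKey (Join-Path $RecoveryKeyDir "<KeyFileName>.BEK")

# Confirm the drive's protection status after recovery.
manage-bde -status $Drive
```

Store the recovery password and .BEK file where the drive's user cannot reach them without authorization; a recovery protector that travels with the drive defeats the protection the page describes.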