BitLocker single signon?

  • Question

  • Does BitLocker support single sign-on?

    In our environment (WinXP) a smartcard is required to log in. We have an older disk encryption solution, "SafeBoot", but are replacing it with another solution with a move to Windows 7 Enterprise and the Gemalto .NET smartcard. A contractor has recommended McAfee Endpoint Encryption; however, in-house tests discovered the McAfee product doesn't support single sign-on with a smart card on Windows 7. That is, a user is prompted for their smartcard PIN twice: once for disk encryption and once to log in to Windows. This limitation has been confirmed by McAfee. Our current implementation of disk encryption has the authentication integrated, so the user is not prompted twice, which makes us wonder if the McAfee product is right for us. Does BitLocker support single sign-on?

    Tuesday, March 15, 2011 4:44 PM

Answers

  • BitLocker has no relation with the logged on user for decryption. Encryption is system wide and can be unlocked with a system PIN, a system USB or just the TPM in the system. The only user integration I have ever seen is an internal MS development that tracked the number of failed logons to remove the key material from the TPM.

    Short answer: no, BitLocker does not have a single sign-on option in Windows 7.


    Ray - Author of Windows 7 for XP Professionals
    Tuesday, March 15, 2011 8:57 PM

All replies

  • Has this changed since the original question was asked in March 2011?
    Wednesday, September 25, 2013 3:34 PM
  • No, BitLocker is still tied to the hardware (at system level) and not to the user.

    Ray - Author of Windows 7 for XP Professionals


    Thursday, September 26, 2013 6:46 AM
  • Has this changed since the original question?

    If not, is there any other product(s) like MBAM that helps with SSO?

    Tuesday, April 19, 2016 8:18 PM
  • I have two Windows 10 machines. Both have BitLocker enabled. On one I have to sign into BitLocker and then as a user. On the other I only have to sign in as a user. What's up? How do I enable the SSO on the one machine?
    Thursday, May 4, 2017 2:45 PM
  • My best guess is that your Windows user account has no password set. Therefore, it boots right into the user profile. If that is true, it is not SSO and not very secure.
    Wednesday, February 7, 2018 2:56 PM
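Editor's note: the accepted answer says BitLocker unlocks the volume with a TPM, a TPM plus PIN, or a startup key, none of which is tied to the user, and the two Windows 10 posts above describe a machine that prompts before boot and one that does not. The following PowerShell is an added example (not from anyone in this thread) that checks which case a given machine is in: it lists the key protectors on the OS volume, reports the pre-boot behaviour they imply, checks whether the second prompt is missing because the account has no password or AutoAdminLogon is set (the guess in the last reply), and shows how a TPM-only volume is moved to TPM+PIN. It uses only the built-in BitLocker and LocalAccounts cmdlets (Windows 8.1/10 and later, elevated prompt); the function names are my own.

```powershell
# Added example, not part of the thread. Distinguishes three cases on one machine:
# a TPM-only protector (boots straight to the Windows logon), a TPM+PIN protector
# (pre-boot PIN prompt), and a Windows account that never prompts because it has
# no password or uses automatic logon. Needs the built-in BitLocker and
# Microsoft.PowerShell.LocalAccounts modules and an elevated prompt.
# Function names (Get-BitLockerPrebootState etc.) are my own, not Microsoft's.

Import-Module BitLocker -ErrorAction Stop

function Get-BitLockerPrebootState {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Every boot-time protector is bound to the machine (TPM, PIN, USB key);
    # none is bound to the logged-on user, which is the point of the answer above.
    $preboot =
        if     ($types -contains 'TpmPinStartupKey') { 'PIN and USB startup key prompt before Windows logon' }
        elseif ($types -contains 'TpmPin')           { 'PIN prompt before Windows logon' }
        elseif ($types -contains 'TpmStartupKey')    { 'USB startup key required before Windows logon' }
        elseif ($types -contains 'Tpm')              { 'no pre-boot prompt (TPM-only unlock)' }
        else { 'no TPM-based protector: password/external key only, or volume not protected' }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ', ')
        PrebootBehaviour = $preboot
    }
}

function Get-WindowsLogonState {
    # Separates "BitLocker unlocked silently" from "Windows never asked for a
    # password": a blank password or AutoAdminLogon=1 removes the second prompt.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $auto     = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).AutoAdminLogon
    $user     = Get-LocalUser -Name $env:USERNAME -ErrorAction SilentlyContinue

    [pscustomobject]@{
        User             = $env:USERNAME
        PasswordRequired = if ($user) { $user.PasswordRequired } else { 'n/a (not a local account)' }
        AutoAdminLogon   = ($auto -eq '1')
    }
}

function Set-BitLockerTpmAndPin {
    # Moves the OS volume from TPM-only to TPM+PIN, which is what makes the
    # "other" machine above prompt before boot. BitLocker keeps a single
    # TPM-based protector per volume, so the existing one is removed first; the
    # recovery password protector stays in place the whole time. Group Policy
    # "Require additional authentication at startup" must allow a startup PIN.
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw 'Add and back up a recovery password before changing the TPM protector.'
    }
    $pin = Read-Host -Prompt 'New pre-boot PIN' -AsSecureString

    $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Get-BitLockerPrebootState -MountPoint $MountPoint
}

Get-BitLockerPrebootState
Get-WindowsLogonState
# Set-BitLockerTpmAndPin   # uncomment to add a pre-boot PIN on a TPM-only machine
```

The machine that "only asks for the user" will almost always show `Tpm` as its sole boot protector; that is not single sign-on, it is the TPM releasing the key with no user secret at all, so anyone who can get the box to the logon screen has the volume unlocked underneath them. If `PasswordRequired` is `False` or `AutoAdminLogon` is `True`, the machine has no working authentication at either stage. Running `manage-bde -protectors -get C:` gives the same protector list from cmd.exe on Windows 7, where the BitLocker PowerShell module is not available.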