Windows 7: BitLocker To Go & Biometric improvements overview

So far, in our Windows 7 Overview series, we have published the following:

Over the next few weeks we will be adding many more focus items on Windows 7 including Touch, Windows 7 networking and media enhancements. Stay tuned for the ultimate Windows 7 focus from Neowin.net. Here is an overview of BitLocker To Go and Biometric improvements in Windows 7.

Microsoft has introduced BitLocker To Go with Windows 7. Bitlocker To Go extends BitLocker drive encryption to USB storage devices, enabling them to be restricted with a passphrase. Many corporations have been asking for this feature since Windows XP when USB storage devices began to become more popular. In addition to having control over passphrase length and complexity, IT administrators can set a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. BitLocker To Go also allows users to more securely share data with users who have not yet deployed Windows 7. Microsoft currently allows Windows XP SP3 and Windows Vista SP1 users to read BitLocker To Go devices using the passphrase. If you plug a bitlocker encrypted USB storage device into Windows 2000 or Windows XP SP2 you will simply see the device as a non-formatted device and will be unable to access the data. I took the feature for a spin earlier today and you can see the results below.

Microsoft has also introduced (with Windows 7) the Windows Biometric Framework. The framework is designed to make biometrics more reliable, compatible and usable in Windows 7. The Windows Biometric Framework also makes it easier for developers to include biometrics in their applications by providing a common API that can be added independently with each biometric fingerprint solution. Perhaps the most important addition in this area is that fingerprint sensors can now be used on domain enabled networks.

UPEK, who manufacture tens of millions of fingerprint sensors, has worked closely with Microsoft and released its pre-release protector suite and driver for Windows 7. The driver works well with Windows 7 and allows you to utilise the inbuilt fingerprint sensor to logon to Windows. I have been using the beta driver myself on a Lenovo X300 and you can find a demonstration below.

Bitlocker To Go

Below you can see the BitLocker control panel options, you can see that the USB key is currently encrypted:

To achieve encrypted status you need to do the following, click on protect in the Bitlocker control panel and you will get the following, allowing you to setup a strong pass phrase:

You must setup a recovery key so you can unlock the device if you forget the pass phrase:

Encryption will then begin and it took us approximately 20 mins for a slow 1GB stick. When you plug in the USB stick again it will prompt you for the pass phrase:

If you forget the pass phrase you can use the recovery key to unlock the device:

Biometric Improvements

Microsoft have introduced a control panel applet for managing fingerprint sensors:

You can associate various fingers per user:

You can also change the settings to enable/disable fingerprint logon, here you can see the domain option:

When you go to login to Windows the logon screen will look like this:

Report a problem with article
Previous Story

Windows 7: Problem Steps Recorder overview

Next Story

Is Google polluting the Globe?

65 Comments

Commenting is disabled on this article.

Hmm... I don't see any biometrics control panel selection. Using a Dell XPS1330. Do I need to have the fingerprint software running? Or is it supposed to be native support?

I bought a Upek Eikon for this The only one in the Netherlands (cost me 60 euro's!) but I like to try it out..
(damn..i'm a geek)

this article is misleading as you need to install the upek driver from their own website to use them correctly (read: for anything else than windows sign-on and even then I couldn't sign-on with windows7 built-in software I hade to install upek crapware over w7 and then I had problems because I already made my fingerprints on w7 utility and upek would ask for them again!)

I sure hope they fixed that in the RC, cause it would be really great if it worked for everything out of the box (read: logging into websites too !)

ok so I have a Dell Precision M65 notebook which has an integrated UPEK fingerprint scanner. I followed the instructions above and per the only some work mine should. I installed the UPEK Windows 7 preview drivers and nada. As before I tried it I have the biometric device in device manager but still no biometric devices in control panel. Does anyone have any ideas?

My U.are.U 4000B Reader (Digital Persona) is detected in Device Manager but it doesn't light up nor does it has a biometric enrollment feature in the biometric devices section of the control panel.

Anyone else got it working?

Cheers

Point to note is that if you BitLock a drive, it is still accessable as a share. This is because when you plug it in it'll ask for password, from that point it will be like any normal drive with permissions etc.
So thus BitLocking is only good for drives you move around and want to protect once removed, not if on a network (just use normal permission/share setup for that)

greenphotos said,
Point to note is that if you BitLock a drive, it is still accessable as a share. This is because when you plug it in it'll ask for password, from that point it will be like any normal drive with permissions etc.
So thus BitLocking is only good for drives you move around and want to protect once removed, not if on a network (just use normal permission/share setup for that)

Indeed. Once you've authenticated to the drive, Windows has full and open access to it, so you'll need to use share / folder permissions to secure it from there. Bitlocker is only useful to prevent data theft if someone finds your USB key on a train or something.

On windows 7 beta 7000 I just set up a bitlocker 1GB USB key drive and added a picture.
Then on my colleagues XP SP3 box he opened it, typed the password and up came the file, and opened fine.

It works 100%. Very impressed.

creamhackered said,
So I'm not a liar? Phew thanks for confirming this too

ROFL! If it's any consolation, I just confirmed it too

And suprise suprise Microsoft doesn't even support it's own fingerprint reader in Windows 7....
MS Hardware site says; No beta software is available. Fingerprint Reader is not supported on Windows 7.

It never even worked properly in Vista as it causes IE7 to hang when you scan your print.. and they never even got that fixed.

What a joke - last time I purchase any Microsoft branded hardware!

swift_gti said,
What a joke - last time I purchase any Microsoft branded hardware!

I wouldn't quite go that far, their keyboards and mice are usually quite good and generally have good future OS support (beta software is out already!).

Microsoft are (in)famous for releasing new and novelty items and then not supporting them for very long. They did it with the Strategic Commander and the Game Voice... both were very good products in their day and had tons of potential, but they stopped making them very soon after they started. It's the same with the fingerprint reader which is now just a useless paperweight. I won't be buying any non-keyboard and mouse products from them in the future.

TCLN Ryster said,
I wouldn't quite go that far, their keyboards and mice are usually quite good and generally have good future OS support (beta software is out already!).

Microsoft are (in)famous for releasing new and novelty items and then not supporting them for very long. They did it with the Strategic Commander and the Game Voice... both were very good products in their day and had tons of potential, but they stopped making them very soon after they started. It's the same with the fingerprint reader which is now just a useless paperweight. I won't be buying any non-keyboard and mouse products from them in the future.


I see... Microsoft is a bad company because they didn't release a pre-release driver for Windows 7? I could see the argument if you were making this after Windows 7 was officially released as final...

Anyway, get the AutenTech finger print reader driver anyways as that is the hardware Microsoft uses... So it IS supported in 7 MS just doesn't want you harping at them yet.

I was making a general point regarding Microsoft's history of not supporting their cool gadgets with software updates for very long. It was the OP that made the point about the fingerprint reader, not I.

Anyhow, where would one obtain the Authentec finger print reader driver from?

Edit: I found the links near the top of this thread.

Yes, that branding is a bit unfortunate, I also got very confused even as I started reading the article. :S Maybe I'm just slow, but I can see the potential for this confusing other readers in the future too. MS should simply change that name to something else to not risk anything; easy enough to do now during the beta. BitLocker Mobile, just something like that?

OMG, they sure got it right....I've been unable to get my Microsoft Fingerprint Reader to work at all! Great job, Microsoft! Way to get hardware branded with the comapany logo working correctly! /sarcasm (At least Microsoft's driver made my fingerprint reader not show up as an unknown device, or a device with a driver error. Vista was better in this category for me. It at least "worked". Now, it just appears to work to suit device manager's needs. It doesn't let me register fingerprints, which makes it useless. Not a happy camper on this end dealing with this issue.)

Don't think Windows can read FileVault, either. Just one of those incompatibilities that we'll have to live with.

Not sure if it would be safe to open up BitLocker at all and make it a standard of some sort, either.

simon360 said,
Don't think Windows can read FileVault, either. Just one of those incompatibilities that we'll have to live with.

Not sure if it would be safe to open up BitLocker at all and make it a standard of some sort, either.

Generally Open Source standards are more secure in the end. Relying on obscurity is a weak form of security

simon360 said,
Don't think Windows can read FileVault, either. Just one of those incompatibilities that we'll have to live with.

Not sure if it would be safe to open up BitLocker at all and make it a standard of some sort, either.


Why not?

TrueCrypt is open-source, and it doesn't make it less secure.

My fingerprint reader is listed under the Biometric devices in the driver manager, but it's not listed in the Biometrics windows in the CP. Any ideas why? It's a UPEK one too.

edit:
I found out that you need the UPEK prelease Windows 7 drivers: 32BIT or 64BIT

creamhackered said,
Yup, that's mentioned in the article :)

doh! I only looked at the pictures lol

edit: Windows Explorer crashes after enrollment

s3n4te said,
doh! I only looked at the pictures lol

edit: Windows Explorer crashes after enrollment

Yeah. And after I rebooted, the finger print stuff no longer works for me.

It actually gave me the link directly to the 64 bit version of that driver inside the windows solution center. That's what surprised me to most.

creamhackered said,
Yeah it's a great improvement, much needed. Especially for corp customers!

Phew. When I read the article title "Bitlocker to go", my immediate thought was "oh no, they're scrapping bitlocker" .

Wow, built-in support from UPEK. I will install Windows 7 as soon as possible to try it since I have a fingerprint reader that is supported with UPEK software.