Management types are always trying to push BitLocker rather than third-party encryption because it's free. "Free" as in "included in Windows Professional/Enterprise". They never consider the less obvious costs in usability and helpdesk load. The Windows guys would even team up with the management types, complaining that non-Microsoft full disk encryption products made system deployment difficult. (There are of course ways to work with things like MDT in McAfee encryption. I don't know about the other versions.)
For me it always came down to two main things.
- It's not acceptable security to me to use BitLocker without pre-boot authentication. (With a TPM-only protector the TPM releases the volume key automatically and the disk is already unlocked when the Windows logon screen appears, so the protection rests on Windows logon rather than on the encryption.)
- Using BitLocker with pre-boot authentication is kind of annoying.
a. BitLocker pre-boot authentication requires a per-machine PIN (or startup key) that is separate from the user's domain credentials. Users need to know this additional secret rather than having the single sign-on that non-Microsoft alternatives offer.
b. The recovery options are kind of cumbersome: a user who forgets the PIN has to read a challenge off the recovery screen to the helpdesk and type back a 48-digit recovery password retrieved from Active Directory or MBAM.
This month (November 2015), Microsoft released security bulletin MS15-122 to patch a Kerberos security feature bypass (CVE-2015-6095) that affects BitLocker when used without pre-boot authentication. The attack requires physical access to a domain-joined machine whose OS volume is protected by the TPM alone: the attacker connects the machine to a spoofed domain controller that tells Windows the cached domain account's password must be changed, sets the new password, and then logs on with it to a drive that BitLocker has already unlocked. A PIN or startup key at boot stops this, because the volume key is never released without it.
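The two points above (pre-boot authentication as the line I draw, and the MS15-122 precondition of a TPM-only protector on a domain-joined machine) come down to one question per machine: which key protectors are on the OS volume? The script below is an added example, not code from the original post or from Microsoft; it audits the OS volume with the built-in BitLocker PowerShell module, flags the exposed configuration, and replaces a TPM-only protector with TPM+PIN. It assumes an elevated session on Windows 8/Server 2012 or later, that the OS volume is C:, and that the operator types the new PIN at the prompt; the Group Policy setting "Require additional authentication at startup" must not be configured to disallow PINs.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker
# Added example (not from the original post): audit an OS volume's BitLocker
# protectors and enforce pre-boot authentication (TPM+PIN).
# Assumption: OS volume is C: unless overridden with -MountPoint.
param(
    [string]$MountPoint = 'C:'
)

function Get-ProtectorTypes {
    param([string]$Mount)
    (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
        Select-Object -ExpandProperty KeyProtectorType
}

$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @(Get-ProtectorTypes -Mount $MountPoint)
Write-Host "$MountPoint protection=$($vol.ProtectionStatus) protectors=$($types -join ', ')"

# Pre-boot authentication exists only if a PIN and/or startup key is bound to the TPM.
$preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
$hasPreBoot   = ($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

if ($hasPreBoot) {
    Write-Host "Pre-boot authentication is configured; nothing to do."
    return
}

Write-Warning "No pre-boot authentication: the TPM unlocks $MountPoint automatically at boot."
if ($domainJoined -and ('Tpm' -in $types)) {
    Write-Warning "Domain-joined with a TPM-only protector: this is the MS15-122 precondition. Verify the update is installed."
}

# A recovery password must exist before we touch the TPM protector, otherwise a
# failure below would leave the volume with no way to unlock it.
if ('RecoveryPassword' -notin $types) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Write-Host "Added a recovery password protector; escrow it (AD/MBAM) before rebooting."
}

# Add TPM+PIN. PINs are digits only unless enhanced PINs are enabled by policy.
$pin = Read-Host -AsSecureString -Prompt 'Enter new pre-boot PIN'
Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

# Only one TPM-based protector can be active; if a bare TPM protector survived,
# remove it so the volume cannot still be unlocked without the PIN.
$leftover = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'Tpm'
foreach ($p in $leftover) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}

Write-Host "Now: $((Get-ProtectorTypes -Mount $MountPoint) -join ', ')"
```

Run it once on a test machine and reboot to confirm the PIN prompt appears before Windows loads; the same protector check (any of TpmPin, TpmStartupKey, TpmPinStartupKey on the OS volume) is what I would report across the fleet, since a machine that passes it is outside the MS15-122 attack's preconditions regardless of patch level.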