Laptop Encryption/Control

itmoonlighter used Ask the Experts™
We are looking at replacing a number of PCs with laptops, so users can work remotely when needed. I'm wondering what the best options are for drive encryption on the laptops in case they are lost or stolen? If possible, I'd also like something that does the encryption but can also control other areas of the laptops (trusted sites, allow/not allow downloading software, etc.). These would be Windows 7 and they'd be accessing the network via VPN when they are not in the office.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Chief Operations Manager
I would definitely separate encryption software and user control software.

Most people will recommend truecrypt for encrypting the entire hard disk but I always recommend bestcrypt volume encryption from

It's much easier to use, and give you better control and management in a corporate environment.  It has many feature that truecrypt does not have (the use of hardware tokens for example).

Unlike truecrypt it's not free ... but it's not expensive and support is good.

Are your users working remotely over the internet or are they predominantly working on files and data "offline?"  If they are going to be accessing your system remotely, you may consider abandoning ANY company data being stored locally and utilizing a remote system like Terminal Services or Citrix to provide a remote sandbox for the user to work within your network

In addition, the laptops can be locked down via GPO or with the help of an additional management software like Deep Freeze which prevents a user from permanently affecting the configuration of the laptop:

I have found that when users get laptops, regardless of policies, they become personal machines, kids use the to browse the web, etc.  Deep Freeze effectively resets the system to your original image on each restart regardless of what was done purposefully (install iTunes) or accidentally (installed malware.)

If you must apply true encryption to your laptop disk, you can use a program like TrueCrypt however many time its slows the overall performance of the laptop and I generally only consider it if a user if going to be using data offline that is highly confidential or is bound by a legal requirement for encryption, HIPAA for example.


Thanks for the comments. All of the data and programs they'd be working with would be online only, which they'd access via a VPN, I have the same fear that this will become a personal laptop, even though they'd be instructed that it's not.  I'll have to look at Deep Freeze. Is there other user control software out there? Our industry is bound by compliance, which is driving the disk encryption issue.
Top Expert 2015

Full disk encryption like BitLocker or truecrypt?
Distinguished Expert 2018


Depends on your edition.
Win7 Ultimate and enterprise (not pro!) have both Bitlocker and applocker.
BL encrypts, applocker restricts application usage effectively. What edition do you run?
Win7 pro could use software restriction policies, which are similar to applocker.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial