Secure mobile data with BitLocker

Applies to: Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2

Is BitLocker To Go a great feature? I would say yes, absolutely. Using BitLocker To Go will protect your data on removable devices, which is important since it is easy to lose a thumb drive or a USB disk drive. I, for example, have 30 or more USB thumb drives plus five or more USB hard drives. Do I always remember which device contains sensitive data? No. One of the reasons I use the drives is to copy data between two disconnected computers. Once the task is done, I don’t always remember to remove the data from the device. I guarantee I am not the only one.

Interested in using BitLocker To Go? BitLocker To Go is a feature available in Windows 8 Professional and Windows 8 Enterprise, as well as Windows 7 Ultimate and Windows 7 Enterprise, which extends BitLocker data protection to USB storage devices.

What about Windows XP?

If you need to read data from a USB device protected with BitLocker on Windows XP, you can, but access is read-only and you must use the BitLocker To Go Reader (bitlockertogo.exe), which BitLocker places on the unencrypted part of the USB device so that it shows up in the drive's root folder. The Reader unlocks the drive with the password (or the recovery password), not with a smart card. Once you open the drive through the Reader, you cannot open files in place: copy the content out of the Reader to the local machine you are working on and open it from there. If you do, don't forget to delete the copy when you are done, as you had a reason to protect the drive in the first place.

Selecting the correct file system

There are no special requirements for the USB device itself; as long as the device works like a normal storage drive, it is okay to use with BitLocker. You can choose any of the following file systems on the drive (FAT, FAT32, exFAT or NTFS), but choose wisely. To be able to open the USB drive on a Windows XP-based computer, you cannot use NTFS; the BitLocker To Go Reader only handles FAT, FAT32 or exFAT. The best format in that case is exFAT: it is supported as far back as Windows XP Service Pack 2 with an update installed (XP itself, by the way, is no longer supported by Microsoft), it does not have the 4 GB file size and 32 GB volume size limitations of FAT32, and it is faster because it was more or less designed for flash memory.

Control using Group Policy

Is it possible to control BitLocker using Group Policy? Of course! When testing BitLocker for myself, one of the first things that happened to me was that I got an "access denied" message when trying to encrypt a removable device. All other devices worked perfectly fine, but not my USB device. After investigating further, it turned out that to be able to modify a BitLocker To Go device remotely (I was working over a Remote Desktop session), you first need to enable a policy that allows direct access to removable drives in remote sessions. Enable this policy to be able to encrypt a USB device remotely:

\Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\All Removable Storage: Allow direct access in remote sessions

Another policy that could be useful for an enterprise that has sensitive data (and doesn't like the idea of destroying the USB port with glue) is a new policy introduced in Windows 8, found under:

\Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption

New BitLocker and BitLocker To Go features in Windows 8

While some of these features do not affect the BitLocker To Go functionality directly, they are interesting nonetheless:

  • Used Disk Space Only encryption – Faster encryption since it is only encrypting the data on the device, instead of the entire device
  • BitLocker provisioning - BitLocker can be enabled from the Windows Preinstallation Environment before Windows Setup runs, so the volume is already encrypted when the operating system is installed
  • Standard User PIN and password change - Allows a standard user to change the BitLocker PIN or password on operating system volumes and the BitLocker password on data volumes
  • Network Unlock - Enables a BitLocker system on a wired network to automatically unlock the system volume during boot (this function requires Windows Server 2012)
  • Support for encrypted hard drives for Windows - Windows 8 includes BitLocker support for encrypted hard drives

For a demonstration of the BitLocker improvements in Windows 8, see BitLocker in Windows 8.

Get started

This is the easy part. To start using BitLocker To Go, the only thing you need to do is power on your Windows 8 Pro or Windows 8 Enterprise computer, log on, and find a USB device that you can use for target practice. Then perform the following steps:

  1. Insert the USB drive and wait for it to show up in Explorer.
  2. Select the USB drive.
  3. In the Explorer ribbon, select Manage and from the dropdown list select BitLocker – Turn on BitLocker. (You can also right-click the device and select Turn on BitLocker, or open the Control Panel, go to System and Security, and then BitLocker Drive Encryption.)
  4. Select to use a password or, if desired, a smart card to control access to your device.
  5. Save the recovery key to a safe place.
    Note: The recovery key is the only way to open the drive if you forget your password, and no, you cannot save the file on the drive being encrypted even if you try.
  6. Select to encrypt "used disk space only" or "entire drive." Choose "entire drive" for any drive that has held data before, because used-space-only encryption leaves the free space, including remnants of deleted files that still sit there, in plaintext. Choose "used disk space only" for a new or freshly formatted drive.
  7. Wait until encryption is done.

Congratulations, your device is now protected with BitLocker To Go!

Now that you’ve successfully encrypted a drive, I recommend that you explore all the Group Policy settings you can utilize, and also try to recover a drive using your recovery key. It is nice to have performed this in a test environment before you ever need to do it in real life when the stakes are high.
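The same steps 1 through 7, plus the recovery drill recommended above, can be scripted with the BitLocker PowerShell module that ships with Windows 8 Pro/Enterprise and Windows Server 2012. The script below is an added example and is not code from the original article; it assumes the removable drive is E:, that the recovery password is written to C:\BitLockerKeys on the local fixed disk, and that it is run from an elevated PowerShell prompt on the computer the drive is plugged into.

```powershell
# Added example (not from the original article): BitLocker To Go from PowerShell.
# Run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.
# Assumptions: removable drive is E:, recovery password is saved under C:\BitLockerKeys.
Import-Module BitLocker

$Drive     = 'E:'
$KeyFolder = 'C:\BitLockerKeys'   # must NOT be on the drive being encrypted (step 5)

# Step 4: password protector. -AsSecureString keeps the password out of the console history.
$Password = Read-Host -Prompt "Password for $Drive" -AsSecureString

# Step 6: 'used disk space only' is fine for a freshly formatted drive. A drive that has
# held data before should be fully encrypted, because free space can still contain
# plaintext remnants of deleted files.
$UsedSpaceOnly = $false

$params = @{
    MountPoint        = $Drive
    EncryptionMethod  = 'Aes256'
    PasswordProtector = $true
    Password          = $Password
}
if ($UsedSpaceOnly) { $params.UsedSpaceOnly = $true }
Enable-BitLocker @params | Out-Null

# Step 5: add a 48-digit recovery password and save it somewhere other than the drive itself.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Drive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
$keyFile = Join-Path $KeyFolder ("BitLocker-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
@"
Drive: $Drive
Protector ID: $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile
Write-Host "Recovery password saved to $keyFile"

# Step 7: wait for encryption to finish.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $Drive
    Write-Host ("{0}: {1} ({2}% encrypted)" -f $Drive, $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Recovery drill: lock the drive, then unlock it with the recovery password alone,
# exactly as you would after forgetting the password.
Lock-BitLocker -MountPoint $Drive -ForceDismount | Out-Null
Unlock-BitLocker -MountPoint $Drive -RecoveryPassword $rp.RecoveryPassword | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Drive
Write-Host ("After recovery unlock: LockStatus={0} ProtectionStatus={1}" -f $vol.LockStatus, $vol.ProtectionStatus)
```

Enable-BitLocker accepts one protector per call, which is why the recovery password is added with Add-BitLockerKeyProtector afterwards; in a domain you can also push that protector to Active Directory with Backup-BitLockerKeyProtector instead of (or in addition to) the text file. The same "access denied" described in the Group Policy section will surface here as an error from Enable-BitLocker if you run the script over Remote Desktop without the direct-access policy enabled.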

About the author

Mikael Nystrom is a Microsoft MVP and Microsoft Certified Trainer (MCT) specializing in deployment, virtualization, and management. He has been involved in Technology Adoption Programs (TAPs) for several Microsoft products and technologies including Windows Server, Hyper-V, and Windows 7. In addition to his work as a speaker, trainer, and consultant, Mikael frequently shares technical news and insights through his blog and on Twitter.