Changes in BitLocker Drive Encryption

Applies To: Windows 7, Windows Server 2008 R2

In Windows 7, BitLocker Drive Encryption technology is extended from operating system drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This allows you to take your protected data with you when traveling and use it with any computer running Windows 7.

Setting up BitLocker

In Windows 7, drives are automatically prepared for use by BitLocker; there is no need to create separate partitions before turning on BitLocker. The system partition is automatically created and does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. In a default installation, a computer will have a separate system partition and an operating system drive. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100 MB of space.

BitLocker can be used to encrypt operating system drives, fixed data drives, and removable data drives in Windows 7 and Windows Server 2008 R2. When BitLocker is used with data drives, the drive can be formatted with the exFAT, FAT16, FAT32, or NTFS file system and must have at least 64 MB of available memory. When BitLocker is used with operating system drives, the drive must be formatted with the NTFS file system.

Using BitLocker To Go with removable drives

In Windows 7, users can encrypt their removable media by opening Windows Explorer, right-clicking the drive, and clicking Turn On BitLocker. They will then be asked to choose a method to unlock the drive. These options include:

  • Password. This is a combination of letters, symbols, and numbers the user will enter to unlock the drive.

  • Smart card. In most cases, a smart card is issued by your organization and a user enters a smart card PIN to unlock the drive.

After choosing the unlock methods, users will be asked to print or save their recovery password. This is a 48-digit password that can also be stored in Active Directory Domain Services (AD DS) and used if other unlock methods fail (for example, when a password is forgotten). Finally, users will be asked to confirm their unlock selections and to begin encryption.

Unlocking BitLocker-protected drives

When you insert a BitLocker-protected drive into your computer, Windows will automatically detect that the drive is encrypted and prompt you to unlock it. While the ability to encrypt drives is only available on some versions of Windows 7, all versions will permit unlocking of BitLocker-protected drives.

New Group Policy settings

BitLocker in Windows 7 introduces several new Group Policy settings that permit easy management of features. For example, administrators will be able to:

  • Require all removable drives be BitLocker-protected before data can be saved on them.

  • Require or disallow specific methods for unlocking BitLocker-protected drives.

  • Configure methods to recover data from BitLocker-protected drives if the user's unlock credentials are not available.

Note

In addition to recovery passwords, administrators can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using BitLocker with. These settings are:

  • Configure how BitLocker-protected operating system drives can be recovered

  • Configure how BitLocker-protected removable data drives can be recovered

  • Configure how BitLocker-protected fixed data drives can be recovered

  • Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Vista)

When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value configured on the computer.
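The following PowerShell audit script is an added example, not part of this article or of any Microsoft tool. It uses the documented Win32_EncryptableVolume WMI class (present in Windows 7 and Windows Server 2008 R2) to report, for every BitLocker volume, whether a 48-digit recovery password protector and a certificate-based (smart card or data recovery agent) protector exist and whether the drive's identification field matches the value the organization configured. The $ExpectedIdField value is an assumption; replace it with the identifier set in the Provide the unique identifiers for your organization policy.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell prompt; PowerShell 2.0 syntax so it works on Windows 7.
$ExpectedIdField = "CONTOSO-BITLOCKER"   # assumption: your organization's identification field

# Key protector type codes documented for Win32_EncryptableVolume.
# Type 7 (PublicKey) covers both smart card and data recovery agent certificates.
$ProtectorNames = @{
    0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey"; 3 = "NumericalPassword";
    4 = "TPMAndPIN"; 5 = "TPMAndStartupKey"; 6 = "TPMAndPINAndStartupKey";
    7 = "PublicKey"; 8 = "Passphrase"; 9 = "TPMCertificate"; 10 = "CNG"
}
$ProtectionNames = @{ 0 = "Unprotected"; 1 = "Protected"; 2 = "Unknown" }

$ns = "root\cimv2\Security\MicrosoftVolumeEncryption"
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # GetProtectionStatus / GetIdentificationField / GetKeyProtectors are
    # documented methods of the class; 0 to GetKeyProtectors means "all types".
    $status = $vol.GetProtectionStatus().ProtectionStatus
    $idField = $vol.GetIdentificationField().IdentificationField
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)

    $types = @()
    foreach ($id in $ids) {
        if ($id) {
            $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $types += $ProtectorNames[$t]
        }
    }

    # A drive with no numerical password and no certificate protector cannot
    # be recovered if the user's own unlock credential is lost; a mismatched
    # identification field means BitLocker will not manage the DRA on it.
    New-Object PSObject -Property @{
        Drive                   = $vol.DriveLetter
        Protection              = $ProtectionNames[[int]$status]
        Protectors              = ($types -join ",")
        HasRecoveryPassword     = ($types -contains "NumericalPassword")
        HasCertificateProtector = ($types -contains "PublicKey")
        IdentificationField     = $idField
        IdFieldMatchesPolicy    = ($idField -eq $ExpectedIdField)
    }
}
```

Pipe the output to Format-Table or Export-Csv to produce a fleet report; drives showing IdFieldMatchesPolicy as False are the ones on which the data recovery agent will not be applied or updated.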

In Windows 7, Group Policy settings for BitLocker have been extended to include configurable options for removable data drives as well as fixed data drives. Most of the Group Policy settings have separate settings to be applied to operating system drives, fixed drives, and removable drives as appropriate. BitLocker Group Policy settings can be viewed by using either the Local Group Policy Editor or the GPMC. Using these policy settings helps enforce standard deployment of BitLocker Drive Encryption in your organization. Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives support configuration of policy settings specific to those drives.

Note

If you want to use BitLocker to protect an operating system drive on a computer that does not have a Trusted Platform Module (TPM), you must enable the Require additional authentication at startup Group Policy setting, and then within that setting click Allow BitLocker without a compatible TPM.