Applies to: Windows 7, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2
Is BitLocker To Go a great feature? I would say yes, absolutely. Using BitLocker To Go will protect your data on removable devices, which is important since it is easy to lose a thumb drive or a USB disk drive. I, for example, have 30 or more USB thumb drives plus five or more USB hard drives. Do I always remember which device contains sensitive data? No. One of the reasons I use the drives is to copy data between two disconnected computers. Once the task is done, I don’t always remember to remove the data from the device. I guarantee I am not the only one.
Interested in using BitLocker To Go? BitLocker To Go is a feature available in Windows 8 Professional and Windows 8 Enterprise, as well as Windows 7 Ultimate and Windows 7 Enterprise, which extends BitLocker data protection to USB storage devices.
If you need to read data from a USB device protected with BitLocker, you can do that in Windows XP, but you can only read information from a USB stick and you will need to do that using an application called "BitLocker to Go" reader, which is conveniently included in the root folder of the USB device. Please note that once you access the drive through the reader application, you may need to copy the content from the application and save it to the local machine you are working on in order to be able to open it correctly. If you do, don’t forget to delete it when you are done as you had a reason to protect the drive in the first place.
There are no special requirements for the USB device itself; as long as the device works like a normal storage drive, it is okay to use with BitLocker. You can choose any of the following file systems on the drive (FAT, FAT32, exFAT or NTFS), but chose wisely. To be able to open the USB drive on a Windows XP-based computer, you cannot use NTFS; you can only use FAT, FAT32 or exFAT. The best format in that case would be exFAT since it was supported as far back as Windows XP Service Pack 2 (which, by the way, is no longer supported by Microsoft), does not have the limitations of FAT32 have, and is faster as it was more or less designed to be used on flash memory.
Is it possible to control BitLocker using Group Policy? Of course! When testing BitLocker for myself, one of the first things that happened me was that I got an "access denied" message when trying to encrypt a removable device. All other devices worked perfectly fine, but not my USB device. After investigating further, it turned out that to be able to modify a BitLocker To Go device remotely, you first need to enable a policy that allows direct access to the drive. Enable this policy to be able to encrypt a USB device remotely:
\Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access\All Removable Storage: Allow direct access in remote sessions
Another policy that could be useful for an enterprise that has sensitive data (and doesn’t like the idea of destroying the USB port with glue) is to use a new policy introduced in Windows 8:
\Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption
While some of these features do not affect the BitLocker To Go functionality directly, they are interesting nonetheless:
For a demonstration of the BitLocker improvements in Windows 8, see BitLocker in Windows 8.
This is the easy part. To start using BitLocker To Go, the only thing you need to do is power on your Windows 8 Pro or Windows 8 Enterprise computer, log on, and find a USB device that you can use for target practice. Then perform the following steps:
|Note: That is the only way to open the drive if you forget your password, and no, you cannot save the file on the encrypted device even if you try.|
Congratulations your device is now protected with BitLocker To Go!
Now that you’ve successfully encrypted a drive, I recommend that you explore all the Group Policy settings you can utilize, and also try to recover a drive using your recovery key. It is nice to have performed this in a test environment before you ever need to do it in real life when the stakes are high.
Mikael Nystrom is a Microsoft MVP and Microsoft Certified Trainer (MCT) specializing in deployment, virtualization, and management. He has been involved in Technology Adoption Programs (TAPs) for several Microsoft products and technologies including Windows Server, Hyper-V, and Windows 7. In addition to his work as a speaker, trainer, and consultant, Mikael frequently shares technical news and insights through his blog and on Twitter.