Last but certainly not least is encrypting Removable Data Drives. As we did with the Operating System Drives and the Fixed Data Drives, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click “Turn On BitLocker”. Hopefully, you noticed that the User Account Control (UAC) shield is missing for encrypting Removable Data Drives. What does this mean? It means that users who do not have Administrative rights can encrypt their own removable devices!

BitLocker to Go

Wait while BitLocker initializes the drive, and you’ll be prompted to enter a password. As with BitLocker for Fixed Data Drives, Microsoft doesn’t tell the user up front that there is a minimum password length requirement. If the user types in a password that is too short, they are only notified that the password is too short. Once again, you’ll want to communicate to your users that there is a minimum password policy and what length the password will need to be.

BitLocker To Go – The password provided does not meet minimum length requirements
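To find the length you need to communicate, you can read the effective removable-drive password policy on a client. The script below is an added example, not part of the original article. It assumes the values written by the "Configure use of passwords for removable data drives" Group Policy setting (`RDVPassphrase`, `RDVEnforcePassphrase`, `RDVPassphraseLength`) and falls back to BitLocker's default minimum of 8 characters when the policy is not configured; the function name is hypothetical.

```powershell
# Added example: report the password rules Group Policy applies to
# BitLocker To Go (removable data drives) on this computer.
# Assumption: policy values are stored under the FVE policy key below.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$defaultMinLength = 8   # BitLocker minimum when the policy is not configured

# Hypothetical helper name; works on PowerShell 2.0 (Windows 7).
function Get-RdvPasswordPolicy {
    param([string]$Path = $fveKey)

    $result = New-Object PSObject -Property @{
        Configured       = $false
        PasswordsAllowed = $true
        PasswordRequired = $false
        MinimumLength    = $defaultMinLength
    }

    # No policy key at all: defaults apply.
    if (-not (Test-Path $Path)) { return $result }
    $p = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    if ($p.RDVPassphrase -ne $null) {
        $result.Configured = $true
        # 0 means the policy is set to Disabled: passwords cannot be used.
        $result.PasswordsAllowed = ($p.RDVPassphrase -eq 1)
    }
    if ($p.RDVEnforcePassphrase -ne $null) {
        $result.PasswordRequired = ($p.RDVEnforcePassphrase -eq 1)
    }
    if ($p.RDVPassphraseLength -ne $null) {
        $result.MinimumLength = [int]$p.RDVPassphraseLength
    }
    return $result
}

$policy = Get-RdvPasswordPolicy
if (-not $policy.PasswordsAllowed) {
    'Policy disables passwords for removable drives; users need another unlock method.'
} else {
    'Removable drive passwords must be at least {0} characters (policy configured: {1}, password required: {2}).' -f `
        $policy.MinimumLength, $policy.Configured, $policy.PasswordRequired
}
```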

When you’re asked if you’re ready, click “Start Encrypting” and wait for your drive to encrypt. Checking in Computer, you should now see the lock icon that indicates that the drive is encrypted.

BitLocker encrypted removable drive

When you insert your removable drive into a Windows 7 computer, you will be prompted for your password to unlock the drive. What’s great about the screenshot below is that it was actually made on my home computer that is running Windows 7 Professional, not my test system running Windows 7 Ultimate where the drive was originally encrypted.

BitLocker encrypted removable drive – Windows 7 Professional

BitLocker To Go Reader

But what if you need to access data on your drive from an operating system that doesn’t include BitLocker To Go support, like Windows XP or Vista? The BitLocker To Go Reader gives both Windows XP and Vista read-only access to BitLocker To Go encrypted drives that use the FAT, FAT32, or exFAT file systems.

Note the “Reader” in that name; you’ll only be able to read the drive, not write back to it. By default, the reader is included on the drive, so you only need to install the reader on your computer if your environment requires it. The other good news is that the reader doesn’t require Administrator rights if you run it directly from the drive.

In the example below, this is what you’ll see if you use a pre-Windows 7 OS to access the removable device:

Vista BitLocker To Go

If you run BitLockerToGo.exe, you’ll be prompted for your password. Enter it and click “Unlock”.

BitLocker To Go – Unlock

You’ll have read-only access to your files.

BitLocker To Go – Read only access
