This article reviews Windows 7 BitLocker and BitLocker to Go in detail and gives tips how to install and configure BitLocker.
Latest posts by Michael Pietroforte (see all)

bitlocker-logo BitLocker was introduced with Windows Vista and, as far as I know, it was not very popular. This might be because it is available only for Windows Vista Ultimate and Windows Vista Enterprise. But the main reason probably is that it is complicated to set up. I compared BitLocker to TrueCrypt a year ago and concluded that the Open Source tool is the better drive encryption solution. BitLocker in Windows 7, however, has significantly improved. In this article I discuss BitLocker's system drive encryption, and in my next post I will review BitLocker-to-Go, the new encryption solution for removable storage devices.

BitLocker for Vista was too complicated to set up once the operating system is installed. Users had to shrink the system partition to make space for the BitLocker partition. Microsoft acknowledged that this was too difficult for end users, and too time consuming for administrators, and released the BitLocker Drive Preparation Tool, which is part of the Ultimate Extras and is also available for Windows Vista Enterprise.

bitlocker-drive-encryption BitLocker drive preperation is now integrated into Windows 7. It greatly simplifies the encryption of a system drive. BitLocker can be found under System and Security in the Control Panel. Basically, you only have to turn on BitLocker, and the Drive Preparation Tool does the rest. This works, however, only if the computer has a TPM (Trusted Platform Module). If not, the encryption key also can be stored on a USB stick.

bitlocker-local-group-policy-editor But USB stick support has to be enabled before being used. Unfortunately, this can't be done via the Control Panel; it has to be enabled through Group Policy or the Local Group Policy Editor (type gpedit.msc at Start Search). I am sure this will confuse many people. The settings' location has changed slightly in Windows 7: "Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components |Operating Systems Drives | BitLocker Drive Encryption -> Require Additional Authentication at Startup". Please note there are two independent keys for Windows 7 and Server 2008/Vista.

Once you have allowed BitLocker without TPM, the wizard in the BitLocker Drive Preparation will let you store the Startup Key on a USB flash drive. It also allows you to save a Recovery Key, which you will need if you have lost your USB stick. You will then be asked whether you want to run a BitLocker System Check. If you agree, your computer will be restarted to check whether the USB device is available during the boot-up process. Note that this usually doesn't work if you try it in a virtual environment. But there are workarounds (VMware Workstation, Virtual PC). These posts were written for Vista, but they should work for Windows 7 also.

bitlocker-volumeBitLocker preparation works differently in Windows 7 from Vista because the BitLocker partition is already available. I am not sure if Windows 7 setup will create it also in editions that don't support BitLocker. Like with Vista, BitLocker will be supported only for the Ultimate and Enterprise editions. The BitLocker partition has 200 MB (400MB if WinRE (Windows Recovery Environment) is installed). Unlike in Vista, it has no drive letter and is hidden, which makes sense. You can see it in Disk Management, though. According to Microsoft, upgrades from Vista to Windows 7 are possible if BitLocker is enabled.

bitllocker-boot-up The encryption process seemed quite fast to me but, because I was testing in a virtual environment, that might not mean much. For 1GB, BitLocker took approximately 30 seconds. Once the system drive is encrypted, you can boot-up Windows 7 only if the USB stick (and/or the TPM) is present. If you have lost the USB drive, you will require the Recovery Key or the Recovery Password.

Windows 7 chooses the Recovery Password, which has 48 digits. So it is not really a viable alternative to the TPM or the USB stick. I prefer TrueCrypt here; it allows you to choose a memorable passphrase and it doesn't require special hardware for it. This might not be as secure BitLocker's method, but I think it is secure enough if you don't happen to be a CIA agent. If you forget the USB stick or the Recovery Key at your office before a trip, your laptop will be useful only as ballast for your luggage. Note that for system drives, you can use only a PIN, instead of a USB stick, if your computer is equipped with a TPM. Unlocking a fixed drive with a password works only for volumes other than the operating system volume.

Subscribe to 4sysops newsletter!

However, BitLocker has two important advantages over TrueCrypt. It can be centrally managed through Group Policy, and it allows you to store the Recovery Key and the Recovery Password in Active Directory. BitLocker has quite a few new Group Policy settings compared to Vista, mostly because of the new features such as BitLocker-to-Go. Vista also supports Active Directory integration, but Windows 7 has an important new recovery option, the Data Recovery Agent. I will write more about this feature in my next post about BitLocker-to-Go, because I think this feature will be used more often for portable devices.

  1. Avatar
    John W. Anderson 15 years ago

    Our corporate experience with TrueCrypt has been abysmal. It is unstable at times, performs poorly in some configurations, and doesn’t handle Windows errors well. In one case a BSOD caused us to lose the partition.

    Open Source is what it is, a mixed bag, and quality questionable versus commercial software. It will never interoperate as well, either. Sorry to irritate you fanboys, but that’s reality in the corporate big leagues.

  2. Avatar
    Bob 15 years ago

    From my test installations of Win7 Home Premium, a 200MB System Partition is created by default if you install to unallocated space and there’s an extra slot in the partition table available.

    Considering how unlikely a non-Ultimate user will ever upgrade to Ultimate *and* use Bitlocker, it’s a waste of a partition table entry (there are only 4 with MBR disks) if you want to install other O/S’s without using a virtual machine. There should be an installation option to skip this step.

  3. Avatar

    John, thanks for sharing your experiences with TrueCrypt. However, I am using it for several years and I never experienced any problems.

    Bob, that is interesting. Perhaps Microsoft will change this until the final release.

  4. Avatar
    anonymuos 15 years ago

    MS made the same mistake with 7 wrt BitLocker. It should have been part of at least Professional.

  5. Avatar

    anonymuos, I absolutely agree.

  6. Avatar
    Ryan 15 years ago

    Any idea what the reasoning behind not including it in Professional was? Seems like that’s where it’s most likely to get the use, seeing as how you can’t really buy laptops with Enterprise installed, and an organization that is most likely to use it would probably be using the Volume Licensing.

    • Avatar

      I think they simply want to convince corporate customers that Volume Licensing makes sense. In my view, security-related features should be included in all Windows editions.

  7. Avatar
    Jokin 15 years ago

    I have tried bitlocker some days with windows 7 beta (build 7022) and have a lot of problem with it, always related to the lack of free space in the encrypted drive. I couldn’t decompress big zipped files ( microsoft virtual pc images downloaded from ) nor get to build some projects with visual studio, it says that there is not enough space to create the target binaries. Have to see how it works in the final version, but right now it’s a pain.

  8. Avatar
    Lukas Beeler 15 years ago

    I did multiple Custom Clean Installations on Windows Vista Bitlocker enabled laptops (using TPM protection). Migrated the Profiles using USMT Hardlink Migration (went from x86 to x64).

    Bitlocker rocks!

  9. Avatar
    BitLocker 14 years ago

    Win7 Bitlocker is easy to use especially for using removable dat devices.
    Actually I’m using the TrueCrpt and it seems to be a perfect tool for using on Vista and Win7 taking the place of Private Folder in XP.
    But both new tools are more secure and using a true encryption system.
    A short review of mine at my blog post

    Thanks for sharing

  10. Avatar
    Matas 14 years ago

    Very informative, thanks a lot Michael.

  11. Avatar
    Michelle 14 years ago

    how would you use this tool if one has Vista and Windows 7 already dual booted but want to enable BL in each OS?

  12. Avatar
    Jay Mehta 14 years ago

    I had encrypted my removable data drive with Bit-Locker on Windows 7. But while i was decrypting it back to normal, my Bit-Locker got corrupted. Now, whenever i connect my removable data drive, Bit-locker goes “Not Responding”.
    So can you help me out of this?

  13. Avatar
    Brian Kesire 13 years ago

    Jay, you’ll probably need to have your data drive professionally recovered, though that may not even be possible at this point. Without a proper key, your data is essentially just random bits on a disk.

    If I may ask, in what way did BitLocker corrupt? I’ve never encountered this before…

  14. Avatar
    Jon Watts 13 years ago

    Truecrypt is good, cheap (lienses is free but time is not) and occassionally blue screens a machine. From seeing 20 machines installed with Truecrypt should know. Saying that back up well before you start, avoid new releases and you can avoid this issue. But do you want the hassle?

    Windows Bitlocker is part of the OS and more reliable. However, you can’t upgrade from professional to ultimate for less than 120 USD. Microsoft says buy the right version when you buy your computer. What that means is you need to buy a computer that is available with ultimate. And this is actually not always that easy. here in Singapore professional or home is often the standard and getting ultimate installed at the outset quite hard.

  15. Avatar
    Anonymuos 13 years ago

    I am using BitLocker on a 1TB external hard drive for the first time and it is taking forever to encrypt. The drive is only 20% used (storage). Any comments or suggestions? The only option is to “pause” the encryption. Can it be safely stopped?

  16. Avatar
    sai 12 years ago

    bitlocker encrypt the whole drive even the free space on the drive.

  17. Avatar
    amrit 12 years ago

    Enabled bitlocker to go for my 500GB external hard disc. It took 12 hrs to encrypt.. Lost all my patience…

  18. Avatar
    Mike 12 years ago

    We are using bitlocker (Windows 7 Ultimate) to secure our PCs in our companies. It had been perfect so far.

    We use Biocryptodisk to secure the access key and the USB end point solution to prevent intruder to duplicate the access key in other USB flash disk

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account