BitLocker To Go is used to encrypt removable data drives such as flash drives. Part 5 in this series also discusses the BitLocker To Go Reader which is required to read encrypted data on legacy Windows versions.

Last, but certainly not least is encrypting Removable Data Drives. As we did with the Operating System Drives and the Fixed Data Drives, start by going to the Control Panel and finding the BitLocker Drive Encryption applet. Click "Turn On BitLocker". Hopefully, you noticed that the User Account Control (UAC) shield is missing for encrypting Removable Data Drives. What does this mean? It means that users that do not have Administrative rights can encrypt their own removable devices!

Bitlocker Active Directory - BitLocker To Go

BitLocker to Go

Wait for BitLocker to think some and you’ll be prompted to enter a password. As with BitLocker for Fixed Data Drives, Microsoft doesn’t tell the user that they have a minimum password length requirement. If the user types in a password that is too short, they are only notified that the password is too short. Once again, you’ll want to communicate with your users that there is minimum password policy and what length that password will need to be.

Bitlocker Active Directory - The password provided does not meet minimum length requirements

BitLocker To Go - The password provided does not meet minimum length requirements

When you’re asked if you’re ready, click "Start Encrypting". And wait for your drive to encrypt. Checking in Computer, you should now see the lock that indicates that the drive is encrypted.

Bitlocker Active Directory - Encrypted Removable Drive

BitLocker encrypted removable drive

When you insert your removable drive into a Windows 7 computer, you will be prompted for your password to unlock the drive. What’s great about the screenshot below was that it was actually made on my home computer that is running Windows 7 Professional, not my test system running Windows 7 Ultimate where the drive was originally encrypted.

Bitlocker Active Directory - BitLocker Encrypted Removable Drive - Window 7 Professional

BitLocker encrypted removable drive - Window 7 Professional

BitLocker To Go Reader

But what if you need to access data on your drive from an operating system that doesn’t include BitLocker To Go support like Windows XP or Vista? The BitLocker To Go Reader allows both Windows XP and Vista read-only access BitLocker To Go encrypted drives that are on the FAT, FAT32, or exFAT file systems.

Note the "Reader" in that; you’ll only be able to read the drive, not write back to it. By default, the reader is included on the drive; so, you only need to install the reader on your computer if your environment requires it. The other good news is that the reader doesn’t require Administrator rights if you run it directly from the drive.

In the example below, this is what you’ll see if you use a pre-Windows 7 OS to access the removable device:

Bitlocker Active Directory - Vista BitLocker To Go

Vista BitLocker To Go

If you run BitLockerToGo.exe, you’ll be prompted for your password and click "Unlock".

Bitlocker Active Directory - BitLocker To Go - Unlock

BitLocker To Go - Unlock

You’ll have read-only access to your files.

Bitlocker Active Directory -  BitLocker To Go- Read only access

  BitLocker To Go - Read only access

  1. Avatar
    Venkat 12 years ago

    Great Article, Thanks for sharing, is it possible to test this on virtual environment specially the OS Drive encryption, is that supproed ?

  2. Avatar
    Kyle 12 years ago

    To encrypt an OS drive, you have to have the TPM or use a USB startup key. The problem with USB startup keys is that most people tend to put the USB drive near the device that is encrypted. If it is just for testing purposes, I don’t think you’ll have any problems.

  3. Avatar
    Venkat 12 years ago

    @ Kyle, Thanks will try this using VMware workation.

  4. Avatar
    kirill 12 years ago


    Do you probably know how to allow non-administrative users on Windows 2008 R2 encrypt their removable drives like they can do on Windows 7 (without UAC shield) ?

Leave a reply

Please enclose code in pre tags: <pre></pre>

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account