Configuring Windows 7 (Training Kit) - Part 60 docx

Lesson 1: Managing BitLocker CHAPTER 11 563
The last step before you enable BitLocker on a computer is running the System Check, as
shown in Figure 11-8. This check verifies that BitLocker can work with your computer and that
there is not a problem with the configured startup key or TPM chip. Although this check takes
time, you should run it because all data on the computer may be lost if there is a problem
with one of the BitLocker features. For example, if you are using BitLocker without a TPM,
this check allows you to discover whether the USB device that you have stored the startup
key on is accessible to the computer prior to booting into Windows. Even though the startup
key may be present on the device, if the BIOS does not support accessing the USB device
at the appropriate time, BitLocker locks out the computer. If that is the case, you cannot
use BitLocker on this computer. It is much better to discover this type of problem prior to
activating BitLocker than having to go through the BitLocker recovery process.
FIGURE 11-8 Run a System Check prior to using BitLocker
The system check test involves a reboot. After the test completes successfully, BitLocker
begins the encryption process. The encryption process occurs in the background. A user with
administrative privileges can pause and resume the encryption process if necessary. BitLocker
is not fully active until the encryption process is completed.
Quick Check
• Which policy must you configure to allow a computer that does not have a TPM
chip to use BitLocker with a startup key stored on a compatible USB device?
Quick Check Answer
• You must configure the Require Additional Authentication At Startup policy to
allow a computer that does not have a TPM chip to use BitLocker with a startup
key stored on a compatible USB device.
564 CHAPTER 11 BitLocker and Mobility Options
BitLocker To Go
BitLocker To Go is a feature that is available in the Enterprise and Ultimate editions of
Windows 7. Computers running these editions of Windows 7 can configure a USB device to
support BitLocker To Go. Other editions of Windows 7 can read and write data off BitLocker


To Go devices, but they cannot configure a device to use BitLocker To Go. BitLocker To Go
allows for removable storage devices to be encrypted using BitLocker. BitLocker To Go differs
from BitLocker in previous versions of Windows because it allows you to use BitLocker-
encrypted removable storage devices on other computers if you have the appropriate
password. Although BitLocker in Windows Vista SP1 and later did allow you to encrypt
BitLocker removable storage devices, the process of using a BitLocker-encrypted device on
another computer was complicated and involved performing BitLocker recovery.
BitLocker To Go does not require that the computer have a TPM chip or that Group
Policy be configured to allow some other form of authentication such as a startup key. If you
configure appropriate policies, devices protected by BitLocker To Go can be used in read-only
mode with computers running Windows XP and Windows Vista.
BitLocker To Go Policies
The Removable Data Drives node of the BitLocker Drive Encryption policy node contains six
policies that allow you to manage BitLocker To Go, as shown in Figure 11-9.
FIGURE 11-9 Removable drive policies
• Control Use Of BitLocker On Removable Drives This policy includes two settings
that can be enabled. The first setting allows users to apply BitLocker protection
to removable drives. The second allows users to suspend and decrypt BitLocker
protection on removable drives. If this policy is disabled, users are unable to use
BitLocker To Go.
• Configure Use Of Smart Cards On Removable Data Drives This policy allows you to
enable and/or require use of smart cards to authenticate user access to a removable
drive. When this policy is disabled, users cannot use smart cards to authenticate access
to removable drives protected with BitLocker.
• Deny Write Access To Removable Drives Not Protected By BitLocker Configuring
this policy allows you to stop users from writing data to removable devices that are not
BitLocker-protected. Within this policy, you can enable the Do Not Allow Write Access
To Drives Configured In Another Organization setting, which allows you to limit the
writing of data to removable devices configured with a specific BitLocker identification
string. This string is configured using the Provide The Unique Identifiers For Your
Organization policy that you learned about earlier in this lesson and which was shown
earlier in Figure 11-4. When this policy is enabled, users can still read data from
removable devices that are not protected by BitLocker or have another organization’s
identifier. If this policy is disabled, users can write data to removable devices whether
or not they have been configured with BitLocker.
• Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions
Of Windows Use this policy to allow or restrict BitLocker-protected removable
devices formatted with the FAT file system from being accessed on previous versions
of Windows. This policy does not apply to NTFS-formatted removable devices. You can
configure this policy to allow the installation of BitLocker To Go Reader, a program that
allows previous versions of Windows read access to BitLocker-protected removable
devices. BitLocker To Go Reader must be present on a computer running a previous
version of Windows for that computer to be able to read BitLocker-protected removable
devices. When this policy is disabled, FAT-formatted BitLocker-protected removable
devices cannot be unlocked on computers running previous versions of Windows.
• Configure Use Of Passwords For Removable Data Drives This policy determines
whether a password is required to unlock a removable data drive protected
by BitLocker, as shown in Figure 11-10. The policy allows password complexity
requirements to be enforced. If this policy is disabled, users are not allowed to use
passwords with removable devices.
FIGURE 11-10 Password to access encrypted removable storage
• Choose How BitLocker-Protected Removable Drives Can Be Recovered This policy
allows you to specify the methods that can be used to recover BitLocker-protected
removable devices. You can configure removable drives to use the DRA specified in
the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\
BitLocker Drive Encryption node. You can also configure a recovery password
and a recovery key. Using this policy, you can specify whether BitLocker recovery
information is stored within AD DS.
Once a removable device supports BitLocker To Go, it is possible to manage it either by
right-clicking it within Windows Explorer or by clicking Manage BitLocker within the BitLocker
Drive Encryption control panel. This opens the dialog box shown in Figure 11-11. This dialog
box allows you to change the password assigned to the device, configure the device so that
you can unlock it with a smart card, save the recovery key, remove the password from the
device, or configure the computer to automatically unlock the device whenever it is connected.
FIGURE 11-11 Change BitLocker To Go options
BitLocker Recovery
Encrypted volumes are locked when the encryption key is not available. When the operating
system volume is locked, you can boot only to recovery mode. In recovery mode, you can
enter the BitLocker password or you can attach the USB device that has the recovery key
stored and restart the computer. Once you enter the recovery password or key, you can boot
your computer normally. The following events trigger recovery mode:
• The boot environment changes. This could include one of the boot files being modified.
• TPM is disabled or cleared.
• An attempt is made to boot without the TPM, PIN, or USB key being provided.
• You attach a BitLocker-encrypted operating system volume to another computer.
If you need to perform a task that would normally trigger recovery mode, such as
modifying the boot files, it is possible to disable BitLocker temporarily. You should temporarily
disable BitLocker when upgrading the computer’s BIOS or making any modification to the
startup environment, such as configuring Windows 7 to dual-boot with a virtual hard disk
(VHD) installation of the operating system. Once you have finished the configuration changes,
you can re-enable BitLocker. The changes that you made when BitLocker was disabled do not
trigger recovery mode.
Manage-bde.exe
Manage-bde.exe is the BitLocker command-line utility. You must use Manage-bde.exe from
an elevated command prompt. Manage-bde.exe allows you to unlock locked BitLocker
volumes and allows you to modify BitLocker PINs, passwords, and keys. Table 11-1 lists
common Manage-bde.exe parameters. You will use Manage-bde.exe in the practice exercise
at the end of the lesson.
TABLE 11-1 Common Manage-bde.exe Parameters
PARAMETER         FUNCTION
-status           Displays BitLocker status
-on               Encrypts a volume and turns BitLocker on
-off              Decrypts a volume and turns BitLocker off
-pause/-resume    Pauses or resumes encryption or decryption
-lock             Prevents access to BitLocker-protected data
-unlock           Allows access to BitLocker-encrypted data
-SetIdentifier    Configures the identifier for a volume
-changepin        Modifies the PIN for a volume
-changepassword   Modifies a volume’s password
-changekey        Modifies a volume’s startup key
EXAM TIP
Remember which policy to configure to allow computers without TPM chips to use
BitLocker.
Practice Configuring BitLocker To Go
In this practice, you configure Group Policies so that users are able to write data only to specially
prepared removable storage devices that support BitLocker To Go. Implementing similar policies
in a real-world environment ensures that data stored on a removable storage device is safe from
third-party access if the owner of the removable storage device loses it in a public place.
EXERCISE 1 Configuring BitLocker To Go Policies
In this exercise, you configure BitLocker To Go–related Group Policy settings.
1. Log on to computer Canberra using the Kim_Akers user account.
2. Ensure that the USB storage device that you will encrypt using BitLocker To Go is
attached to the computer.
3. Use the Disk Management console to format the USB storage device with the FAT32
file system.
4. Disconnect the USB storage device from the computer.
5. In the Search Programs And Files text box, type gpedit.msc. This opens the local
Group Policy Editor.
6. Navigate to the Computer Configuration\Administrative Templates\Windows
Components\BitLocker Drive Encryption node.
7. Edit the Provide The Unique Identifiers For Your Organization policy. Enable the policy
and set the BitLocker Identification Field and the Allowed BitLocker Identification Field
to ContosoBitLocker, as shown in Figure 11-12, and then click OK.
FIGURE 11-12 Configure identifiers
8. Open the Removable Data Drives node and then set the Deny Write Access To Removable
Drives Not Protected By BitLocker policy to Enabled. Then select the Do Not Allow Write
Access To Devices Configured In Another Organization check box. Click OK.
9. Enable the Allow Access To BitLocker-Protected Removable Data Drives From Earlier
Versions Of Windows policy.
10. Set the Configure Use Of Passwords For Removable Data Drives policy to Enabled.
Select the Require Password For Removable Data Drive check box, set the Configure
Password Complexity For Removable Data Drives to Allow Password Complexity, as
shown in Figure 11-13, and then click OK.
FIGURE 11-13 Removable drive password complexity
11. Close the Local Group Policy Editor and then reboot the computer.
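The following PowerShell script is an added example, not part of the Training Kit: after the reboot it audits the local registry state that Group Policy writes for the BitLocker To Go policies described earlier and configured in Exercise 1. The HKLM\SOFTWARE\Policies\Microsoft\FVE path, the value names (RDV stands for Removable Data Volume) and the numeric meanings are taken from the VolumeEncryption policy template as the author of this example understands it, and are assumptions rather than facts from the lesson.

```powershell
# Added example: audit the BitLocker To Go policy state set in Exercise 1.
# Group Policy writes BitLocker Drive Encryption settings under the FVE key;
# the value names and meanings below are assumptions (see lead-in).
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Expected registry state after Exercise 1, grouped by the policy that sets it.
$Expected = @(
    # Provide The Unique Identifiers For Your Organization
    @{ Name = 'IdentificationField';          Value = 1;                  Setting = 'Unique identifiers enabled' }
    @{ Name = 'IdentificationFieldString';    Value = 'ContosoBitLocker'; Setting = 'BitLocker Identification Field' }
    @{ Name = 'SecondaryIdentificationField'; Value = 'ContosoBitLocker'; Setting = 'Allowed BitLocker Identification Field' }
    # Deny Write Access To Removable Drives Not Protected By BitLocker
    @{ Name = 'RDVDenyWriteAccess';           Value = 1;                  Setting = 'Deny write access enabled' }
    @{ Name = 'RDVDenyCrossOrg';              Value = 1;                  Setting = 'Block drives configured in another organization' }
    # Configure Use Of Passwords For Removable Data Drives
    @{ Name = 'RDVPassphrase';                Value = 1;                  Setting = 'Passwords for removable drives enabled' }
    @{ Name = 'RDVEnforcePassphrase';         Value = 1;                  Setting = 'Require password for removable data drive' }
    @{ Name = 'RDVPassphraseComplexity';      Value = 0;                  Setting = 'Password complexity: Allow' }
)

function Test-BitLockerToGoPolicy {
    param([string]$KeyPath = $FvePolicyKey)
    # No FVE key at all means no BitLocker policy has been applied yet.
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Warning "$KeyPath does not exist; no BitLocker policy is applied."
        return
    }
    $actual = Get-ItemProperty -Path $KeyPath
    foreach ($e in $Expected) {
        $prop = $actual.PSObject.Properties[$e.Name]
        $current = if ($prop) { $prop.Value } else { $null }
        $actualText = if ($prop) { $current } else { '<not set>' }
        # Compare as strings so a DWORD 1 and the expected integer 1 line up.
        New-Object PSObject -Property @{
            Setting   = $e.Setting
            Value     = $e.Name
            Expected  = $e.Value
            Actual    = $actualText
            Compliant = ($null -ne $prop) -and ("$current" -eq "$($e.Value)")
        }
    }
}

# Run after the reboot at the end of Exercise 1; any row with Compliant = False
# points at a policy that was not applied as intended.
Test-BitLockerToGoPolicy | Format-Table Setting, Value, Expected, Actual, Compliant -AutoSize
```

Run the script from an elevated PowerShell prompt after step 11; if a row shows <not set>, re-check the corresponding policy in the Local Group Policy Editor.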

EXERCISE 2 Testing the Application of BitLocker To Go Policies
In this exercise, you encrypt a removable storage device and verify that it is possible to write
data to the device only when the device has been configured with BitLocker.
1. After computer Canberra has rebooted at the end of Exercise 1, log on with the
Kim_Akers user account.
2. After you have logged on, connect the USB storage device that you prepared in
Exercise 1. Verify that the message displayed in Figure 11-14 appears.
FIGURE 11-14 Removable device warning
3. Click Don’t Encrypt This Drive to dismiss this dialog box. Create a file on the desktop
named Test.txt. Using Windows Explorer, attempt to copy this file to the USB storage
device. This prompts a message informing you that the disk is write-protected.
4. In the Search Programs And Files text box, type Manage BitLocker. Click the Manage
BitLocker item.
5. In the BitLocker Drive Encryption control panel, click the Turn On BitLocker item next
to the removable USB drive, as shown in Figure 11-15.
FIGURE 11-15 The BitLocker control panel
6. On the Choose How You Want To Unlock The Drive page, enter the password
P@ssw0rd twice and then click Next.
7. On the How Do You Want To Store Your Recovery Key? page, click Save The Recovery
Key To A File and save the recovery key on the desktop. Click Next.
8. On the Are You Ready To Encrypt This Drive? page, click Start Encrypting. Windows
starts encrypting the drive.
9. When the removable drive has stopped encrypting, open an elevated command
prompt and issue the command manage-bde -status e: (where e: is the volume
identifier of the USB storage device). Verify that the Identification Field setting matches
ContosoBitLocker, as shown in Figure 11-16.
FIGURE 11-16 Check BitLocker status
10. Use Windows Explorer to copy the file Test.txt from the desktop to the USB storage
device, and verify that you are now able to write data to the device.
11. Disconnect and then reconnect the storage device. Verify that you need to enter
a password to access the storage device.
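As an added example that is not part of the Training Kit, the PowerShell below parses the text that manage-bde -status prints (the Manage-bde.exe utility introduced earlier in the lesson) and performs the checks from step 9 of Exercise 2 in code instead of by eye. The field names follow the Windows 7 manage-bde -status layout; the sample status block embedded in the script is constructed for this example.

```powershell
# Added example: turn manage-bde -status output into a hashtable and check
# the fields Exercise 2 step 9 asks you to verify. Written to run on the
# PowerShell 2.0 that ships with Windows 7.
function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $fields = @{}
    $protectors = @()
    $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s+Key Protectors:') { $inProtectors = $true; continue }
        # Key protector names are indented one level deeper than the fields.
        if ($inProtectors -and $line -match '^\s{8,}(\S.*)$') { $protectors += $matches[1].Trim(); continue }
        if ($line -match '^\s+([A-Za-z ]+):\s*(.*)$') {
            $inProtectors = $false
            $fields[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    $fields['Key Protectors'] = $protectors
    return $fields
}

function Test-RemovableDriveStatus {
    param([Parameter(Mandatory = $true)][hashtable]$Status,
          [string]$ExpectedIdentifier = 'ContosoBitLocker')
    # Each check maps to something the lesson has you confirm on the drive.
    New-Object PSObject -Property @{
        IdentifierMatches = ($Status['Identification Field'] -eq $ExpectedIdentifier)
        FullyEncrypted    = ($Status['Conversion Status'] -eq 'Fully Encrypted')
        ProtectionOn      = ($Status['Protection Status'] -eq 'Protection On')
        PasswordProtector = ($Status['Key Protectors'] -contains 'Password')
    }
}

# Constructed sample of the volume section that manage-bde -status e: prints.
$sample = @'
Volume E: [USBDATA]
[Data Volume]

    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: ContosoBitLocker
    Key Protectors:
        Password
        Numerical Password
'@ -split '\r?\n'

Test-RemovableDriveStatus -Status (ConvertFrom-ManageBdeStatus -Lines $sample)
# Live drive, elevated prompt: Test-RemovableDriveStatus -Status (ConvertFrom-ManageBdeStatus -Lines (manage-bde -status e:))
```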
Lesson Summary
• BitLocker offers full volume encryption and system protection for computers running
the Enterprise and Ultimate editions of Windows 7.
• TPM chips are required for BitLocker boot integrity protection. TPM PINs can be
backed up to AD DS.
• BitLocker can use five different modes: TPM-only, TPM with PIN, TPM with startup key,
TPM with PIN and startup key, and startup key without TPM. The startup key without
TPM mode can be enabled only by configuring the Require Additional Authentication At
Startup Group Policy.
• DRAs can be configured for the recovery of BitLocker-encrypted volumes.
• BitLocker To Go provides BitLocker encryption to removable storage devices.
Computers running the Enterprise and Ultimate editions of Windows 7 can configure
removable devices. Computers running other editions of Windows 7 cannot configure
removable devices, but they can read and write data to BitLocker To Go–protected
devices.
• BitLocker To Go–protected removable storage devices can be protected with
passwords.
• BitLocker To Go storage devices can be accessed from computers running Windows
Vista and Windows XP through a utility named BitLocker To Go Reader if Group Policy
is configured to allow this.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing BitLocker.” The questions are also available on the companion DVD if you prefer
to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct
or incorrect are located in the “Answers” section at the end of the book.
1. Which of the following policies must you configure when setting up a DRA to recover
the operating system volume for BitLocker? (Choose all that apply; each answer forms
part of a complete solution.)
A. Computer Configuration\Administrative Templates\Windows Components\Provide
The Unique Identifiers For Your Organization
B. Computer Configuration\Administrative Templates\Windows Components\Choose
Default Folder For Recovery Password
C. Computer Configuration\Administrative Templates\Windows Components\Choose
How Users Can Recover BitLocker-Protected Drives
D. Computer Configuration\Windows Settings\Security Settings\Public Key Policies\
BitLocker Drive Encryption
E. Computer Configuration\Administrative Templates\Windows Components\
BitLocker Drive Encryption\Operating System Drives\Choose How BitLocker-
Protected Operating System Drives Can Be Recovered
2. You want to block users from writing data to removable drives if those drives are
not BitLocker-protected. Users should not be able to write data to drives configured
with BitLocker by organizations other than your own. Which of the following policies
must you configure to accomplish this goal? (Choose all that apply; each answer forms
part of a complete solution.)
A. Control Use Of BitLocker On Removable Drives
B. Store BitLocker Recovery Information In Active Directory Domain Services
C. Deny Write Access To Removable Drives Not Protected By BitLocker
D. Provide The Unique Identifiers For Your Organization
