Windows 7 and BitLocker to Go
Here is the second of my posts on BitLocker under Windows 7. While not strictly deployment focused, I found these points of interest. We all tend to use USB disks for moving data around, and securing them is becoming more important. For example, how many people have a deployment point on their USB stick that might contain user names and passwords in clear text?
BitLocker to Go and legacy versions of Windows
When using BitLocker to Go you can encrypt removable drives formatted with NTFS, but you won't be able to read them on a down-level OS, i.e. Windows XP or Windows Vista. However, if you encrypt a FAT, FAT32 or exFAT formatted drive, you will see the BitLocker to Go Reader when you plug it into a down-level machine, which allows read access to your files.
When considering the use of BitLocker to Go, it's worth noting that you can configure via Group Policy whether or not the BitLocker to Go Reader is included on the removable drive when you encrypt it: run GPEdit > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Drives > Allow access to BitLocker-protected removable data drives from earlier versions of Windows.
BitLocker to Go, Certificates and Smart Cards
If you have tried out BitLocker to Go you will have seen the option to encrypt an external disk using your smart card. However, not all certificates are suitable for this use.
A certificate is considered valid for BitLocker to Go if one of the following conditions is met for Key Usage (KU):
- No KU is present
- KU is present and contains one of the following encipherment bits:
  - CERT_DATA_ENCIPHERMENT_KEY_USAGE
  - CERT_KEY_AGREEMENT_KEY_USAGE
  - CERT_KEY_ENCIPHERMENT_KEY_USAGE
A certificate is considered valid for BitLocker to Go if one of the following conditions is met for Extended Key Usage (EKU):
- No EKU is present
- EKU is present and contains the BitLocker OID
- EKU is set to anyExtendedKeyUsage
NOTE: The BitLocker OID is configurable in Group Policy.
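The following is an added example, not code from the post or from Microsoft, that applies the KU and EKU rules above to a certificate's parsed usage fields (both rules must pass). It assumes the wincrypt.h CERT_* bit values and the default BitLocker EKU OID 1.3.6.1.4.1.311.67.1.1; since the post notes the OID is configurable in Group Policy, the OID is a parameter.

```python
# Added example: evaluate whether a smart card certificate's Key Usage and
# Extended Key Usage satisfy the BitLocker to Go rules. KU is passed as the
# wincrypt.h bit mask (the first octet of the X.509 KeyUsage BIT STRING maps
# onto these CERT_* values); EKU as a list of dotted OIDs. None = extension absent.
from typing import Optional, Sequence, Tuple

# wincrypt.h key-usage bits (first byte of the KeyUsage bit string)
CERT_DIGITAL_SIGNATURE_KEY_USAGE = 0x80
CERT_KEY_ENCIPHERMENT_KEY_USAGE = 0x20
CERT_DATA_ENCIPHERMENT_KEY_USAGE = 0x10
CERT_KEY_AGREEMENT_KEY_USAGE = 0x08
BITLOCKER_KU_ACCEPTED = (CERT_DATA_ENCIPHERMENT_KEY_USAGE
                         | CERT_KEY_AGREEMENT_KEY_USAGE
                         | CERT_KEY_ENCIPHERMENT_KEY_USAGE)

ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"
# Assumption: default BitLocker Drive Encryption OID; override with the value
# your Group Policy sets, as the post notes the OID is configurable.
DEFAULT_BITLOCKER_OID = "1.3.6.1.4.1.311.67.1.1"


def ku_ok(ku: Optional[int]) -> bool:
    """No KU extension, or KU has at least one accepted encipherment bit."""
    return ku is None or bool(ku & BITLOCKER_KU_ACCEPTED)


def eku_ok(eku: Optional[Sequence[str]], oid: str = DEFAULT_BITLOCKER_OID) -> bool:
    """No EKU extension, or EKU lists the BitLocker OID or anyExtendedKeyUsage."""
    return eku is None or oid in eku or ANY_EXTENDED_KEY_USAGE in eku


def bitlocker_cert_check(ku: Optional[int], eku: Optional[Sequence[str]],
                         oid: str = DEFAULT_BITLOCKER_OID) -> Tuple[bool, str]:
    """Return (usable, reason); both the KU rule and the EKU rule must hold."""
    problems = []
    if not ku_ok(ku):
        problems.append("KU 0x%02X lacks data/keyEncipherment or keyAgreement" % ku)
    if not eku_ok(eku, oid):
        problems.append("EKU lacks %s and anyExtendedKeyUsage" % oid)
    return (not problems, "; ".join(problems) or "usable for BitLocker to Go")


if __name__ == "__main__":
    # Constructed sample certificates as (KU mask, EKU OID list) pairs
    samples = {
        "no usage extensions": (None, None),
        "signing-only cert": (CERT_DIGITAL_SIGNATURE_KEY_USAGE, None),
        "encipherment + client-auth EKU": (CERT_KEY_ENCIPHERMENT_KEY_USAGE, ["1.3.6.1.5.5.7.3.2"]),
        "encipherment + BitLocker EKU": (CERT_KEY_ENCIPHERMENT_KEY_USAGE, [DEFAULT_BITLOCKER_OID]),
    }
    for name, (ku, eku) in samples.items():
        print("%-32s -> %s" % (name, bitlocker_cert_check(ku, eku)[1]))
```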
Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples is subject to the terms specified in the Terms of Use.
This post was contributed by Richard Trusson, a Senior Consultant with Microsoft Consulting Services - U.K.
Comments
- Anonymous
December 11, 2013
Hi, can I use BitLocker to Go to apply group policies on machines that cannot join a domain, such as Windows 7 Home Premium? Thanks in advance for your help. Ellyot