Unlocking Removable Drives on Windows XP and Windows Vista
Applies To: Windows 7, Windows Server 2008 R2, Windows XP
BitLocker protection on FAT-formatted removable drives is known as BitLocker To Go. When a BitLocker-protected removable drive is connected to a computer running Windows 7, the drive is recognized automatically and the user is prompted for credentials to unlock it, or the drive is unlocked automatically if it has been configured to unlock that way. Computers running Windows XP or Windows Vista do not automatically recognize that the removable drive is BitLocker-protected.
To allow users of these operating systems to read content from BitLocker-protected removable drives by default, an additional FAT32 drive is created that is hidden on computers running Windows 7 but is visible on computers running Windows XP or Windows Vista. This hidden drive is called the discovery drive. The discovery drive contains the BitLocker To Go Reader. With BitLocker To Go Reader, users can unlock the BitLocker-protected drives by using a password or a recovery password (also known as recovery key).
As an alternative to having BitLocker install the BitLocker To Go Reader on the removable drive, the reader can be downloaded from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=151425). You can configure the Group Policy setting Allow access to BitLocker-protected removable data drives from earlier versions of Windows to control whether the discovery drive is created and the BitLocker To Go Reader is installed on removable drives when BitLocker protection is turned on for the drive.
- You should make sure that users unlock BitLocker-protected removable drives only on computers they trust. After the drive is unlocked, the contents of the drive and the credential used to unlock it are exposed to the host computer and could be captured.
- The discovery drive is formatted as unencrypted (plaintext) and with no free space. User data should not be stored on this drive.
A best practice to consider when using BitLocker To Go is requiring users to use a standard user account instead of an administrator account. This helps prevent modifications to the discovery drive's source directory (Windows\BitLockerDiscoveryVolumeContents), from which the BitLocker To Go Reader application (bitlockertogo.exe) is copied onto each discovery drive.
The BitLocker To Go Reader is not compatible with the NTFS file system. By default, many external drives are formatted with NTFS by the operating system. If you are planning to use the BitLocker To Go Reader, format the external drives in your organization by using the exFAT file system.
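The following PowerShell script is an added example, not part of this Microsoft article, that audits the three administrative points above on a Windows 7 computer: it reads the Group Policy state that controls whether the discovery drive is created, checks the reader's source directory for write access granted to anyone other than SYSTEM, Administrators and TrustedInstaller, verifies the Authenticode signature on bitlockertogo.exe, and lists removable drives whose file system rules out the reader. The registry path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value name RDVDiscoveryVolumeType (FAT32 or <none>) are assumptions taken from memory of the VolumeEncryption.admx template; confirm them against your own copy of the template before relying on the policy check.

```powershell
# Added audit example (not code from the Microsoft article). Run from an
# elevated PowerShell prompt on the computer being checked.
# ASSUMPTION: the policy "Allow access to BitLocker-protected removable data
# drives from earlier versions of Windows" is stored as the REG_SZ value
# RDVDiscoveryVolumeType under HKLM\SOFTWARE\Policies\Microsoft\FVE, where
# FAT32 means "create the discovery drive" and <none> means "do not".
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$sourceDir = Join-Path $env:SystemRoot 'BitLockerDiscoveryVolumeContents'
$readerExe = Join-Path $sourceDir 'bitlockertogo.exe'

function Get-DiscoveryVolumePolicy {
    # Returns the configured discovery-volume type, or a note that the policy
    # is not configured (the default behaviour is to create the FAT32 drive).
    $props = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['RDVDiscoveryVolumeType']) {
        return $props.RDVDiscoveryVolumeType
    }
    return 'not configured (default: FAT32 discovery drive is created)'
}

function Test-ReaderSourceDirectory {
    # Anything that can write to this directory can change the reader that is
    # copied onto every discovery drive, so only trusted principals should
    # hold write, modify, full-control or generic-write rights here.
    if (-not (Test-Path $sourceDir)) {
        Write-Warning "Source directory missing: $sourceDir"
        return
    }
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 'NT SERVICE\TrustedInstaller')
    $rights    = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]$rights::Write -bor [int]$rights::Modify -bor
                 [int]$rights::FullControl -bor 0x40000000   # GENERIC_WRITE
    $acl = Get-Acl -Path $sourceDir
    foreach ($ace in $acl.Access) {
        $grantsWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        $isTrusted   = $trusted -contains $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and -not $isTrusted) {
            Write-Warning ("Unexpected write access on {0}: {1} ({2})" -f $sourceDir, $ace.IdentityReference.Value, $ace.FileSystemRights)
        }
    }
    # The reader binary shipped by Windows carries a valid Authenticode
    # signature; anything else indicates tampering or a damaged file.
    if (Test-Path $readerExe) {
        $sig = Get-AuthenticodeSignature -FilePath $readerExe
        if ($sig.Status -ne 'Valid') {
            Write-Warning "Signature on $readerExe is $($sig.Status)"
        } else {
            Write-Output "Reader signature valid: $($sig.SignerCertificate.Subject)"
        }
    } else {
        Write-Warning "Reader binary missing: $readerExe"
    }
}

function Get-RemovableDriveFileSystems {
    # Win32_LogicalDisk DriveType 2 = removable. An NTFS-formatted drive
    # cannot carry the BitLocker To Go Reader; FAT, FAT32 and exFAT can.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Drive            = $_.DeviceID
                FileSystem       = $_.FileSystem
                ReaderCompatible = ($_.FileSystem -ne 'NTFS')
            }
        }
}

Write-Output ("Discovery volume policy: " + (Get-DiscoveryVolumePolicy))
Test-ReaderSourceDirectory
Get-RemovableDriveFileSystems | Format-Table Drive, FileSystem, ReaderCompatible -AutoSize
```

On an unmodified system the directory check should print no warnings: the stock ACL grants full control only to TrustedInstaller and read/execute to Administrators, SYSTEM and Users, none of which trips the write mask. A warning naming any other principal, or a signature status other than Valid, is the condition the standard-user recommendation above is meant to prevent and is worth investigating before more drives are provisioned from that computer.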